Didier Stevens

Wednesday 22 July 2009

The Ultimate Disaster Recovery Plan

Filed under: Encryption,My Software — Didier Stevens @ 20:34

The ultimate disaster recovery plan is not a corporate plan.

This plan is for your family, to help them take over from you, when you’re not able to take up your role in the family. Hopefully, this will only be a temporary situation, but you have to plan for the worse too: your demise.

List all critical tasks you perform for your family. Think about the information a family member needs to take over your tasks. Document this. Communicate this to your family members.

Most of this documentation is private but not confidential. You don’t want an outsider to read it, but it contains no real secrets. You’ll only want to use encryption for the real secrets, and communicate the key and decryption procedure to your family members and/or lawyer (or another trustworthy outsider). You don’t have to trust a single person with your key if you don’t want to, you can split it over several persons, like Cory Doctorow did.

2 years ago, a very good friend of mine died suddenly. That’s what motivated me to develop a html/javascript page with AES encryption to record and encrypt my will. The advantage of html/javascript is that it’s standalone and very portable.

When you open my Virtual Will page, it will detect that it contains no encrypted content, and display the following dialog:


Use this dialog to create and encrypt your message.


Copy all html code from the encrypt textbox, and save it as an html file. This html file is identical to the original, but it also contains your message encrypted with AES.


Provide this document to your family members, together with the (partial) key. For example, you could burn it to a CD-ROM and use autorun to open the page automatically.

To decrypt it, open the html file:


and enter the password:


You can also use a Virtual Will page with ciphertext to create a new page or update your will: type encrypt in the password field, and you’ll see the encryption fields appear.

I obtained the JavaScript AES code from Chris Veness.

Some limitations:

  • Chris’ implementation doesn’t use a standard key derivation algorithm (and is limited to first 32 characters of the password)
  • the ciphertext is not compatible with the openssl format
  • it works with many browsers on different operating systems, but not on my S60 Nokia
  • get the enter key to work correctly

I’ll improve these limitations if my software proves to be useful.

Of course, you can use this html page to encrypt anything and then pass it along, it doesn’t have to be a disaster recovery plan.

Download: virtualwill.html

Tuesday 21 July 2009

Quickpost: More Picture-Taking with Python

Filed under: Hardware,My Software,Quickpost — Didier Stevens @ 9:24

Per @TimelessP’s request, here’s so more Python code that can be used for time-lapse photography.

It’s code I wrote to take surveillance pictures from IP-cameras:


You have to update 2 config files with the data of your IP-cameras: vs.config and credentials.config. Fields in the config files are tab-separated.

vs.config contains the IP cameras, example:

Hall.jpg    -

First field is the prefix for the name when saving the picture (suffix is a timestamp). Second field is the URL to access the picture on the IP camera (depends on the model your using). Third field is a fixed name for the picture, use a hyphen (-) if not used.

credentials.config contains the passwords to access the IP-cameras, example:    admin    password


vs_v0_2.zip (https)

MD5: DB806B49705D544F4B928A8F76622125

SHA256: 042FA2CE1F5AEBD433D59B9D4755783E6CE58014FE59086C6A2A8E8781C63B45

Quickpost info

Monday 13 July 2009

Quickpost: TrueCrypt’s Boot Loader Screen Options

Filed under: Encryption,Entertainment,Quickpost — Didier Stevens @ 0:26

Ready for some Security Through Obscurity fun?
I’ve been playing with TrueCrypt‘s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption.


It’s probably enough to be misleading during a casual inspection of your laptop:


The screen doesn’t even display asterisks when you type your TrueCrypt password.
It’s just as unresponsive as the original “NTLDR is missing” screen.
The only difference with the Windows XP NT Loader missing message, is that the original is just a bit longer:


Or you can just let it display gibberish, like this:



And if challenged, say your laptop was infected with a virus from that damned hotel’s WiFi network.

Quickpost info

Monday 6 July 2009

Patching PDF Readers to Support Hidden Embedded Files

Filed under: Hacking,PDF — Didier Stevens @ 20:27

Today, I’m showing you how you can patch your PDF reader (Foxit or Adobe) to handle PDF documents with hidden embedded files. And for Foxit, there’s a bonus: Foxit Reader can also embed files into existing PDF documents.

In my stego PDF trick, I just replace the name /EmbeddedFiles with /Embeddedfiles in the PDF document. As the PDF language is case-sensitive, your PDF reader doesn’t recognize /Embeddedfiles, and hence doesn’t handle the embedded file. PDF readers are designed to skip features of the PDF language they don’t understand (i.e. new features of the PDF language), so that’s why you don’t get an error message from your PDF reader for /Embeddedfiles.

If you search for the string EmbeddedFiles in the binaries of your PDF reader and replace it with Embeddedfiles, it will handle PDF documents with hidden embedded files (but it will stop supporting PDF documents with visible embedded files).

Doing this for Foxit is easy, as there’s only one binary, Foxit Reader.exe. Open it with a hex editor and search for EmbeddedFiles:


Replace it with Embeddedfiles and save it:


That’s it, now you use your patched Foxit Reader to reveal hidden embedded files:


And have you noticed the Add button? Foxit Reader also provides support to add embedded files to existing PDF documents! So you’re not limited to using my Python program to create your own PDF documents.

For Adobe Reader, the trick is the same. Open AcroRd32.dll in a hex editor and do a search and replace (I had to patch 2 instances of of EmbeddedFiles).

Wednesday 1 July 2009

Embedding and Hiding Files in PDF Documents

Filed under: My Software,PDF — Didier Stevens @ 6:28

My corrupted PDF quip inspired me to program another steganography trick: embed a file in a PDF document and corrupt the reference, thereby effectively making the embedded file invisible to the PDF reader.

The PDF specification provides ways to embed files in PDF documents. I’m releasing my Python program to create a PDF file with embedded file (I used make-pdf-embedded.py to create my EICAR.pdf).

Here’s how a PDF document with an embedded file looks like:


/EmbeddedFiles points to the dictionary with the embedded files:


As names defined in the PDF specification are case sensitive, changing the case changes the semantics: /Embeddedfiles has no meaning, and thus the PDF reader ignores it and doesn’t find the embedded file.



Actually, I used this trick in my Brucon puzzle. I used the –stego option of make-pdf-embedded.py:


Of course, once you know the stego trick, it’s easy to recover the embedded file: edit the PDF document with an hex editor and change the case back to /EmbeddedFiles.

But if you want to make it harder to detect, use PDF obfuscation techniques. Or embed the file twice with incremental updates. First version is the file you want to hide, second version is a decoy…

The PDF language offers so many features to hide and obfuscate data!


make-pdf_V0_1_2.zip (https)

MD5: 305D57692C27DD3CD91D8C85A3932948

SHA256: A030BBCB8B54137D8047A4CB5C350725599383A4B113CABBA8871AC221378C5B

Blog at WordPress.com.