Along this talk, we will talk about a well-known filesystem used by millions of people, the NTFS, which is used in every Windows machine.
In fact, only a few people know what you can really find in a NTFS filesystem, we will see how it works and how we can hijack it.
The talk will be split in three parts, here is the detail:
- Presentation of what is the NTFS (Mainly the MFT), how the files are stored in it and what you can find with a forensic approach
- How some malwares exploits those features or bugs from the NTFS format to hide themselves. I will present you two APT that take part of the NTFS to stay hidden.
I will finally show you two vulnerabilities that I've found on the NTFS.SYS file which is the driver in charge of the storage of the datas on the drive. Those vunerabilities can be triggered by plug-in a USB key (No user interaction).
About Stéfan Le Berre (HEURS) @heurs
Heurs is a security researcher specialized in Windows kernel, bug hunting and exploitation.