Understanding privileges and permissions - Security

0

Recently i downloaded one software that is "protecting" the folders by hiding them.

The software is https://fspro.net/my-lockbox/

I opened the cmd as administrator and i thought that i will recover it by attributes but, nothing, it raised an error File not found - personal

Then i noticed something when i just typed cd personal - Access is denied.

My first thought it was that has to do about privileges takeown /F "D:\person" /A /R /D Y but again the same error Access is denied..

Ok, i continue and i closed every process that had to do with that program.

I followed the same but nothing! With these command icacls "D:\person" /setowner "Administrators" /T /C i got
D:\person: Access is denied. D:\person\*: Access is denied. Successfully processed 0 files; Failed processing 2 files. OK maybe it is something more than this!

Before i "hide" the folder i was inside the folder and when i hided it i checked the Properties and i saw You must have Read permissions to view the properties of this object

I checked the advanced option - Change the Owner and i didn't have the option to change it but only You must have Read permissions to view the properties of this object

With PowerShell and with PowerForensics library .... I found the file!! Also, with a third party (WinUtilities Undelete and https://www.x-ways.net/winhex/)!

I noticed that the name of the file had not changed,(didn't use clsid) it was there! Just hidden, without attributes without encryption!

My question is what is going on there?

What am i missing about privileges - permissions?

what makes it inaccessible and hidden?

Please, the point of this question is not to critique but about knowledge! Thanks!

AlexDotis

Posted 2019-12-11T01:31:31.613

Reputation: 3

1"Recently i downloaded one software that is "protecting" the folders by hiding them." Name? – Mr Ethernet – 2019-12-11T01:57:26.917

@Mr Ethernet I don't know if I say the name of the program will change anything. It's about to understand and take knowledge, but anyway. https://fspro.net/my-lockbox/

– AlexDotis – 2019-12-11T02:40:44.907

1Providing more information generally leads to better quality answers. You should include the name of the software that made these unknown changes in the question. It's one of the most important details. I don't understand the logic behind essentially saying "I used a program and I don't want to tell anyone what it is because I don't think it's relevant... but please help me fix something it broke." – Mr Ethernet – 2019-12-11T03:07:55.337

Yes, you are right! I will edit my post! – AlexDotis – 2019-12-11T22:17:30.190

Please Edit to indicate the Third Party software used to view the file despite My Lockbox hiding the file. – Christopher Hostage – 2019-12-11T22:30:51.323

Have you tried asking the maker of the software My Lockbox? As you have demonstrated, it's not very effective at hiding files from a determined investigator. – Christopher Hostage – 2019-12-11T22:31:50.233

@Christopher Hostage I edit my post. No, i didn't try to contact with the maker of the software. it's not very effective at hiding files from a determined investigator I recovered the file but the question is , what makes it inaccessible. It may be a high-level knowledge but at least I want to have an idea. – AlexDotis – 2019-12-12T00:43:21.327

Answers

0

My Lockbox utilize File System Driver. It essentially sit between the OS and the file system, allowing it to prevent reading and/or hide folders/files when Explorer or other apps using standard API call list the directory. Since it's simply an additional app that get loaded on boot, it's trivial to for apps that doesn't use standard API to list & read the "hidden" files, or just boot from other OS (can be Windows too) that doesn't have the My Lockbox installed. Even disabling the filter driver is enough to bypass the protection. Windows provide this intercept functionality not just for files and folders, but also for registry and process.

This is why My Lockbox attempt to thwart uninstallation without password since that will simply disable any "protection". The difficulty on doing this (since uninstalling don't really need My Lockbox approval), the similarity to virus trying to hide itself (which lead to incompatibilities with antivirus apps), and the wide availability of free & easy to use encryption app that will still work even when you boot from another OS, makes file system driver "protection" without encryption rather obsolete now.

Martheen Cahya Paulo

Posted 2019-12-11T01:31:31.613

Reputation: 1 347

Very good explanation!! Thank you! – AlexDotis – 2019-12-18T20:09:31.950

Asked: 2019-12-11T01:31:31.613

Viewed: 191 times

Active: 2019-12-18T08:13:25.257