Data Hiding in NTFS Timestamps for Anti-Forensics

  • Cho, Gyu-Sang (Dept. of Computer Information Warfare, Dongyang University)
  • Received : 2016.06.11
  • Accepted : 2016.07.12
  • Published : 2016.08.31

Abstract

In this paper, we propose a new anti-forensic method for hiding data in the timestamps of a file in the Windows NTFS filesystem. The main idea of the proposed method is to use the 16 least significant bits of each 64-bit timestamp. The 64-bit timestamp format counts 100-nanosecond intervals, so these low-order bits represent a fraction of a second that is not commonly displayed at full precision in the Windows Explorer window or in the file browsers of forensic tools. This allows them to be repurposed. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute holds four timestamps, so 16 bytes are available for hiding data. Without any change to the original timestamp in "year-month-day hour:min:sec" format, we deliberately place the hidden data in the 16 least significant bits, making its presence in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.
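The following is an added example, not code from the paper: it models the 16-bit channel in a FILETIME value, shows that the second-precision display is unaffected, and gives an examiner-side carve of the eight timestamps of an MFT entry with a simple triage heuristic. The creation time, the 16-byte message and the printable-ASCII heuristic are constructed assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here
LOW16 = 0xFFFF                                              # the channel: 16 least-significant bits
# Constructed sample creation time (not from the paper); 123456 us keeps it well clear
# of a second boundary, so rewriting the low bits cannot carry into the seconds field.
SAMPLE_CREATED = datetime(2016, 6, 11, 9, 30, 15, 123456, tzinfo=timezone.utc)
SAMPLE_MESSAGE = b"hidden in ticks!"                        # 16 bytes = 8 timestamps x 2 bytes

def to_filetime(dt):
    """Microsecond datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def display(ft):
    """What Explorer shows: second precision, so the low bits are invisible."""
    return from_filetime(ft).strftime("%Y-%m-%d %H:%M:%S")

def embed_low16(ft, two_bytes):
    """Overwrite the low 16 bits with two payload bytes (little-endian).
    The value moves by at most 0xFFFF ticks = 6.5535 ms, so display() only
    changes if the original lies within that distance of a second boundary."""
    if len(two_bytes) != 2:
        raise ValueError("each timestamp carries exactly two bytes")
    return (ft & ~LOW16) | int.from_bytes(two_bytes, "little")

def extract_low16(ft):
    return (ft & LOW16).to_bytes(2, "little")

def carve_channel(timestamps):
    """Examiner side: concatenate the low 16 bits of the eight timestamps
    ($STANDARD_INFORMATION M,A,C,E then $FILE_NAME M,A,C,E) read from the MFT entry."""
    return b"".join(extract_low16(ft) for ft in timestamps)

def looks_hidden(timestamps):
    """Triage heuristic (an assumption of this example, not a result of the paper):
    untouched low bits are clock residue, so 16 carved bytes that are all printable
    ASCII strongly suggest the channel carries text. Binary payloads need other checks."""
    return all(0x20 <= b < 0x7F for b in carve_channel(timestamps))

def demo():
    """One constructed MFT entry whose eight timestamps equal the creation time, before
    and after embedding SAMPLE_MESSAGE: (carved bytes, display unchanged?, flagged before, after)."""
    created = to_filetime(SAMPLE_CREATED)
    clean = [created] * 8
    stego = [embed_low16(ft, SAMPLE_MESSAGE[2 * i:2 * i + 2]) for i, ft in enumerate(clean)]
    shown_same = [display(ft) for ft in stego] == [display(ft) for ft in clean]
    return carve_channel(stego), shown_same, looks_hidden(clean), looks_hidden(stego)

if __name__ == "__main__":
    print(demo())
```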
