A Maximum Data Allocation Rule for an Anti-forensic Data Hiding Method in NTFS Index Record

  • Cho, Gyu-Sang (School of Public Technology Service, Dongyang University)
  • Received : 2017.05.20
  • Accepted : 2017.06.10
  • Published : 2017.08.31

Abstract

The anti-forensic data hiding method for NTFS index records stores data as file names in index entries and then leaves those index entries in an intentionally generated slack area of a 4KB-sized index record [7]. In this paper, we propose a maximum data allocation rule for this method; i.e., we develop a computational method for optimally storing the data to be hidden in an NTFS index record and obtain the optimal solution by applying it. Our analysis confirms that the case where the number of index entries is n = 7 is the maximum case, and we show screen captures of the index entries as experimental results.

References

  1. Wikipedia, Anti-computer forensics, https://en.wikipedia.org/wiki/Anti-computer_forensics
  2. Michael T. Raggo and Chet Hosmer, Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols, Elsevier, 2013.
  3. H. Carvey, Windows Forensics and Incident Recovery, Addison-Wesley, 2005.
  4. Metasploit, Anti Forensics Project, http://www.metasploit.com/research/projects/antiforensics/
  5. Ewa Huebner, Derek Bem and Cheong Kai Wee, "Data Hiding in the NTFS File System," Digital Investigation, Vol. 3, Issue 4, 2006, pp. 211-226. https://doi.org/10.1016/j.diin.2006.10.005
  6. K. Eckstein and M. Jahnke, "Data Hiding in Journaling File Systems," Proceedings of Digital Forensic Research Workshop (DFRWS 2005), pp. 1-8, Aug. 2005.
  7. G.-S. Cho, "A New NTFS Anti-Forensic Technique for NTFS Index Entry," The Journal of Korea Institute of Information, Electronics, and Communication Technology, Vol. 8, No. 4, 2015.
  8. G.-S. Cho, "An Anti-Forensic Technique for Hiding Data in NTFS Index Record with a Unicode Transformation," Journal of Korea Convergence Security Association, Vol. 16, No. 7, pp. 75-84, July 2015.
  9. B. Carrier, File System Forensic Analysis, Addison-Wesley, 2005.