A Steganographic Data Hiding Method in Timestamps by Bit Correction Technique for Anti-Forensics

  • Cho, Gyu-Sang (School of Public Technology Service, Dongyang University)
  • Received : 2018.08.13
  • Accepted : 2018.08.27
  • Published : 2018.08.31

Abstract

This research proposes a bit correction technique for hiding data in the timestamps of MFT entries in the NTFS file system. The method is proposed in two forms, depending on the number of bytes of data to hide. A basic data hiding method using the bit correction technique is proposed to solve the problems of the conventional 2-byte technique. To increase data capacity, a 3-byte data hiding method using an extended bit correction technique is proposed. Data hiding in timestamps relies on the fact that data hidden in the sub-second portion of a timestamp is not revealed in the Windows Explorer window or the command prompt window. The validity of the proposed method is shown through two experimental cases: the basic data hiding method using the bit correction technique and the 3-byte data hiding method using the extended bit correction technique.
