A Method of Data Hiding in a File System by Modifying Directory Information

  • Cho, Gyu-Sang (School of Public Technology Service, Dongyang University)
  • Received : 2018.08.01
  • Accepted : 2018.08.21
  • Published : 2018.08.31

Abstract

This research proposes a method to hide data by modifying directory index entry information. It consists of two methods: directory list hiding and file contents hiding. The directory list hiding method prevents the list of files from appearing in the file explorer window or the command prompt window. The file names of several index entries are modified so that they are duplicated; if the duplicated files are then deleted, only the original file is deleted, while the modified files are retained intact in the MFT entry. As a result, the fact that these files are hidden is not exposed. The file contents hiding method allocates the data to be hidden to an empty index record page that is not in use. If many files are created in a directory, several 4KB index records are allocated. NTFS leaves the empty index records unchanged after the files are deleted. By modifying the run-list of the index record with the cluster number of the file-to-hide, the contents of the file-to-hide are hidden in the index record. When the proposed method is applied to the case of hiding two files, the file lists are not exposed in the file explorer or the command prompt window, and the contents of the file-to-hide are hidden in the empty index record. This proves that the proposed method is effective and valid.
