http://dx.doi.org/10.9708/jksci.2018.23.08.085

A Method of Data Hiding in a File System by Modifying Directory Information  

Cho, Gyu-Sang (School of Public Technology Service, Dongyang University)
Abstract
This research proposes a method to hide data by modifying directory index entry information. It consists of two methods: directory list hiding and file contents hiding. The directory list hiding method prevents files from appearing in the listing shown in the File Explorer window or the command prompt window. The file names of several index entries are modified so that they become duplicates; when the duplicated files are deleted, only the original file is deleted, while the modified files are retained intact in their MFT entries. As a result, the fact that these files are hidden is not exposed. The file contents hiding method allocates the data to be hidden on an empty index record page that is not in use. If many files are created in a directory, several 4 KB index records are allocated. NTFS leaves the empty index records unchanged after the files are deleted. By modifying the run-list of the index record with the cluster number of the file-to-hide, the contents of the file-to-hide are hidden in the index record. When the proposed method is applied to a case of hiding two files, the file lists are not exposed in File Explorer or the command prompt window, and the contents of the file-to-hide are hidden in the empty index record. The results show that the proposed method is effective and valid.
Keywords
Data hiding; Directory; Modifying directory information; File System; NTFS
Citations & Related Records
Times Cited By KSCI: 4