http://dx.doi.org/10.17661/jkiiect.2015.8.4.327

A New NTFS Anti-Forensic Technique for NTFS Index Entry  

Cho, Gyu-Sang (Department of Computer Information, Dongyang University)
Publication Information
The Journal of Korea Institute of Information, Electronics, and Communication Technology / v.8, no.4, 2015, pp. 327-337
Abstract
This work presents a new anti-forensic technique for hiding a message in a directory index of the Windows NTFS file system. The behaviour of the B-tree that NTFS uses to manage index entries is exploited to place the hidden message in the slack space of an index record. So that the hidden message is not exposed, a disguised file is used, which leaves no trace in the file name attribute of an MFT entry. To explain the key idea of the proposed technique, we describe the B-tree indexing method and the proposal of this work. We show that the proposed technique is practical for anti-forensic use with a real message-hiding case carried out with a software tool developed for this purpose.
Keywords
Anti-forensic technique; Data hiding; Directory index; B-tree; NTFS file system;
Citations & Related Records
Times Cited By KSCI : 2