A Method of Data Hiding in a File System by Modifying Directory Information

Cho Gyu Sang

Journal of The Korea Society of Computer and Information

Abbr : JKSCI
2018, 23(8), pp.85-93
Publisher : The Korean Society Of Computer And Information
Research Area : Computer Science

Cho Gyu Sang ¹

¹동양대학교

ABSTRACT

In this research, it is proposed that a method to hide data by modifying directory index entry information. It consists of two methods: a directory list hiding and a file contents hiding. The directory list hiding method is to avoid the list of files from appearing in the file explorer window or the command prompt window. By modifying the file names of several index entries to make them duplicated, if the duplicated files are deleted, then the only the original file is deleted, but the modified files are retained in the MFT entry intact. So, the fact that these files are hidden is not exposed. The file contents hiding is to allocate data to be hidden on an empty index record page that is not used. If many files are made in the directory, several 4KB index records are allocated. NTFS leaves the empty index records unchanged after deleting the files. By modifying the run-list of the index record with the cluster number of the file-to-hide, the contents of the file-to-hide are hidden in the index record. By applying the proposed method to the case of hiding two files, the file lists are not exposed in the file explorer and the command prompt window, and the contents of the file-to-hide are hidden in the empty index record. It is proved that the proposed method has effectiveness and validity.
KEYWORDS

Data hiding, Directory, Modifying direcotory information, File System, NTFS
REFERENCES (16)

[book] Michael T. Raggo / 2012 / Data Hiding: Exposing Concealed Data in Multimedia, Operating Systems, Mobile Devices and Network Protocols / Syngress

[book] N. A. Hassan. / 2017 / Data Hiding Techniques in Windows OS / Elsevier

[web] / 0000 / Metasploit Anti Forensics Project / http://www.metasploit.com/research/projects/antiforensics/

[book] I. Thompson / 2006 / FragFS: an advanced data hiding technique / BlackHat Federal

[book] Piper / 2005 / Advanced in Digital Forensics / Springer : 245~256

[journal] Ewa Huebner / 2006 / Data hiding in the NTFS file system / Digital Investigation / Elsevier BV 3(4) : 211~226 / 10.1016/j.diin.2006.10.005

[journal] 조규상 / 2016 / Data Hiding in NTFS Timestamps for Anti-Forensics / The International Journal of Internet, Broadcasting and Communication / 한국인터넷방송통신학회 8(3) : 31~40 / http://dx.doi.org/10.7236/IJIBC.2016.8.3.31

[journal] Sebastian Neuner / 2016 / Time is on my side: Steganography in filesystem metadata / Digital Investigation / Elsevier BV 18 : S76~S86 / 10.1016/j.diin.2016.04.010

[journal] Thomas Göbel / 2018 / Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding / Digital Investigation / Elsevier BV 24 : S111~S120 / 10.1016/j.diin.2018.01.014

[confproc] P. Grd. / 2010 / Analysis of B-tree data structure and its usage in computer forensics / Proc. of the 21st Cent. Euro. Conf. on Infor. and Intelli. Sys. : 423~428

[journal] 조규상 / 2017 / Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives / 한국컴퓨터정보학회논문지 / 한국컴퓨터정보학회 22(8) : 73~83

[journal] 조규상 / 2015 / A New NTFS Anti-Forensic Technique for NTFS Index Entry / 한국정보전자통신기술학회 논문지 / 한국정보전자통신기술학회 8(4) : 327~337

[journal] A. Srinivasan / 2013 / Steganographic information hiding that exploits a novel file system vulnerability / Int. J. Security and Networks 8(2)

[journal] Fu-Hau Hsu / 2016 / Data concealments with high privacy in new technology file system / The Journal of Supercomputing / Springer Nature 72(1) : 120~140 / 10.1007/s11227-015-1492-y

[book] B. Carrier / 2005 / File System Forensic Analysis / Addison-Wesley : 273~396

[journal] 조규상 / 2017 / A Maximum Data Allocation Rule for an Anti-forensic Data Hiding Method in NTFS Index Record / The International Journal of Internet, Broadcasting and Communication / 한국인터넷방송통신학회 9(3) : 17~26 / https://doi.org/10.7236/IJIBC.2017.9.3.17
KCI Citation (0)

KJC Korea
Journal Central

Statistics

Tools