This research proposes a method of hiding data by modifying directory index entry information.
It consists of two methods: directory list hiding and file contents hiding. The directory list hiding method keeps the list of files from appearing in the File Explorer window or the Command Prompt window.
The file names of several index entries are modified so that they become duplicates; when the duplicated files are deleted, only the original file is deleted, while the modified files are retained intact in their MFT entries. As a result, the fact that these files are hidden is not exposed.
The file contents hiding method places the data to be hidden in an empty index record page that is not in use. If many files are created in a directory, several 4 KB index records are allocated. NTFS leaves the empty index records unchanged after the files are deleted. By modifying the run-list of the index record with the cluster number of the file-to-hide, the contents of the file-to-hide are hidden in the index record.
When the proposed method was applied to a case of hiding two files, the file lists were not exposed in File Explorer or the Command Prompt window, and the contents of the file-to-hide were hidden in the empty index record. This proves that the proposed method is effective and valid.
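From the examiner's side, the duplicated-name state described above is detectable, because a directory index should never key two different MFT records under the same file name. The following check is an added example, not code from the paper: it walks the entry list of one index node and reports names that map to more than one MFT record. It assumes the node (node header plus entries) has already been extracted from `$INDEX_ROOT` or from an INDX record with fixups applied; the function names are hypothetical and the sample node is constructed.

```python
import struct
from collections import defaultdict

def index_entries(node: bytes):
    """Yield (mft_record, name) from an NTFS index node header + entry list."""
    first, used = struct.unpack_from("<II", node, 0)    # offsets relative to node header
    pos = first
    while pos + 16 <= min(used, len(node)):
        ref, length, key_len, flags = struct.unpack_from("<QHHI", node, pos)
        if flags & 0x02 or length < 16:                 # last-entry marker carries no key
            break
        if key_len >= 66 and pos + 82 <= len(node):     # $FILE_NAME key: 66 fixed bytes + name
            nchars = node[pos + 80]
            name = node[pos + 82: pos + 82 + 2 * nchars].decode("utf-16-le", "replace")
            yield ref & 0xFFFFFFFFFFFF, name            # low 48 bits = MFT record number
        pos += length

def duplicate_names(node: bytes):
    """Return {NAME: sorted MFT records} for names that key more than one record."""
    seen = defaultdict(set)
    for rec, name in index_entries(node):
        seen[name.upper()].add(rec)                     # approximation of $UpCase collation
    return {n: sorted(r) for n, r in seen.items() if len(r) > 1}

def make_entry(rec, name, last=False):
    """Build one constructed index entry (timestamps and sizes zeroed)."""
    if last:
        return struct.pack("<QHHI", 0, 16, 0, 0x02)
    raw = name.encode("utf-16-le")
    key = bytes(64) + bytes([len(name), 1]) + raw       # namespace 1 = Win32
    length = (16 + len(key) + 7) & ~7                   # entries are 8-byte aligned
    body = struct.pack("<QHHI", rec | (1 << 48), length, len(key), 0) + key
    return body.ljust(length, b"\0")

def build_node(entries):
    """Constructed index node: 16-byte node header followed by the entries."""
    blob = b"".join(make_entry(r, n) for r, n in entries) + make_entry(0, "", last=True)
    return struct.pack("<IIII", 16, 16 + len(blob), 16 + len(blob), 0) + blob

# Constructed sample: MFT records 41 and 42 are both keyed as "report.txt".
SAMPLE = build_node([(40, "notes.txt"), (41, "report.txt"), (42, "report.txt")])

if __name__ == "__main__":
    print(duplicate_names(SAMPLE))
```

A file that has both a long name and an 8.3 name produces two entries with different names for the same record, so it is not flagged; only one name shared by distinct records is.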
@article{ART002377560,
  author={Cho Gyu Sang},
  title={A Method of Data Hiding in a File System by Modifying Directory Information},
  journal={Journal of The Korea Society of Computer and Information},
  issn={1598-849X},
  year={2018},
  volume={23},
  number={8},
  pages={85-93},
  doi={10.9708/jksci.2018.23.08.085}
}
Keywords: Data hiding; Directory; Modifying directory information; File System; NTFS
Publisher: The Korean Society Of Computer And Information