Академический Документы
Профессиональный Документы
Культура Документы
net/publication/221411287
CITATIONS READS
4 3,863
3 authors, including:
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by David Anthony Dampier on 17 June 2015.
Abstract—Multiple methods of information hiding can be used by criminals to conceal incriminating data. The FAT
and NTFS file systems are the most commonly used file systems in operating systems today, and therefore are the
most exploited. Most methods of information hiding can be detected using forensic tool kits designed specifically for
cyber crime investigators. The purpose of this paper is to explore various methods of information hiding in the FAT
and NTFS file systems)
Keywords- Digital forensics, information hiding, file system, FAT, NTFS, slack space, file slack, disk slack, bad cluster, free space,
steganography, forensic toolkit, deleted file, hidden file, directory entries, alternate data streams, master file table, hidden partition,
computer forensics analysis
I. INTRODUCTION
Information hiding, accomplished by exploiting a computer's file system and various other operating system
characteristics, can take on many forms. In many cases, information hiding is a intentional activity that an individual
employs to store away sensitive information in an attempt to make it invisible to everyone else. However, there are some
exceptions, such as digital watermarking, that are used for appropriate purposes. Some common methods of information
hiding include: hidden files, deleted files, hidden partitions, alternate data streams, steganography, and slack space hiding.
There are many computer forensics tool kits available that allow a user to detect multiple types of information hiding.
Taking a more in depth look to how these tool kits detect the types of information hiding mentioned gives a deeper
understanding of how the information hiding was accomplished.
The most widely used file systems for Windows operating systems are the file allocation table (FAT) file systems and the
new technologies file system (NTFS). These file systems both perform the same basic tasks, but for the purposes of
information hiding, their subtle differences change the ways that some methods of information hiding are accomplished.
Thus, a brief overview of each file system, along with a small discussion of their differences is warranted and shall be
presented prior to the discussion of the various methods of information hiding.
II. FAT FILE SYSTEMS
The FAT or File Allocation Table file system is one of the simplest file systems used today. Its simplicity is mainly due to
its compatibility with multiple operating systems and its small number of data structures [1]. Because of this, many cross-
platform storage devices, such as thumb drives, use FAT file systems to avoid complications when running the device on
other machines with different operating systems. However, as Carrier [1] points out, the simplicity has lead to many
modifications used to give the system new capabilities. Also, FAT does not follow the five-category model laid out by
Carrier [1]. This is mainly due to its low number of data structures that perform duties for more than one category. This
makes it easier to analyze the FAT file system in terms of its data structures as apposed to breaking it down into the five
categories of file system data. The FAT file system uses two primary data structures, the file allocation table and directory
entries [1].
III. NTFS FILE SYSTEMS
The New Technologies File System (NTFS) was designed by Microsoft and is the default file system for Microsoft
Windows NT, Windows 2000, Windows Server, and Windows XP [1]. NTFS is also the default file system for Windows
Vista and Windows 7.
The master file table (MFT) is the primary data structure and it contains information about all files and directories of the
file system [1]. Each entry in the MFT contains attributes that describe the file. These attributes are denoted by a name
beginning with a ‘$’. One important aspect of the NTFS file system is that everything is treated as a file, even the MFT.
The NTFS file system is a more complex and advanced file system. Its introduction was supposed to provide a more
reliable and secure file system than FAT [1]. However, NTFS file systems are still susceptible to virtually all of the same
methods of information hiding that the FAT file systems are.
IV. REASONS FOR INFORMATION HIDING
Not all information hiding is done for criminal purposes. Hidden partitions can be used to place a system recovery
partition on the disk. Also, hidden partitions can be used when you need to install multiple legacy operating systems that do
not usually work well when installed simultaneously [3]. Steganography can be used for digital watermarking in an attempt
to prevent copyright infringement. Alternate Data Streams (ADS) can be used to allow a file to contain additional property
information. For the purposes of this paper, however, let us discuss the methods of information hiding from a perspective of
both the criminal and the investigator.
V. INFORMATION HIDING METHODS
[1] B. Carrier, “File System Forensic Analysis,” Addison-Wesley, Upper Saddle River, NJ, 2005.
[2] C. Davis, A. Phillip, and D. Cowen, “Hacking Exposed: Computer Forensics Secrets & Solutions,” McGraw-Hill, Emeryville, CA, 2005.
[3] “Hide Data in Hidden Partitions,” http://blog.crowdway.com/2009/04/15/hide-data-in-hidden-partitions/ (current 8 November 2009).
[4] G. C. Kessler, “An Overview of Steganography for the Computer Forensics Examiner,” Forensic Science Communications, vol. 6 no. 3, July 2004.
Available online: http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2004_03_research01.htm
[5] “Practical Guide to Alternative Data Streams in NTFS,” http://www.irongeek.com/i.php?page=security/altds. (current 8 November 2009).
[6] L. Shu-fen, P. Sheng, H. Xing-yan, and T. Lu, “File Hiding Based on FAT File System,” Proceedings IEEE International Symposium on IT in
Medicine & Education, Ji’nan, China, vol. 1, 2009, pp. 1198-1201.