Data hiding in the NTFS file system

Authors:
Ewa Huebner;Derek Bem;Cheong Kai Wee
Affiliations:
University of Western Sydney, Australia;University of Western Sydney, Australia;Edith Cowan University, Perth, Western Australia, Australia
Venue:
Digital Investigation: The International Journal of Digital Forensics & Incident Response
Year:
2006

Citing 3
Cited 3

Forensic Discovery

Forensic Discovery
File System Forensic Analysis

File System Forensic Analysis
Track-aligned extents: matching access patterns to disk drive characteristics

FAST'02 Proceedings of the 1st USENIX conference on File and storage technologies

Computer forensics workshop for undergraduate students

ACE '08 Proceedings of the tenth conference on Australasian computing education - Volume 78
Persistent systems techniques in forensic acquisition of memory

Digital Investigation: The International Journal of Digital Forensics & Incident Response
Steganographic information hiding that exploits a novel file system vulnerability

International Journal of Security and Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

In this paper we examine the methods of hiding data in the NTFS file system. Further we discuss the analysis techniques which can be applied to detect and recover data hidden using each of these methods. We focus on sophisticated data hiding where the goal is to prevent detection by forensic analysis. Obvious data hiding techniques, for example setting the hidden attribute of a file, will not be included. Hidden data can be further obfuscated by file system independent approaches like data encryption and steganography. This paper is only concerned with the methods which are made possible by the structure of the NTFS file system, and with the recovery of hidden data, not its interpretation.