A Problem Solving Method for Non-Admittable Characters of a Windows File Name in a Directory Index Anti-Forensic Technique
Cho, Gyusang;
This research proposes a modified data hiding method to hide data in the slack space of an NTFS index record. The existing data hiding method is an anti-forensic technique that uses the traces of file names left in the index entries of an index record when files are deleted in a directory. The method proposed in this paper modifies the existing method so that ASCII characters that are non-admittable in a file name can be used. By improving the existing method, the file creation errors caused by non-admittable characters are remedied. These cover the 9 non-admittable characters (i.e. slash /, colon :, greater than >, less than <, question mark ?, backslash \, vertical bar |, semicolon ;, asterisk *), reserved file names (i.e. CON, PRN, AUX, NUL, COM1~COM9, LPT1~LPT9) and the two characters that are non-admittable as the ending character of a file name (i.e. space and dot). Results for two messages containing non-admittable ASCII characters entered from the keyboard show the applicability of the proposed method.
Data Hiding; Directory Index; Digital Forensics; NTFS; Windows; B-tree
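For an examiner, the index-record slack that the abstract refers to can be inspected directly. The following is an added example, not code from the paper: it locates the slack of one INDX record and carves stale file-name entries from it. The field offsets follow the commonly documented INDX and $FILE_NAME layouts, update-sequence fixups are assumed to be already applied, and the record and file names are constructed sample data.

```python
import struct

NODE = 0x18  # index node header; its offset/size fields are relative to this point

def entry(name: str, mft_ref: int = 0x2A) -> bytes:
    """Constructed $I30 index entry (timestamps and sizes zeroed, Win32 namespace)."""
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    size = (0x10 + len(fn) + 7) & ~7          # entries are 8-byte aligned
    return (struct.pack("<QHHI", mft_ref, size, len(fn), 0) + fn).ljust(size, b"\0")

def sample_record() -> bytes:
    """Constructed 4096-byte record: one live entry, end marker, one stale entry."""
    live = entry("report.docx") + struct.pack("<QHHI", 0, 0x10, 0, 2)
    stale = entry("invoice_old.txt")          # residue of a deleted file's entry
    hdr = struct.pack("<4sHHQQ", b"INDX", 0x28, 9, 0, 0)
    node = struct.pack("<IIII", 0x28, 0x28 + len(live), 4096 - NODE, 0)
    return (hdr + node + bytes(0x18) + live + stale).ljust(4096, b"\0")

def slack(record: bytes) -> bytes:
    """Bytes between the end of the live entries and the end of the allocated node."""
    if record[:4] != b"INDX":
        raise ValueError("not an INDX record")
    first, used, alloc = struct.unpack_from("<III", record, NODE)
    if not first <= used <= alloc <= len(record) - NODE:
        raise ValueError("inconsistent index node header")
    return record[NODE + used:NODE + alloc]

def carve_names(buf: bytes) -> list[str]:
    """Find stale index entries in slack by checking that their length fields agree."""
    names = []
    for off in range(0, len(buf) - 0x52, 8):
        size, fn_len = struct.unpack_from("<HH", buf, off + 8)
        n_chars, namespace = buf[off + 0x50], buf[off + 0x51]
        if n_chars == 0 or namespace > 3 or fn_len != 0x42 + 2 * n_chars:
            continue
        aligned = (0x10 + fn_len + 7) & ~7
        if size - aligned not in (0, 8) or off + size > len(buf):  # +8: child VCN
            continue
        raw = buf[off + 0x52:off + 0x52 + 2 * n_chars]
        names.append(raw.decode("utf-16-le", errors="replace"))
    return names

if __name__ == "__main__":
    print(carve_names(slack(sample_record())))
```
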