 Title & Authors
A New NTFS Anti-Forensic Technique for NTFS Index Entry
Cho, Gyu-Sang;
 Abstract
This work provides a new anti-forensic technique for hiding a message in a directory index of the Windows NTFS file system. The behavioral characteristics of the B-tree, which NTFS adopts to manage index entries, are utilized to hide a message in the slack space of an index record. So that the hidden message is not exposed, a disguised file is used so that no trace is left in the file name attribute of an MFT entry. To explain the key idea of the proposed technique, we describe the B-tree indexing method and the proposed method of this work. We show that the proposed technique is practical for anti-forensic use with a real message-hiding case carried out with a developed software tool.
 Keywords
Anti-forensic technique; Data hiding; Directory index; B-tree; NTFS file system
 Language
Korean
 Cited by
1.
A Solution to the Problem of Characters That Cannot Be Used in Windows File Names in the Directory Index Anti-Forensic Technique, Cho, Gyu-Sang;
디지털산업정보학회논문지 (Journal of the Korea Society of Digital Industry and Information Management), 2015, vol. 11, no. 4, pp. 69-79
2.
An Anti-Forensic Technique for Hiding Data in NTFS Index Records with Unicode Conversion Applied, Cho, Gyu-Sang;
융합보안논문지 (Convergence Security Journal), 2015, vol. 15, no. 7, pp. 75-84