Detecting Hidden Data in Ext2/Ext3 File Systems

Abstract: The use of digital forensic tools by law enforcement agencies has made it difficult for malicious individuals to hide potentially incriminating evidence. To combat this situation, the hacker community has developed anti-forensic tools that remove or hide electronic evidence for the specific purpose of undermining forensic investigations. This paper examines the latest techniques for hiding data in the popular Ext2 and Ext3 file systems. It also describes techniques for detecting hidden data in the reserved por… Show more

“…Generalized techniques have been proposed for hiding information in unused blocks of hard disks or data structures of filesystems (Huebner et al, 2006;Piper et al, 1984;Eckstein and Jahnke, 2005). However, these techniques are naive and an investigator can easily identify and retrieve hidden data using simple byte-level approaches described in Carrier (2005).…”

“…In order to ensure evasion during forensic investigation, covert channelsea subclass of information hiding techniquesehide sensitive information in media that are neither designed for nor intended to transfer information (Simmons, 1984). Most of the contemporary covert channels are devised for communication protocols while a few information hiding techniques for storage devices have also been proposed (Huebner et al, 2006;Piper et al, 1984;Eckstein and Jahnke, 2005;Anderson et al, 1998;McDonald and Kuhn, 1999;Pang et al, 2003).…”

Designing a cluster-based covert channel to evade disk investigation and forensics

“…Generalized techniques have been proposed for hiding information in unused blocks of hard disks or data structures of filesystems (Huebner et al, 2006;Piper et al, 1984;Eckstein and Jahnke, 2005). However, these techniques are naive and an investigator can easily identify and retrieve hidden data using simple byte-level approaches described in Carrier (2005).…”

“…In order to ensure evasion during forensic investigation, covert channelsea subclass of information hiding techniquesehide sensitive information in media that are neither designed for nor intended to transfer information (Simmons, 1984). Most of the contemporary covert channels are devised for communication protocols while a few information hiding techniques for storage devices have also been proposed (Huebner et al, 2006;Piper et al, 1984;Eckstein and Jahnke, 2005;Anderson et al, 1998;McDonald and Kuhn, 1999;Pang et al, 2003).…”

Designing a cluster-based covert channel to evade disk investigation and forensics

“…Research has also been done on hiding techniques and detecting approach with the ext2 and the ext3 file systems [7]. Apart from this, there is a study proposing a new technique that stores substantial amounts of data inside the journaling file systems in a robust way [1].…”

Data Hiding in Virtual Machine Disk Images

“…The data hiding methods are usually intended to be used in communication protocols for sensitive data transmission [9], [4]. Works [5], [16], [18] provide effective data hiding methods for storing sensitive information in the disk drives. General steganographic methods for data hiding in an unused space of disk structures and file systems are discussed in [5], [10], [18], but in those cases the information can be easily revealed by a third party in case it analyzes the disk.…”

Covert Channel for Cluster-based File Systems Using Multiple Cover Files