Abstract
The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the filesystem layer. In modern filesystems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each filesystem. In most cases, however, the source code and the theoretical approach of a particular hiding technique are not accessible, and thus the maintainability and reproducibility of the anti-forensic tool are not guaranteed. In this paper, we present fishy, a framework designed to implement and analyze different filesystem-based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the filesystem layer. Currently, the framework is able to hide data within ext4, FAT and NTFS filesystems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the filesystem layer. fishy was built to support the exploration and collection of various hiding techniques and to ensure reproducibility and expandability through its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to describing the actual framework, its current state, its use, and its easy expandability, we also present some hiding techniques for various filesystems and discuss possible future extensions of our framework.
Notes
1. http://www.forensicswiki.org/wiki/Anti-forensic_techniques#Generic_Data_Hiding (last accessed 2018-05-10).
2.
3. https://packetstormsecurity.com/files/17642/bmap-1.0.17.tar.gz.html (last accessed 2018-05-10).
4. http://www.bishopfox.com/resources/tools/other-free-tools/mafia/ (last accessed 2018-05-10).
5. http://index-of.es/Linux/R/runefs.tar.gz (last accessed 2018-05-10).
6. Python bindings for The Sleuth Kit: https://github.com/py4n6/pytsk (last accessed 2018-05-14).
Acknowledgments
This work was supported by the German Federal Ministry of Education and Research (BMBF) within the funding program Forschung an Fachhochschulen (contract number: 13FH019IB6) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP (www.crisp-da.de). In addition, we would like to thank all participating students of the bachelor module Project System Development, who played a major role in the implementation of the framework.
Copyright information
© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Göbel, T., Baier, H. (2019). fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques. In: Breitinger, F., Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 259. Springer, Cham. https://doi.org/10.1007/978-3-030-05487-8_2
DOI: https://doi.org/10.1007/978-3-030-05487-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-05486-1
Online ISBN: 978-3-030-05487-8