Top

The Journal of Supercomputing

Published in:

01-01-2016

Data concealments with high privacy in new technology file system

Authors: Fu-Hau Hsu, Min-Hao Wu, Syun-Cheng Ou, Shiuh-Jeng Wang

Published in: The Journal of Supercomputing | Issue 1/2016

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

This paper proposes a new approach, called file concealer (FC), to conceal files in a computer system. FC modifies metadata about a file in NTFS (New Technology File System) to hide the file. Unlike traditional hooking methods which can be easily detected by antivirus software, experimental results show that it is difficult for antivirus software to detect the files hidden by FC. Moreover, to enhance the concealment capability of FC, FC also rearranges the order of some data sectors of a hidden file. As a result, even if another person finds the original sectors used by the hidden file, it is difficult for him to recover the original content of the hidden file. Experimental results show that even data recovery tools cannot restore the content of a hidden file. All information that is required to restore a hidden file is stored in a file, called recovery file hereafter. When a user uses FC to hide a file, the user can specify any file as a host file, such as an image file, to which the recovery file will be appended. As a result, the user can easily restore a hidden file; however, it is difficult for other person to detect or restore the hidden file and the related recovery file.

previous article Security experts’ capability design for future internet of things platform

next article Cybercrime investigation countermeasure using created-accessed-modified model in cloud computing environments

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Butler J, Hoglund G (2004) VICE-catch the hookers. Black Hat USA 61:17–35

Tan CK (2004) Defeating kernel native API hookers by direct service dispatch table restoration. In: Technical Report, Special Interest Group in Security and Information Integrity, pp 1–12

Hoglund G, Butler J (2006) Rootkits: subverting the Windows kernel. Addison-Wesley Professional, book

MSDN (2013) ZwXxx routines [Online]. http://msdn.microsoft.com/en-us/library/windows/hardware/ff567122(v=vs.85).aspx. Accessed 3 Aug 2015

Symantec (2012) Windows rootkit overview [Online]. http://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf. Accessed 3 Aug 2015

Riley R, Jiang X, Xu D (2009) Multi-aspect profiling of kernel rootkit behavior. In: Proceedings of the 4th ACM European conference on computer systems, pp 47–60

Wang YM, Beck D, Vo B, Roussev R, Verbowski C (2005) Detecting stealth software with strider ghostbuster. In: International conference on dependable systems and networks, DSN 2005, Proceedings, pp 368–377

Ramaswamy A (2008) Detecting kernel rootkits. In: Technical Report TR2008-627, Dartmouth College, Computer Science, Hanover, NH

Srivastava A, Giffin J (2012) Efficient protection of kernel data structures via object partitioning. In: Proceedings of the 28th annual computer security applications conference, pp 429–438

10.

Martini AI, Zaharis A, Ilioudis C (2008) Detecting and manipulating compressed alternate data streams in a forensics investigation. In: Third international annual workshop on digital forensics and incident analysis, WDFIA’08, pp 53–59

11.

Means RL (2003) Alternate data streams: out of the shadows and into the light. Retrieved 20:2005

12.

Wang C (2015) Alternate data streams [Online]. http://cyrilwang.blogspot.tw/2009/06/alternate-data-streams_18.html. Accessed 3 Aug 2015

13.

Wee CK (2006) Analysis of hidden data in NTFS file system [Online]. http://www.forensicfocus.com/downloads/ntfs-hidden-data-analysis.pdf. Accessed 3 Aug 2015

14.

Dima A (2007) A Win32-based technique for finding and hashing NTFS alternate data streams. In: Proceeding of DoD CyberCrime 2007 Conference, pp 1–14

15.

Huebner E, Bem D, Wee CK (2006) Data hiding in the NTFS file system. Digit Investig 3:211–226CrossRef

16.

Russon R, Fledel Y (2004) NTFS documentation [Online]. http://dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf. Accessed 3 Aug 2015

17.

Sedory DB (2012) An examination of the NTFS volume boot record [Online]. http://thestarman.narod.ru/asm/mbr/NTFSBR.htm. Accessed 3 Aug 2015

18.

Mehrdad (2011) How to invalidate the file system cache? [Online]. http://stackoverflow.com/questions/7405868/how-to-invalidate-the-file-system-cache. November 2011. Accessed 3 Aug 2015

Title: Data concealments with high privacy in new technology file system
Authors: Fu-Hau Hsu
Min-Hao Wu
Syun-Cheng Ou
Shiuh-Jeng Wang
Publication date: 01-01-2016
Publisher: Springer US
Published in: The Journal of Supercomputing / Issue 1/2016
Print ISSN: 0920-8542
Electronic ISSN: 1573-0484
DOI: https://doi.org/10.1007/s11227-015-1492-y

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Other articles of this Issue 1/2016

Privacy-enhanced middleware for location-based sub-community discovery in implicit social groups

Editorial: A special section on “Emerging Platform Technologies”

A novel security architecture of electronic vehicle system for smart grid communication

Mutual authentication scheme between biosensor device and data manager in healthcare environment

Real-time motion control on Android platform

A new approach to deploying private mobile network exploits

Premium Partner