Top

Published in:

2019 | OriginalPaper | Chapter

fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques

Authors : Thomas Göbel, Harald Baier

Published in: Digital Forensics and Cyber Crime

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the filesystem layer. In modern filesystems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each filesystem. In most cases, however, the source code and the theoretical approach of a particular hiding technique is not accessible and thus maintainability and reproducibility of the anti-forensic tool is not guaranteed. In this paper, we present fishy, a framework designed to implement and analyze different filesystem-based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the filesystem layer. Currently, the framework is able to hide data within ext4, FAT and NTFS filesystems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the filesystem layer. fishy was built to support the exploration and collection of various hiding techniques and ensure the reproducibility and expandability with its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to the description of the actual framework, its current state, its use, and its easy expandability, we also present some hiding techniques for various filesystems and discuss possible future extensions of our framework.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter On Efficiency and Effectiveness of Linear Function Detection Approaches for Memory Carving

next chapter If I Had a Million Cryptos: Cryptowallet Application Analysis and a Trojan Proof-of-Concept

http://www.forensicswiki.org/wiki/Anti-forensic_techniques#Generic_Data_Hiding (last accessed 2018-05-10).

https://github.com/dasec/fishy/.

https://packetstormsecurity.com/files/17642/bmap-1.0.17.tar.gz.html (last accessed 2018-05-10).

http://www.bishopfox.com/resources/tools/other-free-tools/mafia/ (last accessed 2018-05-10).

http://index-of.es/Linux/R/runefs.tar.gz (last accessed 2018-05-10).

Python bindings for The Sleuth Kit: https://github.com/py4n6/pytsk (last accessed 2018-05-14).

Conlan, K., Baggili, I., Breitinger, F.: Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy. Digit. Investig. 18, 66–75 (2016)CrossRef

Rogers, M.: Anti-Forensics, presented at Lockheed Martin, San Diego, 15 September 2005. www.researchgate.net/profile/Marcus_Rogers/publication/268290676_Anti-Forensics_Anti-Forensics/links/575969a908aec91374a3656c.pdf. Accessed 12 May 2018

Harris, R.: Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Digit. Investig. 3, 44–49 (2006)CrossRef

Wundram, M., Freiling, F.C., Moch, C.: Anti-forensics: The next step in digital forensics tool testing. IT Security Incident Management and IT Forensics (IMF), pp. 83–97 (2013)

Ridder, C.K.: Evidentiary implications of potential security weaknesses in forensic software. Int. J. Digit. Crime Forensics (IJDCF) 1(3), 80–91 (2009)CrossRef

Newsham, T., Palmer, C., Stamos, A., Burns, J.: Breaking forensics software: weaknesses in critical evidence collection. In: Proceedings of the 2007 Black Hat Conference. Citeseer (2007)

Kailus, A.V., Hecht, C., Göbel, T., Liebler, L.: fishy - Ein Framework zur Umsetzung von Verstecktechniken in Dateisystemen. D.A.CH Security 2018, syssec Verlag (2018)

Anderson, R., Needham, R., Shamir, A.: The steganographic file system. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 73–82. Springer, Heidelberg (1998). https://doi.org/10.1007/3-540-49380-8_6CrossRef

McDonald, A.D., Kuhn, M.G.: StegFS: a steganographic file system for Linux. In: Pfitzmann, A. (ed.) IH 1999. LNCS, vol. 1768, pp. 463–477. Springer, Heidelberg (2000). https://doi.org/10.1007/10719724_32CrossRef

10.

Piper, S., Davis, M., Shenoi, S.: Countering hostile forensic techniques. In: Olivier, M.S., Shenoi, S. (eds.) Advances in Digital Forensics II. IFIP AICT, vol. 222, pp. 79–90. Springer, Boston, MA (2006). https://doi.org/10.1007/0-387-36891-4_7CrossRef

11.

Göbel, Thomas, Baier, Harald: Anti-forensic capacity and detection rating of hidden data in the Ext4 filesystem. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics XIV. IFIP AICT, vol. 532, pp. 87–110. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-99277-8_6CrossRef

12.

Neuner, S., Voyiatzis, A.G., Schmiedecker, M., Brunthaler, S., Katzenbeisser, S., Weippl, E.R.: Time is on my side: steganography in filesystem metadata. Digit. Investig. 18, 76–86 (2016)CrossRef

13.

Fairbanks, K.D.: An analysis of Ext4 for digital forensics. Digit. Investig. 9, 118–130 (2012)CrossRef

14.

Eckstein, K., Jahnke, M.: Data hiding in journaling file systems. In: Proceedings of the 5th Annual Digital Forensic Research Workshop (DFRWS) (2005)

15.

Piper, S., Davis, M., Manes, G., Shenoi, S.: Detecting Hidden Data in Ext2/Ext3 File Systems. In: Pollitt, M., Shenoi, S. (eds.) Advances in Digital Forensics. ITIFIP, vol. 194, pp. 245–256. Springer, Boston, MA (2006). https://doi.org/10.1007/0-387-31163-7_20CrossRef

16.

Grugq, T.: The art of defiling: defeating forensic analysis. In: Blackhat Briefings, Las Vegas, NV (2005)

17.

Huebner, E., Bem, D., Wee, C.K.: Data hiding in the NTFS file system. Digit. Investig. 3, 211–226 (2006)CrossRef

18.

Krenhuber, A., Niederschick, A.: Forensic and Anti-Forensic on modern Computer Systems. Johannes Kepler Universitaet, Linz (2007)

19.

Berghel, H., Hoelzer, D., Sthultz, M.: Data hiding tactics for windows and unix file systems. In: Advances in Computers, vol. 74, pp. 1–17 (2008)

20.

Thompson, I., Monroe, M.: FragFS: an advanced data hiding technique. In: BlackHat Federal, January 2018. http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Thompson/BH-Fed-06-Thompson-up.pdf. Accessed 12 May 2018

21.

Forster, J.C., Liu, V.: catch me, if you can... In: BlackHat Briefings (2005). http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-foster-liu-update.pdf. Accessed 12 May 2018

22.

Garfinkel, S.: Anti-forensics: techniques, detection and countermeasures. In: 2nd International Conference on i-Warfare and Security, pp. 77–84 (2007)

23.

Göbel, T., Baier, H.: Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding. Digit. Investig. 24, 111–120 (2018)CrossRef

24.

Carrier, B.: File System Forensic Analysis. Addison-Wesley Professional, Boston (2005)

25.

Wong, D.J.: Ext4 Disk Layout, Ext4 Wiki (2016). https://ext4.wiki.kernel.org/index.php/Ext4_Disk_Layout. Accessed 12 May 2018

Title: fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques
Authors: Thomas Göbel
Harald Baier
Publisher: Springer International Publishing
Book: Digital Forensics and Cyber Crime
Print ISBN: 978-3-030-05486-1

Electronic ISBN: 978-3-030-05487-8

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-05487-8_2

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner