Abstract
This paper proposes a new approach, called file concealer (FC), to conceal files in a computer system. FC hides a file by modifying its metadata in NTFS (New Technology File System). Traditional hooking methods are easily detected by antivirus software; by contrast, experimental results show that antivirus software has difficulty detecting files hidden by FC. To strengthen the concealment, FC also rearranges the order of some of a hidden file's data sectors, so that even someone who locates the original sectors cannot easily reconstruct the file's content; experimental results show that data recovery tools likewise fail to restore a hidden file. All information needed to restore a hidden file is kept in a separate file, called the recovery file hereafter. When hiding a file with FC, the user may specify any file, such as an image file, as a host file to which the recovery file is appended. The user can thus restore the hidden file easily, while it is difficult for anyone else to detect or restore either the hidden file or its recovery file.
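To make the two mechanisms in the abstract concrete, the following is an added illustration (not FC's code and not from the paper) over an in-memory "volume": a file's data sectors are rewritten in a permuted order, and the permutation plus the sector list are stored in a small recovery record appended to an arbitrary host file. A carver that finds the right sectors but reads them in LBA order gets scrambled content; only the recovery record reassembles the file. The record format, the keyed permutation, the `FCRC` trailer and the sample data are assumptions made here for the example.

```python
"""Toy model of sector permutation plus an appended recovery record.

Constructed example, not the FC implementation: the JSON record, the
secret-seeded permutation and the length+magic trailer are assumptions.
"""
import hashlib
import json
import random
import struct

SECTOR = 512
MAGIC = b"FCRC"  # assumed marker closing the appended recovery record


def _permutation(n, secret):
    # Deterministic shuffle seeded from the secret; the recovery record,
    # not the secret, is what restore() needs later.
    seed = int.from_bytes(hashlib.sha256(secret).digest(), "big")
    perm = list(range(n))
    random.Random(seed).shuffle(perm)
    if n > 1 and perm == list(range(n)):
        perm = perm[1:] + perm[:1]  # never leave the sectors in place
    return perm


def hide(disk, sectors, secret):
    """Permute a file's data sectors in place; return the recovery record.

    disk: bytearray of the volume; sectors: LBAs of the file in logical order.
    """
    blocks = [bytes(disk[s * SECTOR:(s + 1) * SECTOR]) for s in sectors]
    digest = hashlib.sha256(b"".join(blocks)).hexdigest()
    perm = _permutation(len(sectors), secret)
    # After this loop, sector sectors[i] holds logical block perm[i].
    for i, s in enumerate(sectors):
        disk[s * SECTOR:(s + 1) * SECTOR] = blocks[perm[i]]
    return {"sectors": sectors, "perm": perm, "sha256": digest}


def append_record(host, record):
    """Append the record to a host file: JSON body, 4-byte length, magic."""
    body = json.dumps(record).encode()
    return host + body + struct.pack("<I", len(body)) + MAGIC


def split_record(blob):
    """Split a host file carrying a trailer into (host_bytes, record)."""
    if blob[-4:] != MAGIC:
        raise ValueError("no recovery record appended")
    (length,) = struct.unpack("<I", blob[-8:-4])
    body = blob[-8 - length:-8]
    return blob[:-8 - length], json.loads(body)


def restore(disk, record):
    """Undo the permutation using the record and verify the digest."""
    sectors, perm = record["sectors"], record["perm"]
    shuffled = [bytes(disk[s * SECTOR:(s + 1) * SECTOR]) for s in sectors]
    original = [None] * len(sectors)
    for i, p in enumerate(perm):
        original[p] = shuffled[i]  # block at position i really belongs at p
    data = b"".join(original)
    if hashlib.sha256(data).hexdigest() != record["sha256"]:
        raise ValueError("integrity check failed")
    return data


def carve(disk, sectors):
    """What a carver sees: the right sectors, read in LBA order."""
    return b"".join(bytes(disk[s * SECTOR:(s + 1) * SECTOR]) for s in sectors)


def demo():
    # Constructed 64-sector volume; the "file" occupies sectors 10..15 and
    # each of its sectors is filled with a distinct byte so order is visible.
    disk = bytearray(64 * SECTOR)
    sectors = list(range(10, 16))
    for i, s in enumerate(sectors):
        disk[s * SECTOR:(s + 1) * SECTOR] = bytes([0x41 + i]) * SECTOR
    plain = carve(disk, sectors)

    record = hide(disk, sectors, b"user secret")
    host = append_record(b"\xff\xd8 constructed JPEG stand-in \xff\xd9", record)

    carved = carve(disk, sectors)        # scrambled: sectors found, order lost
    _, rec = split_record(host)
    recovered = restore(disk, rec)       # exact original via the recovery record
    return plain, carved, recovered
```

On a real volume the sector writes would have to go underneath the mounted file system, so the OS page cache must be bypassed or invalidated for the permuted data to be what is actually on disk; the toy above has no cache, which is why the effect is visible immediately.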
Acknowledgments
This research was partially supported by the Ministry of Science and Technology of the Republic of China under the Grants NSC 102-2221-E-015-001-, MOST 103-2221-E-015-002-, MOST 104-2221-E-015-001-, MOST 103-2221-E-008-087- and MOST 104-2221-E-008-056-.
Cite this article
Hsu, FH., Wu, MH., Ou, SC. et al. Data concealments with high privacy in new technology file system. J Supercomput 72, 120–140 (2016). https://doi.org/10.1007/s11227-015-1492-y