
Data concealments with high privacy in new technology file system

The Journal of Supercomputing

Abstract

This paper proposes a new approach, called file concealer (FC), to conceal files in a computer system. FC hides a file by modifying that file's metadata in NTFS (New Technology File System). Traditional hooking methods are easily detected by antivirus software; experimental results show that antivirus software has difficulty detecting files hidden by FC. Moreover, to strengthen the concealment, FC also rearranges the order of some data sectors of a hidden file, so that even a person who finds the original sectors used by the hidden file cannot easily recover its original content. Experimental results show that even data recovery tools cannot restore the content of a hidden file. All information required to restore a hidden file is stored in a file, called the recovery file hereafter. When a user hides a file with FC, the user can specify any file, such as an image file, as a host file to which the recovery file is appended. As a result, the user can easily restore a hidden file, whereas it is difficult for anyone else to detect or restore either the hidden file or the related recovery file.
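The following is an added, user-space model of the two concealment ideas the abstract describes; it is written for this page and is not the paper's code. It (1) writes the sectors of the file to be hidden back in a key-dependent order, so that someone who locates the sectors sees the right bytes in the wrong order, and (2) packs everything needed to undo that into a small recovery record appended to an innocent host file, here a constructed 1x1 PNG. The real FC edits NTFS metadata on disk; this script only operates on byte strings so it runs anywhere. The record layout, the `FCRV` marker, the HMAC-SHA256 sector ordering and the sample payload are all assumptions made for the example. It also includes the check an examiner would run against such a host file: a PNG ends at its IEND chunk, so any bytes after it are foreign.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
import zlib

SECTOR = 512                                   # sector size on most NTFS volumes
MAGIC = b"FCRV"                                # assumed marker for the recovery record
PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # the final 12 bytes of every PNG


def sector_order(key: bytes, n: int) -> list[int]:
    """Key-dependent permutation of sector indices 0..n-1 (assumed scheme:
    sort the indices by HMAC-SHA256(key, index))."""
    def tag(i: int) -> bytes:
        return hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
    return sorted(range(n), key=tag)


def conceal(data: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Split data into sectors, emit them in permuted order, and build the
    recovery record that holds everything needed to undo the permutation."""
    padded = data + b"\x00" * (-len(data) % SECTOR)
    sectors = [padded[i:i + SECTOR] for i in range(0, len(padded), SECTOR)]
    order = sector_order(key, len(sectors))
    scrambled = b"".join(sectors[i] for i in order)
    # record layout (assumed): magic | original length (u64) | sector count (u32)
    #                          | key length (u16) | key
    record = MAGIC + struct.pack(">QIH", len(data), len(sectors), len(key)) + key
    return scrambled, record


def restore(scrambled: bytes, record: bytes) -> bytes:
    """Undo conceal(): put the sectors back in their original order."""
    if not record.startswith(MAGIC):
        raise ValueError("not a recovery record")
    length, n, klen = struct.unpack(">QIH", record[4:18])
    key = record[18:18 + klen]
    order = sector_order(key, n)
    sectors = [b""] * n
    for pos, original_index in enumerate(order):
        sectors[original_index] = scrambled[pos * SECTOR:(pos + 1) * SECTOR]
    return b"".join(sectors)[:length]


def make_png_1x1() -> bytes:
    """Constructed host file: a valid 1x1 red PNG."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body)))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def append_to_host(host: bytes, record: bytes) -> bytes:
    """Hide the record after the host's last chunk; image viewers ignore it."""
    return host + record


def trailing_data(host: bytes) -> bytes:
    """Examiner's check: bytes after IEND do not belong to the PNG."""
    end = host.find(PNG_IEND)
    if not host.startswith(PNG_SIG) or end < 0:
        raise ValueError("not a PNG")
    return host[end + len(PNG_IEND):]


def demo() -> dict:
    secret = (bytes(range(256)) * 6)[:1300]   # constructed 1300-byte payload -> 3 sectors
    key = b"example-key"
    scrambled, record = conceal(secret, key)
    host = append_to_host(make_png_1x1(), record)
    found = trailing_data(host)               # what the trailer check turns up
    return {
        "sectors": len(scrambled) // SECTOR,
        "record_found_by_trailer_check": found == record,
        "recovered_ok": restore(scrambled, found) == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible. First, the permutation alone is what defeats a naive carve of the sectors; the recovery record is the single secret, so in this design its hiding place carries all of the security. Second, appending to a host file is exactly the kind of hiding a trailer check catches: `trailing_data()` returns the whole record from the host in one call, which is why a practitioner evaluating such a scheme should test it against format-aware carving rather than only against antivirus and recovery tools.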

Acknowledgments

This research was partially supported by the Ministry of Science and Technology of the Republic of China under Grants NSC 102-2221-E-015-001-, MOST 103-2221-E-015-002-, MOST 104-2221-E-015-001-, MOST 103-2221-E-008-087- and MOST 104-2221-E-008-056-.

Author information

Correspondence to Shiuh-Jeng Wang.

Cite this article

Hsu, FH., Wu, MH., Ou, SC. et al. Data concealments with high privacy in new technology file system. J Supercomput 72, 120–140 (2016). https://doi.org/10.1007/s11227-015-1492-y