The Journal of Supercomputing

, Volume 72, Issue 1, pp 120–140 | Cite as

Data concealments with high privacy in new technology file system

  • Fu-Hau Hsu
  • Min-Hao Wu
  • Syun-Cheng Ou
  • Shiuh-Jeng Wang


This paper proposes a new approach, called file concealer (FC), to conceal files in a computer system. FC modifies metadata about a file in NTFS (New Technology File System) to hide the file. Unlike traditional hooking methods which can be easily detected by antivirus software, experimental results show that it is difficult for antivirus software to detect the files hidden by FC. Moreover, to enhance the concealment capability of FC, FC also rearranges the order of some data sectors of a hidden file. As a result, even if another person finds the original sectors used by the hidden file, it is difficult for him to recover the original content of the hidden file. Experimental results show that even data recovery tools cannot restore the content of a hidden file. All information that is required to restore a hidden file is stored in a file, called recovery file hereafter. When a user uses FC to hide a file, the user can specify any file as a host file, such as an image file, to which the recovery file will be appended. As a result, the user can easily restore a hidden file; however, it is difficult for other person to detect or restore the hidden file and the related recovery file.


File rootkit NTFS File storage system Anti-forensics 



This research was partially supported by the Ministry of Science and Technology of the Republic of China under the Grant NSC 102-2221-E-015-001-, MOST 103-2221-E-015-002-, MOST 104-2221-E-015-001-, MOST 103-2221-E-008 -087- and MOST 104-2221-E-008 -056-.


  1. 1.
    Butler J, Hoglund G (2004) VICE-catch the hookers. Black Hat USA 61:17–35Google Scholar
  2. 2.
    Tan CK (2004) Defeating kernel native API hookers by direct service dispatch table restoration. In: Technical Report, Special Interest Group in Security and Information Integrity, pp 1–12Google Scholar
  3. 3.
    Hoglund G, Butler J (2006) Rootkits: subverting the Windows kernel. Addison-Wesley Professional, bookGoogle Scholar
  4. 4.
    MSDN (2013) ZwXxx routines [Online]. Accessed 3 Aug 2015
  5. 5.
    Symantec (2012) Windows rootkit overview [Online]. Accessed 3 Aug 2015
  6. 6.
    Riley R, Jiang X, Xu D (2009) Multi-aspect profiling of kernel rootkit behavior. In: Proceedings of the 4th ACM European conference on computer systems, pp 47–60Google Scholar
  7. 7.
    Wang YM, Beck D, Vo B, Roussev R, Verbowski C (2005) Detecting stealth software with strider ghostbuster. In: International conference on dependable systems and networks, DSN 2005, Proceedings, pp 368–377Google Scholar
  8. 8.
    Ramaswamy A (2008) Detecting kernel rootkits. In: Technical Report TR2008-627, Dartmouth College, Computer Science, Hanover, NHGoogle Scholar
  9. 9.
    Srivastava A, Giffin J (2012) Efficient protection of kernel data structures via object partitioning. In: Proceedings of the 28th annual computer security applications conference, pp 429–438Google Scholar
  10. 10.
    Martini AI, Zaharis A, Ilioudis C (2008) Detecting and manipulating compressed alternate data streams in a forensics investigation. In: Third international annual workshop on digital forensics and incident analysis, WDFIA’08, pp 53–59Google Scholar
  11. 11.
    Means RL (2003) Alternate data streams: out of the shadows and into the light. Retrieved 20:2005Google Scholar
  12. 12.
    Wang C (2015) Alternate data streams [Online]. Accessed 3 Aug 2015
  13. 13.
    Wee CK (2006) Analysis of hidden data in NTFS file system [Online]. Accessed 3 Aug 2015
  14. 14.
    Dima A (2007) A Win32-based technique for finding and hashing NTFS alternate data streams. In: Proceeding of DoD CyberCrime 2007 Conference, pp 1–14Google Scholar
  15. 15.
    Huebner E, Bem D, Wee CK (2006) Data hiding in the NTFS file system. Digit Investig 3:211–226CrossRefGoogle Scholar
  16. 16.
    Russon R, Fledel Y (2004) NTFS documentation [Online]. Accessed 3 Aug 2015
  17. 17.
    Sedory DB (2012) An examination of the NTFS volume boot record [Online]. Accessed 3 Aug 2015
  18. 18.
    Mehrdad (2011) How to invalidate the file system cache? [Online]. November 2011. Accessed 3 Aug 2015

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Fu-Hau Hsu
    • 1
  • Min-Hao Wu
    • 1
  • Syun-Cheng Ou
    • 1
  • Shiuh-Jeng Wang
    • 2
  1. 1.Department of Computer Science and Information EngineeringNational Central UniversityTaoyuanTaiwan
  2. 2.Department of Information ManagementCentral Police UniversityTaoyuanTaiwan

Personalised recommendations