Permutation Steganography in FAT Filesystems

  • John AycockEmail author
  • Daniel Medeiros Nunes de Castro
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8948)


It is easy to focus on elaborate steganographic schemes and forget that even straightforward ones can have a devastating impact in an enterprise setting, if they allow information to be exfiltrated from the organization.

To this end, we offer a cautionary tale: we show how messages may be hidden in FAT filesystems using the permutation of filenames, a method that allows a hidden message to be embedded using regular file copy commands. A straightforward scheme, but effective. Our experiments on seven different platforms show that the existence of the hidden message is obscured in practice in the vast majority of cases.


Actual File Levenshtein Distance Hide Message Permutation Steganography Strong Adversary 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by a grant from TELUS Communications. Thanks to the anonymous referees for suggestions that helped improve the paper.


  1. 1.
    Caraman, P. (trans.): The Hunted Priest: Autobiography of John Gerard. Fontana (1959)Google Scholar
  2. 2.
    Macaulay, G.C. (trans.): The History of Herodotus, vol. 2. Macmillan, London (1890)Google Scholar
  3. 3.
    Johnson, N.F., Duric, Z., Jajodia, S.: Information Hiding: Steganography and Watermarking - Attacks and Countermeasures. Kluwer, Boston (2001)CrossRefGoogle Scholar
  4. 4.
    Katzenbeisser, S., Petitcolas, F.A.P. (eds.): Information Hiding: Techniques for Steganography and Digital Watermarking. Artech House, Norwood (2000)Google Scholar
  5. 5.
    Wayner, P.: Disappearing Cryptography, 2nd edn. Morgan Kaufmann, New York (2002)Google Scholar
  6. 6.
    Duncan, R. (ed.): The MS-DOS Encyclopedia. Microsoft Press, Redmond (1988)Google Scholar
  7. 7.
    Laisant, C.A.: Sur la numération factorielle, application aux permutations. Bulletin de la Société Mathématique de France 16, 176–183 (1888)zbMATHMathSciNetGoogle Scholar
  8. 8.
    Lehmer, D.H.: Teaching combinatorial tricks to a computer. In: 10th Symposium in Applied Mathematics of the American Mathematical Society, pp. 179–193 (1960). Symposium was actually held in 1958Google Scholar
  9. 9.
    Knuth, D.E.: The Art of Computer Programming: Seminumerical Algorithms, 3rd edn., vol. 2. Addison Wesley (1998)Google Scholar
  10. 10.
    Reversing Labs: Hiding in the familiar: Steganography and vulnerabilities in popular archives formats. ( (Accessed 14 March 2014)
  11. 11.
    Levenshtein, V.I.: Binary codes capable of correcting deletions, insertions, and reversals. Soviet Physics - Doklady 10, 707–710 (1966). TranslationMathSciNetGoogle Scholar
  12. 12.
    Carrier, B.: File System Forensic Analysis. Addison-Wesley, Reading (2005)Google Scholar
  13. 13.
    Jiang, A., Schwartz, M., Bruck, J.: Error-correcting codes for rank modulation. In: IEEE International Symposium on Information Theory, pp. 1736–1740 (2008)Google Scholar
  14. 14.
    Chakinala, R.C., Kumarasubramanian, A., Manokaran, R., Noubir, G., Rangan, C.P., Sundaram, R.: Steganographic communication in ordered channels. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 42–57. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  15. 15.
    Eidenbenz, R., Locher, T., Wattenhofer, R.: Hidden communication in P2P networks steganographic handshake and broadcast. In: Proceedings IEEE INFOCOM 2011, pp. 954–962 (2011)Google Scholar
  16. 16.
    Forest, K., Knight, S.: Permutation-based steganographic channels. In: Fourth International Conference on Risks and Security of Internet and Systems (CRiSIS), pp. 67–73 (2009)Google Scholar
  17. 17.
    Rudebusch, W.G.: Permutation steganography in many systems. Master’s thesis, University of Nevada, Reno (2011)Google Scholar
  18. 18.
    Mosunov, A., Sinha, V., Crawford, H., Aycock, J., de Castro, D.M.N., Kumari, R.: Assured supraliminal steganography in computer games. In: Kim, Y., Lee, H., Perrig, A. (eds.) WISA 2013. LNCS, vol. 8267, pp. 245–259. Springer, Heidelberg (2014) CrossRefGoogle Scholar
  19. 19.
    Tapiador, J.M., Hernandez-Castro, J.C., Alcaide, A., Ribagorda, A.: On the distinguishability of distance-bounded permutations in ordered channels. Trans. Info. For. Sec. 3, 166–172 (2008)CrossRefGoogle Scholar
  20. 20.
    Anderson, R., Needham, R., Shamir, A.: The steganographic file system. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 73–82. Springer, Heidelberg (1998) CrossRefGoogle Scholar
  21. 21.
    McDonald, A.D., Kuhn, M.G.: StegFS: A steganographic file system for Linux. In: Pfitzmann, A. (ed.) IH 1999. LNCS, vol. 1768, pp. 463–477. Springer, Heidelberg (2000) Google Scholar
  22. 22.
    Pang, H., Tan, K.L., Zhou, X.: StegFS: a steganographic file system. In: 19th International Conference on Data Engineering 2003, pp. 657–667 (2003)Google Scholar
  23. 23.
    Niu, X., Li, Q., Wang, W., Wang, Y.: G bytes data hiding method based on cluster chain structure. Wuhan University J. Nat. Sci. 18, 443–448 (2013)CrossRefGoogle Scholar
  24. 24.
    Srinivasan, A., Wu, J.: Duplicate file names-a novel steganographic data hiding technique. In: Abraham, A., Mauri, J.L., Buford, J.F., Suzuki, J., Thampi, S.M. (eds.) ACC 2011, Part IV. CCIS, vol. 193, pp. 260–268. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  25. 25.
    Thompson, I., Monroe, M.: FragFS: An advanced data hiding technique. Presentation at BlackHat Federal (2006)Google Scholar
  26. 26.
    Shu-fen, L., Sheng, P., Xing-yan, H., Lu, T.: File hiding based on FAT file system. In: IEEE International Symposium on IT in Medicine Education, ITIME 2009, vol. 1, pp. 1198–1201 (2009)Google Scholar
  27. 27.
    Khan, H., Javed, M., Khayam, S.A., Mirza, F.: Designing a cluster-based covert channel to evade disk investigation and forensics. Comput. Secur. 30, 35–49 (2011)CrossRefGoogle Scholar
  28. 28.
    Srinivasan, A., Stavrou, A., Nazaraj, S.T.: HideInside - a novel randomized & encrypted antiforensic information hiding. In: Proceedings of the 2013 International Conference on Computing, Networking and Communications (ICNC), ICNC 2013, pp. 626–631. IEEE Computer Society, Washington, DC (2013)Google Scholar
  29. 29.
    The grugq: The art of defiling - defeating forensic analysis on Unix file systems. Presentation at BlackHat Asia (2003)Google Scholar
  30. 30.
    Savoldi, A., Gubian, P.: Data hiding in SIM/USIM cards: A steganographic approach. In: Proceedings of the Second International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2007, pp. 86–100. IEEE Computer Society, Washington, DC (2007)Google Scholar
  31. 31.
    Savoldi, A., Gubian, P.: SIM and USIM filesystem: A forensics perspective. In: Proceedings of the 2007 ACM Symposium on Applied Computing, SAC 2007, pp. 181–187. ACM, New York (2007)Google Scholar
  32. 32.
    Davis, J., MacLean, J., Dampier, D.: Methods of information hiding and detection in file systems. In: Proceedings of the 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, SADFE 2010, pp. 66–69. IEEE Computer Society, Washington, DC (2010)Google Scholar
  33. 33.
    Huebner, E., Bem, D., Wee, C.K.: Data hiding in the NTFS file system. Digital Invest. 3, 211–226 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • John Aycock
    • 1
    Email author
  • Daniel Medeiros Nunes de Castro
    • 1
  1. 1.Department of Computer ScienceUniversity of CalgaryCalgaryCanada

Personalised recommendations