Forensics Journal - Stevenson University 2013 | Page 33

[...] officially released the New Technology File System (NTFS) to home users. NTFS gave users support for higher-capacity storage devices together with a higher level of security: file-level encryption (the Encrypting File System), recoverability through a transaction journal, and per-file access control, among other built-in protections.

As shown in Figure 2, every file has several components, each holding a different piece of information about that file. In addition to its file attributes, a file stored on an NTFS volume carries a security descriptor listing the access restrictions that apply to it. NTFS also attaches streams to each file. A stream is a sequence of bytes holding data written to the file; every file has one unnamed (default) data stream, which is what applications open and what a directory listing sizes, and the system keeps the other information it needs to store and retrieve the file in further attributes.

FIGURE 2

NTFS supports alternate data streams (ADS), which can be used much as steganography is used. An ADS lets a hidden file be stored inside a legitimate file; the hidden file does not appear in a directory listing the way a normal file does. (Graves 114-115)

With traditional steganography, when a payload is written into a carrier file, the size of the carrier grows to accommodate the added data. With ADS, the hidden data is not merged into the carrier's contents at all. Instead, it is written to a separate named stream that directory listings and file-size checks do not count, although the file system does allocate space for it on disk. Figure 3 shows the size of a file called test.txt before any stream is added.

FIGURE 3

Each stream associated with a file has its own allocation size, actual size, and valid data length:

• The allocation size is the amount of disk space reserved for the stream.
• The actual size is the number of bytes used by a caller.
• The valid data length (VDL) is the number of bytes, out of the allocation size, that have been initialized for the stream. (“Microsoft”)

Figure 4 shows the size of test.txt after a stream called hidden.txt has been added to it; the file is still reported as 15 bytes, because the size shown is that of the default stream alone. The named stream is not invisible to the operating system, however: dir /r (Windows Vista and later) and PowerShell's Get-Item -Stream * list it, and it is silently dropped when the file is copied to a FAT or exFAT volume or added to a ZIP archive.

FIGURE 4

DETECTING ADS

Because the hidden data lives outside the file's default stream, any tool that examines only that stream will miss it. Figure 5 is a screenshot from Forensic Toolkit (FTK) Imager showing the contents of test.txt after hidden.txt was added to it. FTK Imager displays only the file's actual content, the string of text “This is a test”, and not the hidden string “This should be hidden.”

FIGURE 5

Since ADS are not revealed by a standard directory listing or content view, a variety of tools have been written specifically to detect data hidden in alternate streams. Figure 6 shows the output of one such tool, lns, which detects the presence of the stream ‘hidden.txt’.

Source: http://www.flexhex.com/docs/articles/alternate-streams.phtml
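The test.txt / hidden.txt experiment from Figures 3 through 5, followed by the kind of stream enumeration that a tool such as lns performs, as an added PowerShell example that is not part of the article or of any tool it shows. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the scratch directory under %TEMP%, the Find-AlternateStreams function and the Zone.Identifier exclusion are the example's own choices, not anything the article describes.

```powershell
# Added example (not from the journal article): reproduce the test.txt / hidden.txt
# experiment and then scan a directory tree for named streams.
# Requires Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the -Stream
# parameter is not offered on FAT/exFAT volumes or on non-Windows platforms.

$work = Join-Path $env:TEMP 'ads-demo'          # assumed scratch location
New-Item -ItemType Directory -Path $work -Force | Out-Null
$carrier = Join-Path $work 'test.txt'

# 1. Create the carrier. WriteAllText gives a deterministic 14-byte file
#    (the article's copy was reported as 15 bytes, presumably with a newline).
[System.IO.File]::WriteAllText($carrier, 'This is a test')
$before = (Get-Item -LiteralPath $carrier).Length

# 2. Write the payload into a named stream, test.txt:hidden.txt, not into the file body.
Set-Content -LiteralPath $carrier -Stream 'hidden.txt' -Value 'This should be hidden.' -NoNewline

# 3. The Length that dir, Explorer and Get-ChildItem report covers the default
#    stream only, so it does not change when the named stream is added.
$after = (Get-Item -LiteralPath $carrier).Length
"Length before: $before  after: $after  (default stream only)"

# 4. Every stream has its own length; ':$DATA' is the unnamed default stream.
Get-Item -LiteralPath $carrier -Stream * | Select-Object Stream, Length

# 5. Reading the file normally returns only the default stream; the payload has
#    to be requested by stream name.
Get-Content -LiteralPath $carrier
Get-Content -LiteralPath $carrier -Stream 'hidden.txt'

# 6. Detection: walk a tree and report every named stream. Zone.Identifier is the
#    Mark-of-the-Web stream that browsers add to downloads, so it is excluded by
#    default to keep the report to the unusual streams.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
          ForEach-Object {
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Length = $_.Length
            }
          }
      }
}

Find-AlternateStreams -Path $work | Format-Table -AutoSize

# Cleanup removes only the named stream; the carrier and its default content remain.
Remove-Item -LiteralPath $carrier -Stream 'hidden.txt'
```

Running the script shows the carrier's Length unchanged after step 2 while step 4 lists two streams with separate lengths, which is exactly the discrepancy the article's Figures 3 and 4 illustrate. For a cross-check, cmd's dir /r on the same directory and Sysinternals streams.exe list the same named streams. When scanning evidence, point Find-AlternateStreams at a read-only mounted image rather than the original volume, and remember that a stream found on an NTFS volume will not survive copying the file to FAT/exFAT or into a ZIP, so any payload should be extracted with Get-Content -Stream before the file is moved.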