Data Hiding in Journaling File Systems. Knut Eckstein, Marko Jahnke. 2005 Digital Forensic Research Workshop (DFRWS), New Orleans, LA. Presented 2007/5/31. Presenter: 陳晉煒


Slide 2: Abstract
Data hiding is one technique by which intruders store information on a compromised system while reducing the risk of being detected by its administrators. The first major section of the paper structures and compares existing data hiding methods for UNIX file systems in terms of usability for the attacker and available countermeasures. The second section proposes a new technique that stores substantial amounts of data inside journaling file systems in a robust fashion with low detectability.

Slide 3: 1. Introduction
What is a journaling file system? A journaling (or journalling) file system logs changes to a journal (usually a circular log in a specially allocated area) before committing them to the main file system.
IBM's JFS was an early example; Linux (a Unix-like system) offers several, for example ext3, which adds a journal to the ext2 on-disk layout.
Advantages: availability (after a crash the journal is replayed instead of running a full file system check), consistent metadata, speed, and easy in-place conversion of an existing ext2 volume to ext3.

Slide 4: 2. Known hiding techniques
2.1 Media management layer
  2.1-1 Using unused media areas
  2.1-2 Mounting on non-empty directories
2.2 File system layer
  2.2-1 File system category
  2.2-2 Data unit category: slack space
  2.2-3 Metadata category: use reserved inodes
  2.2-4 Metadata category: extended file attributes
  2.2-5 File name category: "special" filenames
  2.2-6 File name category: removal of open files
  2.2-7 Metadata/file name category: hide in deleted inodes plus trojan fsck

Slide 5:
2.3 Application layer
  2.3-1 Obfuscated loopback file systems
  2.3-2 Unused space in application file formats
  2.3-3 Steganography

Slide 6: 2.1 Media management layer
2.1-1 Using unused media areas
Data is stored in an area that, according to the partition table, is not in use. Example: on a classic DOS-partitioned disk the first partition starts at the beginning of the second track (sector 63), so the rest of the first track after the MBR, 62 sectors or 31 KB, is never touched by any file system.
--- Usability for the attacker: to get more than these small gaps, the attacker has to shrink a partition (or the visible disk size), which requires administrator privileges.
--- Countermeasures: regularly check partition sizes against the disk, and compare the IDE disk's native capacity with the size visible to the operating system (an ATA Host Protected Area, HPA, hides sectors at the end of the disk).
2.1-2 Mounting on non-empty directories
The data to be hidden is stored as ordinary files or subdirectories in a suitable directory; another file system is then mounted over that directory, so path-based tools no longer see the original contents.
--- Usability for the attacker: easy to use, no special tools and no deeper file system knowledge required.
--- Countermeasures: rely on auditing the (remote) system log for subsequent mount and unmount operations.
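The check behind 2.1-1, as an added example that is not code from the paper or the presenter: parse a DOS/MBR partition table and list every sector range that no partition claims, which is where an investigator should look (and where the 62-sector track gap shows up). The 512-byte MBR is constructed in memory for the demonstration; on a real system the same bytes come from the first sector of the disk, and the disk size in sectors comes from the drive.

```python
"""List media areas that no partition claims, from an MBR partition table.

Added example, not from the paper or the slides. The MBR bytes are constructed
in memory; on a real system read them from the first sector of the disk.
Extended partitions are treated as one claimed span (the EBR chain inside them
is not walked), and an HPA is not visible here: compare the drive's native
capacity (e.g. `hdparm -N`) with the size the OS reports.
"""
import struct

SECTOR = 512
MBR_ENTRY_OFFSET = 446
MBR_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(mbr):
    """Return (type, start_lba, sectors) for each used primary entry, sorted by start."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR (bad signature)")
    parts = []
    for i in range(4):
        _status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            MBR_ENTRY_FMT, mbr, MBR_ENTRY_OFFSET + 16 * i)
        if ptype == 0 or count == 0:
            continue                       # empty slot
        parts.append((ptype, start, count))
    return sorted(parts, key=lambda p: p[1])


def unclaimed_areas(parts, disk_sectors):
    """Sector ranges (start, length) that belong to no partition.

    Sector 0 is the MBR itself and is excluded; every other sector that no
    entry covers is a candidate hiding place and should be inspected in an image.
    """
    gaps = []
    cursor = 1
    for _ptype, start, count in parts:
        if start > cursor:
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)
    if disk_sectors > cursor:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


SAMPLE_DISK_SECTORS = 4194304          # constructed: a 2 GiB disk


def build_sample_mbr():
    """Constructed MBR: a Linux partition on the classic track boundary (sector 63)
    and a swap partition placed so that a 65-sector hole sits between them."""
    mbr = bytearray(SECTOR)
    entries = [(0x80, 0x83, 63, 2097152), (0x00, 0x82, 2097280, 1048576)]
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(MBR_ENTRY_FMT, mbr, MBR_ENTRY_OFFSET + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def report(mbr=None, disk_sectors=SAMPLE_DISK_SECTORS):
    """Print and return the unclaimed ranges for an MBR (the sample one by default)."""
    mbr = build_sample_mbr() if mbr is None else mbr
    gaps = unclaimed_areas(parse_mbr(mbr), disk_sectors)
    for start, length in gaps:
        print(f"unclaimed: sectors {start}-{start + length - 1} "
              f"({length * SECTOR // 1024} KB)")
    return gaps


if __name__ == "__main__":
    report()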
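```

On the sample table the first range reported is sectors 1-62 (31 KB), the gap from the slide; the other two are the hole between the partitions and the unpartitioned tail of the disk. Carve or hash those ranges on a known-good baseline and compare on later checks.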

Slide 7: 2.2 File system layer
2.2-1 File system category
Structures such as the superblock and group descriptors may not fill an entire logical disk block. As with the track gap in the previous section, the remainder offers a number of very small hiding places.
2.2-2 Data unit category: slack space
Slack space is the unused part of a file's last data unit. For example, a 10 KB file needs three 4 KB data units in a file system with a 4 KB block size, leaving 2 KB in the third block that ordinary file operations never read or overwrite.
2.2-3 Metadata category: use reserved inodes
An attacker may use inodes that the file system reserves but the operating system itself never uses.

Slide 8:
2.2-4 Metadata category: extended file attributes
Easy to use for the attacker, but also easy to detect for the system administrator with the attribute listing commands the operating system provides.
2.2-5 File name category: "special" filenames
In the file name category a file system stores and processes the data that assigns human-recognizable names to files and directories. Names that are hard to notice or to type (dots, spaces, control characters, or names imitating system files) keep a file out of casual directory listings.

Slide 9:
2.2-6 File name category: removal of open files
A process opens a file and then unlinks it: the directory entry disappears, but the inode and its data blocks stay allocated for as long as a descriptor is open. Accessing these hidden files after the program terminates, or from another program, is difficult and requires forensic tools.
2.2-7 Metadata/file name category: hide in deleted inodes plus trojan fsck
Based on the method in the previous subsection. The fundamental idea is a trojanized version of the file system checking program (fsck) that leaves the hidden inodes and blocks alone instead of reporting or reclaiming them.
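A live-response check for 2.2-6, as an added example that is not code from the paper or the presenter: while the owning process still runs, the kernel annotates each open-but-unlinked file in `/proc/<pid>/fd` with the suffix ` (deleted)`, which is what `lsof +L1` keys on. The scanner below walks a `/proc`-shaped tree; the sample tree it builds is a constructed stand-in (a temporary directory with symlinks), not real kernel data, so it runs offline.

```python
"""Find open-but-unlinked files via /proc/<pid>/fd link targets.

Added example, not from the paper or the slides. find_deleted_open_files()
works on a live Linux /proc (run it as root to see every process); the
constructed tree from make_sample_proc() only stands in for /proc here.
"""
import os
import tempfile

DELETED_SUFFIX = " (deleted)"


def find_deleted_open_files(proc_root="/proc"):
    """Return sorted (pid, fd, original_path) for descriptors whose file was unlinked.

    The suffix is a kernel annotation, not part of the path; a file could be
    *named* "x (deleted)", so on a live system confirm with os.stat() on the fd
    link, which follows through to the inode and reports st_nlink == 0.
    """
    found = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue                       # "self", "sys", "meminfo", ...
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                    # process exited, or not ours (EACCES)
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            if target.endswith(DELETED_SUFFIX):
                found.append((int(pid), int(fd), target[:-len(DELETED_SUFFIX)]))
    return sorted(found)


def make_sample_proc():
    """Build a constructed /proc look-alike: two processes, each holding one
    deleted file open, plus a 'self' entry that must be ignored."""
    root = tempfile.mkdtemp(prefix="fakeproc-")
    layout = {
        "4242": {"0": "/dev/pts/0", "3": "/var/tmp/.stash (deleted)"},
        "5150": {"1": "/var/log/syslog", "7": "/dev/shm/payload (deleted)"},
        "self": {"0": "/dev/null"},
    }
    for pid, fds in layout.items():
        fd_dir = os.path.join(root, pid, "fd")
        os.makedirs(fd_dir)
        for fd, target in fds.items():
            os.symlink(target, os.path.join(fd_dir, fd))   # dangling links are fine
    return root


if __name__ == "__main__":
    for pid, fd, path in find_deleted_open_files(make_sample_proc()):
        print(f"pid {pid} fd {fd}: {path} (unlinked, still open)")
```

Once the process closes the descriptor the blocks are released and only carving of unallocated space can recover them, so run this on the live system before anything is terminated or rebooted.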

Slide 10: 2.3 Application layer
2.3-1 Obfuscated loopback file systems
A file system image is kept in an ordinary file and mounted through the loopback device. A simple but effective way to obfuscate the real purpose of the file is to place the image at an offset inside another file and mount it with the offset option of the loopback mount command (mount -o loop,offset=N).
2.3-2 Unused space in application file formats
Many file formats contain unused or free-form sections, for example the comment field of a JPEG image.
2.3-3 Steganography
"Covered or hidden writing": the data is embedded in an innocuous carrier file.

Slide 11: 3. New scheme: deliberate file system inconsistencies
The idea: mark data blocks as allocated in the block bitmap without referencing them from any inode. The allocator will never hand those blocks out again, and because a journaling file system replays its journal after a crash instead of running a full consistency check, the inconsistency survives power cycles.
3.1 Proof-of-concept demonstration
--- 1: Creation of a sample ext3 file system
--- 2: Initial file system usage
--- 3: File system reconnaissance
--- 4: Data hiding in progress
--- 5: File system filling up
--- 6: File system check after a power cycle
--- 7: Full file system consistency check
--- 8: File system driver error message

Slide 12:
3.2 Usability for the attacker
The attack requires in-depth knowledge of the layout of the target file system. It provides the attacker with a long-lived, "crash-proof" hiding scheme while avoiding the risk of accidental overwrites, since the file system believes the blocks are in use.
3.3 Countermeasures
--- Unless access to raw disk devices is audited or limited, the chances of this scheme being detected are very low.
--- A system crash with substantial disk corruption triggers a full consistency check, which reports the blocks as allocated but unreferenced.
--- The administrator compares the output of the disk usage and disk free commands (du and df): blocks held only by the bitmap count towards df but not towards du.
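Both sides of the scheme in one place, as an added example that is not code from the paper or the presenter: a toy in-memory model of an ext2/3-style block bitmap shows the hiding step of 3.1 (allocate through the bitmap, reference from no inode) next to the two checks from 3.3 (the bitmap-versus-inode cross-check a forced fsck performs, and the df-versus-du comparison). Block size, image size and the set of metadata blocks are assumptions chosen to keep the image tiny; nothing touches a real device.

```python
"""Toy model of the deliberate-inconsistency hiding scheme and its detection.

Added example, not code from the paper or the slides. Models an ext2/3-style
block bitmap in memory; BLOCK_SIZE, TOTAL_BLOCKS and METADATA_BLOCKS are
assumptions for the toy image.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 1024                 # assumption: small ext3-style block size
TOTAL_BLOCKS = 64                 # assumption: toy image of 64 blocks
METADATA_BLOCKS = {0, 1, 2, 3}    # assumption: superblock, group descriptor, bitmaps, inode table


@dataclass
class Inode:
    number: int
    blocks: list = field(default_factory=list)


def bit_is_set(bitmap, block):
    # ext2/3 bitmaps are little-endian bit arrays: bit 0 of byte 0 is block 0
    return (bitmap[block // 8] >> (block % 8)) & 1


def set_bit(bitmap, block):
    bitmap[block // 8] |= 1 << (block % 8)


def first_free(bitmap):
    return next(b for b in range(TOTAL_BLOCKS) if not bit_is_set(bitmap, b))


def new_image():
    """Empty image: only the metadata blocks are marked allocated."""
    bitmap = bytearray(TOTAL_BLOCKS // 8)
    for b in METADATA_BLOCKS:
        set_bit(bitmap, b)
    return bitmap, {}               # (block bitmap, block number -> data)


def write_file(bitmap, store, inodes, number, payload):
    """Normal file creation: every block taken from the bitmap is recorded in an inode."""
    ino = Inode(number)
    for off in range(0, len(payload), BLOCK_SIZE):
        b = first_free(bitmap)
        set_bit(bitmap, b)
        store[b] = payload[off:off + BLOCK_SIZE]
        ino.blocks.append(b)
    inodes.append(ino)
    return ino


def hide_data(bitmap, store, payload):
    """Attacker step (3.1, step 4): take blocks through the bitmap alone.

    No inode references them, so no listing, du or unlink ever reaches them and
    the allocator never reuses them. Only a full consistency check notices that
    the bitmap and the inodes disagree.
    """
    hidden = []
    for off in range(0, len(payload), BLOCK_SIZE):
        b = first_free(bitmap)
        set_bit(bitmap, b)
        store[b] = payload[off:off + BLOCK_SIZE]
        hidden.append(b)
    return hidden


def orphaned_blocks(bitmap, inodes):
    """What a forced check (e2fsck -f) reports as block bitmap differences:
    allocated in the bitmap but referenced by neither metadata nor any inode."""
    referenced = set(METADATA_BLOCKS)
    for ino in inodes:
        referenced.update(ino.blocks)
    return {b for b in range(TOTAL_BLOCKS) if bit_is_set(bitmap, b) and b not in referenced}


def usage_report(bitmap, inodes):
    """(df-style bytes used, du-style bytes used): df trusts the bitmap's counts,
    du sums the files it can reach, so hidden blocks appear as the difference."""
    df_used = sum(bit_is_set(bitmap, b) for b in range(TOTAL_BLOCKS)) - len(METADATA_BLOCKS)
    du_used = sum(len(ino.blocks) for ino in inodes)
    return df_used * BLOCK_SIZE, du_used * BLOCK_SIZE


def demo():
    bitmap, store = new_image()
    inodes = []
    write_file(bitmap, store, inodes, 12, b"A" * 3000)      # legitimate 3-block file
    hidden = hide_data(bitmap, store, b"secret" * 500)      # 3000 bytes -> 3 orphaned blocks
    orphans = orphaned_blocks(bitmap, inodes)
    df_used, du_used = usage_report(bitmap, inodes)
    print(f"hidden in blocks {hidden}; fsck would flag {sorted(orphans)}; "
          f"df says {df_used} B used, du says {du_used} B")
    return hidden, orphans, df_used, du_used


if __name__ == "__main__":
    demo()
```

On a real ext3 volume df also counts the journal, reserved blocks and other metadata, so the df/du comparison is only useful against a baseline taken when the system was known-good; the bitmap cross-check (run e2fsck -f -n on an image, never on the mounted device) gives the exact block numbers to image.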

Slide 13: 3.4 Variants of the new hiding scheme
--- Instead of just occupying data blocks, a variant could mark inodes as allocated in the same fashion and store data in them.
--- The technique could also be applied to traditional, non-journaling file systems, although there a crash would trigger the full check that reveals it.

Slide 14: 4. Summary and conclusions
In contrast to the standard hiding methods, which are either complex to use, easy to detect, limited in storage capacity, or offer only volatile storage, the new scheme avoids most of these disadvantages. System administrators of sensitive systems should be aware of the security implications of file system technology choices and perform detective measures accordingly. Forensic analysis tools should include specialized file system consistency checkers.

