Original Article Information
Abstract
English
In this paper, we propose a new anti-forensic method for hiding data in the timestamp of a file in the Windows NTFS filesystem. The main idea of the proposed method is to utilize the 16 least significant bits of the 64 bits in the timestamps. The 64-bit timestamp format represents a number of 100-nanosecond intervals, which are small enough to appear in less than a second, and are not commonly displayed with full precision in the Windows Explorer window or the file browsers of forensic tools. This allows them to be manipulated for other purposes. Every file has $STANDARD_INFORMATION and $FILE_NAME attributes, and each attribute has four timestamps respectively, so we can use 16 bytes to hide data. Without any changes in an original timestamp of “year-month-day hour:min:sec” format, we intentionally put manipulated data into the 16 least significant bits, making the existence of the hidden data in the timestamps difficult to uncover or detect. We demonstrated the applicability and feasibility of the proposed method with a test case.
Table of Contents
1. Introduction
2. Timestamp Changing Tools
2.1 Timestamp format of NTFS
2.2 Windows API for addressing file time
2.3 Timestamp manipulating tools: Timestomp
2.4 Timestamp manipulating tools: SetMace
3. A New Method to Hide Data in Timestamps
3.1 Algorithm Used to Hide Data in Timestamps
4. Application to a Test Case
4.1 Test Environments
4.2 Application to a Test Case
5. Limitations and Future Works
6. Conclusions
Acknowledgements
References