2007/5/312005 Digital Forensic Research Workshop (DFRWS) New Orleans, LA 1 Data Hiding in Journaling File Systems Knut Eckstein, Marko Jahnke 報告人:陳晉煒.

Slides:



Advertisements
Similar presentations
Chapter 12: File System Implementation
Advertisements

Chapter 9 Part III Linux File System Administration
File Management.
COMP091 – Operating Systems 1
Operating Systems File Management.
Higher Computing Computer Systems S. McCrossan Higher Grade Computing Studies 7. Systems Software 1 System Software This software is used to provide the.
Concepts about the file system 2. The disk structure 3. Files in disk – The ext2 FS 4. The Virtual File System (c) 2013, Prof. Jordi Garcia.
File Systems.
Computer Forensics BACS 371
Full-Datapath Secure Deletion Sarah Diesburg 1. Overview Problem  Current secure deletion methods do not work State of the art  Optimistic system-wide.
Allocation Methods - Contiguous
File Systems Examples.
Chapter 10: File-System Interface
Ext2/Ext3 Linux File System Reporter: Po-Liang, Wu.
File System Analysis.
Chapter 11: File System Implementation
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 10: File-System Interface.
Lecture 10: The FAT, VFAT, and NTFS Filesystems 6/17/2003 CSCE 590 Summer 2003.
CS 104 Introduction to Computer Science and Graphics Problems Operating Systems (4) File Management & Input/Out Systems 10/14/2008 Yang Song (Prepared.
File Systems Implementation. 2 Recap What we have covered: –User-level view of FS –Storing files: contiguous, linked list, memory table, FAT, I-nodes.
Linux Operating System
File Systems. Main Points File layout Directory layout.
Unix File System Internal Structures By C. Shing ITEC Dept Radford University.
BACS 371 Computer Forensics
 FILE S SYSTEM  DIFFERENT FILE SYSTEMS  FILE SYSTEM COMPONENTS  FILE OPERATIONS  LOG STRUCTERD FILE SYSTEM  FILE EXAMPLES.
File Systems (1). Readings r Silbershatz et al: 10.1,10.2,
Lesson 7-Creating and Changing Directories. Overview Using directories to create order. Managing files in directories. Using pathnames to manage files.
1 Chapter 12 File Management Systems. 2 Systems Architecture Chapter 12.
CS 346 – Chapter 12 File systems –Structure –Information to maintain –How to access a file –Directory implementation –Disk allocation methods  efficient.
Guide to Linux Installation and Administration, 2e1 Chapter 8 Basic Administration Tasks.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #29 Information/Data Hiding and Counter-forensics November 5, 2007.
11 INSTALLING AND MANAGING STORAGE DEVICES IN WINDOWS XP Chapter 8.
MCTS Guide to Microsoft Windows Vista Chapter 4 Managing Disks.
Chapter 6: Linux Filesystem Administration
Full-Datapath Secure Data Deletion Sarah Diesburg 5/4/
File System Implementation Chapter 12. File system Organization Application programs Application programs Logical file system Logical file system manages.
Operating System Concepts and Techniques Lecture 17
1 Interface Two most common types of interfaces –SCSI: Small Computer Systems Interface (servers and high-performance desktops) –IDE/ATA: Integrated Drive.
Managing Disks and Drives Chapter 13 powered by dj.
1 Objectives Manage and install new file systems.
Introduction to the new mainframe © Copyright IBM Corp., All rights reserved. Chapter 4: Working with data sets.
Linux Ext 3 File System. Linux Uses Ext3 in Linux Hierarchical FS composed of directories. Files mounted during boot process When shut down the.
Chapter 5 File Management File System Implementation.
Using Model Checking to Find Serious File System Errors StanFord Computer Systems Laboratory and Microsft Research. Published in 2004 Presented by Chervet.
Manage Directories and Files in Linux. 2 Objectives Understand the Filesystem Hierarchy Standard (FHS) Identify File Types in the Linux System Change.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 11: File System Implementation.
Creating and Managing File Systems. Module 5 – Creating and Managing File Systems ♦ Overview This module deals with the structure of the file system,
Project 6 Unix File System. Administrative No Design Review – A design document instead 2-3 pages max No collaboration with peers – Piazza is for clarifications.
Linux+ Guide to Linux Certification, Third Edition
Linux+ Guide to Linux Certification Chapter Six Linux Filesystem Administration.
UNIX File System (UFS) Chapter Five.
Annotated by B. Hirsbrunner File Systems Chapter Files 5.2 Directories 5.3 File System Implementation 5.4 Security 5.5 Protection Mechanism 5.6 Overview.
Filesystem Management and Backups. 2 Section Overview Devices and Files Filesystem Management Network Filesystems Backups.
11.1 Silberschatz, Galvin and Gagne ©2005 Operating System Principles 11.5 Free-Space Management Bit vector (n blocks) … 012n-1 bit[i] =  1  block[i]
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #8 File Systems September 22, 2008.
File system and file structures
Chapter 8 File Systems FAT 12/16/32. Defragmentation Defrag a hard drive – Control Panel  System and Security  Administration tools  Defrag hard drive.
Materi managing user & groups, file system Managing Software Packages and File Systems The Complete Guide to Linux System Administration Chapter 10.
W4118 Operating Systems Instructor: Junfeng Yang.
Silberschatz, Galvin and Gagne ©2011 Operating System Concepts Essentials – 8 th Edition Chapter 3: Windows7 Part 3.
Linux Filesystem Administration
Day 28 File System.
EXT in Detail High-Performance Database Research Center
Filesystem Management and Backups
Chapter 12: File System Implementation
Chapter 11: File System Implementation
Chapter 3: Windows7 Part 3.
CSE 451 Fall 2003 Section 11/20/2003.
File System Implementation
The Design and Implementation of a Log-Structured File System
Presentation transcript:

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 1 Data Hiding in Journaling File Systems Knut Eckstein, Marko Jahnke 報告人:陳晉煒

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 2 Abstract Data hiding is one technique by which system perpetrators store information while reducing the risk of being detected by system administrators. First major section of this article structures and compares existing data hiding methods for UNIX file systems in terms of usability and countermeasures. The second section proposes a new technique that stores substantial amounts of data inside journaling file systems in a robust fashion with low detectability.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 3 1.Introduction What is Journaling File Systems? A journaling (or journalling) file system is a file system that logs changes to a journal (usually a circular log in a specially-allocated area) before actually writing them to the main file system. Developed by IBM. Linux (Unix-like system ) Advantage: availability, data completeness speed, easy to transform For example: ext2/3 file systems

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 4 2.Known Hiding Techniques 2.1 Media management layer  Using unused media areas  Mounting on non-empty directories. 2.2 File system layer  File system category  Data unit category: Slack space  Metadata category: Use reserved inodes  Metadata category: Extended file attributes  File name category: “Special” filenames  File name category: Removal of open files  Metadata/File name category: Hide in deleted inodes plus trojan fsck.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Application layer  Obfuscated Loopback File systems  Unused spaces in application file formats  Steganography(Stenography).

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Media management layer Using unused media areas The usage of an area that is marked as not in use according to the partition table. EX:1st track  Start of disk partition, 2nd track  62 sectors or 31KB ---Usability for the Attacker An attacker has to reduce the partition size, requires administrator privileges ---Countermeasures Regular checking of partition size and IDE disk/HPA sizes Mounting on non-empty directories The data to be hidden is stored in ordinary files or subdirectories in an appropriate directory. ---Usability for the Attacker Easy to use, no special tools and no deeper file system knowledge ---Countermeasures Rely on auditing the (remote) system log for subsequent (un)mount operations

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA File system layer File system category These data structures may not use an entire logical disk block. Similar to the previous section, this may lead to a number of very small data hiding opportunities Data unit category: slack space Slack space is defined as the unused part of a file's last data unit. For example, a file which is 10KB in size will require three 4KB data units for storage in a file system with 4KB block size Metadata category: Use reserved inodes An attacker may use inodes which the operating system itself will not use.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Metadata category: Extended file attributes They are easy to use for the attacker and easy to detect for the system administrator using commands provided by the operating system File name category: “Special” filenames In the file name category, a file system stores and processes data to assign human-recognizable names to files and directories.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA File name category: Removal of open files Accessing these hidden files after program termination or from another program is difficult and requires forensic tools Metadata/File name category: Hide in deleted inodes plus trojan fsck It is based on the method introduced in the previous subsection. The fundamental idea is to use a trojanized version of the file system checking program (fsck).

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Application layer Obfuscated Loopback Filesystems A simple, but effective method to obfuscate the real purpose of the image file is to use the offset option of the loopback mount command Unused spaces in application file formats Many file formats contain unused sections, for example the comment field in a jpeg image format Steganography (Stenography) ---“Covered or hidden writing”

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 11 3.New Scheme: Deliberate FS Inconsistencies 3.1 Proof of concept demonstration --- 1: Creation of sample ext3 file system --- 2: Initial file system usage --- 3: File system reconnaissance --- 4: Data hiding in progress --- 5: File system filling up --- 6: File system check after power cycle --- 7: Full file system consistency check --- 8: File system driver error message

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Usability for the Attacker This attack requires in-depth knowledge about the layout of the target file system. It provides the attacker with a long- lived, “crash-proof” hiding scheme while avoiding the risk of accidental overwrites. 3.3 Countermeasures ---Unless access to raw disk devices is being audited or limited, the chances of this scheme being detected are very low. ---System crash with substantial disk corruption, resulting in a full consistency check. ---The administrator comparing the output of the disk usage and disk free commands. EX:df,du.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA Variants of the new hiding scheme ---Instead of just occupying data blocks, an attack variant could include the use of inodes in a similar fashion. ---The technique introduced in this section could also be applied to traditional, non-journaling file systems.

2007/5/ Digital Forensic Research Workshop (DFRWS) New Orleans, LA 14 4.Summary and conclusions In contrast to standard hiding methods which are either complex to use, easy to detect, limited in storage capacity or offer a rather volatile storage capacity, the new scheme avoids most disadvantages. System administrators of sensitive systems should be aware of the security implications of file system technology choices and perform detective measures accordingly. Forensic analysis tools should include specialized file system consistency checkers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.