Criminals with sensitive information such as crime records tend to hide/encrypt this information so that even if their computers are collected by police department, there is no evidence that can be used against them. There are many ways data can be hid. The most famous ways are data encryption and steganography. File system, in addition, can also be used to hide data. This paper discusses some of the possible ways to hide data in NTFS file system and analysis techniques that can be applied to detect and recover hidden data. This paper focuses on criminals as the users of data hiding techniques and the main targets that they want to hide data from are forensic analysts. Certain data hiding techniques that can only be used to hide data against normal users such as setting the hidden attribute of a file will not be included.. Keyword

Data hiding, analysis technique, NTFS

This paper discusses some of the methods that can be used to hide data in NTFS and analysis techniques that can be used to detect and recover hidden data. Target readers for this paper are forensic analysts and examiners. Throughout this paper, the phrase "suspect" is used to refer to the owner of digital devices, where analysis is performed to retrieve digital evidence. RunTime's DiskExplorer for NTFS v2.31 is used to create the hidden data manually for testing purpose. The only exception is hidden data for alternate data stream which is created by normal DOS command. Tools that are used to analyse hidden data are Windows XP chkdsk, Sleuth Kit 2.02, Foremost 0.69, comeforth 1.00, dd, hexedit and strings. Test data is created on a machine with Windows XP version 5.1.2600.

BACKGROUND OF NTFS

In NTFS, everything is file. This includes file system metadata about the structure of the file system. MFT (Master File Table) is the heart of NTFS. Every file or directory has at least one entry in MFT (Master File Table). Microsoft calls each entry in MFT as file record and its default size is 1024 bytes (Mikhailov, n.d.). The first 42 bytes is fixed for MFT entry header and the rest of the entry stores attributes, which is small data structure with specific purpose. Example of attributes are $STANDARD_INFORMATION, $FILE_NAME and $DATA (Microsoft, n.d.). The content of an attribute can be either resident or non resident. A resident attribute stores its content in the MFT entry. A non resident attribute stores its content at external clusters. The list of clusters used is stored as cluster run in the run list of an attribute.

Data unit in NTFS is called cluster, which is the smallest disk space allocation unit. Every cluster in NTFS has a LCN (Logical Cluster Number). The cluster number starts with 0 at the first cluster of the file system (Svensson, 2005). Clusters belong to a file are also assigned a VCN (Virtual Cluster Number). For example, a file with 6 clusters will have cluster 1 of the file with VCN 0 and last cluster with VCN 5.

Figure 1: Structure of MFT entry (Carrier, 2005)

Metadata files are files that describe the file system. Example of metadata files are $MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, ., $Bitmap, $Boot, $BadClus, $Secure, $Upcase and $Extend. Table 1 show the description of some of the metadata files.

Table 1: Description of metadata files in NTFS (Solomon & Russinovich, 2000)

FAKED BAD CLUSTERS

For old hard disks that do not have the capability to handle errors, operating systems detect and mark sectors/ clusters as damaged. Nowadays, modern hard disks handle bad sectors themselves by remapping bad sectors to spare sectors (storagereview, n.d.). It is unlikely that an operating system would detect bad sectors before hard disk does. Clusters marked as bad may be used to hide data.

In NFTS, bad clusters are marked in metadata file called $BadClus, which is in MFT entry 8. Originally, $BadClus is a sparse file which file size is set to the size of entire file system. When bad clusters are detected, they will be allocated to this file.

The size of data that can be hid with this technique is unlimited. Suspects can simply allocate more clusters to $BadClus and use it to hide data.

Procedure to create test data

1) Clusters are added to the run list of $Bad attribute of $BadClus file
2) The size of $Bad attribute and the size of this MFT file record are modified if necessary
3) Allocation status of clusters used to hide data is set to 1
4) Hidden data is pasted to the clusters

Process of how hidden data is created manually in faked bad clusters is shown in Appendix A.