Digital Forensics and Cyber Crime. 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, September 10–12, 2018, Proceedings

Research Article

fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques

  • @INPROCEEDINGS{10.1007/978-3-030-05487-8_2,
        author={Thomas G\"{o}bel and Harald Baier},
        title={fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques},
        proceedings={Digital Forensics and Cyber Crime. 10th International EAI Conference, ICDF2C 2018, New Orleans, LA, USA, September 10--12, 2018, Proceedings},
        proceedings_a={ICDF2C},
        year={2019},
        month={1},
        keywords={Anti-forensics, Anti-anti-forensics, Digital forensics, Data hiding, File system analysis, ext4, NTFS, FAT},
        doi={10.1007/978-3-030-05487-8_2}
    }
  • Thomas Göbel
    Harald Baier
    Year: 2019
    fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques
    ICDF2C
    Springer
    DOI: 10.1007/978-3-030-05487-8_2
Thomas Göbel1,*, Harald Baier1,*
  • 1: Hochschule Darmstadt
*Contact email: thomas.goebel@h-da.de, harald.baier@h-da.de

Abstract

The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the filesystem layer. In modern filesystems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each filesystem. In most cases, however, neither the source code nor the theoretical approach of a particular hiding technique is accessible, and thus the maintainability and reproducibility of the anti-forensic tool are not guaranteed. In this paper, we present fishy, a framework designed to implement and analyze different filesystem-based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the filesystem layer. Currently, the framework is able to hide data within ext4, FAT and NTFS filesystems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the filesystem layer. fishy was built to support the exploration and collection of various hiding techniques and to ensure reproducibility and expandability through its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to the description of the actual framework, its current state, its use, and its easy expandability, we also present some hiding techniques for various filesystems and discuss possible future extensions of our framework.