Abstract
Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.
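The two quantities the abstract measures, file slack size and the share of it that sits in files an update leaves untouched, can be computed from two file listings. The following is an added example, not code from the paper; the default 4096-byte cluster size, the `resident_max` cut-off for small files kept inside the MFT record, and the sample snapshots are assumptions constructed for illustration.

```python
import hashlib
import os

def file_slack(size, cluster=4096, resident_max=0):
    """Unused bytes between the end of file data and the end of its last cluster."""
    # Empty files, and small files NTFS keeps inside the MFT record, occupy no
    # cluster. resident_max is an assumed, volume-dependent cut-off set by the caller.
    if size <= resident_max:
        return 0
    return -size % cluster

def snapshot(root):
    """Map relative path -> (size, SHA-256 of content) for every file under root."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            snap[os.path.relpath(path, root)] = (len(data), hashlib.sha256(data).hexdigest())
    return snap

def slack_report(before, after, cluster=4096, resident_max=0):
    """Total file slack in `after`, and the part held by files unchanged since `before`."""
    total = stable = 0
    for path, (size, digest) in after.items():
        slack = file_slack(size, cluster, resident_max)
        total += slack
        if before.get(path) == (size, digest):  # same size and content: slack persisted
            stable += slack
    return {"files": len(after), "total": total, "stable": stable}

# Constructed snapshots (sizes and digests are made up, not measurements).
BEFORE = {"system32/a.dll": (10000, "h1"), "system32/b.dll": (4096, "h2"),
          "notes.txt": (300, "h3"), "driver.sys": (70000, "h4")}
AFTER = {"system32/a.dll": (10000, "h1"), "system32/b.dll": (4096, "h2"),
         "notes.txt": (300, "h3"), "driver.sys": (72000, "h5"), "new.dll": (1, "h6")}

if __name__ == "__main__":
    # The same file set yields very different slack totals as cluster size changes.
    for cluster in (512, 4096, 65536):
        print(cluster, slack_report(BEFORE, AFTER, cluster, resident_max=700))
```

For real volumes, build the two dictionaries with `snapshot()` on a mounted image taken before and after an update; the figure counts the whole tail of the last cluster, without separating sector-level padding from the remaining unused sectors.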
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Mulazzani, M., Neuner, S., Kieseberg, P., Huber, M., Schrittwieser, S., Weippl, E. (2013). Quantifying Windows File Slack Size and Stability. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics IX. DigitalForensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_13
DOI: https://doi.org/10.1007/978-3-642-41148-9_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41147-2
Online ISBN: 978-3-642-41148-9
eBook Packages: Computer Science (R0)