Quantifying Windows File Slack Size and Stability

Abstract: Slack space can be used to hide data from the operating system and other users. While some forms of data hiding are easily detectable, others are subtle and require an experienced forensic practitioner to discover the hidden data. The amount of data that can be hidden varies with the type of slack space and environmental parameters such as filesystem block size and partition alignment. This paper evaluates the amount of file slack space available in Windows systems and the stability of slack space over time with respect to system updates. Measurements of the file slack for eighteen versions of Microsoft Windows with the NTFS filesystem reveal that many of the files change very little during system updates and are, thus, highly suitable for hiding data. A model is presented for estimating the amount of data that can be hidden in the file slack space of Windows filesystems of arbitrary size.
Document type: Conference paper
Gilbert Peterson; Sujeet Shenoi. 9th International Conference on Digital Forensics (DF), Jan 2013, Orlando, FL, United States. Springer, IFIP Advances in Information and Communication Technology, AICT-410, pp.183-193, 2013, Advances in Digital Forensics IX. 〈10.1007/978-3-642-41148-9_13〉

Cited literature [12 references]

https://hal.inria.fr/hal-01460605
Contributor: Hal Ifip
Submitted on: Tuesday, February 7, 2017 - 17:25:48
Last modified on: Friday, December 1, 2017 - 01:16:43
Document(s) archived on: Monday, May 8, 2017 - 14:56:45

File

978-3-642-41148-9_13_Chapter.p...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Martin Mulazzani, Sebastian Neuner, Peter Kieseberg, Markus Huber, Sebastian Schrittwieser, et al. Quantifying Windows File Slack Size and Stability. Gilbert Peterson; Sujeet Shenoi. 9th International Conference on Digital Forensics (DF), Jan 2013, Orlando, FL, United States. Springer, IFIP Advances in Information and Communication Technology, AICT-410, pp.183-193, 2013, Advances in Digital Forensics IX. 〈10.1007/978-3-642-41148-9_13〉. 〈hal-01460605〉

Metrics

Record views: 82

File downloads: 141