2018-06-07 on Digital Forensics

da/sec scientific talk on Digital Forensics

Topic: fishy – A Framework for Implementing Filesystem-based Data Hiding Techniques

by Adrian Kailus, Christian Hecht, Thomas Göbel
D19/2.03a, June 07, 2018 (Thursday), 12.00 noon

Keywords — Anti-Forensics, Anti-Anti-Forensics, Data Hiding, File System Analysis, ext4, NTFS, FAT


The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the file system layer. In modern file systems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each file system. In most cases, however, the source code and the theoretical approach of a particular hiding technique are not accessible, and thus the maintainability and reproducibility of the anti-forensic tool are not guaranteed.

In this talk, we present fishy, a framework designed to implement and analyze different file system based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the file system layer. Currently, the framework is able to hide data within ext4, FAT and NTFS file systems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the file system layer.
fishy was built to support the exploration and collection of various hiding techniques and ensure the reproducibility and expandability with its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to the description of the actual framework, its current state, its usage, and its easy expandability, we also present some hiding techniques for various file systems and discuss possible future extensions of our framework.