Data-Hiding Techniques

Category: Science and Technology

Date Submitted: 04/25/2016 12:15 PM

Assignment 4: Data-Hiding Techniques

Darrell J. Bradford

Professor Curtis Bunch

CIS 417 Computer Forensics

August 29th, 2015

It is simply amazing how far our computer technology has advanced. We have created many new methods of transferring and receiving data. As technology becomes smarter, bringing us closer together as a world community seems more and more realistic and easy. Yet, as with the good in anything, there is always some bad present. This is definitely the case with Alternate Data Streams (ADS). This neat feature of the NTFS file system, created by Windows, allows users to “fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer” (Ray Zadjmool, 2004). It is important to note that one should not consider using ADS when dealing with critical information. This is because when files are copied from NTFS to devices that do not support NTFS, only the main streams are preserved on that system; everything else is ignored. When using ADS, it is therefore suggested that you stick to common data that is not considered critical. This can include “thumbnails for graphical files, parsing information for program sources, spellcheck and formatting data for documents, or any other data that can easily be rebuilt” (Flexhex.com, 2007). Originally conceived to fix compatibility issues with the Macintosh Hierarchical File System (HFS), ADS has found its way into the arsenal of the average hacker. Using ADS takes very little skill, as the streams are easy to create. All a user would need to know is some simple DOS commands that allow them to attach their items to an existing file. An example command could be:

“type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe”

Here, the calculator program is attached to the “anyfile” program and shockingly the file size isn’t changed. This makes it difficult for regular browsers to detect the...
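A defender's check for the hidden streams described above, as an added example that is not part of the original essay: a PowerShell function that lists every named stream under a directory using the built-in `Get-Item -Stream` parameter (Windows PowerShell 3.0 and later, NTFS volume assumed). The function name `Find-AlternateDataStream`, the temp directory and the file names are assumptions made for illustration.

```powershell
# Added example: enumerate alternate data streams on files under a directory.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names treated as expected. Zone.Identifier is the
        # mark-of-the-web stream Windows attaches to downloaded files.
        [string[]] $Expected = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the main one
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |   # skip the unnamed main stream
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.FileName
                Stream   = $_.Stream
                Length   = $_.Length
                Expected = $Expected -contains $_.Stream
            }
        }
}

# Constructed demo: a harmless text file carrying one named stream.
$demo    = Join-Path $env:TEMP 'ads-demo'
$carrier = Join-Path $demo 'carrier.txt'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path $carrier -Value 'visible content'
Set-Content -Path $carrier -Stream 'hidden.txt' -Value 'data in a named stream'

# Length reported for the file covers the main stream only,
# which is why dir and Explorer show no change in size.
(Get-Item -LiteralPath $carrier).Length

# The named stream appears here with its own length.
Find-AlternateDataStream -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

On Windows Vista and later, `dir /r` also lists named streams from the command prompt.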