Abstract: In the FAT32 file system, a null byte at the start of a directory entry means that there is no file or folder in that slot. Because the entries are stored consecutively, once the operating system reads an entry whose first byte is null it stops reading the directory. In this study, we propose an anti-forensic technique, referred to as "NULL Byte injection", which hides files or folders by injecting null bytes into the metadata fields of the FAT32 file system. We present three injection methods for hiding and evaluate the effectiveness and limitations of each through experiments. The results confirm that our technique hides files or folders on Windows, with different effects depending on the injection method, and that the hidden files and folders evade detection by several forensic tools. Understanding how this technique abuses the file system's own mechanism to hide data can contribute to preventing such anti-forensic attacks.
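The abstract describes why a driver stops at the first null-byte entry and why entries stored after it become invisible. The following Python script is an added illustration written for this page, not code from the paper; it builds a constructed FAT32 directory cluster with the standard 32-byte short-name entry layout, applies one null-byte overwrite to the first name byte of an entry as test data, then contrasts what a FAT32 driver would list with what a forensic walk that ignores the 0x00 terminator can recover. The plausibility heuristic in `looks_like_entry` and the two finding categories are assumptions made here for the detector; they are not the paper's three injection methods.

```python
import string
import struct

ENTRY_SIZE = 32
# DIR_Name(11) DIR_Attr NTRes CrtTimeTenth CrtTime CrtDate LstAccDate
# FstClusHI WrtTime WrtDate FstClusLO FileSize  (Microsoft FAT spec layout)
ENTRY_FMT = "<11sBBBHHHHHHHI"
ATTR_LFN = 0x0F      # long-file-name piece, never a real file entry
END_MARK = 0x00      # first byte 0x00: no entry here and none after it
FREE_MARK = 0xE5     # first byte 0xE5: deleted entry, driver keeps reading
NAME_CHARS = set(bytes(string.ascii_uppercase + string.digits
                       + " !#$%&'()-@^_`{}~", "ascii"))


def make_entry(name, ext, attr=0x20, first_cluster=0, size=0):
    """Build a 32-byte FAT32 short-name entry (constructed sample, timestamps zeroed)."""
    raw = name.upper().encode("ascii").ljust(8) + ext.upper().encode("ascii").ljust(3)
    return struct.pack(ENTRY_FMT, raw, attr, 0, 0, 0, 0, 0,
                       first_cluster >> 16, 0, 0, first_cluster & 0xFFFF, size)


def parse_entry(raw):
    """Decode the fields a forensic examiner cares about from one 32-byte slot."""
    fields = struct.unpack(ENTRY_FMT, raw)
    name, attr, hi, lo, size = fields[0], fields[1], fields[7], fields[10], fields[11]
    return {
        "name": name[:8].decode("latin-1").strip("\x00 "),
        "ext": name[8:].decode("latin-1").strip("\x00 "),
        "attr": attr,
        "cluster": (hi << 16) | lo,
        "size": size,
    }


def looks_like_entry(raw):
    """Heuristic (assumption): does this slot hold a plausible 8.3 entry, whatever its first byte?"""
    attr = raw[11]
    if attr == ATTR_LFN or attr & 0xC0:          # LFN piece or reserved attribute bits set
        return False
    body = raw[1:11]                              # name bytes the injection did not touch
    return all(b in NAME_CHARS for b in body) and body.strip(b" ") != b""


def os_listing(directory):
    """What a FAT32 driver shows: read entries in order and stop at the first 0x00 byte."""
    names = []
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] == END_MARK:
            break
        if raw[0] == FREE_MARK or raw[11] == ATTR_LFN:
            continue
        e = parse_entry(raw)
        names.append(e["name"] + ("." + e["ext"] if e["ext"] else ""))
    return names


def forensic_scan(directory):
    """Walk every slot, ignore the terminator, and report slots a driver would hide."""
    findings = []
    past_terminator = False
    for off in range(0, len(directory), ENTRY_SIZE):
        raw = directory[off:off + ENTRY_SIZE]
        if raw[0] == END_MARK:
            # A genuinely unused slot is zero-filled; a null first byte in front of
            # populated fields suggests the name byte was overwritten.
            if any(raw[1:]) and looks_like_entry(raw):
                findings.append((off, "null_first_byte", parse_entry(raw)))
            past_terminator = True
            continue
        if raw[0] == FREE_MARK or raw[11] == ATTR_LFN:
            continue
        if past_terminator and looks_like_entry(raw):
            findings.append((off, "after_terminator", parse_entry(raw)))
    return findings


def sample_directory():
    """Constructed directory cluster: four files, one null-byte overwrite, unused slots."""
    data = b"".join([
        make_entry("README", "TXT", first_cluster=3, size=120),
        make_entry("NOTES", "DOC", first_cluster=4, size=2048),
        make_entry("SECRET", "PDF", first_cluster=5, size=4096),
        make_entry("PHOTO", "JPG", first_cluster=9, size=8192),
    ])
    off = 1 * ENTRY_SIZE                          # first name byte of NOTES.DOC
    data = data[:off] + b"\x00" + data[off + 1:]  # test data: the injected null byte
    return data + b"\x00" * (ENTRY_SIZE * 4)      # zero-filled, truly unused slots


if __name__ == "__main__":
    cluster = sample_directory()
    print("driver sees:", os_listing(cluster))
    for off, kind, entry in forensic_scan(cluster):
        print(f"offset {off:4d} {kind:16s} {entry['name']}.{entry['ext']} "
              f"cluster={entry['cluster']} size={entry['size']}")
```

The driver view returns only `README.TXT`, while the scan reports the slot with the overwritten name byte and the two intact entries that sit behind it, with their first cluster and size still available for carving. The same walk applies to a real directory cluster read from an image, since only the constructed sample depends on the helpers above.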