Forensics Journal - Stevenson University 2013 | Page 34

FIGURE 6

Since file streams are a feature of NTFS, ADS is dependent on that file system. Once a file containing an ADS hidden file is moved to another file system (e.g., FAT 12/16/32, EXT2/3, CDFS, etc.), the hidden data is discarded. Figure 7 shows that the file ‘test.txt’ will lose its hidden data ‘hidden.txt’ if it is copied to a drive that is formatted with the FAT file system.

As you can see, the images above appear to be the same. The image on the right has a copy of the US Constitution embedded in it using steganography. The first image has a file size of 66.9 KB while the second image has a file size of 81.3 KB.

FIGURE 8

Forensic tools such as EnCase and FTK provide the investigator with the ability to create custom hash lists that are used to scan evidence files looking for matches. However, the investigator would first need to locate steganographic content before being able to populate this list with the hash values.

FIGURE 7

Similar to traditional forms of steganography, ADS can be performed on any file type, including executable files.

IMPACT ON LAW ENFORCEMENT

FORENSIC DETECTION OF STEGANOGRAPHY

In the SANS white paper “Steganalysis: Detecting Hidden Information with Compu