Abstract
The use of digital forensic tools by law enforcement agencies has made it difficult for malicious individuals to hide potentially incriminating evidence. To combat this situation, the hacker community has developed anti-forensic tools that remove or hide electronic evidence for the specific purpose of undermining forensic investigations. This paper examines the latest techniques for hiding data in the popular Ext2 and Ext3 file systems. It also describes techniques for detecting hidden data in the reserved portions of these file systems.
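The abstract names the reserved portions of Ext2/Ext3 as both the hiding place and the place to look. The scanner below is an added example written for this page, not code from the paper or from e2fsprogs; it assumes the on-disk layout of the Linux 2.6-era include/linux/ext2_fs.h (boot block in bytes 0..1023, superblock at byte 1024 with s_reserved at offset 264, 32-byte group descriptors with bg_pad and bg_reserved) and runs over a small synthetic image it constructs itself, not a real disk.

```python
import struct

# Layout constants from the Linux 2.6-era include/linux/ext2_fs.h
SUPERBLOCK_OFFSET = 1024      # bytes 0..1023 are the boot block, unused by ext2/ext3
SUPERBLOCK_SIZE = 1024
EXT2_MAGIC = 0xEF53
GROUP_DESC_SIZE = 32
INCOMPAT_EXT4_FLAGS = 0x40 | 0x80  # EXTENTS, 64BIT: ext4 keeps live fields in the superblock tail

# (name, offset, length) of superblock fields a clean ext2/ext3 mkfs leaves zeroed
SB_RESERVED_FIELDS = [
    ("s_padding1", 206, 2),
    ("s_reserved_char_pad", 253, 1),
    ("s_reserved_word_pad", 254, 2),
    ("s_reserved", 264, 760),
]
# the same for each 32-byte block group descriptor
GD_RESERVED_FIELDS = [("bg_pad", 18, 2), ("bg_reserved", 20, 12)]


def _nonzero_runs(data, base):
    """Yield (absolute_offset, payload) for every maximal run of non-zero bytes."""
    i, n = 0, len(data)
    while i < n:
        if data[i] == 0:
            i += 1
            continue
        j = i
        while j < n and data[j] != 0:
            j += 1
        yield base + i, bytes(data[i:j])
        i = j


def parse_superblock(image):
    """Read the geometry needed to locate the reserved areas; refuse non-ext2/3 images."""
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE]
    if len(sb) < SUPERBLOCK_SIZE:
        raise ValueError("image too short for a superblock")
    if struct.unpack_from("<H", sb, 56)[0] != EXT2_MAGIC:
        raise ValueError("ext2 magic 0xEF53 not found")
    if struct.unpack_from("<I", sb, 96)[0] & INCOMPAT_EXT4_FLAGS:
        raise ValueError("ext4 feature flags set; the superblock tail is not reserved there")
    blocks_count = struct.unpack_from("<I", sb, 4)[0]
    first_data_block = struct.unpack_from("<I", sb, 20)[0]
    block_size = 1024 << struct.unpack_from("<I", sb, 24)[0]
    blocks_per_group = struct.unpack_from("<I", sb, 32)[0]
    if blocks_per_group == 0:
        raise ValueError("s_blocks_per_group is zero")
    groups = (blocks_count - first_data_block + blocks_per_group - 1) // blocks_per_group
    # the group descriptor table starts in the block after the superblock
    return {"block_size": block_size, "groups": groups,
            "gdt_offset": (first_data_block + 1) * block_size}


def scan_reserved_areas(image):
    """Return [(region, absolute_offset, payload), ...] for non-zero bytes in areas
    that carry no file-system data and that mkfs leaves zeroed."""
    info = parse_superblock(image)
    findings = []
    # 1. boot block: the file system never writes here, but 1 KiB fits a stash
    for off, payload in _nonzero_runs(image[:SUPERBLOCK_OFFSET], 0):
        findings.append(("boot_block", off, payload))
    # 2. padding and reserved fields inside the superblock itself
    for name, off, length in SB_RESERVED_FIELDS:
        base = SUPERBLOCK_OFFSET + off
        for aoff, payload in _nonzero_runs(image[base:base + length], base):
            findings.append(("superblock." + name, aoff, payload))
    # 3. slack between the end of the superblock and the end of the block holding it
    #    (exists only when the block size exceeds 2 KiB)
    sb_end = SUPERBLOCK_OFFSET + SUPERBLOCK_SIZE
    for off, payload in _nonzero_runs(image[sb_end:max(sb_end, info["block_size"])], sb_end):
        findings.append(("superblock_block_slack", off, payload))
    # 4. padding and reserved words in every block group descriptor present
    for g in range(info["groups"]):
        gd = info["gdt_offset"] + g * GROUP_DESC_SIZE
        if gd + GROUP_DESC_SIZE > len(image):
            break  # truncated image: later descriptors are simply not present
        for name, off, length in GD_RESERVED_FIELDS:
            base = gd + off
            for aoff, payload in _nonzero_runs(image[base:base + length], base):
                findings.append(("group_desc[%d].%s" % (g, name), aoff, payload))
    return findings


def make_test_image(hidden=False):
    """Constructed sample: the first 8 KiB of a 4 KiB-block ext2 volume (not a real image)."""
    img = bytearray(8192)
    sb = SUPERBLOCK_OFFSET
    struct.pack_into("<I", img, sb + 0, 2048)     # s_inodes_count
    struct.pack_into("<I", img, sb + 4, 8192)     # s_blocks_count
    struct.pack_into("<I", img, sb + 20, 0)       # s_first_data_block (0 for 4 KiB blocks)
    struct.pack_into("<I", img, sb + 24, 2)       # s_log_block_size: 1024 << 2 = 4096
    struct.pack_into("<I", img, sb + 32, 32768)   # s_blocks_per_group
    struct.pack_into("<I", img, sb + 40, 2048)    # s_inodes_per_group
    struct.pack_into("<H", img, sb + 56, EXT2_MAGIC)
    struct.pack_into("<I", img, sb + 76, 1)       # s_rev_level: dynamic revision
    gd = 4096                                     # group descriptor 0 sits in block 1
    struct.pack_into("<III", img, gd, 2, 3, 4)    # block bitmap, inode bitmap, inode table
    if hidden:  # plant data in each reserved area the scanner covers
        img[512:523] = b"BOOT-STASH!"
        img[sb + 300:sb + 308] = b"sb-stash"
        img[3000:3010] = b"slackstash"
        img[gd + 22:gd + 26] = b"\xde\xad\xbe\xef"
    return bytes(img)


if __name__ == "__main__":
    for region, off, payload in scan_reserved_areas(make_test_image(hidden=True)):
        print("%-28s @ 0x%06x  %r" % (region, off, payload))
```

On a real device, reading the first few MiB of the partition is enough, since everything inspected lies in the first block group. Two caveats: a non-zero boot block is not evidence on its own, because a boot loader may legitimately live there; and the scan deliberately refuses ext4 volumes, where the former s_reserved bytes hold live fields and would produce nothing but false positives.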
© 2006 International Federation for Information Processing
Cite this paper
Piper, S., Davis, M., Manes, G., Shenoi, S. (2006). Detecting Hidden Data in Ext2/Ext3 File Systems. In: Pollitt, M., Shenoi, S. (eds) Advances in Digital Forensics. DigitalForensics 2005. IFIP — The International Federation for Information Processing, vol 194. Springer, Boston, MA. https://doi.org/10.1007/0-387-31163-7_20
DOI: https://doi.org/10.1007/0-387-31163-7_20
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-30012-2
Online ISBN: 978-0-387-31163-0