Ambiguous File System Partitions

conference contribution
posted on 2024-09-24, 12:02 authored by Janine Schneider, Maximilian Eichhorn, Felix Freiling
We investigate the problem of creating ambiguous file system partitions, i.e., the possibility to have two fully functional file systems within a single file system partition. The problem is different from steganographic data hiding since there is no real distinction between content and cover data, and no translation process may be applied to the content data. Since typical file systems that occur in forensic analysis are usually unambiguous, ambiguous file system partitions may be useful corner cases in forensic tools and processes. We show that it is possible to create ambiguous file system partitions by integrating a guest file system into the structures of a host file system in two cases: We integrate a fully functional FAT32 into Ext3 and HFS+. In a third example we even integrate two guest file systems (HFS+ and FAT32) into a single Btrfs file system partition. We test common forensic tools on these examples and exhibit some deficiencies. Moreover, we develop a taxonomy of ambiguous file system partitions and argue that the existence of essential data at fixed positions still is a way to distinguish host from guest and so to heuristically reduce the ambiguity, without removing it completely.

Name of Conference

Digital Forensics Research Conference (DFRWS)

CISPA Affiliation

  • No

Journal

Forensic Science International: Digital Investigation

Volume

42

Page Range

301399-301399

Publisher

Elsevier

Open Access Type

  • Unknown

BibTeX

@inproceedings{Schneider:Eichhorn:Freiling:2022,
  title = "Ambiguous File System Partitions",
  author = "Schneider, Janine and Eichhorn, Maximilian and Freiling, Felix",
  year = 2022,
  month = 7,
  journal = "Forensic Science International: Digital Investigation",
  number = "DFRWS 2022 USA - Proceedings of the Twenty-Second Annual DFRWS USA",
  pages = "301399--301399",
  publisher = "Elsevier",
  issn = "2666-2825",
  doi = "10.1016/j.fsidi.2022.301399"
}
