Authors: Janine Schneider (Friedrich-Alexander-Universität Erlangen-Nürnberg), Maximilian Eichhorn (Friedrich-Alexander-Universität Erlangen-Nürnberg), and Felix Freiling (Friedrich-Alexander-Universität Erlangen-Nürnberg)
DFRWS USA 2022
Abstract
We investigate the problem of creating ambiguous file system partitions, i.e., the possibility to have two fully functional file systems within a single file system partition. The problem is different from steganographic data hiding since there is no real distinction between content and cover data, and no translation process may be applied to the content data. Since typical file systems that occur in forensic analysis are usually unambiguous, ambiguous file system partitions may be useful corner cases in forensic tools and processes. We show that it is possible to create ambiguous file system partitions by integrating a guest file system into the structures of a host file system in two cases: We integrate a fully functional FAT32 into Ext3 and HFS+. In a third example we even integrate two guest file systems (HFS+ and FAT32) into a single Btrfs file system partition. We test common forensic tools on these examples and exhibit some deficiencies. Moreover, we develop a taxonomy of ambiguous file system partitions and argue that the existence of essential data at fixed positions is still a way to distinguish host from guest and so to heuristically reduce the ambiguity, without removing it completely.
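As an added illustration of the heuristic the abstract closes with (this is not code from the paper), the following Python checks a partition image for the fixed-position magic values of FAT32, Ext, HFS+ and Btrfs and reports when more than one file system matches. The offsets are the standard on-disk positions of each file system's essential structures; the test images are constructed in memory and contain nothing but those magic bytes.

```python
import struct

# Fixed on-disk positions of "essential data" for the file systems the paper combines.
# FAT32: boot signature at byte 510 and the "FAT32   " type string in the extended BPB.
# Ext2/3/4: superblock at byte 1024, s_magic (0xEF53, little-endian) at offset 0x38 of it.
# HFS+: volume header at byte 1024, signature "H+".
# Btrfs: primary superblock at 64 KiB, magic "_BHRfS_M" at offset 0x40 of it.
SIGNATURES = {
    "FAT32": [(510, b"\x55\xAA"), (0x52, b"FAT32   ")],
    "Ext2/3/4": [(1024 + 0x38, struct.pack("<H", 0xEF53))],
    "HFS+": [(1024, b"H+")],
    "Btrfs": [(0x10000 + 0x40, b"_BHRfS_M")],
}


def detect_file_systems(image: bytes) -> list:
    """Return the name of every file system whose fixed-position magic values all match."""
    found = []
    for name, checks in SIGNATURES.items():
        if all(image[off:off + len(magic)] == magic for off, magic in checks):
            found.append(name)
    return found


def is_ambiguous(image: bytes) -> bool:
    """A partition is a candidate ambiguous partition if more than one host/guest matches."""
    return len(detect_file_systems(image)) > 1


def build_image(systems, size=0x20000) -> bytes:
    """Constructed test image: only the magic bytes of the named systems are written."""
    buf = bytearray(size)
    for name in systems:
        for off, magic in SIGNATURES[name]:
            buf[off:off + len(magic)] = magic
    return bytes(buf)


if __name__ == "__main__":
    # The three combinations from the abstract, plus a plain Ext image as a baseline.
    for combo in (["Ext2/3/4"], ["Ext2/3/4", "FAT32"], ["HFS+", "FAT32"],
                  ["Btrfs", "HFS+", "FAT32"]):
        img = build_image(combo)
        verdict = "ambiguous" if is_ambiguous(img) else "unambiguous"
        print(combo, "->", detect_file_systems(img), verdict)
```

Because every signature lives at a distinct offset, the check cannot tell which system is host and which is guest; it only flags that more than one set of essential data is present, which is exactly the residual ambiguity the abstract describes.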
Downloads
Ambiguous File System Partitions (Paper)
Ambiguous File System Partitions (Slides)