Authors: Anton Schwietert, Jan-Niclas Hilgert
DFRWS APAC 2025
Abstract
File systems are a fundamental component of virtually all modern computing devices. While their primary purpose is to manage and organize data on persistent storage, they also offer a range of opportunities for concealing information in unintended ways—a practice commonly referred to as data hiding. Given the challenges these techniques pose to forensic analysis, it becomes essential to understand where and how hidden data may reside within file system structures. In response, this paper systematically examines the current state of research on data hiding techniques in file systems, consolidating known methods across widely used file systems including NTFS, ext, and FAT. Building on this comprehensive survey, we explore how existing methods can be adapted or extended and identify previously unexamined data hiding opportunities, particularly in underexplored file systems. Furthermore, we propose and discuss novel data hiding techniques leveraging unique properties of contemporary file systems such as the misuse of snapshots. To support future research and evaluation, we apply a range of data hiding techniques across multiple file systems and present the first publicly available, scenario-based dataset dedicated to file system data hiding. As no comparable dataset currently exists, this contribution addresses a critical gap by supporting systematic evaluation and encouraging the development of effective detection methods.