Authors: Sebastian Neuner (SBA Research), Artemios Voyiatzis (SBA Research), Martin Schmiedecker (SBA Research), Stefan Brunthaler (SBA Research), Stefan Katzenbeisser (Technische Universitat), Edgar Weippl (SBA Research)
DFRWS USA 2016
Abstract
We propose and explore the applicability of file timestamps as a steganographic channel. We identify an information gap between storage and usage of timestamps in modern operating systems that use high-precision timers. Building on this, we describe a layered design of a steganographic system that offers stealthiness, robustness, and wide applicability. The proposed design is evaluated through theoretical, evidence-based, and experimental analysis for the case of NTFS using datasets comprising millions of files. We report a proof-of-concept implementation and confirm that the embedded information is indistinguishable from that of a normal filesystem use. Finally, we discuss the digital forensics analysis implications of this new information-hiding technique.