Abstract:
As digital evidence becomes central to investigations, forensic examiners and law enforcement agencies must scrutinize a suspect system exhaustively, leaving no stone unturned. Extracting and recovering hidden data in a forensically sound manner is a large part of obtaining the required information and bringing an investigation to a successful conclusion. NTFS alternate data streams (ADS) offer a convenient place to conceal data, so terrorists and other adversaries could use them to hide offensive plans and malicious activity on compromised systems, since ordinary users are unaware that the streams exist. Several factors further increase the value of ADS for data hiding: they require little expertise to create and manipulate, they rarely attract suspicion even when holding high-value secrets, and they are an integral part of the most widely deployed file system. To reverse engineer alternate data streams for efficient and effective data retrieval, the diverse ways in which data can be hidden in them must first be explored. This research follows that approach and implements the data-hiding concepts of ADS nesting and encoded fragmentation, as well as a defense-in-depth strategy that applies compression, password encryption, encoding, fragmentation and ADS nesting together. The data concealed through each of these techniques is then recovered with its integrity intact. Finally, a comprehensive procedure covering all of the techniques is proposed for analyzing alternate data streams and retrieving their contents.
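The following Python script is an added example, not code from the thesis, showing the layered hiding chain the abstract describes (compression, password encryption, encoding, fragmentation) and the matching recovery path that reassembles fragments in any order and verifies integrity, followed by the NTFS side: writing fragments into named streams of a cover file and enumerating them back with the kernel32 FindFirstStreamW/FindNextStreamW API, which is the step an examiner needs. Assumptions: the password encryption is an HMAC-SHA256 counter-mode keystream under a PBKDF2-derived key (a stdlib-only stand-in, since the abstract does not name the cipher used); the fragment size, key-derivation cost, stream names `fragNNN` and the cover file `cover.txt` are hypothetical; and ADS nesting is not implemented, fragments are stored as sibling named streams on one file. The transform and recovery functions run on any platform; the ADS read, write and enumeration require Windows on an NTFS volume.

```python
# Added example (not the thesis' code): compress -> encrypt -> encode -> fragment ->
# scatter over NTFS alternate data streams, then enumerate the streams and recover.
import base64
import ctypes
import hashlib
import hmac
import os
import struct
import zlib

PBKDF2_ROUNDS = 200_000  # hypothetical key-derivation cost (not a value from the thesis)

def _keystream(key, length):
    # HMAC-SHA256 in counter mode: stdlib-only stream cipher assumed in place of the thesis' cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def hide(payload, password, frag_size=512):
    # A SHA-256 of the plaintext rides inside the encrypted blob so recovery can prove
    # integrity; each fragment carries (index, total) so retrieval order is irrelevant.
    plain = hashlib.sha256(payload).digest() + zlib.compress(payload, 9)
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    encoded = base64.b64encode(salt + _xor(plain, key))
    chunks = [encoded[i:i + frag_size] for i in range(0, len(encoded), frag_size)]
    return [("frag%03d" % i, struct.pack(">HH", i, len(chunks)) + c)
            for i, c in enumerate(chunks)]

def recover(fragments, password):
    # Undo hide(); raises ValueError on missing pieces, wrong password or tampering.
    parts, total = {}, None
    for blob in fragments:
        idx, total = struct.unpack(">HH", blob[:4])
        parts[idx] = blob[4:]
    if total is None or len(parts) != total:
        raise ValueError("have %d of %s fragments" % (len(parts), total))
    raw = base64.b64decode(b"".join(parts[i] for i in range(total)))
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), raw[:16], PBKDF2_ROUNDS)
    plain = _xor(raw[16:], key)
    try:
        payload = zlib.decompress(plain[32:])
    except zlib.error as exc:
        raise ValueError("wrong password or corrupted fragments") from exc
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), plain[:32]):
        raise ValueError("integrity check failed")
    return payload

# ---- NTFS side (Windows only): the stream enumeration an examiner needs ----
class _STREAM_DATA(ctypes.Structure):
    # WIN32_FIND_STREAM_DATA: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_longlong), ("cStreamName", ctypes.c_wchar * 296)]

def list_streams(path):
    # Named $DATA streams of `path` via kernel32 FindFirstStreamW / FindNextStreamW.
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.POINTER(_STREAM_DATA), ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle == ctypes.c_void_p(-1).value:          # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        while True:
            name = data.cStreamName.split(":")[1]    # ":frag000:$DATA" -> "frag000"
            if name:                                 # "::$DATA" is the visible main stream
                names.append(name)
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return names

def hide_in_ads(cover, payload, password):
    for name, blob in hide(payload, password):
        with open("%s:%s" % (cover, name), "wb") as fh:   # "file:stream" opens an ADS on NTFS
            fh.write(blob)

def recover_from_ads(cover, password):
    blobs = []
    for name in list_streams(cover):
        with open("%s:%s" % (cover, name), "rb") as fh:
            blobs.append(fh.read())
    return recover(blobs, password)

if __name__ == "__main__" and os.name == "nt":
    # Constructed demo on an innocuous cover file (hypothetical name cover.txt).
    with open("cover.txt", "w") as fh:
        fh.write("nothing to see here\n")
    hide_in_ads("cover.txt", b"meeting at dawn\n" * 100, "s3cret")
    print(list_streams("cover.txt"))
    print(recover_from_ads("cover.txt", "s3cret")[:16])
```

Two points matter for the recovery side. `recover()` never trusts stream order: it reassembles by the (index, total) header, refuses to proceed when a fragment is missing, and treats a decompression failure or digest mismatch as evidence of a wrong password or tampering, so a partial or altered recovery is reported rather than silently returned. `recover_from_ads()` assumes every named stream on the cover file is a fragment; on a real suspect system an examiner would enumerate the streams of every file on the volume and triage them first, because legitimate software also writes named streams (for example the Zone.Identifier stream that browsers attach to downloads).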