The document discusses data hiding in slack space, which is unused space in a disk cluster. It proposes hiding secret data in the slack space of files stored on a private cloud. It determines slack sizes of files using a hex editor. MD5 hashes of file paths and a key are sorted, and the encrypted secret data is divided and hidden in slack spaces according to the sorted hashes and sizes. This allows retrieval of the hidden data using the hash-size mapping. It extends this idea to propose an algorithm for splitting and sharing secret data among cloud users using file slack space, making the data accessible and secure.
This is a self made slide covering topics related to storage systems available in the market with certain information of file systems to understand the fundamentals.
There are also some information is available related to how the whole stuff works.
Types of File Systems
How does the file system handle security?
Attacks on the file system
How does the file system ensure data integrity?
A file system is an abstraction to store, retrieve and update a set of files. The term also identifies the data structures specified by some of those abstractions, which are designed to organize multiple files as a single stream of bytes. responsible for organizing files and directories, and keeping track of which areas of the media belong to which file and which are not being used.
عمار عبد الكريم صاحب مبارك
AmmAr Abdualkareem sahib mobark
In a computer, a file system (sometimes written filesystem) is the way in which files are named and where they are placed logically for storage and retrieval.
This is a self made slide covering topics related to storage systems available in the market with certain information of file systems to understand the fundamentals.
There are also some information is available related to how the whole stuff works.
Types of File Systems
How does the file system handle security?
Attacks on the file system
How does the file system ensure data integrity?
A file system is an abstraction to store, retrieve and update a set of files. The term also identifies the data structures specified by some of those abstractions, which are designed to organize multiple files as a single stream of bytes. responsible for organizing files and directories, and keeping track of which areas of the media belong to which file and which are not being used.
عمار عبد الكريم صاحب مبارك
AmmAr Abdualkareem sahib mobark
In a computer, a file system (sometimes written filesystem) is the way in which files are named and where they are placed logically for storage and retrieval.
A File Structure should be according to a required format that the operating system can understand.
A file has a certain defined structure according to its type.
A text file is a sequence of characters organized into lines.
A source file is a sequence of procedures and functions.
An object file is a sequence of bytes organized into blocks that are understandable by the machine.
File Type
File type refers to the ability of the operating system to distinguish different types of file such as text files source files and binary files etc. Many operating systems support many types of files. Operating system like MS-DOS and UNIX have the following types of files −
Ordinary files
These are the files that contain user information.
These may have text, databases or executable program.
The user can apply various operations on such files like add, modify, delete or even remove the entire file.
Directory files
These files contain list of file names and other information related to these files.
Special files
These files are also known as device files.
These files represent physical device like disks, terminals, printers, networks, tape drive etc.
Can be built on top of base methods
General involve creation of an index for the file
Keep index in memory for fast determination of location of data to be operated on (consider UPC code plus record of data about that item)
If too large, index (in memory) of the index (on disk)
IBM indexed sequential-access method (ISAM)
Small master index, points to disk blocks of secondary index
File kept sorted on a defined key
All done by the OS
VMS operating system provides index and relative files as another example .
Why Is Your BMW X3 Hood Not Responding To Release CommandsDart Auto
Experiencing difficulty opening your BMW X3's hood? This guide explores potential issues like mechanical obstruction, hood release mechanism failure, electrical problems, and emergency release malfunctions. Troubleshooting tips include basic checks, clearing obstructions, applying pressure, and using the emergency release.
What Does the Active Steering Malfunction Warning Mean for Your BMWTanner Motors
Discover the reasons why your BMW’s Active Steering malfunction warning might come on. From electrical glitches to mechanical failures and software anomalies, addressing these promptly with professional inspection and maintenance ensures continued safety and performance on the road, maintaining the integrity of your driving experience.
More Related Content
Similar to introduction to information security and management
A File Structure should be according to a required format that the operating system can understand.
A file has a certain defined structure according to its type.
A text file is a sequence of characters organized into lines.
A source file is a sequence of procedures and functions.
An object file is a sequence of bytes organized into blocks that are understandable by the machine.
File Type
File type refers to the ability of the operating system to distinguish different types of file such as text files source files and binary files etc. Many operating systems support many types of files. Operating system like MS-DOS and UNIX have the following types of files −
Ordinary files
These are the files that contain user information.
These may have text, databases or executable program.
The user can apply various operations on such files like add, modify, delete or even remove the entire file.
Directory files
These files contain list of file names and other information related to these files.
Special files
These files are also known as device files.
These files represent physical device like disks, terminals, printers, networks, tape drive etc.
Can be built on top of base methods
General involve creation of an index for the file
Keep index in memory for fast determination of location of data to be operated on (consider UPC code plus record of data about that item)
If too large, index (in memory) of the index (on disk)
IBM indexed sequential-access method (ISAM)
Small master index, points to disk blocks of secondary index
File kept sorted on a defined key
All done by the OS
VMS operating system provides index and relative files as another example .
Why Is Your BMW X3 Hood Not Responding To Release CommandsDart Auto
Experiencing difficulty opening your BMW X3's hood? This guide explores potential issues like mechanical obstruction, hood release mechanism failure, electrical problems, and emergency release malfunctions. Troubleshooting tips include basic checks, clearing obstructions, applying pressure, and using the emergency release.
What Does the Active Steering Malfunction Warning Mean for Your BMWTanner Motors
Discover the reasons why your BMW’s Active Steering malfunction warning might come on. From electrical glitches to mechanical failures and software anomalies, addressing these promptly with professional inspection and maintenance ensures continued safety and performance on the road, maintaining the integrity of your driving experience.
What Exactly Is The Common Rail Direct Injection System & How Does It WorkMotor Cars International
Learn about Common Rail Direct Injection (CRDi) - the revolutionary technology that has made diesel engines more efficient. Explore its workings, advantages like enhanced fuel efficiency and increased power output, along with drawbacks such as complexity and higher initial cost. Compare CRDi with traditional diesel engines and discover why it's the preferred choice for modern engines.
"Trans Failsafe Prog" on your BMW X5 indicates potential transmission issues requiring immediate action. This safety feature activates in response to abnormalities like low fluid levels, leaks, faulty sensors, electrical or mechanical failures, and overheating.
Things to remember while upgrading the brakes of your carjennifermiller8137
Upgrading the brakes of your car? Keep these things in mind before doing so. Additionally, start using an OBD 2 GPS tracker so that you never miss a vehicle maintenance appointment. On top of this, a car GPS tracker will also let you master good driving habits that will let you increase the operational life of your car’s brakes.
Core technology of Hyundai Motor Group's EV platform 'E-GMP'Hyundai Motor Group
What’s the force behind Hyundai Motor Group's EV performance and quality?
Maximized driving performance and quick charging time through high-density battery pack and fast charging technology and applicable to various vehicle types!
Discover more about Hyundai Motor Group’s EV platform ‘E-GMP’!
What Does the PARKTRONIC Inoperative, See Owner's Manual Message Mean for You...Autohaus Service and Sales
Learn what "PARKTRONIC Inoperative, See Owner's Manual" means for your Mercedes-Benz. This message indicates a malfunction in the parking assistance system, potentially due to sensor issues or electrical faults. Prompt attention is crucial to ensure safety and functionality. Follow steps outlined for diagnosis and repair in the owner's manual.
𝘼𝙣𝙩𝙞𝙦𝙪𝙚 𝙋𝙡𝙖𝙨𝙩𝙞𝙘 𝙏𝙧𝙖𝙙𝙚𝙧𝙨 𝙞𝙨 𝙫𝙚𝙧𝙮 𝙛𝙖𝙢𝙤𝙪𝙨 𝙛𝙤𝙧 𝙢𝙖𝙣𝙪𝙛𝙖𝙘𝙩𝙪𝙧𝙞𝙣𝙜 𝙩𝙝𝙚𝙞𝙧 𝙥𝙧𝙤𝙙𝙪𝙘𝙩𝙨. 𝙒𝙚 𝙝𝙖𝙫𝙚 𝙖𝙡𝙡 𝙩𝙝𝙚 𝙥𝙡𝙖𝙨𝙩𝙞𝙘 𝙜𝙧𝙖𝙣𝙪𝙡𝙚𝙨 𝙪𝙨𝙚𝙙 𝙞𝙣 𝙖𝙪𝙩𝙤𝙢𝙤𝙩𝙞𝙫𝙚 𝙖𝙣𝙙 𝙖𝙪𝙩𝙤 𝙥𝙖𝙧𝙩𝙨 𝙖𝙣𝙙 𝙖𝙡𝙡 𝙩𝙝𝙚 𝙛𝙖𝙢𝙤𝙪𝙨 𝙘𝙤𝙢𝙥𝙖𝙣𝙞𝙚𝙨 𝙗𝙪𝙮 𝙩𝙝𝙚 𝙜𝙧𝙖𝙣𝙪𝙡𝙚𝙨 𝙛𝙧𝙤𝙢 𝙪𝙨.
Over the 10 years, we have gained a strong foothold in the market due to our range's high quality, competitive prices, and time-lined delivery schedules.
In this presentation, we have discussed a very important feature of BMW X5 cars… the Comfort Access. Things that can significantly limit its functionality. And things that you can try to restore the functionality of such a convenient feature of your vehicle.
Symptoms like intermittent starting and key recognition errors signal potential problems with your Mercedes’ EIS. Use diagnostic steps like error code checks and spare key tests. Professional diagnosis and solutions like EIS replacement ensure safe driving. Consult a qualified technician for accurate diagnosis and repair.
5 Warning Signs Your BMW's Intelligent Battery Sensor Needs AttentionBertini's German Motors
IBS monitors and manages your BMW’s battery performance. If it malfunctions, you will have to deal with an array of electrical issues in your vehicle. Recognize warning signs like dimming headlights, frequent battery replacements, and electrical malfunctions to address potential IBS issues promptly.
Comprehensive program for Agricultural Finance, the Automotive Sector, and Empowerment . We will define the full scope and provide a detailed two-week plan for identifying strategic partners in each area within Limpopo, including target areas.:
1. Agricultural : Supporting Primary and Secondary Agriculture
• Scope: Provide support solutions to enhance agricultural productivity and sustainability.
• Target Areas: Polokwane, Tzaneen, Thohoyandou, Makhado, and Giyani.
2. Automotive Sector: Partnerships with Mechanics and Panel Beater Shops
• Scope: Develop collaborations with automotive service providers to improve service quality and business operations.
• Target Areas: Polokwane, Lephalale, Mokopane, Phalaborwa, and Bela-Bela.
3. Empowerment : Focusing on Women Empowerment
• Scope: Provide business support support and training to women-owned businesses, promoting economic inclusion.
• Target Areas: Polokwane, Thohoyandou, Musina, Burgersfort, and Louis Trichardt.
We will also prioritize Industrial Economic Zone areas and their priorities.
Sign up on https://profilesmes.online/welcome/
To be eligible:
1. You must have a registered business and operate in Limpopo
2. Generate revenue
3. Sectors : Agriculture ( primary and secondary) and Automative
Women and Youth are encouraged to apply even if you don't fall in those sectors.
introduction to information security and management
1. Data Hiding in Slack Space Revisited
R.Vishnu Thampy, Praveen K., Ashok Kumar Mohan
TIFAC-CORE in Cyber Security
Amrita School of Engineering, Coimbatore
Amrita Vishwa Vidyapeetham, India
rvishnuthampy@gmail.com, k praveen@cb.amrita.edu, m ashokkumar@cb.amrita.edu
Abstract—In the current world scenario storing of any
data securely in any storage medium is of major concern.
Transferring any secret data without being compromised by
the attacker is becoming difficult day by day. In such a
situation, using the slack space for storing and retrieving secret
information can be a great boon. Slack space is nothing but the
unused space in a disk cluster. Here, the slack space of private
cloud and slack space of the files which is being uploaded to
the private cloud is considered for hiding and retrieving the
secret information. Slack sizes of files are determined using hex
editors. MD5 hashes of the path of the files containing slack
and key are taken and sorted in the ascending order. Message
to be hidden is encrypted and is divided into chunks of data
depending on slack sizes of files which has been reordered by
its corresponding sorting of MD5 hashes of file paths along
with the key. Divided chunks of data are hidden in the slack
spaces accordingly. Mapping of MD5 hashes of file paths along
with the key and slack size will help in the retrieval of hidden
information from slack spaces. The secret data will be securely
hidden in the slack spaces of the private cloud. The idea of
keeping secret data in slack space of private cloud is more
advantageous because cloud itself provides security than usual
physical storage media and moreover that, the possibility of
being detected by an attacker is often less as slack space often
contains data which could not be easily detected by normal
analysis. Along with this, a secret sharing algorithm is proposed
for splitting and sharing the secret data among cloud users and
the file slack space in the cloud gives the accessibility of secret
data.
Index Terms—Slack space, MD5 hash, private cloud, ZFS
I. INTRODUCTION
Slack space plays a vital role in the forensic study of
any storage media. It is a storage area generated when a
file created by the user does not take over all the space
allocated by a file system. In other terms it is a type of
internal fragmentation. [1] i.e. unused space in an allocated
region of a disk cluster. A Cluster is nothing but the storage
blocks of fixed size used by the file system. It contains
a collection of adjacent sectors. Every file will be stored
from the very beginning of the cluster or clusters allocated
to them. For each of the newly generated file, file system
assigns a specific number of clusters. The file size can be
either equal or can be less than the total number of clusters
multiplied by a cluster size. Mostly in all cases, matching
between the size of file and size of multiple clusters happens
rarely. As a result, a small left out space will get generated
between the end of file contents and end of the last cluster
allocated to the file by the file system.This allocated yet
unused space is file slack or slack space [10] of a file. In
other words, the logical and physical size differences also
International Journal of Pure and Applied Mathematics
Volume 118 No. 18 2018, 3017-3025
ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version)
url: http://www.ijpam.eu
Special Issue
ijpam.eu
3017
2. result in the formation of file slack. The real size of the
file refers to the logical size and number of sectors assigned
to the file by file system determines the physical size of
a file. Major divisions of file slack include RAM slack and
drive slack [2]. Typically, a Windows file system uses chunks
of 512 bytes whenever a file needs to be written to a disk.
In such cases, if the last sector in the last cluster is not
completely filled, then the OS fills those empty space with
the random data from the RAM. This random data filled
area is called RAM Slack. RAM slack is concerned only
with the last sector of a file. The remaining sectors, which
forms a part of the last cluster allocated by the file system,
may be left as empty as the file data size can be very less in
some cases. In such a scenario, OS does not fill this space
as it did in the case of RAM slack and this unfilled area
of remaining sectors is called Drive Slack. Fig. 1 shows the
ram and drive slack space in a typical cluster of size 2048
bytes (2 KB). This cluster contains 4 sectors each of size 512
bytes totaling it to 2048 bytes. It is evident from the fig.1
that the file data consumes the entire first sector and half of
the second sector. Remaining half of the second sector will
be filled by the random data from RAM thus generating
RAM slack and sector 3 and 4 will be left empty and this
left unused space is nothing but the drive slack.
Fig. 1. Slack space in a cluster.
Slack space [10] is a major source of evidence in the
forensic investigation [15] field. It may contain forensically
relevant information. If a user deletes a particular file that
occupied the entire cluster of a disk and later on saves a
new file which takes only less than half of the cluster size,
then remaining sectors would not be empty. It may contain
some relevant part of previously deleted files [12] or data or
any sensitive information which can prove to be useful from
forensic perspective. In another scenario, an attacker can
intentionally use the file slack space for hiding secret data
leaving no clue for the investigator regarding the existence
of any data during a forensic investigation [16].
This paper focuses on the hiding and retrieval of secret
data from the file slack space of a USB drive and further
extends it to find the file slack space in a ZFS based private
cloud storage. Along with this, a novel idea is proposed for
sharing secret data among the cloud [17] users in a cloud
storage by using the file slack concept. Slack space provides
a proper hiding place for secret data and the use of file slack
space of private cloud storage can be of great advantage
as the cloud itself is providing security for stored data and
moreover, that data is stored in file slack of cloud which
makes it undetectable.
A. File System
File system is a systematic arrangement, which deals with
the storing ,accessing and management of files on a storage
media. It deals with the internal operations of a disk and
its functionality is made abstract to the users. A typical
disk contains its own file system, information regarding data
storage and its accessibility by any application or any user.
Other operations of the file system include naming of files,
folders or directories and managing of access rules, metadata
and user privileges. The existence of a file system helps, not
only in the removal of the installed programs but also makes
the possibility of having two files with similar names. It also
deals with information like cluster and sector size, location
of file, file size and hierarchical details of directories. It
helps in the efficient working of all the files and applications
in a particular disk. Commonly used file systems include
NTFS (New Technology File System), FAT (FAT12, FAT16,
FAT32), ex FAT, for Windows , ext2, ext3 [13], ext4 for
Linux, Hierarchical File System (HFS), (HFS+)for MAC,
ZFS(Zettabyte File System) for FreeBSD [3].
B. FAT and NTFS file system
The FAT file system contains two relevant data structures,
a file allocation table (or FAT) and directory entries [4].A
directory entry is allocated to each of the files and direc-
tories. These entries are stored in clusters and if there are
more number of clusters used, then the individual entries
are located by FAT data structure. FAT table is used to find
out the next cluster in a file. The FAT system saves the
data after a specified number of reserved sectors and FAT
areas, and sector zero marks the beginning of these reserved
sectors. For each and every cluster in the file system, an entry
will be made in FAT structure and each of these entry uses
three date/time stamps namely last accessed, last written and
created [4].
Compared to FAT, the NTFS provides an easy way of
locating file data in the file system. In NTFS, a file record
is created for each and every data file of the user. Master
File Table (MFT) is the main feature in NTFS. MFT is
a special table which stores all the file records and each
MFT entry size is of 1024 bytes [5]. MFT stores the file
data, if it is small enough to fit in it, otherwise it generally
International Journal of Pure and Applied Mathematics Special Issue
3018
3. contains information regarding file operations and retrieval
of data [4]. The MFT resides in partition boot sector which
forms the first sector of NTFS file system. The information
regarding the user created file is placed as a series of
attributes in MFT entry. The number of attributes that can
be found in a file record depends on the created file type
and type of the attribute is identified by an identifier of the
attribute.
For the efficient management of whole file system, NTFS
generates metadata files and these files contain adminis-
trative data. So as to differentiate the metadata files from
normal files, each of these metadata file begins with a dollar
sign. These files are kept hidden from the users. For the
further enhancement of the file system, NTFS reserves first
sixteen entries for these metadata files in the MFT.
C. ZFS
Zettabyte file system [9] is one of the advanced file
system which is used in FreeNas cloud storage. Its combined
features of a file system and logical volume manager makes
it a unique one among other file systems. Main features
of ZFS includes high storage capabilities, protection of
data against corruption, snapshots, automatic repair, integrity
check and so on. As it has the combined feature of a file
system and volume manager it knows the entire information
about the physical disks and volume including their status,
condition, logical arrangement and also of all the stored files
in it. The physical devices such as (HDDs and SSDs) used by
ZFS are arranged in to virtual devices(vdevs). These vdevs
are used for the redundant storage for a ZFS pool. ZFS is
also concerned with how the file systems and volumes are
held within a ZFS pool so as to make the entire system
abstract to the end users.
D. Paper organization
The remainder of this paper is organized as follows.
An overview of related literature is presented in section-
II. Section-III discusses the proposed system of hiding and
retrieval of data from the file slack. Section-IV presents
a secret sharing algorithm for splitting and sharing secret
data using file slack space. In section-V, experimental results
regarding the file slack space of USB drive and cloud has
been discussed. And the last section, section VI concludes
the work by highlighting the relevance of the file slack space
and briefs the hiding and retrieval of secret data from the file
slack. Along with that, an implementation of secret sharing
algorithm is taken into consideration for the future work.
II. LITERATURE SURVEY
An idea regarding the generation of slack space as per
the user need has been discussed by Srinivasan in his work
related to slack space [1]. This was achieved by creating
new files as per the demand of the users and thus utilizing
slack space of those files as a cover for hiding data.
Another related work [11] describes about an anti-forensic
technique which uses directory index of NTFS for hiding
secret messages and also proposes a tool for implementing
the same.
Different types of slack space can be used in digital
forensics so as to hide information from users or operating
systems. The various forms of slack space and size of the
block in a file system plays a major role in determining the
amount of information that can be hidden. The availability of
the file slack space has been increasing day by day due to the
ever increasing storage capacities of devices. Other areas that
can be used for data hiding includes Device Configuration
Overlay and Host Protected Area [6] on the storage devices
like hard drive. But the pitfall in hiding in these areas is
that it can be easily detected by forensic tools like Encase,
Sleuth Kit.
The file slack space can be considered as a byproduct
of operating system [6]. File slack is created as the result
of non alignment between data file data size and cluster
size. The availability of usable slack space depends on sector
size, cluster size of the file system, and the number of files
available in a storage device. Sector size in hard drives varies
from 512 bytes to 4K in the most modern hard drives. Also
the cluster size of FAT 32 varies in between 4KB and 32KB
but for NTFS it ranges from 4KB to 16 TB [6]. If the portion
of file data in the last cluster, having n sectors, is less than
the sector size of file system, then the windows uses the
concept of padding to fill the last sector at the end of each
file, thus leaving n-1 sectors possibly untouched [7]. The
advantage of file slack is that it can be found on any hard
disk that uses clusters as the smallest disk allocation unit.
The amount of file slack can be increased either by using
large number of files or using clusters of larger sizes.
File slack is a result of internal fragmentation [8]. When-
ever a file gets deleted, the clusters allocated to that typical
file will be marked as free by the file system. When a
file of size 8 KB is stored on hard disk which contain
clusters of size 4KB, the file system assigns two clusters
namely cluster 1 and cluster 2 for the file. Again if a file
of size 12 KB is to be stored, the file system allocates
three clusters starting from cluster 3 to cluster 5 and this
happens because the first two clusters are already occupied
by the first file. At this scenario, if the first file gets deleted
and the storing of another file of 3KB size in first cluster
results in the formation of a file slack. This file slack
will be of size 1KB and contains data from the first file.
This 1KB slack may contain sensitive information and is
vulnerable to get exposed. File slack can also be found in
file servers which uses windows operating system [8]. This
International Journal of Pure and Applied Mathematics Special Issue
3019
4. can become a serious issue if these file servers are used by
any company/corporations, as their sensitive data can easily
become a part of file slack and thus leads to a security
breach.
III. PROPOSED SYSTEM
Nowadays many technologies have been emerging so as
to hide and retrieve data from devices. Instead of developing
a new technology, making use of the available ones through
which data can be hidden and retrieved without being
detected by any hacker can become a breakthrough. Such
a novel intention leads to the use of allocated but unused
space in any device or any file system which is nothing
but the slack space. The proposed system is to find the file
slack space of a storage device typically in a USB drive
and to hide and retrieve secret data from it. It is further
extended to fetch file slack space of private cloud storage,
FreeNas which is running on ZFS [9] file system. A secret
sharing algorithm is also proposed so as to share the secret
data among cloud users by using the concept of file slack
space where the secret data can be hidden. Fig.2 gives the
architecture model for the proposed system.
Slack space of the local system files or private cloud is
fetched using hexeditor. Slack sizes corresponding to files
are estimated using the same hex editor. The MD5 hashes
of the file paths, of those files that contains slack, and key is
calculated. Providing the key along with the file path helps
in achieving the integrity i.e. only intended users can be able
to get the information regarding file slack using proper key.
And key can be any 128-bit random number chosen by the
user. Data hiding in the slack space has to be done in a
random order so as to make it difficult to be compromised
by any attacker. So for this, the obtained MD5 hashes of file
paths along with the key is sorted in the ascending order. As
a result, a mapping can be obtained between the sorted MD5
hashes and slack sizes, which was determined using hex
editor. Message to be hidden is encrypted using encryption
algorithm. Encrypted message is divided into small blocks
and division of this message depends on the determined
slack sizes. The resultant blocks of messages are hidden in
the slack spaces and can be retrieved using mapping of MD5
hashes and slack sizes.
The methodology used by the existing system [1] in-
tentionally creates slack space for hiding the data. But
the proposed system make use of the file slack from all
the available files. This gives the advantage that secret
data resides along with the normal data making it more
undetectable for the hacker. Compared to the existing system
[1], proposed system uses a specific method, by using the
WinHex tool, to fetch the file slack, to determine the slack
sizes of every file, and also to hide the encrypted data in the
exact slack location of the files. Another feature includes
the file slack determination of the files of a private cloud.
Proposed system also suggests a novel idea for the secret
sharing of data among the cloud users. This secret sharing
algorithm also contributes to the uniqueness of proposed
system when compared to existing one.
Fig. 2. Module diagram.
A. Implementation steps
NTFS (New Technology file system) is considered for the
implementation purpose. Default Cluster size of NTFS is
4096 bytes which contains 8 sectors and each sector is of
size 512 bytes. Hex editor is used to find and analyze the
slack space of the file. The preferred one is WinHex tool
[14] full version. For the purpose of analyzing the slack
space files need to accessed from a drive.
• Opening the preferred drive : Files can be accessed from
a USB drive or any other drives of the computer system.
After opening the drive using the WinHex [14] tool, all
the files in the drive will be listed along with their sizes.
Each file can be opened and its hexadecimal format will
be displayed along the side (Fig 3).
• Slack space gathering : Entire slack space of the drive
can be fetched using WinHex [14] tool by Gather
slack option in specialist menu (Fig 4). Slack space
can be saved in a notepad or it will be displayed
simultaneously in the Winhex tool (Fig 5). The total
size of the slack space of the selected drive can be seen
along the side in the WinHex. It lists all the clusters
which contains slack space. But it does not mean that
slack space will be starting from the very beginning of
the listed clusters. So need to determine the slack space
of each of the files listed in the drive using the cluster
information which was obtained from above.
International Journal of Pure and Applied Mathematics Special Issue
3020
5. • Determining slack space of each file in the drive : Total
number of clusters used by each file can be obtained by
navigating to list clusters option. The last cluster can
be spotted from the list of clusters of a particular file.
Last cluster will be displayed along with the number of
bytes used in that particular cluster (Fig 6). From the
default cluster size and the information regarding the
used number of bytes in the last cluster, slack space
for the particular file can be determined.(Fig 6)
• While hiding data in the slack space there should be
some sort of randomness. This randomness of storing
data would make it difficult for any attacker who tries
to analyze any hidden data in slack space of a particular
drive. So as to provide randomness, initially MD5
hashes of file paths ,of all files containing slack space,
and key are taken. While taking file path, file name
is also included in the path. Providing the key along
with the file path helps in achieving the integrity i.e.
only intended users can be able to get the information
regarding file slack using proper key. And key can be
any 128-bit random number chosen by the user. After
finding the hashes, first 64 significant bits of hashes
are converted to its corresponding decimal values. All
the resultant decimal values are sorted in the ascending
order. Finally all the file paths having slack will be
sorted in the ascending order of decimal values of their
MD5 hashes (Table II and III).
• Now the Secret message to be hidden is encrypted using
AES algorithm. Encrypted data is divided into small
blocks depending on the slack size information obtained
from WinHex tool. These slack sizes are arranged in
the ascending order of decimal values obtained from
MD5 hashes of file paths containing the slack and user
preferred key. As a result a mapping can be obtained
between MD5 hashes and slack sizes of the files.
• Finally the divided blocks of encrypted message are
hidden in the slack sizes of the files. The mapping
information and user key can be used to retrieve the
hidden message from the slack space.
IV. SECRET SHARING ALGORITHM
This algorithm helps in sharing the secret data among the
private cloud users by using file slack as a hidden space
for secret data. Initially the secret file which needs to be
shared among the users is determined along with its size.
The main concept used here is the splitting of secret data and
then sharing those with the intended users. And also, here
admin is considered as the trusted party and is responsible
for splitting the secret data. The secret data file, which needs
to be shared, is considered to be a text file named File.txt.
This text file is initially converted in to its binary format. As
a result of this, the converted file will be a binary one which
contains only zeros and ones and is named as Binary file.txt.
In this algorithm, it is considered that only two users need to
share the secret data among themselves. So for this purpose,
the obtained binary file, Binary file.txt is split into two other
binary files namely Binary share 1 and Binary share 2, each
of them having the same size as that of the actual secret
file, Binary file.txt. The formation of the two new shares is
based on XOR logic which is given in TABLE I.
TABLE I
XOR LOGIC FOR GETTING ACTUAL SECRET DATA FROM THE SPLIT
SHARES
Secret binary data file- Binary share1 Binary share2
XOR of Binary share1 &
Binary share2
1 0 1
1 1 0
0 1 1
0 0 0
The contents of the newly generated binary files are
arranged in such a way that, performing a XOR operation
between the respective binary bits of these files will result
in the formation of the actual secret file, Binary file.txt.
The admin of the private cloud storage assigns necessary
privileges to both the users, U1 and U2, who wants to share
the secret data among themselves. Also a shared folder is
created for these users which can be needed for the later
use. User U1 stores the first share, Binary share 1 in its file
slack space and user U2 stores the second share, Binary share
2 in its respective file slack space. Both the users are given
privileges to access each others file slack. And with the help
of mapping information regarding the MD5 hashes of file
slack paths and slack sizes, along with the key information
,both the binary shares can be combined to get exact secret
information. This retrieved secret information is placed in
the shared folder which can only be accessed by these two
users.
The secret sharing algorithm can be further extended
among n number of users by splitting secret shared file
into n shares. And these n shares will be stored in the file
slack spaces of n users. In this case, XOR logic table will
contain n number of column entries corresponding to each
splitted n binary shares. And with help of mapping and key
information, n shares can be combined using XOR logic to
get original secret information which will be then placed in a
shared folder, which can be accessed only by these intended
users.
Even though splitted secret share is stored in the file slack
of the private cloud there can be an issue regarding the
availability of this data in those file slacks. If the secret
data is stored only in file slack of one particular file/files
and that particular file gets deleted or get corrupted then the
International Journal of Pure and Applied Mathematics Special Issue
3021
6. secret share cannot retrieved from it. In such a case, storing
the secret shares in the file slacks of multiple files of an user
can prove more advantageous as this will make the redundant
copies of secret share and thus can easily made available at
the time of error occurrence to any of those files. Also the
amount of data that can be retrieved from a file slack is also
a major concern. This is because there can be chance that file
slack space of file can get modified if more data is written
into it, thus reducing the retrieval probability of secret data.
As a solution for this, files needs to be categorized based
on their aging factor. Every file needs to be analyzed for its
period of existence and frequency of modification. So, secret
shares need to be stored in that files which persists for a long
time and have lesser probability of getting modified.
V. EXPERIMENTAL RESULTS
A. File slack in a USB drive
Detected the file slack space and slack sizes of files along
with that hided and retrieved data from a particular USB
drive.
Fig. 3. Opening the preferred drive.
• Fetched the file slack space from the USB drive (Fig.
4) and the resultant slack space of the file is displayed
in Fig. 5.
Fig. 4. Fetching the slack space.
• Determined the exact start of file slack space in a typical
file (Fig 6). Exact file slack location was found out by
following formulation.
Let the cluster size be denoted as Cs, no of sectors as
Fig. 5. Slack space of the file along with the size
Sn, Sector size as Ss. Cluster size of a file system can
be calculated by multiplying no of sectors with sector
size.
Cluster size = No of sectors * Sector size
Cs = Sn * Ss
Let Bn be the number of bytes used by the file in the
last cluster
Fig. 6. Locating the exact start of slack space
For finding slack size of a file, number of sectors used
by a file needs to be calculated. Su and Ss denotes
the number of used sectors and sector size respectively.
Used sectors are calculated by dividing Number of
bytes used by the file in the last cluster with sector
size :
Su = Bn / Ss
Unused sectors Sun in the last cluster is given by
subtracting the used sectors in the last cluster Su from
the total number of sectors in the last cluster Sn.
Sun = Sn - Su
In Fig. 6, used sectors were 6.76 sectors and unused
sectors were calculated to be 1.23 sectors. The starting
sector of the cluster 47 was 65896. From 65896 sector,
adding the used number of sectors gives almost the
middle location of sector 65902, which is the exact
slack starting location.
International Journal of Pure and Applied Mathematics Special Issue
3022
7. Fig. 7. Slack space of the file filled with user data
• Fig. 7 shows the snapshot of slack space after getting
filled with data. Table II shows the MD5 hashes of Key
and file paths having slack and Table III shows the MD5
hashes of Key and file paths after sorting.
TABLE II
FILE PATHS AND HASHES
File having slack Slack size MD5 hashes
I:NewfolderBooked Ticket 0.6 KB ca5da4e46bf19dfccce266
History.pdfkey∗ 29e7e5f77e
I:New folderproject 3.6 KB b38db25e2d9fafb1acbe
content.docxkey∗ 02a04461d400
I:New folderuser.txt 3.8 KB 333e1885d483bcd7b15
key∗ c990fdfbd0584
I:New folderforensi 2.5 KB fa1f1baf4c206ad288f352
note.txtkey∗ ef0f4be69c
∗Key can be any user preferred 128-bit random key
TABLE III
SORTED MD5 HASHES OF THE FILE ALONG WITH SLACK SIZE
File having slack Slack size MD5 hashes
I:New folder user.txt 3.8 KB 333e1885d483bcd7b15
key∗ c990fdfbd0584
I:NewfolderBooked Ticket 0.6 KB ca5da4e46bf19dfccce266
History.pdfkey∗ 29e7e5f77e
I:New folderforensi 2.5 KB fa1f1baf4c206ad288f352
note.txtkey∗ ef0f4be69c
I:New folderproject 3.6 KB b38db25e2d9fafb1acbe
content.docxkey∗ 02a04461d400
∗Key can be any user preferred 128-bit random key
B. File slack in Cloud Storage
All the files in the cloud can be mapped to a local drive.
From the local drive slack spaces of all the files can be
determined using Hexeditor. Also the slack spaces of all
files, that has to be uploaded to cloud, can be determined
and analyzed by following the same procedure which was
done for a USB drive. After analyzing the slack sizes, secret
data can be hidden in those slacks and can be uploaded to
the cloud. Secret data in the file slack of cloud gives an
added advantage as it will be undetectable for an attacker.
A sample of 6 files was taken and also analyzed the slack
sizes of each of those files and determined the MD5 hashes
of file paths along with its key.(Table IV and V)
TABLE IV
SAMPLE OF FILES THAT WERE UPLOADED TO CLOUD
File having slack Slack size MD5 hashes
E:filesHideinside 1.6 KB abe1c32564dd8f059ecc49fe
Encrypted.pdfkey∗ c39bc65f
E:filesAnti-Forensic/ 0.7 KB 4b3c7e550c1de99dcb97e393
Tool.pdfkey∗ 83d6127d
E:filesSlack 2013.pdf 3.2 KB 8999330b8044cc12214963e2
key∗ ca1cd310
E:filesForensic Data 2.1 KB c9935905746075adcfa680f4d
carving.pdfkey∗ 2b7f5d0
E:filesConcerning File 4.1 KB c25f34330762c9c9b07ef510e
slack.pdfkey∗ 9a6138d
E:filesHiding-finding-data- 1.1KB b417749c8ec1f6a5a6f081bf
linux.pdfkey∗ 7370a84d70a84d
∗Key can be any user preferred 128-bit random key
VI. CONCLUSION AND FUTURE WORK
Hiding of any secret information without being compro-
mised by any attacker has become a major concern these
days. Ensuring the security of this secret data has become
a vital part from the forensic and data security perspective.
Just hiding the data anywhere is not enough, along with
that it has to be ensured that whatever secret data is to
be hidden it should be undetectable to the intruders. So
a solution concerning the hiding of secret information and
its retrieval was found out. For this, the file slack space
which was generated during the cluster allocation by any
file system, was taken into consideration and was able to
detect it successfully. Slack sizes of various files having file
slack were determined and analyzed using one of the hex
editor. Along with that, to make the secret data undetectable,
a sort of randomness was also provided by taking the MD5
hash values of file paths containing the file slack and sorting
them in the ascending order. Encrypted secret messages were
divided according to the file slack sizes and were able to
hide and retrieve those secret messages from the file slack
of files with the help of mapping information of file slack
sizes and MD5 hashes. Further slack spaces of files which
International Journal of Pure and Applied Mathematics Special Issue
3023
8. TABLE V
SORTED MD5 HASHES OF THE SAMPLE OF FILES THAT WERE
UPLOADED TO CLOUD
File having slack Slack size MD5 hashes
E:filesAnti-Forensic 0.7 KB 4b3c7e550c1de99dcb9
Tool.pdfkey∗ 7e39383d6127d
E:filesSlack 2013.pdf 3.2 KB 8999330b8044cc12214
key∗ 963e2ca1cd310
E:filesHideinside 1.6 KB abe1c32564dd8f059
Encrypted.pdfkey∗ ecc49fec39bc65f
E:filesHiding-finding-data- 1.1KB b417749c8ec1f6a5a6f0
linux.pdfkey∗ 81bf7370a84d
E:filesConcerning File 4.1 KB c25f34330762c9c9b07e
slack.pdfkey∗ f510e9a6138d
E:filesForensic Data 2.1 KB c9935905746075adcfa
carving.pdfkey∗ 680f4d2b7f5d0
∗Key can be any user preferred 128-bit random key
were uploaded to cloud were also determined and analyzed
using same method. In addition to it, an overall idea about
ZFS file system in FreeNas cloud was also obtained.
The scope of the future work will be concerned about
the implementation of secret data sharing in the private
cloud storage. The secret data can be shared with multiple
users in the cloud. The sharing of the data will be done
securely without getting noticed by any hacker or attacker.
For this, secret data can be shared in the slack spaces of
the multiple users so that only the concerned users will
only be knowing the existence of secret data. Secret sharing
using slack space and moreover implementing it in the cloud
storage can provide a better way of security for hiding any
secret data.
REFERENCES
[1] Srinivasan, Avinash, Srinath Thirthahalli Nazaraj, and Angelos
Stavrou. ”HIDEINSIDE – A novel randomized & encrypted antiforen-
sic information hiding.” In Computing, Networking and Communica-
tions (ICNC), 2013 International Conference on, pp. 626-631. IEEE,
2013.
[2] http://niiconsulting.com/checkmate/2006/06/file-slack-vs-ram-slack-
vs-drive-slack/.
[3] Easttom, Chuck. System forensics, investigation, and response. Jones
& Bartlett Learning, 2017.
[4] Mahant, Sameer H., and B. B. Meshram. ”NTFS Deleted Files Re-
covery: Forensics View.” IRACST-International Journal of Computer
Science and Information Technology & Security (IJCSITS), ISSN
(2012): 2249-9555.
[5] Rusbarsky, Kelsey Laine. ”A Forensic Comparison of NTFS and
FAT32 File Systems.” (2012).
[6] Mulazzani, Martin, Sebastian Neuner, Peter Kieseberg, Markus Huber,
Sebastian Schrittwieser, and Edgar Weippl. ”Quantifying windows file
slack size and stability.” In IFIP International Conference on Digital
Forensics, pp. 183-193. Springer, Berlin, Heidelberg, 2013.
[7] Carrier, Brian. File system forensic analysis. Addison-Wesley Profes-
sional, 2005.
[8] Larson, Stephen P. ”Concerning File slack.” In Proceedings of the
Conference on Digital Forensics, Security and Law, p. 103. Associa-
tion of Digital Forensics, Security and Law, 2009.
[9] Bonwick, Jeff, Matt Ahrens, Val Henson, Mark Maybee, and Mark
Shellenbaum. ”The zettabyte file system.” In Proc. of the 2nd Usenix
Conference on File and Storage Technologies, vol. 215. 2003.
[10] T. Prem, V. Paul Selwin and Ashok Kumar Mohan. ”Disk Memory
Forensics - Ananlysis of Memory Forensics Frameworks Flow.” Inno-
vations in Power and Advanced Computing Technologies (i-PACT),
2017.
[11] Cho, Gyu-Sang. ”Development of an anti-forensic tool for hiding mes-
sage in a directory index of NTFS.” In Internet Security (WorldCIS),
2015 World Congress on, pp. 144-145. IEEE, 2015.
[12] Holleboom, Thijs, and Johan Garcia. ”Fragment retention characteris-
tics in slack spaceAnalysis and measurements.” In Security and Com-
munication Networks (IWSCN), 2010 2nd International Workshop on,
pp. 1-6. IEEE, 2010.
[13] Chen, Tseng-Yi, Yuan-Hao Chang, Shuo-Han Chen, Chih-Ching Kuo,
Ming-Chang Yang, Hsin-Wen Wei, and Wei-Kuan Shih. ”Enabling
Write-Reduction Strategy for Journaling File Systems over Byte-
addressable NVRAM.” In Proceedings of the 54th Annual Design
Automation Conference 2017, p. 44. ACM, 2017.
[14] Sindhu, K. K., and B. B. Meshram. ”Digital forensic investigation
using WinHex Tool.” International Journal of Computer Science and
Technology 3, no. 1 (2012): 1-7.
[15] Tripathi, Shweta, and B. B. Meshram. ”Digital Forensic Investigation
on File System And Database Tampering.”
[16] Karabiyik, Umit, and Sudhir Aggarwal. ”Model of hierarchical disk
investigation.” In Digital Forensic and Security (ISDFS), 2016 4th
International Symposium on, pp. 84-88. IEEE, 2016.
[17] Santanam, Raghu, ed. Cyber Security, Cyber Crime and Cyber Foren-
sics: Applications and Perspectives: Applications and Perspectives.
IGI Global, 2010.
International Journal of Pure and Applied Mathematics Special Issue
3024