An analysis of anti-forensic capabilities of B-tree file system (Btrfs)

ABSTRACT Anti-forensic techniques aim to prevent, hinder or corrupt the forensic process of evidence acquisition, its analysis, and/or its admissibility. File systems are in the spotlight of almost every forensic investigation. The Linux B-tree file system (Btrfs) offers a paradigm shift in file system design by providing simple administration, end-to-end data integrity, and immense scalability without loss of performance. However, the potential of Btrfs for forensic examination and its resistance to anti-forensic activities have not been investigated before. This paper covers this gap by analysing the forensic value of Btrfs and its robustness against anti-forensic activities. The experimental results suggest that Btrfs presents strong hurdles to many anti-forensic attacks: it makes it difficult to securely wipe files, it disallows hiding data in reserved locations of the file system data structures, and so on. Based on our findings, even a corrupt Btrfs volume could contain remnants of the deletion of small files, data hidden in reserved locations, and magic string forgery. Furthermore, forensic tools meant for Btrfs investigation must be augmented to support automated forensic analysis of possible hidden data in the boot sector, file slack, volume slack and mount-point directories, of MAC-DTS forgery, and of sparse files.