fishy - A Framework for Implementing Filesystem-Based Data Hiding Techniques

  • Thomas GöbelEmail author
  • Harald Baier
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 259)


The term anti-forensics refers to any attempt to hinder or even prevent the digital forensics process. Common attempts are to hide, delete or alter digital information and thereby threaten the forensic investigation. A prominent anti-forensic paradigm is hiding data on different abstraction layers, e.g., the filesystem layer. In modern filesystems, private data can be hidden in many places, taking advantage of the structural and conceptual characteristics of each filesystem. In most cases, however, the source code and the theoretical approach of a particular hiding technique is not accessible and thus maintainability and reproducibility of the anti-forensic tool is not guaranteed. In this paper, we present fishy, a framework designed to implement and analyze different filesystem-based data hiding techniques. fishy is implemented in Python and collects various common exploitation methods that make use of existing data structures on the filesystem layer. Currently, the framework is able to hide data within ext4, FAT and NTFS filesystems using different hiding techniques and thus serves as a toolkit of established anti-forensic methods on the filesystem layer. fishy was built to support the exploration and collection of various hiding techniques and ensure the reproducibility and expandability with its publicly available source code. The construction of a modular framework played an important role in the design phase. In addition to the description of the actual framework, its current state, its use, and its easy expandability, we also present some hiding techniques for various filesystems and discuss possible future extensions of our framework.


Anti-forensics Anti-anti-forensics Digital forensics Data hiding File system analysis ext4 NTFS FAT 



This work was supported by the German Federal Ministry of Education and Research (BMBF) within the funding program Forschung an Fachhochschulen (contract number: 13FH019IB6) as well as by the Hessen State Ministry for Higher Education, Research and the Arts (HMWK) within CRISP ( In addition, we would like to thank all participating students of the bachelor module Project System Development, who played a major role in the implementation of the framework.


  1. 1.
    Conlan, K., Baggili, I., Breitinger, F.: Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy. Digit. Investig. 18, 66–75 (2016)CrossRefGoogle Scholar
  2. 2.
    Rogers, M.: Anti-Forensics, presented at Lockheed Martin, San Diego, 15 September 2005. Accessed 12 May 2018
  3. 3.
    Harris, R.: Arriving at an anti-forensics consensus: Examining how to define and control the anti-forensics problem. Digit. Investig. 3, 44–49 (2006)CrossRefGoogle Scholar
  4. 4.
    Wundram, M., Freiling, F.C., Moch, C.: Anti-forensics: The next step in digital forensics tool testing. IT Security Incident Management and IT Forensics (IMF), pp. 83–97 (2013)Google Scholar
  5. 5.
    Ridder, C.K.: Evidentiary implications of potential security weaknesses in forensic software. Int. J. Digit. Crime Forensics (IJDCF) 1(3), 80–91 (2009)CrossRefGoogle Scholar
  6. 6.
    Newsham, T., Palmer, C., Stamos, A., Burns, J.: Breaking forensics software: weaknesses in critical evidence collection. In: Proceedings of the 2007 Black Hat Conference. Citeseer (2007)Google Scholar
  7. 7.
    Kailus, A.V., Hecht, C., Göbel, T., Liebler, L.: fishy - Ein Framework zur Umsetzung von Verstecktechniken in Dateisystemen. D.A.CH Security 2018, syssec Verlag (2018)Google Scholar
  8. 8.
    Anderson, R., Needham, R., Shamir, A.: The steganographic file system. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 73–82. Springer, Heidelberg (1998). Scholar
  9. 9.
    McDonald, A.D., Kuhn, M.G.: StegFS: a steganographic file system for Linux. In: Pfitzmann, A. (ed.) IH 1999. LNCS, vol. 1768, pp. 463–477. Springer, Heidelberg (2000). Scholar
  10. 10.
    Piper, S., Davis, M., Shenoi, S.: Countering hostile forensic techniques. In: Olivier, M.S., Shenoi, S. (eds.) Advances in Digital Forensics II. IFIP AICT, vol. 222, pp. 79–90. Springer, Boston, MA (2006). Scholar
  11. 11.
    Göbel, Thomas, Baier, Harald: Anti-forensic capacity and detection rating of hidden data in the Ext4 filesystem. In: Peterson, G., Shenoi, S. (eds.) Advances in Digital Forensics XIV. IFIP AICT, vol. 532, pp. 87–110. Springer, Cham (2018). Scholar
  12. 12.
    Neuner, S., Voyiatzis, A.G., Schmiedecker, M., Brunthaler, S., Katzenbeisser, S., Weippl, E.R.: Time is on my side: steganography in filesystem metadata. Digit. Investig. 18, 76–86 (2016)CrossRefGoogle Scholar
  13. 13.
    Fairbanks, K.D.: An analysis of Ext4 for digital forensics. Digit. Investig. 9, 118–130 (2012)CrossRefGoogle Scholar
  14. 14.
    Eckstein, K., Jahnke, M.: Data hiding in journaling file systems. In: Proceedings of the 5th Annual Digital Forensic Research Workshop (DFRWS) (2005)Google Scholar
  15. 15.
    Piper, S., Davis, M., Manes, G., Shenoi, S.: Detecting Hidden Data in Ext2/Ext3 File Systems. In: Pollitt, M., Shenoi, S. (eds.) Advances in Digital Forensics. ITIFIP, vol. 194, pp. 245–256. Springer, Boston, MA (2006). Scholar
  16. 16.
    Grugq, T.: The art of defiling: defeating forensic analysis. In: Blackhat Briefings, Las Vegas, NV (2005)Google Scholar
  17. 17.
    Huebner, E., Bem, D., Wee, C.K.: Data hiding in the NTFS file system. Digit. Investig. 3, 211–226 (2006)CrossRefGoogle Scholar
  18. 18.
    Krenhuber, A., Niederschick, A.: Forensic and Anti-Forensic on modern Computer Systems. Johannes Kepler Universitaet, Linz (2007)Google Scholar
  19. 19.
    Berghel, H., Hoelzer, D., Sthultz, M.: Data hiding tactics for windows and unix file systems. In: Advances in Computers, vol. 74, pp. 1–17 (2008)Google Scholar
  20. 20.
    Thompson, I., Monroe, M.: FragFS: an advanced data hiding technique. In: BlackHat Federal, January 2018. Accessed 12 May 2018
  21. 21.
    Forster, J.C., Liu, V.: catch me, if you can... In: BlackHat Briefings (2005). Accessed 12 May 2018
  22. 22.
    Garfinkel, S.: Anti-forensics: techniques, detection and countermeasures. In: 2nd International Conference on i-Warfare and Security, pp. 77–84 (2007)Google Scholar
  23. 23.
    Göbel, T., Baier, H.: Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding. Digit. Investig. 24, 111–120 (2018)CrossRefGoogle Scholar
  24. 24.
    Carrier, B.: File System Forensic Analysis. Addison-Wesley Professional, Boston (2005)Google Scholar
  25. 25.
    Wong, D.J.: Ext4 Disk Layout, Ext4 Wiki (2016). Accessed 12 May 2018

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019

Authors and Affiliations

  1. 1.da/sec - Biometrics and Internet Security Research GroupHochschule DarmstadtDarmstadtGermany

Personalised recommendations