CN1317712C - Files hiding method based on NTFS disk files system structure - Google Patents

Info

Publication number
CN1317712C
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CNB031185460A
Other languages
Chinese (zh)
Other versions
CN1434451A (en)
Inventor
刘玉
熊祖彪
朱光喜
饶炤骅
李伟霞
王长强
刘洋
徐一新
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology

Abstract

The present invention discloses a file hiding method based on the NTFS disk file system structure, comprising the following steps: (1) remove the illegal file name characters from the full path name of the file to be hidden to obtain a unique stream name; (2) create a new data stream on the root directory object, named with the stream name obtained in step (1); (3) copy the contents of the file to be hidden into the stream created in step (2); (4) delete the file to be hidden; (5) record the full path information of the file to be hidden. The invention can hide files of any format under the NTFS file system; the hiding effect is permanent, and a change of operating system does not cause the hiding to fail. No host file is generated, and the method has high security.

Description

File hiding method based on NTFS disk file system structure
Technical field
The invention belongs to the field of computer application technology and specifically relates to a file hiding method based on the NTFS disk file system structure.
Background technology
Chinese patent 02115105.9, disclosed on 26 August 1998, is a distortion-free data hiding method. It exploits the redundancy present in an image so that a large amount of information can be embedded in the image without the image carrying the embedded information showing any distortion. The security of the hidden information depends heavily on the image file: if the image file is changed, the hidden information may be lost completely.
Existing file hiding methods are:
(1) Merging the data of the file to be hidden into another file, such as a system file or an image file (called the "host file"), without damaging the host file itself, thereby achieving the hiding. The security of this method is not high enough: if an unauthorized user obtains the host file and the merging scheme, the hidden information is easily extracted. Moreover, if the host file is changed or deleted, the hidden file cannot be recovered correctly.
(2) Running an operating system monitor process. When a user operation attempts to display the hidden file, the monitor process intercepts the message and checks whether the conditions for displaying the hidden file are satisfied; if they are not, it forcibly prevents the operating system from displaying the hidden file. Because this method works by intercepting messages, it can only hide files under the current operating system. It relies on the monitor process running continuously: once the process is closed, or another operating system that does not run this process is entered, the file becomes visible.
Summary of the invention
The object of the present invention is to provide a file hiding method based on the NTFS disk file system structure that overcomes the above defects. The method uses the fact that a file in the NTFS file system can have multiple data streams and hides the file at the level of the disk file system structure, so that the hiding is independent of the system environment and has very high security.
To achieve the above object, a file hiding method based on the NTFS disk file system structure comprises the following steps:
(1) remove the illegal file name characters from the full path name of the file to be hidden to obtain a unique stream name;
(2) create a new data stream on the root directory object, named with the stream name obtained in step (1);
(3) copy the content of the file to be hidden into the stream created in step (2);
(4) delete the file to be hidden;
(5) record the full path information of the file to be hidden.
The present invention can hide files of any format under the NTFS file system; the hiding effect is permanent, and a change of operating system does not cause the hiding to fail. No host file is generated, and the method has higher security.
Description of drawings
Fig. 1 is a flowchart of hiding a file with the hiding method of the present invention;
Fig. 2 is a flowchart of recovering the hidden file.
Embodiment
The NTFS file system stores data using objects and attributes: files and directories are both objects, and the content, size, creation time and so on of a file or directory are its attributes. An object can have multiple attributes, including multiple data stream attributes. Data streams are divided into the unnamed stream and named streams. In all of the operating system's file viewing modes, only a file's unnamed stream is displayed, and the file size reflects only the size of the unnamed data stream. Named streams allow extra data to be attached to a file as part of the file system; they cannot be seen in the file browser and can only be accessed in the form "filename:streamname" with the file I/O functions in the Windows SDK. As mentioned above, a directory is also an object and therefore also supports multiple data streams. If the data of the file to be hidden is copied into a named stream of the root directory and the source file is then deleted, the file is hidden.
The hiding steps are as described in the summary of the invention. The steps for recovering a hidden file are as follows:
(1) Read the full path information of the file to be recovered.
(2) Create a new file according to the full path name of the file to be recovered, giving it the name of the file to be recovered.
(3) Remove the illegal file name characters from the full path name of the file to be recovered to obtain a unique stream name.
(4) Copy the content of the data stream on the root directory object whose name is the stream name obtained in step (3) into the file created in step (2).
(5) Delete the data stream on the root directory object whose name is the stream name obtained in step (3).
The method is illustrated below.
Suppose the file test.txt needs to be hidden; it is located in the directory "C:\Documents and Settings\Administrator\My Documents\file hiding".
(1) Delete illegal characters such as <>:"/\| from the full path name "C:\Documents and Settings\Administrator\My Documents\file hiding\test.txt" to obtain the stream name ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt";
(2) use the CreateFile function to create a new data stream on the root directory object, named ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt";
(3) use the ReadFile and WriteFile functions to copy the content of the test.txt file, byte by byte, into the ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt" stream;
(4) delete the test.txt file with the DeleteFile function;
(5) record the full path information "C:\Documents and Settings\Administrator\My Documents\file hiding\test.txt" in some file under the system directory, such as "C:\WINNT\system32\Hidels.sys".
CreateFile, ReadFile, WriteFile, DeleteFile and similar functions are file I/O functions in the Windows SDK.
To recover the file hidden above:
(1) read the file's full path information "C:\Documents and Settings\Administrator\My Documents\file hiding\test.txt" from "C:\WINNT\system32\Hidels.sys";
(2) create a new test.txt file in the directory "C:\Documents and Settings\Administrator\My Documents\file hiding";
(3) delete illegal characters such as <>:"/\| from the full path name "C:\Documents and Settings\Administrator\My Documents\file hiding\test.txt" to obtain the stream name ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt";
(4) copy the content of the ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt" stream into the test.txt file;
(5) delete the ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt" stream.
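Added example, not part of the patent text: step (1) only deletes characters, so distinct paths can yield the same stream name, and named streams found on a volume root can be mapped back to candidate original paths by applying the same rule. The function names are hypothetical, the stream list is assumed to come from a separate stream-enumeration tool, the candidate paths from a backup listing or similar, and all sample data is constructed.

```python
from collections import defaultdict

# Characters deleted in step (1) of the description: < > : " / \ |
ILLEGAL = set('<>:"/\\|')

def stream_name_for(full_path):
    """Step (1): delete the illegal characters from the full path name."""
    return "".join(ch for ch in full_path if ch not in ILLEGAL)

def collisions(paths):
    """Distinct paths that step (1) maps to one and the same stream name."""
    groups = defaultdict(list)
    for p in paths:
        groups[stream_name_for(p)].append(p)
    return {name: ps for name, ps in groups.items() if len(ps) > 1}

def attribute_streams(root_streams, candidate_paths):
    """Map named streams seen on a volume root back to candidate paths.

    root_streams: names from a stream-enumeration tool (assumed input); a
    leading ':' and a trailing ':$DATA' type suffix are tolerated.
    candidate_paths: files known to have existed, e.g. from a backup listing.
    Returns {stream_name: [paths]}; an empty list means no explanation found.
    """
    index = defaultdict(list)
    for p in candidate_paths:
        index[stream_name_for(p).lower()].append(p)  # compare case-insensitively
    report = {}
    for raw in root_streams:
        name = raw.lstrip(":")
        if name.endswith(":$DATA"):
            name = name[:-len(":$DATA")]
        report[name] = index.get(name.lower(), [])
    return report

# Constructed sample data (not taken from a real system).
CANDIDATES = [
    r"C:\Documents and Settings\Administrator\My Documents\file hiding\test.txt",
    r"C:\ab\c.txt",
    r"C:\a\bc.txt",
]
ROOT_STREAMS = [
    ":CDocuments and SettingsAdministratorMy Documentsfile hidingtest.txt:$DATA",
    ":Cabc.txt:$DATA",
    ":unrelated",
]

if __name__ == "__main__":
    for name, paths in attribute_streams(ROOT_STREAMS, CANDIDATES).items():
        print(name, "->", paths or "no candidate path")
```

A stream that maps to more than one candidate path, such as "Cabc.txt" here, cannot be attributed from its name alone; a stream with no candidate is left for manual review.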

Claims (1)

1. A file hiding method based on the NTFS disk file system structure, comprising the following steps:
(1) remove the illegal file name characters from the full path name of the file to be hidden to obtain a unique stream name;
(2) create a new data stream on the root directory object, named with the stream name obtained in step (1);
(3) copy the content of the file to be hidden into the stream created in step (2);
(4) delete the file to be hidden;
(5) record the full path information of the file to be hidden.
CNB031185460A 2003-01-25 2003-01-25 Files hiding method based on NTFS disk files system structure Expired - Fee Related CN1317712C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB031185460A CN1317712C (en) 2003-01-25 2003-01-25 Files hiding method based on NTFS disk files system structure

Publications (2)

Publication Number Publication Date
CN1434451A CN1434451A (en) 2003-08-06
CN1317712C true CN1317712C (en) 2007-05-23

Family

ID=27634421

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C19 Lapse of patent right due to non-payment of the annual fee
CF01 Termination of patent right due to non-payment of annual fee