WO2003083670A1 - Protection de donnees par cache de donnees (Data protection by data hiding) - Google Patents
- Publication number: WO2003083670A1 (PCT application PCT/IL2003/000273)
- Authority: WO (WIPO (PCT))
- Prior art keywords: file, directory, record, file table, computer
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6281—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/80—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
Definitions
- the present invention relates generally to computer file systems, and specifically to methods, systems, and software products for preventing unauthorized access to data stored using file systems.
- a file system is the structure in which computer files are named, stored, and organized. File systems are implemented on storage devices, such as hard disk drives. File systems typically allocate space on storage devices in clusters, which are groups of sectors on the storage device. A file is stored in one or more clusters, depending on the size of the file. File systems generally record information about files, including the locations of the files on a storage device, in a file table. Some file systems, such as Microsoft's FAT file system (including FAT12, FAT16, and FAT32), maintain a centralized reference index in the file table, as well as a reference index to the locations of bad and free blocks located on the storage device.
- a reference index is a reference system in which the location of stored data on a storage device is referenced by using pointers to the cluster or clusters in which the data is stored.
- Other file systems such as Microsoft's NTFS and some UNIX and LINUX file systems, store reference pointers separately for each file in the file table.
- FAT file system keeps track of where each file resides by using a reference index called a file allocation table (FAT).
- FAT contains an entry for every cluster on the storage device.
- the FAT file system reads the file's entry in a directory, and retrieves the file's starting cluster number.
- the file system looks in the FAT entry for this cluster number. This entry either contains the cluster number of the next cluster of the file, or, if this cluster is the last cluster of the file, an end-of-file (EOF) marker.
- the file system assembles the file using the resulting chain of cluster numbers.
- the clusters of a file are not necessarily contiguous on the storage device.
- the file system sometimes determines that at least one sector in a cluster is not able to accurately store data, e.g., because of a physical defect on the surface of a disk. Upon making such a determination, the file system marks the entire cluster as unusable by recording a "bad" value in the cluster's corresponding entry in the FAT.
- the NTFS file system stores nearly every file system structure as a file, including the structures used to manage the partition and maintain statistics and control information about the partition itself.
- a partition is a logical division of a storage device, such as a hard disk, created when the storage device is formatted.
- the control information is stored in a set of special files that are initially constructed when an NTFS partition is first created. These special files are called metadata files, and include such items as lists of files on the partition, volume information, and cluster allocations.
- the Master File Table (MFT) is an array of records, each of which holds data about a particular file.
- Each of these file records contains a collection of the file's attributes, such as a filename, a security descriptor, and a data attribute (which represents the file's data).
- Embodiments of the present invention provide a method for protecting and preventing unauthorized access to computer data stored on a storage device using a file system.
- the method comprises hiding the data by changing information regarding the location and/or existence of the data, without necessarily encrypting or otherwise altering the data itself. Once the data is hidden, the existence of the data is unknown to non-system programs, and the data is thus generally inaccessible to user applications. An authorized user can restore the data by replacing the reference information about the data, which is stored for this purpose during hiding.
- the method for hiding the data comprises modifying file allocation table (FAT) entries corresponding to clusters of the storage device in which the data is stored, and saving and deleting the directory entry of the file containing the data.
- FAT entries are typically changed to values indicative of "bad" clusters. The file system therefore ignores these clusters, neither reading nor writing to them.
- hiding the data comprises modifying another type of reference index, such as a $BadClus file used by NTFS for listing "bad" clusters, or another NTFS metadata Master File Table (MFT) file. Metadata MFT files are normally inaccessible to application programs, without using the techniques described herein.
- the method for hiding the data comprises creating a hidden directory in an NTFS metadata MFT record that is otherwise unused, such as the 14th record.
- the hidden directory is created in an ordinary MFT record, and a parent directory to the hidden directory is created in an unused metadata MFT record.
- To hide a file, the file's corresponding file record is moved from its original directory to the hidden directory. Because information stored in the metadata MFT records is hidden and generally inaccessible to non-system programs, commands, and access methods, the operating system is unaware of the hidden directory. As a result, the file record in the hidden directory is generally inaccessible to user applications. Moving the file record from the hidden directory back to the file's original directory restores access to the data. For additional security, the file record is optionally encrypted before being stored in the hidden directory.
- a method for preventing unauthorized access to computer data stored on a storage device having a file table including: saving, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored; and modifying one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
- the file table entries include file allocation table (FAT) entries.
- saving the chain of cluster numbers includes: marking secure record clusters of the storage device, which clusters contain data of the secure record; storing one or more secure record entries of the file table corresponding to the secure record clusters; and populating each of the secure record file table entries with a value indicative of a bad cluster.
- the file table entries include entries in an NTFS metadata Master File Table (MFT) file. Modifying each of the file table entries may include populating the file table entry with a value indicative of a bad cluster.
- saving the chain of cluster numbers includes encrypting the secure data structure.
- modifying the file table entries includes identifying the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device. Identifying the file table entries may include identifying a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data. Identifying the file table entries to be modified may include terminating the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
- the secure data structure is located external to the file table.
- the method includes modifying a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
- the method includes deleting a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
- the directory entry contains metadata with respect to the data structure, and deleting the directory entry includes saving at least a portion of the metadata before deleting the directory entry. Saving the portion of the metadata may include encrypting the portion of the metadata.
- a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method including: creating a directory in one of the metadata file table records that is not used by the file system; and moving the file record to the directory.
- the file table includes a Master File Table (MFT).
- the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
- the metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
- creating the directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
- moving the file record includes encrypting one or more attributes of the file record.
- moving the file record includes encrypting a name of the file record.
- moving the file record further includes saving the encrypted name in a key file in the directory.
- a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device including: creating a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system; creating a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; and moving the file record to the secure directory.
- creating the parent directory in the metadata file table record includes creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
- the file table includes a Master File Table (MFT).
- the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
- the metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
- creating the parent directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
- moving the file record includes encrypting one or more attributes of the file record.
- moving the file record includes encrypting a name of the file record. Encrypting the name of the file record may include saving the encrypted name in a key file in the secure directory.
- a method for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure including: identifying one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored; saving, in a secure data structure located external to the file table, the chain of cluster numbers; populating each of the identified file table entries with a value indicative of a bad cluster; saving, in the secure data structure, at least a portion of the metadata contained in the original directory entry; and deleting the original directory entry.
- the file table entries include file allocation table (FAT) entries.
- the method includes unhiding the data by: creating a new directory entry in the directory; populating the new directory entry with at least some of the saved metadata; and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
- populating the file table entries with the cluster numbers includes: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers; and populating the last one of the file table entries with an end-of-file marker.
- a method for hiding computer data stored in a data structure on a storage device using a file system which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method including: creating a parent directory in one of the metadata file table records that is not used by the file system; creating a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; encrypting a name of the file record; saving the encrypted name in a key file in the secure directory; and moving the file record to the secure directory.
- the metadata file table includes a metadata Master File Table (MFT).
- the method includes unhiding the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
- a system for preventing unauthorized access to computer data including: a storage device, in which the computer data is stored, the storage device having a file table; and a computer, configured to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
- a system for preventing unauthorized access to computer data including: a storage device, in which the computer data is stored in a data structure, using a file system, which provides a file table that includes a file record of the data structure and metadata file table records; and a computer, configured to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
- a system for preventing unauthorized access to computer data including: a storage device, on which the computer data is stored in a data structure, using a file system, which data structure has a corresponding file record stored in a file table on the storage device; and a computer, configured to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
- a system for hiding computer data including: a storage device, in which the computer data is stored in a data structure using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure; and a computer, configured to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
- a system for hiding computer data including: a storage device, on which the computer data is stored in a data structure using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records; and a computer, configured to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
- a computer software product for preventing unauthorized access to computer data stored on a storage device having a file table, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
- a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
- a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
- a computer software product for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
- a computer software product for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
- Fig. 1 is a schematic illustration of a file hiding system running on a computer workstation, in accordance with an embodiment of the present invention
- Fig. 2 is a schematic illustration of the storage of a file using a File Allocation Table (FAT) file system, in accordance with an embodiment of the present invention
- Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention
- Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention
- Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file;
- Fig. 6 is a schematic illustration of a Master File Table (MFT) used by an NTFS file system, in accordance with an embodiment of the present invention
- Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention
- Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file, in accordance with an embodiment of the present invention.
- Fig. 9 is a schematic illustration of a screen image of a graphical user interface for hiding and unhiding files, in accordance with an embodiment of the present invention.
- Fig. 1 is a schematic illustration of a file hiding system 10 running on a computer workstation 20, in accordance with an embodiment of the present invention.
- the file hiding system is used by a user to protect and prevent unauthorized access to computer data 22 stored on a storage device 24, using a file system 26 running in a memory 28 of the workstation.
- File system 26 creates and maintains a file table 30 on storage device 24, for recording information about stored files, including the locations of the files on the storage device.
- Workstation 20 typically comprises a general-purpose computer, which is programmed in software to carry out the functions described herein. This software may be downloaded to the workstation in electronic form, over a network, for example, or it may alternatively be provided on tangible media, such as magnetic or optical media or other non-volatile memory.
- Although workstation 20 is shown locally accessing storage device 24 in Fig. 1, the workstation may also remotely access storage device 24 over a local area and/or wide area network, such as by using an agent deployed on the remote storage device or on a remote computer controlling the remote storage device.
- The term "storage device," as used in the present patent application and the claims, is to be understood as any device upon which a computer may store data in permanent form.
- Examples of storage devices include, but are not limited to, external and internal devices, volatile and non-volatile memory (e.g., memory in handheld devices such as PDAs and mobile telephones), hard disk drives, floppy disk drives, removable magnetic media (e.g., USB keys), optical media, magneto-optical media, removable hard drive media, CD-ROM drives, DVD-ROM drives, and recordable (read/write) CD and DVD drives.
- The term "clusters," as used in the present patent application, including the claims, is to be understood as referring to the basic units of logical storage on a storage device, regardless of whether such basic units on any particular storage device are commonly referred to as clusters in the art.
- the term “sectors” as used in the present patent application, including the claims, is to be understood as referring to the smallest physical portion of a storage device that can be accessed, regardless of whether such portions on any particular storage device are commonly referred to as sectors in the art.
- a cluster comprises one or more sectors.
- The term "file table," as used in the present patent application, including the claims, is to be understood as any table, map, index, list or similar structure, which holds references, pointers, or indices to one or more locations on a storage device, in which locations data is stored.
- Fig. 2 is a schematic illustration of the storage of a file using a File Allocation Table (FAT) file system, in accordance with an embodiment of the present invention.
- Each file stored using the FAT file system has a directory entry 40, which contains information regarding the file, such as a filename 42.
- directory entry 40 includes a cluster number field 44, which indicates the file's starting cluster number on storage device 24.
- the FAT file system looks in directory entry 40, and retrieves the file's starting cluster number from cluster number field 44.
- the file system looks in a FAT 46 for the FAT entry for this cluster number.
- the file has a starting cluster number 48a, which refers to a FAT entry 50a.
- FAT entry 50a contains a cluster number 48b, referring to a FAT entry 50b.
- these cluster numbers (48a, 48b, 48c, etc.) form a chain of cluster numbers. This chain continues until it reaches a FAT entry (in this example FAT entry 50d, reached via cluster number 48d) that contains an end-of-file (EOF) marker 52, indicating that the cluster identified by cluster number 48d is the last cluster of the file (the EOF marker is also known as an End Of Clusterchain mark, or EOC).
- The EOF markers written for FAT32, FAT16, and FAT12 are the hexadecimal values 0x0FFFFFFF, 0xFFFF, and 0x0FFF, respectively. In practice, file system drivers treat any entry value in the ranges 0x0FFFFFF8 through 0x0FFFFFFF, 0xFFF8 through 0xFFFF, and 0x0FF8 through 0x0FFF as an end-of-chain mark, so code that walks a cluster chain should test for that range rather than for the single value.
- File system 26 assembles the file using the resulting chain of cluster numbers, relying on the rule that clusters on storage device 24 have cluster numbers corresponding to the numbers of the FAT entries. Therefore, since the first FAT entry of the file, FAT entry 50a, has a cluster number 48a, the first segment of the file's data is found on storage device 24 in a cluster 54a identified by cluster number 48a.
- Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention.
- A user selects at least one data structure to be hidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
- The data structure may be, for example, a file or a directory.
- File hiding system 10 locates the filename entry of the selected file in the directory structure in order to identify directory entry 40 of the file (Fig. 2), at a locate filename step 72.
- The system saves at least a portion (typically all) of the information regarding the file from directory entry 40 in a buffer 75 in memory 28 (Fig. 1), at a buffer directory information step 74.
- Such directory information typically includes filename 42, file size, file attributes, and starting cluster number 48a (Fig. 2).
- File hiding system 10 jumps to first FAT entry 50a (Fig. 2), at a first jump step 76.
- System 10 retrieves the value of the FAT entry, at a retrieve FAT entry step 78.
- The system compares the retrieved value to the value of the EOF marker, at an EOF check step 80. If the retrieved value is not EOF marker 52, the system interprets the value as the next cluster number (cluster number 48b, during the first pass through steps 78 to 84), and saves the cluster number in buffer 75, at a FAT entry save step 82.
- The system then uses this cluster number to follow the cluster chain and jump to the next FAT entry (FAT entry 50b, during the first pass through steps 78 to 84), at a next FAT entry jump step 84.
- The method returns to step 78, and continues to retrieve cluster numbers and add them to buffer 75 until EOF marker 52 is detected at step 80 (in FAT entry 50d, during the fourth pass through steps 78 to 84).
- Upon detecting EOF marker 52 at step 80, system 10 saves the information stored in buffer 75, including the directory information and the chain of cluster numbers, in a secure data structure, at a secure data structure creation step 86.
- The secure data structure may be, for example, an ordinary file created using the file system, or a novel data structure, such as a sector or a secret area on a storage device, which cannot ordinarily be accessed using drivers provided by the file system.
- System 10 typically encrypts the secure data structure in order to prevent access to the data structure except by the user through system 10.
- The secure data structure is typically stored on storage device 24, on a removable storage medium, such as a floppy disk, and/or on a remote storage device.
- System 10 optionally compresses the secure data structure.
- The system removes directory entry 40 from the directory on storage device 24, at a remove directory entry step 88.
- The value of each of the FAT entries identified and buffered at steps 76 through 84 is typically changed to a value indicative of a "bad" cluster, at a mark FAT entries step 90.
- The "bad" cluster values are typically 0x0FFFFFF7, 0xFFF7, and 0x0FF7 for FAT32, FAT16, and FAT12, respectively.
- Alternatively, these FAT entries are populated with another identifying marker that prevents file system access to the clusters.
- Hidden files do not appear in any directory. Attempts to read data of hidden files directly from storage device 24 typically fail, because the operating system is generally unable to access clusters it believes are "bad". For the same reason, data of hidden files are also typically protected against accidental or deliberate deletion by users, viruses that seek to damage data, and unauthorized access or tampering by hackers. In addition, normal formatting methods do not affect the data of the hidden files.
- Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention.
- System 10 uses this method to unhide a data structure, such as a file or directory, that was hidden using the method described hereinabove with reference to Fig. 3.
- At a file selection step 100, the user selects at least one previously hidden file to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
- Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art.
- System 10 locates the secure data structure previously created at step 86, described hereinabove with reference to Fig. 3. If the secure data structure has been stored on a removable storage medium or remotely, the user must provide access to the secure data structure before the system performs step 102.
- The system decrypts and/or decompresses the secure data structure, as appropriate, and loads the contents of the secure data structure into memory 28, including the information that was stored in the hidden file's directory entry and the FAT cluster chain data.
- System 10 uses the directory information to create a new directory entry for the hidden file in the directory in which the hidden file was originally located, at a create directory entry step 104. If the original directory no longer exists, system 10 typically creates a replacement directory having the same name as the original directory. This new directory entry is typically identical to the original directory entry of the hidden file (including the reference to starting cluster number 48b) that was deleted at step 88, as described hereinabove with reference to Fig. 3.
- The system jumps to the first FAT entry of the hidden file (FAT entry 50a of Fig. 2), at a first jump step 106.
- The system checks whether this FAT entry represents the last cluster in the cluster chain of the hidden file, at a last cluster check step 108. If the FAT entry is not the last entry, the system stores the value of the next cluster in the FAT entry, as read from the FAT cluster chain data stored in the secure data structure, at a store next cluster step 110. (In the example shown in Fig. 2, the system stores cluster number 48b in FAT entry 50a at step 110.)
- The system jumps to the next FAT entry (FAT entry 50b, during the first pass through steps 108 to 112), at a next FAT entry jump step 112.
- The method returns to step 108, and continues to store cluster numbers in FAT entries until the last cluster is detected at step 108.
- Upon detecting the last cluster at step 108, the system stores EOF marker 52 in the current FAT entry, at a store EOF marker step 114. (In the example shown in Fig. 2, EOF marker 52 is stored in FAT entry 50d at step 114.) At this point, assuming no errors occurred, the system has typically restored the directory entry and FAT entries for the unhidden file to precisely the same values as before the file was hidden using the method described hereinabove with reference to Fig. 3. At an inform user step 116, the system returns to the user interface and informs the user that the file has been successfully unhidden, or, if not, that an error has occurred.
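The hide and unhide procedures of Figs. 3 and 4, carried through on an in-memory FAT16 model, as an added example that is not the patent's code. The four-cluster sample file, the `bad_clusters` forensic check and the refusal to restore over a cluster that is no longer marked bad are constructed for illustration; the marker values are the ones the page gives.

```python
"""Added example: in-memory model of the FAT16 hide/unhide procedure (Figs. 3, 4)."""
from dataclasses import dataclass, field

FREE = 0x0000
BAD16 = 0xFFF7   # "bad cluster" value the page gives for FAT16
EOF16 = 0xFFFF   # end-of-chain marker; any FAT16 entry >= 0xFFF8 is EOF


def is_eof(value: int) -> bool:
    return value >= 0xFFF8


@dataclass
class DirEntry:
    """Directory information buffered at step 74: name, size, attributes, start cluster."""
    name: str
    size: int
    attrs: int
    start_cluster: int


@dataclass
class Volume:
    fat: list                                      # index = cluster number, value = entry
    directory: dict = field(default_factory=dict)  # filename -> DirEntry


def walk_chain(fat: list, start: int) -> list:
    """Steps 76-84: follow the chain from the start cluster until an EOF marker.
    Raises on a free or "bad" entry or a loop, which is what an ordinary driver
    runs into once the file's entries have been marked bad at step 90."""
    chain, cur = [start], start
    while not is_eof(fat[cur]):
        nxt = fat[cur]
        if nxt in (FREE, BAD16) or nxt in chain:
            raise ValueError(f"chain broken at cluster {cur} (entry {nxt:#06x})")
        chain.append(nxt)
        cur = nxt
    return chain


def hide_file(vol: Volume, name: str) -> dict:
    """Steps 72-90: buffer entry and chain, remove the entry, mark clusters bad.
    Returns the secure data structure (a plain dict here; the page encrypts it)."""
    entry = vol.directory[name]
    chain = walk_chain(vol.fat, entry.start_cluster)
    secure = {"entry": entry, "chain": chain}
    del vol.directory[name]                        # step 88
    for cluster in chain:                          # step 90
        vol.fat[cluster] = BAD16
    return secure


def unhide_file(vol: Volume, secure: dict) -> None:
    """Steps 104-114: recreate the directory entry and rebuild the chain. Refuses
    if a cluster is no longer marked bad (constructed guard for the page's
    'assuming no errors occurred'), since the file system may have reused it."""
    entry, chain = secure["entry"], secure["chain"]
    for cluster in chain:
        if vol.fat[cluster] != BAD16:
            raise ValueError(f"cluster {cluster} is no longer marked bad")
    vol.directory[entry.name] = entry              # step 104
    for cur, nxt in zip(chain, chain[1:]):         # steps 108-112
        vol.fat[cur] = nxt
    vol.fat[chain[-1]] = EOF16                     # step 114


def bad_clusters(fat: list) -> list:
    """Forensic check: a run of "bad" entries on media that reports no defects is
    the signature of this technique (and of a secure structure parked behind it)."""
    return [c for c, v in enumerate(fat) if v == BAD16]


def sample_volume() -> Volume:
    """Constructed volume mirroring Fig. 2: one file chained 3 -> 5 -> 7 -> 9."""
    fat = [FREE] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF                # reserved first two entries
    fat[3], fat[5], fat[7], fat[9] = 5, 7, 9, EOF16
    vol = Volume(fat=fat)
    vol.directory["SECRET.TXT"] = DirEntry("SECRET.TXT", 2048, 0x20, 3)
    return vol
```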
- In an alternative embodiment, system 10 hides the data of a file but leaves the file's directory entry visible.
- System 10 typically achieves this outcome using the hiding method described hereinabove with reference to Fig. 3.
- The system modifies starting cluster number 48a of the directory entry, such as by changing the cluster number to an EOF marker.
- As a result, the file system is not able to find the cluster chain associated with the hidden file.
- The system also typically skips step 74, because the directory information remains in its original directory entry.
- To unhide such a file, system 10 typically uses the unhiding method described hereinabove with reference to Fig. 4. Instead of creating a directory entry at step 104, the system restores starting cluster number 48a to the existing directory entry.
- System 10 is configured to enable unhiding of hidden files even after storage device 24 has been formatted using some formatting techniques.
- System 10 marks the clusters on storage device 24 that contain the data of the secure data structure. Such marking may be performed, for example, by including a special marker within the data, such as a unique sequence of two or more bytes.
- System 10 stores the FAT entries associated with the secure data structure, and changes the values of these FAT entries to a value indicative of a "bad" cluster, typically using techniques similar to those described hereinabove with reference to steps 76 through 86 of Fig. 3.
- When it needs to access the secure data structure, system 10 restores the stored FAT entries associated with the secure data structure, typically using techniques similar to those described hereinabove with reference to steps 106 through 114 of Fig. 4. Therefore, when system 10 is not currently accessing the secure data structure, the FAT entries associated with the secure data structure are indicative of "bad" clusters.
- Some formatting techniques format by resetting values in FAT 46, but do not disturb FAT entries indicative of "bad" clusters, and do not erase computer data 22 stored in the clusters of storage device 24. Such formatting techniques do not affect the FAT entries associated with the secure data structure, because these entries are marked as "bad".
- After such formatting, system 10 attempts to identify the FAT entries and clusters in which the secure data structure is stored, by searching storage device 24 for clusters that contain the special marker included in the data of the secure data structure. Typically, to reduce search time, system 10 searches only clusters the FAT entries of which are marked "bad". Once the secure data structure has been found, system 10 creates a new directory entry for the data structure, and stores the file's cluster chain. This cluster chain is restored in FAT 46 when the system needs to access the secure data structure, as described above.
- Methods similar to those described hereinabove with reference to Figs. 2, 3, and 4 are implemented for hiding a file stored using the NTFS file system.
- The file's data is hidden, at least in part, by modifying entries in one or more metadata MFT files, such as the $BadClus or $Bitmap files, which are described hereinbelow with reference to Figs. 5A and 5B.
- The system modifies references to clusters in which the data is stored, thereby generally blocking access to the clusters by the file system and the operating system.
- This technique is implemented in conjunction with the file hiding and unhiding techniques described hereinbelow with reference to Figs. 6, 7, and 8.
- Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file.
- The first sixteen records of the MFT are always reserved for the volume's metadata files.
- The $BadClus metadata file contains a list of all clusters on the volume that have been marked by the file system as "bad". Because of the importance of these metadata files to the integrity of the partition and the operating system, the file system typically ensures that these metadata files are highly reserved and completely restricted to all but core file system and operating system functions.
- Fig. 6 is a schematic illustration of a Master File Table (MFT) 120 used by an NTFS file system.
- A special systems files section 122 consists of the first sixteen records of MFT 120 (records 0 through 15), as described hereinabove with reference to Fig. 1.
- An ordinary user files section 124 consists of the remaining records 16 through n of the MFT.
- Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention.
- Although this embodiment is described herein with reference to Microsoft's NTFS file system, the embodiment is broadly applicable to other file systems that use similar structures, including, but not limited to, some UNIX and LINUX file systems.
- Upon the first initialization of system 10, it creates a special directory 126 (referred to herein as "Directory X"), at an initialization step 128.
- To create Directory X 126, system 10 typically first creates a parent directory 130 in ordinary user files section 124 of MFT 120 (Fig. 6), in a record 132 selected by the file system.
- System 10 then creates Directory X 126 as a child of parent directory 130, in ordinary user files section 124, in a record 134 selected by the file system.
- System 10 typically randomly generates the name of Directory X 126.
- Directly accessing storage device 24 (i.e., without using standard NTFS drivers), system 10 moves parent directory 130 from record
- MFT records 11 through 15 are generally unused by the file system.
- The inventors have found that MFT records 12 through 14 in particular give good results.
- Standard NTFS drivers do not provide access to special systems files section 122 for non-system programs.
- system 10 uses the novel approach of directly accessing the storage device sectors of record 136, without using the standard MFT drivers.
- Parent directory 130 thus generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods.
- Directory X 126 generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods.
- System 10 is able to access Directory X 126 by (a) looking up the name of Directory X 126 in parent directory 130, using novel direct access techniques, and (b) using the name of Directory X 126 to locate and access the directory, using standard NTFS drivers.
- In an alternative embodiment, system 10 creates Directory X 126 in an NTFS metadata MFT record that is not used by the NTFS file system, such as record 136. In this case, system 10 accesses Directory X 126 using novel direct access techniques. (In this embodiment, the system does not create or use parent directory 130.)
- NTFS stores information regarding each user data structure in a file record in an ordinary MFT record.
- A user selects at least one data structure to be hidden, such as a file, directory, or shortcut. Typically, the user performs this selection using the user interface described hereinbelow with reference to Fig. 9.
- The selected data structure has a corresponding MFT file record.
- The selected file's corresponding file record is a file record 140, which is stored in a record m 142.
- System 10 typically encrypts the name of file record 140, at an encrypt file name step 144. The system stores the new name of the file record in a key file 145 (Fig.
- At a move file record step 148, the system moves file record 140 from its original directory to Directory X 126.
- Moving file record 140 is performed by moving the reference to file record 140 from the file record's original directory to Directory X; file record 140 remains in its original record m 142.
- If Directory X 126 is located in regular MFT record 134, system 10 uses standard NTFS drivers to access Directory X. On the other hand, if Directory X 126 is located in unused metadata MFT record 136, the system uses the novel direct access techniques described hereinabove for accessing Directory X.
- The system encrypts one or more attributes of file record 140 before or after moving it to Directory X.
- Once moved to Directory X, file record 140 is generally inaccessible to the file system and the operating system, because the file system does not have access to the directory path leading to file record 140. Furthermore, if file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, system 10 maintains these pointers and leaves the non-resident data unmodified on the storage device. However, once file record 140 is hidden, the file system no longer has access to the reference pointers. As a result, the file system is unaware of the location of this data, and is therefore unable to access the data.
- Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file corresponding to file record 140, in accordance with an embodiment of the present invention.
- The system uses this method to unhide a data structure, such as a file, directory, or shortcut, that was hidden using the method described hereinabove with reference to Fig. 7.
- At a file selection step 150, the user selects at least one previously hidden data structure, such as a file, directory, or shortcut, to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
- Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art.
- System 10 locates and loads the encrypted name stored in key file 145 of Directory X 126 (Fig. 6), as described hereinabove with reference to step 146 of Fig. 7. Using this name information, system 10 decrypts the encrypted name in order to restore the original name of file record 140, at a restore name step 154, and decrypts the file record if necessary. System 10 moves file record 140 out of Directory X 126 back into the original directory in which file record 140 was stored prior to hiding, at a move file record step 156. Moving file record 140 is performed by moving the reference to file record 140 from Directory X to the file record's original directory; file record 140 remains in its original record m 142.
- If Directory X 126 is located in regular MFT record 134, system 10 uses standard NTFS drivers to access Directory X. On the other hand, if Directory X 126 is located in unused metadata MFT record 136, the system uses the novel direct access techniques described hereinabove for accessing Directory X.
- File record 140 is now unhidden. If file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, the operating system is again able to access this non-resident data, which was not modified by the hiding and unhiding of file record 140.
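An added example, not from the patent, showing how an examiner could spot the Fig. 7 arrangement on a modelled MFT: the table is walked from $Root the way an ordinary driver would (never descending into the reserved records 0 through 15), and in-use records among 11 through 15 plus user records that no directory path reaches are reported. The record layout, the names, and the assumption that the root index keeps an entry pointing at the moved parent directory are constructed.

```python
"""Added example: reachability audit of a modelled MFT after the Fig. 7 hiding step."""
from dataclasses import dataclass, field

ROOT = 5                          # $Root is MFT record 5
RESERVED = range(0, 16)           # first sixteen records hold the metadata files (page)
UNUSED_RESERVED = range(11, 16)   # records 11..15: reserved but unused by the file system


@dataclass
class MftRecord:
    in_use: bool = False
    is_dir: bool = False
    name: str = ""
    children: list = field(default_factory=list)   # index entries: child record numbers


def visible_records(mft: list) -> set:
    """Records an ordinary directory walk from $Root reaches. Standard NTFS drivers
    give non-system programs no access to the reserved section, so a directory that
    sits in records 0..15 is listed but never expanded (modelled after the page)."""
    seen, stack = set(), [ROOT]
    while stack:
        n = stack.pop()
        if n in seen or not 0 <= n < len(mft) or not mft[n].in_use:
            continue
        seen.add(n)
        if mft[n].is_dir and (n == ROOT or n not in RESERVED):
            stack.extend(mft[n].children)
    return seen


def audit_mft(mft: list) -> tuple:
    """Two indicators of the Fig. 7 technique: in-use records among 11..15, and
    user records (16 and up) that no path from $Root reaches (orphans)."""
    used_reserved = [n for n in UNUSED_RESERVED if n < len(mft) and mft[n].in_use]
    visible = visible_records(mft)
    orphans = [n for n, r in enumerate(mft) if n >= 16 and r.in_use and n not in visible]
    return used_reserved, orphans


def sample_mft(hidden: bool) -> list:
    """Constructed 20-record MFT. Before hiding, parent directory 130 is user record 17
    and Directory X (record 19) is empty. After hiding, the parent has been moved into
    reserved record 13 and Directory X indexes the hidden file record 140 (record 18)."""
    mft = [MftRecord(True, False, f"$meta{n}") for n in range(11)]
    mft += [MftRecord() for _ in range(9)]              # records 11..19, initially free
    mft[16] = MftRecord(True, True, "docs", [18])
    mft[18] = MftRecord(True, False, "report.txt")
    mft[19] = MftRecord(True, True, "k3q9z", [])         # Directory X, random name
    mft[17] = MftRecord(True, True, "parent130", [19])
    mft[ROOT] = MftRecord(True, True, "$Root", [16, 17])
    if hidden:
        mft[13], mft[17] = mft[17], MftRecord()          # move parent into record 13
        mft[ROOT].children = [16, 13]                    # assumed: root index follows it
        mft[16].children.remove(18)                      # reference leaves old directory
        mft[19].children.append(18)                      # Directory X now holds it
        mft[18].name = "<encrypted>"                     # name encrypted at step 144
    return mft
```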
- Fig. 9 is a schematic illustration of a sample screen image 300 provided by a user interface (UI) of system 10 for use by a user in hiding and unhiding data structures, such as files, directories, links, and shortcuts, in accordance with an embodiment of the present invention.
- Hidden data structures are typically organized in groups 302, which are listed in a group list 304.
- A user typically creates a new group by clicking a "Create Group" command in a "Groups" menu 306 of a main menu 308.
- In order to select the at least one data structure to be hidden, as described hereinabove with reference to step 70 of Fig. 3 and step 138 of Fig. 7, the user typically:
- In order to select one or more data structures for unhiding, as described hereinabove with reference to step 100 of Fig. 4 and step 150 of Fig. 8, the user typically selects one of groups 302 in group list 304. The user then clicks on a "Restore Group" command in "Groups" menu 306 of main menu 308, or clicks on an "Unhide" icon 318 on a toolbar 320.
Priority Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2003227314A AU2003227314A1 (en) | 2002-04-03 | 2003-04-02 | Protection of data by hiding the data |

Applications Claiming Priority (4)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US36932702P | 2002-04-03 | 2002-04-03 | |
| US60/369,327 | 2002-04-03 | | |
| US40611602P | 2002-08-27 | 2002-08-27 | |
| US60/406,116 | 2002-08-27 | | |

Publications (1)

| Publication Number | Publication Date |
|---|---|
| WO2003083670A1 (fr) | 2003-10-09 |

Family ID=28678268

Family Applications (1)

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/IL2003/000273 WO2003083670A1 (fr) | 2002-04-03 | 2003-04-02 | Protection of data by hiding the data |

Country Status (2)

| Country | Link |
|---|---|
| AU (1) | AU2003227314A1 (fr) |
| WO (1) | WO2003083670A1 (fr) |
2003

- 2003-04-02 AU AU2003227314A patent/AU2003227314A1/en not_active Abandoned
- 2003-04-02 WO PCT/IL2003/000273 patent/WO2003083670A1/fr not_active Application Discontinuation
Also Published As

| Publication Number | Publication Date |
|---|---|
| AU2003227314A1 (en) | 2003-10-13 |
Legal Events

| Code | Title | Description |
|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| 122 | Ep: pct application non-entry in european phase | |
| NENP | Non-entry into the national phase | Ref country code: JP |
| WWW | Wipo information: withdrawn in national office | Country of ref document: JP |