Chapter 3. Data Hiding

Once a system has been compromised and the attacker has gained access, there are a number of ways to hide data and executables on a live file system. Legitimate internal users can hide data or code using many of the same methods as an external attacker. The particular file system in use also plays a significant role: there are more ways to hide data on an NTFS file system than on a FAT file system. As such, this chapter will focus on hiding data in a live system, with an emphasis on the NTFS file system. Not all of the techniques described require that the file system be NTFS, and those that will not work on another file system will be clearly identified.

Topics that will not be covered include ...

Get Windows Forensics and Incident Recovery now with the O’Reilly learning platform.
