Detecting Hidden Information in FAT

Full Text (PDF, 415KB), PP.33-43

Views: 0 Downloads: 0


Kyryl Shekhanin 1,* Alexandr Kuznetsov 1 Victor Krasnobayev 1 Oleksii Smirnov 2

1. V. N. Karazin Kharkiv National University, Svobody sq., 4, Kharkiv, 61022, Ukraine

2. Central Ukrainian National Technical University, 8 University Ave, Kropivnitskiy, 25006, Ukraine

* Corresponding author.


Received: 24 Mar. 2020 / Revised: 26 Mar. 2020 / Accepted: 30 Mar. 2020 / Published: 8 Jun. 2020

Index Terms

Hidden Information, File System, File Allocation Table, cover files, Steganographic Analysis Technique


Various steganographic methods are used to hide information. Some of them allow you to reliably hide the fact of storage and transmission of information data. This paper analysis the methods of technical steganography that are based on hiding information messages into the structure of the FAT file system by reordering particular clusters of specially selected files (cover files). These methods allow you to reliably hide information in the file system structure, while redundancy is not explicitly entered anywhere. This means that the hidden information is not explicitly contained in the service fields or individual clusters of the file system, the size of the data stored on the physical storage medium does not change. Such steganographic systems are very difficult to detect, it is almost impossible to identify the fact of hiding information by traditional methods. The steganographic analysis technique based on the study of file system properties was developed. In particular, we analyzed the fragmentation of various files stored on a physical medium, and examine the statistical properties of various types, sizes and uses of files. Identification of anomalous properties may indicate a possible reordering of clusters of individual files, i.e. this will detect hidden information. The study of these principles is important for a better understanding of the design and counteraction of steganographic systems based on the methods of reordering clusters of cover files in the structure of the FAT. Thus, this article substantiates new approaches to steganoanalysis of cluster file systems for information hidingю. They are based on a statistical analysis of file systems of various data carriers, as well as an assessment of the fragmentation level of both individual files and the entire file system.

Cite This Paper

Kyryl Shekhanin, Alexandr Kuznetsov, Victor Krasnobayev, Oleksii Smirnov, "Detecting Hidden Information in FAT", International Journal of Computer Network and Information Security(IJCNIS), Vol.12, No.3, pp.33-43, 2020. DOI: 10.5815/ijcnis.2020.03.04


[1] D. Johnson and M. Ketel, “IoT: Application Protocols and Security,” International Journal of Computer Network and Information Security, vol. 11, no. 4, pp. 1–8, Apr. 2019.

[2] M. Zaliskyi, R. Odarchenko, S. Gnatyuk, Yu. Petrova. A.Chaplits, Method of traffic monitoring for DDoS attacks detection in e-health systems and networks. CEUR Workshop Proceedings, Vol. 2255, pp. 193-204, 2018.

[3] J. A. Ojeniyi, E. O. Edward, and S. M. Abdulhamid, “Security Risk Analysis in Online Banking Transactions: Using Diamond Bank as a Case Study,” International Journal of Education and Management Engineering, vol. 9, no. 2, pp. 1–14, Mar. 2019.

[4] Gnatyuk S., Akhmetova J., Sydorenko V., Polishchuk Yu., Petryk V. Quantitative Evaluation Method for Mass Media Manipulative Influence on Public Opinion, CEUR Workshop Proceedings, Vol. 2362, pp. 71-83, 2019.

[5] T. K. Fataliyev and S. A. Mehdiyev, “Analysis and New Approaches to the Solution of Problems of Operation of Oil and Gas Complex as Cyber-Physical System,” International Journal of Information Technology and Computer Science, vol. 10, no. 11, pp. 67–76, Nov. 2018.

[6] S. Gnatyuk, M. Aleksander, P. Vorona, Yu. Polishchuk, J. Akhmetova, Network-centric Approach to Destructive Manipulative Influence Evaluation in Social Media, CEUR Workshop Proceedings, Vol. 2392, pp. 273-285, 2019.

[7] Z. Hassan, R. Odarchenko, S. Gnatyuk, A. Zaman, M. Shah, Detection of Distributed Denial of Service Attacks Using Snort Rules in Cloud Computing & Remote Control Systems, Proceedings of the 2018 IEEE 5th International Conference on Methods and Systems of Navigation and Motion Control, October 16-18, 2018. Kyiv, Ukraine, pp. 283-288.

[8] S. Gnatyuk, Critical Aviation Information Systems Cybersecurity, Meeting Security Challenges Through Data Analytics and Decision Support, NATO Science for Peace and Security Series, D: Information and Communication Security. IOS Press Ebooks, Vol.47, №3, рр.308-316, 2016.

[9] O. Hosam, “Attacking Image Watermarking and Steganography - A Survey,” International Journal of Information Technology and Computer Science, vol. 11, no. 3, pp. 23–37, Mar. 2019.

[10] H. Ogras, “An Efficient Steganography Technique for Images using Chaotic Bitstream,” International Journal of Computer Network and Information Security, vol. 11, no. 2, pp. 21–27, Feb. 2019.

[11] S. Dogan, “A New Approach for Data Hiding based on Pixel Pairs and Chaotic Map,” International Journal of Computer Network and Information Security, vol. 10, no. 1, pp. 1–9, Jan. 2018.

[12] G. P. Rajkumar and V. S. Malemath, “Video Steganography: Secure Data Hiding Technique,” International Journal of Computer Network and Information Security, vol. 9, no. 9, pp. 38–45, Sep. 2017.

[13] H.Khan, M.Javed, S.A.Khayam, F.Mirza. “Designing a cluster-based covert channel to evade disk investigation and forensics”. Computers & Security, Volume 30, Issue 1, January 2011. On-line]. Internet: S016740481000088X.

[14] H.Khan, M.Javed, S.A.Khayam, F.Mirza. “Designing a cluster-based covert channel to evade disk investigation and forensics”. Computers & Security, Volume 30, Issue 1, January 2011. [On-line]. Internet: S016740481000088X.

[15] H.Khan, M.Javed, S.A.Khayam, F.Mirza. “Evading Disk Investigation and Forensics using a Cluster-Based Covert Channel”. National University of Science & Technology (NUST), Islamabad 44000, Pakistan. [On-line]. Internet:

[16] N.Morkevičius, G.Petraitis, A.Venčkauskas, J.Čeponis. “Covert Channel for Cluster-based File Systems Using Multiple Cover Files”. Information Technology and Control, 2013, Vol.42, No.3. pp. 32. [On-line]. Internet:

[17] A. Kuznetsov, K. Shekhanin, A. Kolhatin, I. Mikheev and I. Belozertsev, "Hiding data in the structure of the FAT family file system," 2018 IEEE 9th International Conference on Dependable Systems, Services and Technologies (DESSERT), Kyiv, Ukraine, 2018, pp. 337-342. DOI: 10.1109/DESSERT.2018.8409155.

[18] K.Yu. Shekhanin, A.O. Kolhatin, E.E. Demenko, A. A. Kuznetsov. “On Hiding Data Into the Structure of the FAT Family File System.” Telecommunications and Radio Engineering, Volume 78, 2019, Issue 11, pp. 973-985. DOI: 10.1615/TelecomRadEng.v78.i11.5.

[19] Description of the FAT32 File System: Microsoft Knowledge Base Article 154997.

[20] Overview of FAT, HPFS, and NTFS File Systems: Microsoft Knowledge Base Article 100108.

[21] S. f. Liu, S. Pei, X. y. Huang and L. Tian, "File hiding based on FAT file system," 2009 IEEE International Symposium on IT in Medicine & Education, Jinan, 2009, pp. 1198-1201.

[22] J. Davis, J. MacLean and D. Dampier, "Methods of Information Hiding and Detection in File Systems," 2010 Fifth IEEE International Workshop on Systematic Approaches to Digital Forensic Engineering, Oakland, CA, 2010, pp. 66-69.

[23] "Partitioning, Partition Sizes and Drive Lettering", The PC Guide. April 17, 2001. Retrieved 2018-09-20. [On-line]. Internet:

[24] "Switches: Sector copy". Symantec. 2001-01-14. Retrieved 2018-09-20, [On-line]. Internet:

[25] D. Samanta, "Classic Data Structures", Prentice Hall India Pvt., Aug 1. 2004 p. 480, pp.76-127.