Anti-forensics in ext4: On secrecy and usability of timestamp-based data hiding

Ext4 is a popular file system used by Android and many Linux distributions. With its rising pervasiveness, anti-forensic techniques like data hiding may be used to conceal data. This paper analyzes the feasibility of using timestamps of the ext4 file system to hide data. First, we examine the usage, the structure and the capacity of the available timestamps with a special focus on their sub-second granularity. The results reveal that the nanoseconds part of the ext4 timestamps can be used to build a system with steganographic strength. Second, we devise an ext4 anti-forensic technique that offers secrecy of the hidden data and easy usability in a wide range of scenarios. We provide a set of requirements (e.g., indistinguishability of regular and tampered timestamps) and a proof-of-concept implementation that is able to conceal arbitrary data within the file system timestamps. The evaluation shows that our implementation satisfies our requirements and actually works in practice.