Data hiding in the NTFS file system

In this paper we examine the methods of hiding data in the NTFS file system. Further we discuss the analysis techniques which can be applied to detect and recover data hidden using each of these methods. We focus on sophisticated data hiding where the goal is to prevent detection by forensic analysis. Obvious data hiding techniques, for example setting the hidden attribute of a file, will not be included. Hidden data can be further obfuscated by file system independent approaches like data encryption and steganography. This paper is only concerned with the methods which are made possible by the structure of the NTFS file system, and with the recovery of hidden data, not its interpretation.