Digital content is most often stored in files, which may be thought of as structured containers for data. This structure facilitates the processing and rendering of the data for human or machine consumption, and also enables the storage of metadata related to the stored content. A side effect of this structured container approach is that the stored file contains more information, sometimes much more, than the actual data that is rendered or available to the receiving human or machine. Additionally, these structures have gaps and other areas where additional data may be stored, unknown to the file owner or subsequent processor. In this paper we propose and test a non-algorithmic and file-type independent approach for hiding persistent and stealthy data in files. This approach may be used to surreptitiously tag files for attribution or tracing purposes, as well as to search for data hidden in existing files. Our approach is not algorithmic like steganography and cryptography. Rather, we take a black box approach to find candidate hiding locations, then we test each of these locations for file integrity and persistence. For our tests, we hid data in MS Word documents using the Office Open Extensible Markup Language (OOXML) format, although our work easily generalizes to other formats. We found multiple locations which allowed for the persistent and benign storage of additional data under various usage scenarios. The main contributions of this paper are: a methodology for identifying conditions favorable for hiding benign and persistent data in arbitrary file types, a methodology for testing these conditions, and empirical results using OOXML formatted files.

Ademu, I. O., Imafidon, C. O. and Preston, D. S. (2011), "A new approach of digital forensic model for digital forensic investigation", International Journal of Advanced Computer Science and Applications, 2 (12): 175–178.

Beer, R. de Stander, A. and Belle, J. (2015), "Anti-Forensics: A Practitioner Perspective", International Journal of Cyber-Security and Digital Forensics (IJCSDF), 4 (2): 390–403.

Cantrell, G. and Dampier, D. D. (2004). 'Experiments in hiding data inside the file structure of common office documents: a stegonography application'. In Proceedings of the 2004 international Symposium on information and Communication Technologies. June 16 -18. Las Vegas, NV.

Castiglione, A., D’Alessio, B., De Santis, A. and Palmieri, F. (2011), "Hiding Information into OOXML Documents: New Steganographic Perspectives", Journal of Wireless Mobile Networks Ubiquitous Computing and Dependable Applications, 2 (4): 59–83.

Castiglione, A., De Santis, A. and Soriente, C. (2007), "Taking advantages of a disadvantage: Digital forensics and steganography using document metadata", Journal of Systems and Software, 80 (5): 750–764.

Fu, Z., Sun, X. and Xi, J. (2015), "Digital forensics of Microsoft Office 2007-2013 documents to prevent covert communication", Journal of Communications and Networks, 17 (5): 525–533.

Garfinkel, S. L. and Migletz, J. J. (2009), "New XML-Based Files: Implications for Forensics", IEEE Security and Privacy. 7 (2): 38–44.

Garfinkel, S., Farrell, P., Roussev, V. and Dinolt, G. (2009), "Bringing Science to Digital Forensics with Standardized Forensic Corpora", Digital Investigation. 6 (1): S2–S11.

Jain, A. and Chhabra, G. S. (2014). 'Anti-forensics techniques: An analytical review'. In 2014 Seventh International Conference on Contemporary Computing (IC3). Aug 7-9. Noida, India.

Kessler, G. C. (2007). 'Anti-forensics and the digital investigator'. In Proceedings of the 5th Australian Digital Forensics Conference. Mar 12. WA, Australia.

Levine, D. M., and Stephan, D. F. (2014), Even You Can Learn Statistics and Analytics: An Easy to Understand Guide to Statistics and Analytics. Pearson FT Press, New Jersey.

Liu, T. Y. and Tsai, W. H. (2007), "A New Steganographic Method for Data Hiding in Microsoft Word Documents by a Change Tracking Technique", IEEE Transactions on Information Forensics and Security, 2 (1): 24–30.

Park, B., Park, J. and Lee, S. (2009), "Data concealment and detection in Microsoft Office 2007 files", Digital Investigation, 5 (3): 104 - 114.

Park, J. and Lee, S. (2009), "Forensic investigation of Microsoft PowerPoint files". Digital Investigation, 6 (1): 16–24.

Raggo, M. T. and Hosmer, C. (2013), Data hiding: exposing concealed data in multimedia, operating systems, mobile devices and network protocols. Elsevier, Waltham, Massachusetts.