Summary

In this chapter, we've looked at a variety of methods for hiding data within a live file system. In most cases, restricting those areas of the file system to which the user can write will prevent hiding data by any of these methods.

If these activities cannot be prevented through the use of access control lists, then other methods such as scanning or monitoring must be employed. However, these are only technical measures that may be used to enforce security policies.
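The first of those measures, auditing where ordinary users hold write access so that such areas can be locked down, can be checked with a short script. The following PowerShell is an added example, not code from the book; the root path and the identity it checks (`BUILTIN\Users`) are assumptions to adjust for the system under review.

```powershell
# Added example (not from the book): list directories under $Root where the
# identity in $Identity is granted any right that allows writing content.
param(
    [string]$Root     = 'C:\Program Files',   # assumed starting point
    [string]$Identity = 'BUILTIN\Users'       # assumed principal of interest
)

# Rights that permit creating, appending to or altering content in a directory.
$writeRights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::AppendData -bor
               [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_.FullName
        # Directories the current account cannot read the ACL of are skipped.
        try { $acl = Get-Acl -Path $dir -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            # Only Allow entries for the principal we are auditing matter here.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($ace.IdentityReference.Value -ne $Identity) { continue }

            # Any overlap with the write-type rights means content can be placed here.
            if (($ace.FileSystemRights -band $writeRights) -ne 0) {
                [pscustomobject]@{
                    Path      = $dir
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
```

Each row the script emits is a location where the audited principal can write; those are the areas the chapter's access-control advice would have you restrict, or, failing that, scan and monitor.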

Keep in mind that other methods of hiding data may be used. For example, when an investigator is looking for indications of certain activities, very often she will attempt to focus her efforts by using search terms and searching all files on the system for those terms. However, ...
