Title :
Development of an anti-forensic tool for hiding message in a directory index of NTFS
Author_Institution :
Department of Computer Information, Dongyang University Youngju, Republic of Korea
Abstract :
This research describes the development of a software tool for hiding a message in a directory index of the Windows NTFS file system. Hiding a message in directory index slack space is a newly proposed technique. NTFS uses a B-tree to manage the file indexes in a directory. The operating characteristics of the B-tree are utilized to hide the message in the slack space of an index record. To keep the hidden message from being revealed, we use a disguised file name for an MFT entry. To develop the tool for the proposed method, we use Visual Studio 2013 with C/C++ and MFC classes; the program is a Windows dialog-based application. The program has features to control the message length from 8 characters to n characters, to select the working path, to make a directory name, and to attach a file name prefix and suffix. We show screenshots of the developed tool and a case of hidden messages in the index record.
Keywords :
"File systems","Internet","Visualization","Blogs","Indexing","Security"
Conference_Title :
Internet Security (WorldCIS), 2015 World Congress on
DOI :
10.1109/WorldCIS.2015.7359431