Ambiguous File System Partitions

Schneider J, Eichhorn M, Freiling F (2022)

Publication Language: English

Publication Type: Conference contribution, Conference Contribution

Publication year: 2022

Book Volume: 42

Conference Proceedings Title: Forensic Science International: Digital Investigation

Event location: On the Internet US


DOI: 10.1016/j.fsidi.2022.301399


We investigate the problem of creating ambiguous file system partitions, i.e., the possibility to have two fully functional file systems within a single file system partition. The problem is different from steganographic data hiding since there is no real distinction between content and cover data, and no translation process may be applied to the content data. Since typical file systems that occur in forensic analysis are usually unambiguous, ambiguous file system partitions may be useful corner cases in forensic tools and processes. We show that it is possible to create ambiguous file system partitions by integrating a guest file system into the structures of a host file system in two cases: We integrate a fully functional FAT32 into Ext3 and HFS+. In a third example we even integrate two guest file systems (HFS+ and FAT32) into a single Btrfs file system partition. We test common forensic tools on these examples and exhibit some deficiencies. Moreover, we develop a taxonomy of ambiguous file system partitions and argue that the existence of essential data at fixed positions still is a way to distinguish host from guest and so to heuristically reduce the ambiguity, without removing it completely.

Authors with CRIS profile

Related research project(s)

How to cite


Schneider, J., Eichhorn, M., & Freiling, F. (2022). Ambiguous File System Partitions. In Elsevier (Eds.), Forensic Science International: Digital Investigation. On the Internet, US.


Schneider, Janine, Maximilian Eichhorn, and Felix Freiling. "Ambiguous File System Partitions." Proceedings of the DFRWS USA 2022, On the Internet Ed. Elsevier, 2022.

BibTeX: Download