WO2003083670A1 - Protection of data by hiding the data - Google Patents

Info

Publication number
WO2003083670A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
directory
record
file table
computer
Prior art date
Application number
PCT/IL2003/000273
Other languages
French (fr)
Inventor
Micha Kaufman
Derek Phelps
Yevgeniy Vasyuk
Original Assignee
Invisicom, Inc.
Priority date
Filing date
Publication date
Application filed by Invisicom, Inc.
Priority to AU2003227314A
Publication of WO2003083670A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors

Definitions

  • the present invention relates generally to computer file systems, and specifically to methods, systems, and software products for preventing unauthorized access to data stored using file systems.
  • a file system is the structure in which computer files are named, stored, and organized. File systems are implemented on storage devices, such as hard disk drives. File systems typically allocate space on storage devices in clusters, which are groups of sectors on the storage device. A file is stored in one or more clusters, depending on the size of the file. File systems generally record information about files, including the locations of the files on a storage device, in a file table. Some file systems, such as Microsoft's FAT file system (including FAT12, FAT16, and FAT32), maintain a centralized reference index in the file table, as well as a reference index to the locations of bad and free blocks located on the storage device.
  • a reference index is a reference system in which the location of stored data on a storage device is referenced by using pointers to the cluster or clusters in which the data is stored.
  • Other file systems, such as Microsoft's NTFS and some UNIX and LINUX file systems, store reference pointers separately for each file in the file table.
  • FAT file system keeps track of where each file resides by using a reference index called a file allocation table (FAT).
  • FAT contains an entry for every cluster on the storage device.
  • the FAT file system reads the file's entry in a directory, and retrieves the file's starting cluster number.
  • the file system looks in the FAT entry for this cluster number. This entry either contains the cluster number of the next cluster of the file, or, if this cluster is the last cluster of the file, an end-of-file (EOF) marker.
  • the file system assembles the file using the resulting chain of cluster numbers.
  • the clusters of a file are not necessarily contiguous on the storage device, i.e.
  • the file system sometimes determines that at least one sector in a cluster is not able to accurately store data, e.g., because of a physical defect on the surface of a disk. Upon making such a determination, the file system marks the entire cluster as unusable by recording a "bad" value in the cluster's corresponding entry in the FAT.
  • the NTFS file system stores nearly every file system structure as a file, including the structures used to manage the partition and maintain statistics and control information about the partition itself.
  • a partition is a logical division of a storage device, such as a hard disk, created when the storage device is formatted.
  • the control information is stored in a set of special files that are initially constructed when an NTFS partition is first created. These special files are called metadata files, and include such items as lists of files on the partition, volume information, and cluster allocations.
  • MFT Master File Table
  • the MFT is an array of records, each of which holds data about a particular file.
  • Each of these file records contains a collection of the file's attributes, such as a filename, a security descriptor, and a data attribute (which represents the file's data).
  • Embodiments of the present invention provide a method for protecting and preventing unauthorized access to computer data stored on a storage device using a file system.
  • the method comprises hiding the data by changing information regarding the location and/or existence of the data, without necessarily encrypting or otherwise altering the data itself. Once the data is hidden, the existence of the data is unknown to non-system programs, and the data is thus generally inaccessible to user applications. An authorized user can restore the data by replacing the reference information about the data, which is stored for this purpose during hiding.
  • the method for hiding the data comprises modifying file allocation table (FAT) entries corresponding to clusters of the storage device in which the data is stored, and saving and deleting the directory entry of the file containing the data.
  • FAT entries are typically changed to values indicative of "bad" clusters. The file system therefore ignores these clusters, neither reading nor writing to them.
  • hiding the data comprises modifying another type of reference index, such as a $BadClus file used by NTFS for listing "bad" clusters, or another NTFS metadata Master File Table (MFT) file. Metadata MFT files are normally inaccessible to application programs, without using the techniques described herein.
  • the method for hiding the data comprises creating a hidden directory in an NTFS metadata MFT record that is otherwise unused, such as the 14th record.
  • the hidden directory is created in an ordinary MFT record, and a parent directory to the hidden directory is created in an unused metadata MFT record.
  • To hide a file, the file's corresponding file record is moved from its original directory to the hidden directory. Because information stored in the metadata MFT records is hidden and generally inaccessible to non-system programs, commands, and access methods, the operating system is unaware of the hidden directory. As a result, the file record in the hidden directory is generally inaccessible to user applications. Moving the file record from the hidden directory back to the file's original directory restores access to the data. For additional security, the file record is optionally encrypted before being stored in the hidden directory.
  • a method for preventing unauthorized access to computer data stored on a storage device having a file table including: saving, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored; and modifying one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
  • the file table entries include file allocation table (FAT) entries.
  • saving the chain of cluster numbers includes: marking secure record clusters of the storage device, which clusters contain data of the secure record; storing one or more secure record entries of the file table corresponding to the secure record clusters; and populating each of the secure record file table entries with a value indicative of a bad cluster.
  • the file table entries include entries in an NTFS metadata Master File Table (MFT) file. Modifying each of the file table entries may include populating the file table entry with a value indicative of a bad cluster.
  • saving the chain of cluster numbers includes encrypting the secure data structure.
  • modifying the file table entries includes identifying the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device. Identifying the file table entries may include identifying a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data. Identifying the file table entries to be modified may include terminating the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
  • the secure data structure is located external to the file table.
  • the method includes modifying a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
  • the method includes deleting a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
  • the directory entry contains metadata with respect to the data structure, and deleting the directory entry includes saving at least a portion of the metadata before deleting the directory entry. Saving the portion of the metadata may include encrypting the portion of the metadata.
  • a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method including: creating a directory in one of the metadata file table records that is not used by the file system; and moving the file record to the directory.
  • the file table includes a Master File Table (MFT).
  • the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
  • the metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
  • creating the directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
  • moving the file record includes encrypting one or more attributes of the file record.
  • moving the file record includes encrypting a name of the file record.
  • moving the file record further includes saving the encrypted name in a key file in the directory.
  • a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device including: creating a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system; creating a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; and moving the file record to the secure directory.
  • creating the parent directory in the metadata file table record includes creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
  • the file table includes a Master File
  • the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
  • the metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
  • creating the parent directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
  • moving the file record includes encrypting one or more attributes of the file record.
  • moving the file record includes encrypting a name of the file record. Encrypting the name of the file record may include saving the encrypted name in a key file in the secure directory.
  • a method for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure including: identifying one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored; saving, in a secure data structure located external to the file table, the chain of cluster numbers; populating each of the identified file table entries with a value indicative of a bad cluster; saving, in the secure data structure, at least a portion of the metadata contained in the original directory entry; and deleting the original directory entry.
  • the file table entries include file allocation table (FAT) entries.
  • the method includes unhiding the data by: creating a new directory entry in the directory; populating the new directory entry with at least some of the saved metadata; and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
  • populating the file table entries with the cluster numbers includes: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers; and populating the last one of the file table entries with an end-of-file marker.
  • a method for hiding computer data stored in a data structure on a storage device using a file system which provides a file table on the storage device that includes a file record of the data structure and metadata file table records
  • the method including: creating a parent directory in one of the metadata file table records that is not used by the file system; creating a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; encrypting a name of the file record; saving the encrypted name in a key file in the secure directory; and moving the file record to the secure directory.
  • the metadata file table includes a metadata Master File Table (MFT).
  • the method includes unhiding the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
  • a system for preventing unauthorized access to computer data including: a storage device, in which the computer data is stored, the storage device having a file table; and a computer, configured to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
  • a system for preventing unauthorized access to computer data including: a storage device, in which the computer data is stored in a data structure, using a file system, which provides a file table that includes a file record of the data structure and metadata file table records; and a computer, configured to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
  • a system for preventing unauthorized access to computer data including: a storage device, on which the computer data is stored in a data structure, using a file system, which data structure has a corresponding file record stored in a file table on the storage device; and a computer, configured to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
  • a system for hiding computer data including: a storage device, in which the computer data is stored in a data structure using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure; and a computer, configured to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
  • a system for hiding computer data including: a storage device, on which the computer data is stored in a data structure using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records; and a computer, configured to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
  • a computer software product for preventing unauthorized access to computer data stored on a storage device having a file table
  • the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
  • a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
  • a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device
  • the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
  • a computer software product for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure
  • the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
  • a computer software product for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
  • Fig. 1 is a schematic illustration of a file hiding system running on a computer workstation, in accordance with an embodiment of the present invention
  • FIG. 2 is a schematic illustration of the storage of a file using a File Allocation Table (FAT) file system, in accordance with an embodiment of the present invention
  • Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention
  • Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention
  • Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file;
  • Fig. 6 is a schematic illustration of a Master File Table (MFT) used by an NTFS file system, in accordance with an embodiment of the present invention
  • Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention
  • Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file, in accordance with an embodiment of the present invention.
  • Fig. 9 is a schematic illustration of a screen image of a graphical user interface for hiding and unhiding files, in accordance with an embodiment of the present invention.
  • Fig. 1 is a schematic illustration of a file hiding system 10 running on a computer workstation 20, in accordance with an embodiment of the present invention.
  • the file hiding system is used by a user to protect and prevent unauthorized access to computer data 22 stored on a storage device 24, using a file system 26 running in a memory 28 of the workstation.
  • File system 26 creates and maintains a file table 30 on storage device 24, for recording information about stored files, including the locations of the files on the storage device.
  • Workstation 20 typically comprises a general-purpose computer, which is programmed in software to carry out the functions described herein. This software may be downloaded to the workstation in electronic form, over a network, for example, or it may alternatively be provided on tangible media, such as magnetic or optical media or other non-volatile memory.
  • Although workstation 20 is shown locally accessing storage device 24 in Fig. 1, the workstation may also remotely access storage device 24 over a local area and/or wide area network, such as by using an agent deployed on the remote storage device or on a remote computer controlling the remote storage device.
  • Storage device as used in the present patent application and the claims, is to be understood as any device upon which a computer may store data in permanent form.
  • Examples of storage devices include, but are not limited to, external and internal devices, volatile and non-volatile memory (e.g., memory in handheld devices such as PDAs and mobile telephones), hard disk drives, floppy disk drives, removable magnetic media (e.g., USB keys), optical media, magneto-optical media, removable hard drive media, CD-ROM drives, DVD-ROM drives, and recordable (read/write) CD and DVD drives.
  • clusters are to be understood as referring to the basic units of logical storage on a storage device, regardless of whether such basic units on any particular storage device are commonly referred to as clusters in the art.
  • the term “sectors” as used in the present patent application, including the claims, is to be understood as referring to the smallest physical portion of a storage device that can be accessed, regardless of whether such portions on any particular storage device are commonly referred to as sectors in the art.
  • a cluster comprises one or more sectors.
  • file table as used in the present patent application, including the claims, is to be understood as any table, map, index, list or similar structure, which holds references, pointers, or indices to one or more locations on a storage device, in which locations data is stored.
  • Fig. 2 is a schematic illustration of the storage of a file using a File Allocation
  • Each file stored using the FAT file system has a directory entry 40, which contains information regarding the file, such as a filename 42.
  • directory entry 40 includes a cluster number field 44, which indicates the file's starting cluster number on storage device 24.
  • the FAT file system looks in directory entry 40, and retrieves the file's starting cluster number from cluster number field 44.
  • the file system looks in a FAT 46 for the FAT entry for this cluster number.
  • the file has a starting cluster number 48a, which refers to a FAT entry 50a.
  • FAT entry 50a contains a cluster number 48b, referring to a FAT entry 50b.
  • these cluster numbers (48a, 48b, 48c, etc.) form a chain of cluster numbers. This chain continues until it reaches a FAT entry (in this example a FAT entry 48d) that contains an end-of-file (EOF) marker 52, indicating that this cluster (48d) is the last cluster of the file (the EOF marker is also known as an End Of Clusterchain mark, or EOC).
  • EOF markers for FAT32, FAT16, and FAT12 are the hexadecimal values 0x0FFFFFFF, 0xFFFF, and 0x0FFF, respectively.
  • File system 26 assembles the file using the resulting chain of cluster numbers, relying on the rule that clusters on storage device 24 have cluster numbers corresponding to the numbers of the FAT entries. Therefore, since the first FAT entry of the file, FAT entry 50a, has a cluster number 48a, the first segment of the file's data is found on storage device 24 in a cluster 54a identified by cluster number 48a.
  • Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention.
  • a user selects at least one data structure to be hidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
  • the data structure may be, for example, a file or a directory.
  • File hiding system 10 locates the filename entry of the selected file in the directory structure in order to identify directory entry 40 of the file (Fig. 2), at a locate filename step 72.
  • the system saves at least a portion (typically all) of the information regarding the file from directory entry 40 in a buffer 75 in memory 28 (Fig. 1), at a buffer directory information step 74.
  • Such directory information typically includes filename 42, file size, file attributes, and starting cluster number 48a (Fig. 2).
  • file hiding system 10 jumps to first FAT entry 50a (Fig. 2), at a first jump step 76.
  • System 10 retrieves the value of the FAT entry, at a retrieve FAT entry step 78.
  • the system compares the retrieved value to the value of the EOF marker, at an EOF check step 80. If the retrieved value is not EOF marker 52, the system interprets the value as the next cluster number (cluster number 48b, during the first pass through steps 78 to 84), and saves the cluster number in buffer 75, at a FAT entry save step 82.
  • the system then uses this cluster number to follow the cluster chain and jump to the next FAT entry (FAT entry 50b, during the first pass through steps 78 to 84), at a next FAT entry jump step 84.
  • the method returns to step 78, and continues to retrieve cluster numbers and add them to buffer 75 until EOF marker 52 is detected at step 80 (in FAT entry 50d, during the fourth pass through steps 78 to 84).
  • Upon detecting EOF marker 52 at step 80, system 10 saves the information stored in buffer 75, including the directory information and the chain of cluster numbers, in a secure data structure, at a secure data structure creation step 86.
  • The secure data structure, for example, may be an ordinary file created using the file system, or a novel data structure, such as a sector or a secret area on a storage device, which cannot ordinarily be accessed using drivers provided by the file system.
  • System 10 typically encrypts the secure data structure in order to prevent access to the data structure except by the user through system 10.
  • the secure data structure is typically stored on storage device 24, on a removable storage medium, such as a floppy disk, and/or on a remote storage device.
  • System 10 optionally compresses the secure data structure.
  • the system removes directory entry 40 from the directory on storage device 24, at a remove directory entry step 88.
  • the value of each of the FAT entries identified and buffered at steps 76 through 84 is typically changed to a value indicative of a "bad" cluster, at a mark FAT entries step 90.
  • the "bad" cluster values are typically 0x0FFFFFF7, 0xFFF7, and 0x0FF7 for FAT32, FAT16, and FAT12, respectively.
  • these FAT entries are populated with another identifying marker that prevents file system access to the clusters.
  • Hidden files do not appear in any directory. Attempts to read data of hidden files directly from storage device 24 typically fail, because the operating system is generally unable to access clusters it believes are "bad". For the same reason, data of hidden files are also typically protected against accidental or deliberate deletion by users, viruses that seek to damage data, and unauthorized access or tampering by hackers. In addition, normal formatting methods do not affect the data of the hidden files.
  • Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention.
  • System 10 uses this method to unhide a data structure, such as a file or directory, that was hidden using the method described hereinabove with reference to Fig. 3.
  • At a file selection step 100, the user selects at least one previously hidden file to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
  • Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art.
  • system 10 locates the secure data structure previously created at step 86, described hereinabove with reference to Fig. 3. If the secure data structure has been stored on a removable storage medium or remotely, the user must provide access to the secure data structure before the system performs step 102.
  • the system decrypts and/or decompresses the secure data structure, as appropriate, and loads the contents of the secure data structure into memory 28, including the information that was stored in the hidden file's directory entry and the FAT cluster chain data.
  • system 10 uses the directory information to create a new directory entry for the hidden file in the directory in which the hidden file was originally located, at a create directory entry step 104. If the original directory no longer exists, system 10 typically creates a replacement directory having the same name as the original directory. This new directory entry is typically identical to the original directory entry of the hidden file (including the reference to starting cluster number 48b) that was deleted at step 88, as described hereinabove with reference to Fig. 3.
  • the system jumps to the first FAT entry of the hidden file (FAT entry 50a of Fig. 2), at a first jump step 106.
  • the system checks whether this FAT entry represents the last cluster in the cluster chain of the hidden file, at a last cluster check step 108. If the FAT entry is not the last entry, the system stores the value of the next cluster in the FAT entry, as read from the FAT cluster chain data stored in the secure data structure, at a store next cluster step 110. (In the example shown in Fig.
  • the system stores cluster number 48b in FAT entry 50a at step 110.
  • the system jumps to the next FAT entry (FAT entry 50b, during the first pass through steps 108 to 112), at a next FAT entry jump step 112.
  • the method returns to step 108, and continues to store cluster numbers in FAT entries until the last cluster is detected at step 108.
  • Upon detecting the last cluster at step 108, the system stores EOF marker 52 in the current FAT entry, at a store EOF marker step 114. (In the example shown in Fig. 2, EOF marker 52 is stored in FAT entry 50d at step 114.) At this point, assuming no errors occurred, the system has typically restored the directory entry and FAT entries for the unhidden file to precisely the same values as before the file was hidden using the method described hereinabove with reference to Fig. 3. At an inform user step 116, the system returns to the user interface and informs the user that the file has been successfully unhidden, or, if not, that an error has occurred.
  • system 10 hides the data of a file, but leaves the file's directory entry visible.
  • System 10 typically achieves this outcome using the hiding method described hereinabove with reference to Fig. 3.
  • the system modifies starting cluster number 48a of the directory entry, such as by changing the cluster number to an EOF marker.
  • the file system is not able to find the cluster chain associated with the hidden file.
  • the system also typically skips step 74, because the directory information remains in its original directory entry.
  • system 10 typically uses the unhiding method described hereinabove with reference to Fig. 4. Instead of creating a directory entry at step 104, the system restores starting cluster number 48a to the existing directory entry.
  • system 10 is configured to enable unhiding of hidden files even after storage device 24 has been formatted using some formatting techniques.
  • system 10 marks the clusters on storage device 24 that contain the data of the secure data structure. Such marking may be performed, for example, by including a special marker within the data, such as a unique sequence of two or more bytes.
  • system 10 stores the FAT entries associated with the secure data structure, and changes the values of these FAT entries to a value indicative of a "bad" cluster, typically using techniques similar to those described hereinabove with reference to steps 76 through 86 of Fig. 3.
  • system 10 restores the stored FAT entries associated with the secure data structure, typically using techniques similar to those described hereinabove with reference to steps 106 through 114 of Fig. 4. Therefore, when system 10 is not currently accessing the secure data structure, the FAT entries associated with the secure data structure are indicative of "bad" clusters.
  • Some formatting techniques format by resetting values in FAT 46, but do not disturb FAT entries indicative of "bad" clusters, and do not erase computer data 22 stored in the clusters of storage device 24. Such formatting techniques do not affect the FAT entries associated with the secure data structure, because these entries are marked as "bad".
  • system 10 attempts to identify the FAT entries and clusters in which the secure data structure is stored, by searching storage device 24 for clusters that contain the special marker included in the data of the secure data structure. Typically, to reduce search time, system 10 searches only clusters the FAT entries of which are marked "bad". Once the secure data structure has been found, system 10 creates a new directory entry for the data structure, and stores the file's cluster chain. This cluster chain is restored in FAT 46 when the system needs to access the secure data structure, as described above.
  • methods similar to those described hereinabove with reference to Figs. 2, 3, and 4 are implemented for hiding a file stored using the NTFS file system.
  • the file's data is hidden, at least in part, by modifying entries in one or more metadata MFT files, such as the $BadClus or $Bitmap files, which are described hereinbelow with reference to Figs. 5A and 5B.
  • the system modifies references to clusters in which the data is stored, thereby generally blocking access to the clusters by the file system and the operating system.
  • this technique is implemented in conjunction with the file hiding and unhiding techniques described hereinbelow with reference to Figs. 6, 7, and 8.
  • Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file.
  • the first sixteen records of the MFT are always reserved for the volume's metadata files.
  • the $BadClus metadata file contains a list of all clusters on the volume that have been marked by the file system as "bad". Because of the importance of these metadata files to the integrity of the partition and the operating system, the file system typically ensures that these metadata files are highly reserved and completely restricted to all but core file system and operating system functions.
  • Fig. 6 is a schematic illustration of a Master File Table (MFT) 120 used by an MFT.
  • a special systems files section 122 consists of the first sixteen records of MFT 120 (records 0 through 15), as described hereinabove with reference to Fig. 1.
  • An ordinary user files section 124 consists of the remaining records 16 through n of the MFT.
  • Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention.
  • this embodiment is described herein with reference to Microsoft's NTFS file system, the embodiment is broadly applicable to other file systems that use similar structures, including, but not limited to, some UNIX and LINUX file systems.
  • Upon the first initialization of system 10, system 10 creates a special directory 126 (referred to herein as "Directory X"), at an initialization step 128.
  • Directory X 126 system 10 typically first creates a parent directory 130 in ordinary user files section 124 of MFT 120 (Fig. 6), in a record 132 selected by the file system.
  • System 10 then creates Directory X 126 as a child of parent directory 130, in ordinary user files section 124, in a record 134 selected by the file system.
  • System 10 typically randomly generates the name of Directory X 126.
  • directly accessing storage device 24 i.e., without using standard NTFS drivers
  • system 10 moves parent directory 130 from record
  • MFT records 11 through 15 are generally unused by the file system.
  • the inventors have found particularly that MFT records 12 through 14 give good results.
  • Standard NTFS drivers do not provide access to special systems files section 122 for non-system programs.
  • system 10 uses the novel approach of directly accessing the storage device sectors of record 136, without using the standard MFT drivers.
  • Parent directory 130 thus generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods.
  • Directory X 126 generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods.
  • System 10 is able to access Directory X 126 by (a) looking up the name of Directory X 126 in parent directory 130, using novel direct access techniques, and (b) using the name of Directory X 126 to locate and access the directory, using standard NTFS drivers.
  • system 10 creates Directory X 126 in an NTFS metadata MFT record that is not used by the NTFS file system, such as record 136. In this case, system 10 accesses Directory X 126 using novel direct access techniques. (In this embodiment, the system does not create or use parent directory 130.)
  • NTFS stores information regarding each user data structure in a file record in an ordinary MFT record
  • a user selects at least one data structure to be hidden, such as a file, directory, or shortcut. Typically the user performs this selection using the user interface described hereinbelow with reference to Fig. 9.
  • the selected data structure has a corresponding MFT file record.
  • the selected file's corresponding file record is a file record 140, which is stored in a record m 142.
  • System 10 typically encrypts the name of file record 140, at an encrypt file name step 144. The system stores the new name of the file record in a key file 145 (Fig.
  • At a move file record step 148, the system moves file record 140 from its original directory to Directory X 126.
  • Moving file record 140 is performed by moving the reference to file record 140 from the file record's original directory to Directory X; file record 140 remains in its original record m 142.
  • Directory X 126 is located in regular MFT record 134
  • system 10 uses standard NTFS drivers to access Directory X.
  • Directory X 126 is located in unused metadata MFT record 136
  • the system uses the novel direct access techniques described hereinabove for accessing Directory X.
  • the system encrypts one or more attributes of file record 140 before or after moving it to Directory X.
  • file record 140 is generally inaccessible to the file system and the operating system, because the file system does not have access to the directory path leading to file record 140. Furthermore, if file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, system 10 maintains these pointers and leaves the non-resident data unmodified on the storage device. However, once file record 140 is hidden, the file system no longer has access to the reference pointers. As a result, the file system is unaware of the location of this data, and is therefore unable to access the data.
  • Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file corresponding to file record 140, in accordance with an embodiment of the present invention.
  • the system uses this method to unhide a data structure, such as a file, directory, or shortcut, that was hidden using the method described hereinabove with reference to Fig. 7.
  • At a file selection step 150, the user selects at least one previously hidden data structure, such as a file, directory, or shortcut, to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9.
  • Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art.
  • system 10 locates and loads the encrypted name stored in key file 145 of Directory X 126 (Fig. 6), as described hereinabove with reference to step 146 of Fig. 7. Using this name information, system 10 decrypts the encrypted name in order to restore the original name of file record 140, at a restore name step 154, and decrypts the file record if necessary. System 10 moves file record 140 out of Directory X 126 back into the original directory in which file record 140 was stored prior to hiding, at a move file record step 156. Moving file record 140 is performed by moving the reference to file record 140 from Directory X to the file record's original directory; file record 140 remains in its original record m 142.
  • Directory X 126 is located in regular MFT record 134, system 10 uses standard NTFS drivers to access Directory X. On the other hand, if Directory X 126 is located in unused metadata MFT record 136, the system uses the novel direct access techniques described hereinabove for accessing Directory X.
  • File record 140 is now unhidden. If file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, the operating system is again able to access this non-resident data, which was not modified by the hiding and unhiding of file record 140.
  • FIG. 9 is a schematic illustration of a sample screen image 300 provided by a user interface (UI) of system 10 for use by a user in hiding and unhiding data structures, such as files, directories, links, and shortcuts, in accordance with an embodiment of the present invention.
  • Hidden data structures are typically organized in groups 302, which are listed in a group list 304.
  • a user typically creates a new group by clicking a "Create Group" command in a "Groups" menu 306 of a main menu 308.
  • In order to select the at least one data structure to be hidden, as described hereinabove with reference to step 70 of Fig. 3 and step 138 of Fig. 7, the user typically:
  • In order to select one or more data structures for unhiding, as described hereinabove with reference to step 100 of Fig. 4 and step 150 of Fig. 8, the user typically selects one of groups 302 in group list 304. The user then clicks on a "Restore Group" command in "Groups" menu 306 of main menu 308, or clicks on an "Unhide" icon 318 on a toolbar 320.

Abstract

A method for preventing unauthorized access to computer data (22) stored on a storage device (24) having a file table (30, 46), includes saving, in a secure data structure, a chain of cluster numbers (48a, 48b, 48c, 48d) corresponding to clusters (54a, 54b, 54c, 54d) of the storage device (24) in which the data (22) is stored, and modifying one or more entries (50a, 50b, 50c, 50d) in the file table (30, 46) corresponding to the clusters (54a, 54b, 54c, 54d) of the storage device (24) in which the data (22) is stored, so as to inhibit the unauthorized access to the data (22) via the file table (30, 46).

Description

PROTECTION OF DATA BY HIDING THE DATA
CROSS-REFERENCE TO RELATED APPLICATIONS
The present patent application claims the benefit of (a) US Provisional Patent Application 60/369,327, filed April 3, 2002, entitled, "Method for protecting computer data by means of hiding the existence of the data," and (b) US Provisional Patent Application 60/406,116, filed August 27, 2002, entitled, "Securing data by means of hiding the data." Each of these applications includes a code appendix stored on CD-ROM. Both of these applications and the respective code appendices are incorporated herein by reference.
FIELD OF THE INVENTION
The present invention relates generally to computer file systems, and specifically to methods, systems, and software products for preventing unauthorized access to data stored using file systems.
BACKGROUND OF THE INVENTION
A file system is the structure in which computer files are named, stored, and organized. File systems are implemented on storage devices, such as hard disk drives. File systems typically allocate space on storage devices in clusters, which are groups of sectors on the storage device. A file is stored in one or more clusters, depending on the size of the file. File systems generally record information about files, including the locations of the files on a storage device, in a file table. Some file systems, such as Microsoft's FAT file system (including FAT12, FAT16, and FAT32), maintain a centralized reference index in the file table, as well as a reference index to the locations of bad and free blocks located on the storage device. A reference index is a reference system in which the location of stored data on a storage device is referenced by using pointers to the cluster or clusters in which the data is stored. Other file systems, such as Microsoft's NTFS and some UNIX and LINUX file systems, store reference pointers separately for each file in the file table.
Microsoft's FAT file system keeps track of where each file resides by using a reference index called a file allocation table (FAT). The FAT contains an entry for every cluster on the storage device. In order to access a file, the FAT file system reads the file's entry in a directory, and retrieves the file's starting cluster number. The file system then looks in the FAT entry for this cluster number. This entry either contains the cluster number of the next cluster of the file, or, if this cluster is the last cluster of the file, an end-of-file (EOF) marker. The file system assembles the file using the resulting chain of cluster numbers. In the FAT file system, the clusters of a file are not necessarily contiguous on the storage device, i.e. data on a storage device often becomes fragmented. Additionally, the file system sometimes determines that at least one sector in a cluster is not able to accurately store data, e.g., because of a physical defect on the surface of a disk. Upon making such a determination, the file system marks the entire cluster as unusable by recording a "bad" value in the cluster's corresponding entry in the FAT.
The NTFS file system, as well as other file systems such as those sometimes used with UNIX and LINUX operating systems, stores nearly every file system structure as a file, including the structures used to manage the partition and maintain statistics and control information about the partition itself. (A partition is a logical division of a storage device, such as a hard disk, created when the storage device is formatted.) The control information is stored in a set of special files that are initially constructed when an NTFS partition is first created. These special files are called metadata files, and include such items as lists of files on the partition, volume information, and cluster allocations.
Information about every file and directory on an NTFS volume, including both metadata files and user files, is stored in a file table called a Master File Table (MFT), which is similar to a relational database table. The MFT is an array of records, each of which holds data about a particular file. Each of these file records contains a collection of the file's attributes, such as a filename, a security descriptor, and a data attribute (which represents the file's data). Whenever the total size of a file's attributes is less than the size of a MFT record, all of the attributes, including the file's data, are stored in the file record. For larger files, one or more attributes, most commonly the data attribute, are stored externally to the MFT on another area of the storage device, and a pointer to the attribute is stored in the file record.
SUMMARY OF THE INVENTION
Embodiments of the present invention provide a method for protecting and preventing unauthorized access to computer data stored on a storage device using a file system. The method comprises hiding the data by changing information regarding the location and/or existence of the data, without necessarily encrypting or otherwise altering the data itself. Once the data is hidden, the existence of the data is unknown to non-system programs, and the data is thus generally inaccessible to user applications. An authorized user can restore the data by replacing the reference information about the data, which is stored for this purpose during hiding.
In some embodiments of the present invention, the method for hiding the data comprises modifying file allocation table (FAT) entries corresponding to clusters of the storage device in which the data is stored, and saving and deleting the directory entry of the file containing the data. The FAT entries are typically changed to values indicative of "bad" clusters. The file system therefore ignores these clusters, neither reading nor writing to them. Alternatively, hiding the data comprises modifying another type of reference index, such as a $BadClus file used by NTFS for listing "bad" clusters, or another NTFS metadata Master File Table (MFT) file. Metadata MFT files are normally inaccessible to application programs, without using the techniques described herein.
In some embodiments of the present invention, the method for hiding the data comprises creating a hidden directory in an NTFS metadata MFT record that is otherwise unused, such as the 14th record. Alternatively, the hidden directory is created in an ordinary MFT record, and a parent directory to the hidden directory is created in an unused metadata MFT record. To hide a file, the file's corresponding file record is moved from its original directory to the hidden directory. Because information stored in the metadata MFT records is hidden and generally inaccessible to non-system programs, commands, and access methods, the operating system is unaware of the hidden directory. As a result, the file record in the hidden directory is generally inaccessible to user applications. Moving the file record from the hidden directory back to the file's original directory restores access to the data. For additional security, the file record is optionally encrypted before being stored in the hidden directory.
There is therefore provided, in accordance with an embodiment of the present invention, a method for preventing unauthorized access to computer data stored on a storage device having a file table, the method including: saving, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored; and modifying one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
For some applications, the file table entries include file allocation table (FAT) entries. In an embodiment of the present invention, saving the chain of cluster numbers includes: marking secure record clusters of the storage device, which clusters contain data of the secure record; storing one or more secure record entries of the file table corresponding to the secure record clusters; and populating each of the secure record file table entries with a value indicative of a bad cluster.
In an embodiment of the present invention, the file table entries include entries in an NTFS metadata Master File Table (MFT) file. Modifying each of the file table entries may include populating the file table entry with a value indicative of a bad cluster.
For some applications, saving the chain of cluster numbers includes encrypting the secure data structure.
In an embodiment, modifying the file table entries includes identifying the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device. Identifying the file table entries may include identifying a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data. Identifying the file table entries to be modified may include terminating the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
In an embodiment, the secure data structure is located external to the file table. For some applications, the secure data structure includes a secure file. Saving the chain of cluster numbers may include saving the chain of cluster numbers in the secure file using a driver provided by the file system.
In an embodiment of the present invention, the method includes modifying a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
In an embodiment of the present invention, the method includes deleting a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data. For some applications, the directory entry contains metadata with respect to the data structure, and deleting the directory entry includes saving at least a portion of the metadata before deleting the directory entry. Saving the portion of the metadata may include encrypting the portion of the metadata.
There is also provided, in accordance with an embodiment of the present invention, a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method including: creating a directory in one of the metadata file table records that is not used by the file system; and moving the file record to the directory.
In an embodiment of the present invention, the file table includes a Master File Table (MFT). For some applications, the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT. The metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
In an embodiment of the present invention, creating the directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
In an embodiment, moving the file record includes encrypting one or more attributes of the file record. Alternatively or additionally, moving the file record includes encrypting a name of the file record. For some applications, moving the file record further includes saving the encrypted name in a key file in the directory.
There is still further provided, in accordance with an embodiment of the present invention, a method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device, the method including: creating a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system; creating a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; and moving the file record to the secure directory.
In an embodiment of the present invention, creating the parent directory in the metadata file table record includes creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
In an embodiment of the present invention, the file table includes a Master File Table (MFT). For some applications, the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT. The metadata file table record may be selected from the list consisting of records 12 through 14 of the MFT.
In an embodiment, creating the parent directory includes directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
For some applications, moving the file record includes encrypting one or more attributes of the file record. For some applications, moving the file record includes encrypting a name of the file record. Encrypting the name of the file record may include saving the encrypted name in a key file in the secure directory.
There is additionally provided, in accordance with an embodiment of the present invention, a method for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure, the method including: identifying one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored; saving, in a secure data structure located external to the file table, the chain of cluster numbers; populating each of the identified file table entries with a value indicative of a bad cluster; saving, in the secure data structure, at least a portion of the metadata contained in the original directory entry; and deleting the original directory entry.
In an embodiment, the file table entries include file allocation table (FAT) entries.
In an embodiment, the method includes unhiding the data by: creating a new directory entry in the directory; populating the new directory entry with at least some of the saved metadata; and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
For some applications, populating the file table entries with the cluster numbers includes: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers; and populating the last one of the file table entries with an end-of-file marker.
There is yet additionally provided, in accordance with an embodiment of the present invention, a method for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method including: creating a parent directory in one of the metadata file table records that is not used by the file system; creating a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; encrypting a name of the file record; saving the encrypted name in a key file in the secure directory; and moving the file record to the secure directory.
In an embodiment, the metadata file table includes a metadata Master File Table (MFT).
In an embodiment of the present invention, the method includes unhiding the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
There is also provided, in accordance with an embodiment of the present invention, a system for preventing unauthorized access to computer data, the system including: a storage device, in which the computer data is stored, the storage device having a file table; and a computer, configured to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
There is further provided, in accordance with an embodiment of the present invention, a system for preventing unauthorized access to computer data, the system including: a storage device, in which the computer data is stored in a data structure, using a file system, which provides a file table that includes a file record of the data structure and metadata file table records; and a computer, configured to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
There is still further provided, in accordance with an embodiment of the present invention, a system for preventing unauthorized access to computer data, the system including: a storage device, on which the computer data is stored in a data structure, using a file system, which data structure has a corresponding file record stored in a file table on the storage device; and a computer, configured to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
There is additionally provided, in accordance with an embodiment of the present invention, a system for hiding computer data, the system including: a storage device, in which the computer data is stored in a data structure using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure; and a computer, configured to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
There is yet additionally provided, in accordance with an embodiment of the present invention, a system for hiding computer data, the system including: a storage device, on which the computer data is stored in a data structure using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records; and a computer, configured to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
There is also provided, in accordance with an embodiment of the present invention, a computer software product for preventing unauthorized access to computer data stored on a storage device having a file table, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
There is further provided, in accordance with an embodiment of the present invention, a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
There is still further provided, in accordance with an embodiment of the present invention, a computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
There is additionally provided, in accordance with an embodiment of the present invention, a computer software product for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
There is yet additionally provided, in accordance with an embodiment of the present invention, a computer software product for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product including a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
The present invention will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings, in which:
BRIEF DESCRIPTION OF THE DRAWINGS
Fig. 1 is a schematic illustration of a file hiding system running on a computer workstation, in accordance with an embodiment of the present invention;
Fig. 2 is a schematic illustration of the storage of a file using a File Allocation Table (FAT) file system, in accordance with an embodiment of the present invention;
Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention;
Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention;
Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file;
Fig. 6 is a schematic illustration of a Master File Table (MFT) used by an NTFS file system, in accordance with an embodiment of the present invention;
Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention;
Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file, in accordance with an embodiment of the present invention; and
Fig. 9 is a schematic illustration of a screen image of a graphical user interface for hiding and unhiding files, in accordance with an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
System overview
Fig. 1 is a schematic illustration of a file hiding system 10 running on a computer workstation 20, in accordance with an embodiment of the present invention. The file hiding system is used by a user to protect and prevent unauthorized access to computer data 22 stored on a storage device 24, using a file system 26 running in a memory 28 of the workstation. File system 26 creates and maintains a file table 30 on storage device 24, for recording information about stored files, including the locations of the files on the storage device. Workstation 20 typically comprises a general-purpose computer, which is programmed in software to carry out the functions described herein. This software may be downloaded to the workstation in electronic form, over a network, for example, or it may alternatively be provided on tangible media, such as magnetic or optical media or other non-volatile memory. Although workstation 20 is shown locally accessing storage device 24 in Fig. 1, the workstation may also remotely access storage device 24 over a local area and/or wide area network, such as by using an agent deployed on the remote storage device or on a remote computer controlling the remote storage device.
"Storage device," as used in the present patent application and the claims, is to be understood as any device upon which a computer may store data in permanent form. Examples of storage devices include, but are not limited to, external and internal devices, volatile and non-volatile memory (e.g., memory in handheld devices such as PDAs and mobile telephones), hard disk drives, floppy disk drives, removable magnetic media (e.g., USB keys), optical media, magneto-optical media, removable hard drive media, CD-ROM drives, DVD-ROM drives, and recordable (read/write) CD and DVD drives.
Although data is generally described herein as being stored in clusters on storage device 24, the term "clusters" as used in the present patent application, including the claims, is to be understood as referring to the basic units of logical storage on a storage device, regardless of whether such basic units on any particular storage device are commonly referred to as clusters in the art. Similarly, the term "sectors" as used in the present patent application, including the claims, is to be understood as referring to the smallest physical portion of a storage device that can be accessed, regardless of whether such portions on any particular storage device are commonly referred to as sectors in the art. A cluster comprises one or more sectors.
The term "file table," as used in the present patent application, including the claims, is to be understood as any table, map, index, list or similar structure, which holds references, pointers, or indices to one or more locations on a storage device, in which locations data is stored.
First embodiment - File Allocation Table (FAT)
Fig. 2 is a schematic illustration of the storage of a file using a File Allocation Table (FAT) file system, in accordance with an embodiment of the present invention. Although this embodiment is described herein with reference to Microsoft's FAT file system (including FAT32, FAT16, and FAT12 versions), the embodiment is not limited to this file system, but is broadly applicable to other file systems that use a file allocation table. Each file stored using the FAT file system has a directory entry 40, which contains information regarding the file, such as a filename 42. In order to keep track of where the file resides on storage device 24, directory entry 40 includes a cluster number field 44, which indicates the file's starting cluster number on storage device 24. To access the file, the FAT file system looks in directory entry 40, and retrieves the file's starting cluster number from cluster number field 44. The file system then looks in a FAT 46 for the FAT entry for this cluster number. In the example shown in Fig. 2, the file has a starting cluster number 48a, which refers to a FAT entry 50a. FAT entry 50a contains a cluster number 48b, referring to a FAT entry 50b. Taken together in order, these cluster numbers (48a, 48b, 48c, etc.) form a chain of cluster numbers. This chain continues until it reaches a FAT entry (in this example a FAT entry 48d) that contains an end-of-file (EOF) marker 52, indicating that this cluster (48d) is the last cluster of the file (the EOF marker is also known as an End Of Clusterchain mark, or EOC). For example, the EOF markers for FAT32, FAT16, and FAT12 are the hexadecimal values 0x0FFFFFFF, 0xFFFF, and 0x0FFF, respectively. File system 26 assembles the file using the resulting chain of cluster numbers, relying on the rule that clusters on storage device 24 have cluster numbers corresponding to the numbers of the FAT entries. Therefore, since the first FAT entry of the file, FAT entry 50a, has a cluster number 48a, the first segment of the file's data is found on storage device 24 in a cluster 54a identified by cluster number 48a.
Fig. 3 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data, in accordance with an embodiment of the present invention. The method is described with reference to the example file described hereinabove with reference to Fig. 2. At a file selection step 70, a user selects at least one data structure to be hidden, such as by using the user interface described hereinbelow with reference to Fig. 9. The data structure may be, for example, a file or a directory. Although the methods described herein with reference to Figs. 3 and 4 are described with respect to hiding and unhiding a file, respectively, these methods are also applicable to other data structures. File hiding system 10 locates the filename entry of the selected file in the directory structure in order to identify directory entry 40 of the file (Fig. 2), at a locate filename step 72. The system saves at least a portion (typically all) of the information regarding the file from directory entry 40 in a buffer 75 in memory 28 (Fig. 1), at a buffer directory information step 74. Such directory information typically includes filename 42, file size, file attributes, and starting cluster number 48a (Fig. 2).
Using starting cluster number 48a, file hiding system 10 jumps to first FAT entry 50a (Fig. 2), at a first jump step 76. System 10 retrieves the value of the FAT entry, at a retrieve FAT entry step 78. The system compares the retrieved value to the value of the EOF marker, at an EOF check step 80. If the retrieved value is not EOF marker 52, the system interprets the value as the next cluster number (cluster number 48b, during the first pass through steps 78 to 84), and saves the cluster number in buffer 75, at a FAT entry save step 82. The system then uses this cluster number to follow the cluster chain and jump to the next FAT entry (FAT entry 50b, during the first pass through steps 78 to 84), at a next FAT entry jump step 84. The method returns to step 78, and continues to retrieve cluster numbers and add them to buffer 75 until EOF marker 52 is detected at step 80 (in FAT entry 50d, during the fourth pass through steps 78 to 84).
Upon detecting EOF marker 52 at step 80, system 10 saves the information stored in buffer 75, including the directory information and the chain of cluster numbers, in a secure data structure, at a secure data structure creation step 86. Such secure data structure, for example, may be an ordinary file created using the file system, or a novel data structure, such as a sector or a secret area on a storage device, which cannot ordinarily be accessed using drivers provided by the file system. System 10 typically encrypts the secure data structure in order to prevent access to the data structure except by the user through system 10. The secure data structure is typically stored on storage device 24, on a removable storage medium, such as a floppy disk, and/or on a remote storage device. System 10 optionally compresses the secure data structure.
Once system 10 verifies that the buffered information has been saved, the system removes directory entry 40 from the directory on storage device 24, at a remove directory entry step 88. The value of each of the FAT entries identified and buffered at steps 76 through 84 is typically changed to a value indicative of a "bad" cluster, at a mark FAT entries step 90. For example, the "bad" cluster values are typically 0x0FFFFFF7, 0xFFF7, and 0x0FF7 for FAT32, FAT16, and FAT12, respectively. Alternatively, these FAT entries are populated with another identifying marker that prevents file system access to the clusters. After making these changes, the system returns to the user interface and informs the user of the hidden status of the file, at an inform user step 92.
Once hidden, files are generally inaccessible to the file system and the operating system. Hidden files do not appear in any directory. Attempts to read data of hidden files directly from storage device 24 typically fail, because the operating system is generally unable to access clusters it believes are "bad". For the same reason, data of hidden files are also typically protected against accidental or deliberate deletion by users, viruses that seek to damage data, and unauthorized access or tampering by hackers. In addition, normal formatting methods do not affect the data of the hidden files.
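An examiner's view of the state described above, as an added example that is not part of the patent: reading a volume image directly rather than through the file system, it follows a FAT16 cluster chain and then lists "bad"-marked entries whose clusters still contain data. The table, cluster size and cluster contents are constructed sample data, and treating populated "bad" clusters as worth review is a triage assumption, since genuinely failed clusters can also hold residue.

```python
import struct

FAT16_BAD = 0xFFF7          # "bad" cluster value for FAT16 given on the page
FAT16_EOC_MIN = 0xFFF8      # 0xFFF8-0xFFFF end a chain; the page cites 0xFFFF
FIRST_CLUSTER = 2           # FAT entries 0 and 1 are reserved
CLUSTER_SIZE = 512          # constructed: one 512-byte sector per cluster


def parse_fat16(raw):
    """Decode a FAT16 table into a list of 16-bit little-endian entries."""
    return list(struct.unpack("<%dH" % (len(raw) // 2), raw))


def walk_chain(fat, start):
    """Follow a cluster chain from a directory entry's starting cluster."""
    chain, seen, cur = [], set(), start
    while True:
        if not FIRST_CLUSTER <= cur < len(fat):
            raise ValueError("cluster %d is outside the table" % cur)
        if cur in seen:
            raise ValueError("chain loops at cluster %d" % cur)
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= FAT16_EOC_MIN:            # end-of-chain marker reached
            return chain
        if nxt == FAT16_BAD or nxt == 0:    # bad or free entry inside a chain
            raise ValueError("chain broken at cluster %d" % cur)
        cur = nxt


def read_cluster(data, n, size=CLUSTER_SIZE):
    """Return the raw bytes of cluster n from the data region of the image."""
    off = (n - FIRST_CLUSTER) * size
    return data[off:off + size]


def audit_bad_clusters(fat, data, size=CLUSTER_SIZE):
    """Group bad-marked entries into contiguous runs and note which hold data.

    Each run is a dict with its first and last cluster number and the list
    of clusters in the run whose content is not all zero bytes.
    """
    runs = []
    for n in range(FIRST_CLUSTER, len(fat)):
        if fat[n] != FAT16_BAD:
            continue
        if runs and runs[-1]["last"] == n - 1:
            runs[-1]["last"] = n
        else:
            runs.append({"first": n, "last": n, "with_data": []})
        if any(read_cluster(data, n, size)):
            runs[-1]["with_data"].append(n)
    return runs


def build_sample():
    """Constructed 16-entry FAT16 and data region (not from a real volume)."""
    fat = [0] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF          # reserved entries
    fat[2], fat[3], fat[5] = 3, 5, 0xFFFF    # visible file: 2 -> 3 -> 5
    for n in (6, 7, 9):                      # marked bad, content left in place
        fat[n] = FAT16_BAD
    fat[12] = FAT16_BAD                      # marked bad, cluster reads as zeros
    data = bytearray((len(fat) - FIRST_CLUSTER) * CLUSTER_SIZE)
    for n in (2, 3, 5, 6, 7, 9):
        off = (n - FIRST_CLUSTER) * CLUSTER_SIZE
        data[off:off + CLUSTER_SIZE] = bytes([0x40 + n]) * CLUSTER_SIZE
    return struct.pack("<16H", *fat), bytes(data)


if __name__ == "__main__":
    fat_raw, data = build_sample()
    fat = parse_fat16(fat_raw)
    print("visible chain:", walk_chain(fat, 2))
    for run in audit_bad_clusters(fat, data):
        print("bad run %d-%d, clusters with data: %s"
              % (run["first"], run["last"], run["with_data"]))
```

On a real image the FAT offset, entry width and cluster size come from the boot sector, and FAT32 entries need their top four bits masked off before comparison.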
Fig. 4 is a flow chart that schematically illustrates a method for unprotecting access to protected computer data, in accordance with an embodiment of the present invention. System 10 uses this method to unhide a data structure, such as a file or directory, that was hidden using the method described hereinabove with reference to Fig. 3. At a file selection step 100, the user selects at least one previously hidden file to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9. Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art. At a secure data structure access step 102, system 10 locates the secure data structure previously created at step 86, described hereinabove with reference to Fig. 3. If the secure data structure has been stored on a removable storage medium or remotely, the user must provide access to the secure data structure before the system performs step 102. The system decrypts and/or decompresses the secure data structure, as appropriate, and loads the contents of the secure data structure into memory 28, including the information that was stored in the hidden file's directory entry and the FAT cluster chain data.
Using the directory information, system 10 creates a new directory entry for the hidden file in the directory in which the hidden file was originally located, at a create directory entry step 104. If the original directory no longer exists, system 10 typically creates a replacement directory having the same name as the original directory. This new directory entry is typically identical to the original directory entry of the hidden file (including the reference to starting cluster number 48b) that was deleted at step 88, as described hereinabove with reference to Fig. 3.
Using the restored starting cluster number, the system jumps to the first FAT entry of the hidden file (FAT entry 50a of Fig. 2), at a first jump step 106. The system checks whether this FAT entry represents the last cluster in the cluster chain of the hidden file, at a last cluster check step 108. If the FAT entry is not the last entry, the system stores the value of the next cluster in the FAT entry, as read from the FAT cluster chain data stored in the secure data structure, at a store next cluster step 110. (In the example shown in Fig. 2, during the first pass through steps 108 to 112, the system stores cluster number 48b in FAT entry 50a at step 110.) The system jumps to the next FAT entry (FAT entry 50b, during the first pass through steps 108 to 112), at a next FAT entry jump step 112. The method returns to step 108, and continues to store cluster numbers in FAT entries until the last cluster is detected at step 108.
Upon detecting the last cluster at step 108, the system stores EOF marker 52 in the current FAT entry, at a store EOF marker step 114. (In the example shown in Fig. 2, EOF marker 52 is stored in FAT entry 50d at step 114.) At this point, assuming no errors occurred, the system has typically restored the directory entry and FAT entries for the unhidden file to precisely the same values as before the file was hidden using the method described hereinabove with reference to Fig. 3. At an inform user step 116, the system returns to the user interface and informs the user that the file has been successfully unhidden, or, if not, that an error has occurred.
In an embodiment of the present invention, system 10 hides the data of a file, but leaves the file's directory entry visible. System 10 typically achieves this outcome using the hiding method described hereinabove with reference to Fig. 3. However, at step 88, instead of deleting the directory entry, the system modifies starting cluster number 48a of the directory entry, such as by changing the cluster number to an EOF marker. As a result, the file system is not able to find the cluster chain associated with the hidden file. The system also typically skips step 74, because the directory information remains in its original directory entry. To unhide the file, system 10 typically uses the unhiding method described hereinabove with reference to Fig. 4. Instead of creating a directory entry at step 104, the system restores starting cluster number 48a to the existing directory entry.
In an embodiment of the present invention, system 10 is configured to enable unhiding of hidden files even after storage device 24 has been formatted using some formatting techniques. In this embodiment, when creating the secure data structure at step 86, as described hereinabove with reference to Fig. 3, system 10 marks the clusters on storage device 24 that contain the data of the secure data structure. Such marking may be performed, for example, by including a special marker within the data, such as a unique sequence of two or more bytes. After creating the secure data structure, system 10 stores the FAT entries associated with the secure data structure, and changes the values of these FAT entries to a value indicative of a "bad" cluster, typically using techniques similar to those described hereinabove with reference to steps 76 through 86 of Fig. 3. Before locating the secure data structure at step 102, as described hereinabove with reference to Fig. 4, system 10 restores the stored FAT entries associated with the secure data structure, typically using techniques similar to those described hereinabove with reference to steps 106 through 114 of Fig. 4. Therefore, when system 10 is not currently accessing the secure data structure, the FAT entries associated with the secure data structure are indicative of "bad" clusters. Some formatting techniques format by resetting values in FAT 46, but do not disturb FAT entries indicative of "bad" clusters, and do not erase computer data 22 stored in the clusters of storage device 24. Such formatting techniques do not affect the FAT entries associated with the secure data structure, because these entries are marked as "bad". After such formatting, system 10 attempts to identify the FAT entries and clusters in which the secure data structure is stored, by searching storage device 24 for clusters that contain the special marker included in the data of the secure data structure. 
Typically, to reduce search time, system 10 searches only clusters the FAT entries of which are marked "bad". Once the secure data structure has been found, system 10 creates a new directory entry for the data structure, and stores the file's cluster chain. This cluster chain is restored in FAT 46 when the system needs to access the secure data structure, as described above.
In an embodiment of the present invention, methods similar to those described hereinabove with reference to Figs. 2, 3, and 4 are implemented for hiding a file stored using the NTFS file system. In this embodiment, the file's data is hidden, at least in part, by modifying entries in one or more metadata MFT files, such as the $BadClus or $Bitmap files, which are described hereinbelow with reference to Figs. 5A and 5B. The system modifies references to clusters in which the data is stored, thereby generally blocking access to the clusters by the file system and the operating system. For some applications, this technique is implemented in conjunction with the file hiding and unhiding techniques described hereinbelow with reference to Figs. 6, 7, and 8.
Second embodiment - Master File Table (MFT)
Figs. 5A and 5B are tables showing NTFS metadata files, including a brief description of the function of each file. The first sixteen records of the MFT are always reserved for the volume's metadata files. For example, the $BadClus metadata file contains a list of all clusters on the volume that have been marked by the file system as "bad". Because of the importance of these metadata files to the integrity of the partition and the operating system, the file system typically ensures that these metadata files are highly reserved and completely restricted to all but core file system and operating system functions.
Fig. 6 is a schematic illustration of a Master File Table (MFT) 120 used by an NTFS file system, in accordance with an embodiment of the present invention. A special systems files section 122 consists of the first sixteen records of MFT 120 (records 0 through 15), as described hereinabove with reference to Fig. 1. An ordinary user files section 124 consists of the remaining records 16 through n of the MFT.
Fig. 7 is a flow chart that schematically illustrates a method for protecting and preventing unauthorized access to computer data stored using an NTFS file system, in accordance with an embodiment of the present invention. Although this embodiment is described herein with reference to Microsoft's NTFS file system, the embodiment is broadly applicable to other file systems that use similar structures, including, but not limited to, some UNIX and LINUX file systems.
Upon the first initialization of system 10, system 10 creates a special directory 126 (referred to herein as "Directory X"), at an initialization step 128. To create Directory X 126, system 10 typically first creates a parent directory 130 in ordinary user files section 124 of MFT 120 (Fig. 6), in a record 132 selected by the file system. System 10 then creates Directory X 126 as a child of parent directory 130, in ordinary user files section 124, in a record 134 selected by the file system. System 10 typically randomly generates the name of Directory X 126. Next, directly accessing storage device 24 (i.e., without using standard NTFS drivers), system 10 moves parent directory 130 from record 132 to an NTFS metadata MFT record 136 that is not used by the NTFS file system (thereby freeing up record 132). In current implementations of NTFS, MFT records 11 through 15 are generally unused by the file system. The inventors have found particularly that MFT records 12 through 14 give good results. Standard NTFS drivers do not provide access to special systems files section 122 for non-system programs. In order to directly access parent directory 130, system 10 uses the novel approach of directly accessing the storage device sectors of record 136, without using the standard MFT drivers. Parent directory 130 thus generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods.
Once parent directory 130 has been moved to record 136, the file system retains no references to, and does not know the name of, Directory X 126. Therefore, Directory X 126 generally cannot be accessed by the operating system or applications other than system 10, using standard file access methods. System 10, however, is able to access Directory X 126 by (a) looking up the name of Directory X 126 in parent directory 130, using novel direct access techniques, and (b) using the name of Directory X 126 to locate and access the directory, using standard NTFS drivers. Alternatively, system 10 creates Directory X 126 in an NTFS metadata MFT record that is not used by the NTFS file system, such as record 136. In this case, system 10 accesses Directory X 126 using novel direct access techniques. (In this embodiment, the system does not create or use parent directory 130.)
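From a forensic examiner's side, the placement described above leaves a visible trace: a reserved MFT record that carries directory structure. The following sketch is an added example, not part of the patent or of any product it describes; it assumes 1024-byte MFT records, 512-byte fixup sectors and the commonly documented NTFS FILE record layout, and the function names and the sample image are constructed for illustration.

```python
import struct

RECORD_SIZE = 1024   # assumed MFT record size (the common default)
SECTOR_SIZE = 512    # assumed fixup stride
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
ATTR_FILE_NAME, ATTR_INDEX_ROOT, ATTR_END = 0x30, 0x90, 0xFFFFFFFF


def apply_fixups(rec):
    """Restore the real bytes at each sector end from the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    buf = bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if end > len(buf) or buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch")
        buf[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)


def parse_record(rec):
    """Return flags, attribute types and $FILE_NAME names; None if not a FILE record."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    attrs, names = [], []
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(rec):
            break
        attrs.append(atype)
        if atype == ATTR_FILE_NAME and rec[off + 8] == 0:    # resident attribute
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if len(body) >= 0x42:
                n = body[0x40]                                # name length, UTF-16 units
                names.append(body[0x42:0x42 + 2 * n].decode("utf-16-le", "replace"))
        off += alen
    return {"flags": flags, "attrs": attrs, "names": names}


def scan_reserved(mft, first=12, last=14):
    """Flag reserved MFT records that carry directory structure.

    The default range is the one the page reports as giving good results
    (12 through 14). Widening it to 11 needs an allow-list: on NTFS 3.0 and
    later, record 11 is $Extend, which is a genuine directory.
    """
    findings = []
    for n in range(first, last + 1):
        rec = mft[n * RECORD_SIZE:(n + 1) * RECORD_SIZE]
        try:
            info = parse_record(rec)
        except (ValueError, struct.error) as exc:
            findings.append((n, "unparseable: %s" % exc))
            continue
        if info is None:
            continue
        reasons = []
        if info["flags"] & FLAG_DIRECTORY:
            reasons.append("directory flag set")
        if ATTR_INDEX_ROOT in info["attrs"]:
            reasons.append("$INDEX_ROOT present")
        if info["names"]:
            reasons.append("$FILE_NAME " + ", ".join(info["names"]))
        if reasons:
            findings.append((n, "; ".join(reasons)))
    return findings


def build_record(flags, name=None, index_root=False):
    """Constructed sample record (not real disk data), with fixups applied."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x04, 0x30, 3)       # USA at 0x30: USN + 2 sectors
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)   # first attribute at 0x38
    contents = []
    if name:
        contents.append((ATTR_FILE_NAME,
                         bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")))
    if index_root:
        contents.append((ATTR_INDEX_ROOT, bytes(0x20)))
    off = 0x38
    for atype, content in contents:
        alen = (0x18 + len(content) + 7) & ~7          # resident header is 0x18 bytes
        struct.pack_into("<IIBBHHHIH", rec, off, atype, alen, 0, 0, 0, 0, 0,
                         len(content), 0x18)
        rec[off + 0x18:off + 0x18 + len(content)] = content
        off += alen
    struct.pack_into("<I", rec, off, ATTR_END)
    rec[0x30:0x32] = b"\x01\x00"                      # update sequence number
    for i in (1, 2):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)


# Constructed images: 16 bare reserved records, then one with a directory in record 13.
CLEAN = b"".join(build_record(FLAG_IN_USE) for _ in range(16))
HIDDEN_PARENT = build_record(FLAG_IN_USE | FLAG_DIRECTORY, "parent", True)
TAMPERED = CLEAN[:13 * RECORD_SIZE] + HIDDEN_PARENT + CLEAN[14 * RECORD_SIZE:]
```

Run `scan_reserved` over the first sixteen records of an exported $MFT; any hit in the reserved range warrants a look at the raw record, since standard file access methods will not show it.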
As mentioned hereinabove in the Background of the Invention, NTFS stores information regarding each user data structure in a file record in an ordinary MFT record (i.e., an MFT record with a record number greater than 15). At a file selection step 138, a user selects at least one data structure to be hidden, such as a file, directory, or shortcut. Typically the user performs this selection using the user interface described hereinbelow with reference to Fig. 9. The selected data structure has a corresponding MFT file record. In the example shown in Fig. 6, the selected file's corresponding file record is a file record 140, which is stored in a record m 142. System 10 typically encrypts the name of file record 140, at an encrypt file name step 144. The system stores the new name of the file record in a key file 145 (Fig. 6) created in Directory X 126 for this purpose, at a store name step 146. (For the sake of simplicity, key file 145 is shown in Fig. 6 as being located in Directory X 126. Key file 145 actually is located in a regular MFT record, and only a reference to key file 145 is located in Directory X 126.)
At a move file record step 148, the system moves file record 140 from its original directory to Directory X 126. Moving file record 140 is performed by moving the reference to file record 140 from the file record's original directory to Directory X; file record 140 remains in its original record m 142. If Directory X 126 is located in regular MFT record 134, system 10 uses standard NTFS drivers to access Directory X. On the other hand, if Directory X 126 is located in unused metadata MFT record 136, the system uses the novel direct access techniques described hereinabove for accessing Directory X. Optionally, the system encrypts one or more attributes of file record 140 before or after moving it to Directory X. Once hidden, file record 140 is generally inaccessible to the file system and the operating system, because the file system does not have access to the directory path leading to file record 140. Furthermore, if file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, system 10 maintains these pointers and leaves the non-resident data unmodified on the storage device. However, once file record 140 is hidden, the file system no longer has access to the reference pointers. As a result, the file system is unaware of the location of this data, and is therefore unable to access the data.
Fig. 8 is a flow chart that schematically illustrates a method for unprotecting access to a protected file corresponding to file record 140, in accordance with an embodiment of the present invention. The system uses this method to unhide a data structure, such as a file, directory, or shortcut, that was hidden using the method described hereinabove with reference to Fig. 7. At a file selection step 150, the user selects at least one previously hidden data structure, such as a file, directory, or shortcut, to be unhidden, such as by using the user interface described hereinbelow with reference to Fig. 9. Before executing the unhiding request, system 10 typically verifies the user's access privileges to the hidden file, such as by requiring the entry of a password or by other access security techniques known in the art.
At a load name information step 152, system 10 locates and loads the encrypted name stored in key file 145 of Directory X 126 (Fig. 6), as described hereinabove with reference to step 146 of Fig. 7. Using this name information, system 10 decrypts the encrypted name in order to restore the original name of file record 140, at a restore name step 154, and decrypts the file record if necessary. System 10 moves file record 140 out of Directory X 126 back into the original directory in which file record 140 was stored prior to hiding, at a move file record step 156. Moving file record 140 is performed by moving the reference to file record 140 from Directory X to the file record's original directory; file record 140 remains in its original record m 142. If Directory X 126 is located in regular MFT record 134, system 10 uses standard NTFS drivers to access Directory X. On the other hand, if Directory X 126 is located in unused metadata MFT record 136, the system uses the novel direct access techniques described hereinabove for accessing Directory X. File record 140 is now unhidden. If file record 140 contains reference pointers to non-resident data stored in one or more clusters stored in the file area of storage device 24, the operating system is again able to access this non-resident data, which was not modified by the hiding and unhiding of file record 140.
User interface
Fig. 9 is a schematic illustration of a sample screen image 300 provided by a user interface (UI) of system 10 for use by a user in hiding and unhiding data structures, such as files, directories, links, and shortcuts, in accordance with an embodiment of the present invention. Hidden data structures are typically organized in groups 302, which are listed in a group list 304. A user typically creates a new group by clicking a "Create Group" command in a "Groups" menu 306 of a main menu 308.
In order to select the at least one data structure to be hidden, as described hereinabove with reference to step 70 of Fig. 3 and step 138 of Fig. 7, the user typically:
• selects the group in which he would like to include the at least one data structure, by clicking on the appropriate group 302 in group list 304;
• selects the at least one data structure from data structures 310 shown in a data structure view window 312, by clicking on the at least one data structure; and
• right-clicks or drags-and-drops the selected data structures into a group data structures list 314, which at any given time displays the data structures included in the selected one of groups 302.
Similarly, in order to select one or more data structures for unhiding, as described hereinabove with reference to step 100 of Fig. 4 and step 150 of Fig. 8, the user typically selects one of groups 302 in group list 304. The user then clicks on a "Restore Group" command in "Groups" menu 306 of main menu 308, or clicks on an "Unhide" icon 318 on a toolbar 320.
It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove, as well as variations and modifications thereof that are not in the prior art, which would occur to persons skilled in the art upon reading the foregoing description.

Claims

1. A method for preventing unauthorized access to computer data stored on a storage device having a file table, the method comprising: saving, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored; and modifying one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
2. A method according to claim 1, wherein the file table entries comprise file allocation table (FAT) entries.
3. A method according to claim 1, wherein saving the chain of cluster numbers comprises: marking secure record clusters of the storage device, which clusters contain data of the secure record; storing one or more secure record entries of the file table corresponding to the secure record clusters; and populating each of the secure record file table entries with a value indicative of a bad cluster.
4. A method according to claim 1, wherein the file table entries comprise entries in an NTFS metadata Master File Table (MFT) file.
5. A method according to claim 1, wherein modifying each of the file table entries comprises populating the file table entry with a value indicative of a bad cluster.
6. A method according to claim 1, wherein saving the chain of cluster numbers comprises encrypting the secure data structure.
7. A method according to any one of claims 1-6, wherein modifying the file table entries comprises identifying the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device.
8. A method according to claim 7, wherein identifying the file table entries comprises identifying a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
9. A method according to claim 7, wherein identifying the file table entries to be modified comprises terminating the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
10. A method according to any one of claims 1-6, wherein the secure data structure is located external to the file table.
11. A method according to claim 10, wherein the secure data structure comprises a secure file.
12. A method according to claim 11, wherein saving the chain of cluster numbers comprises saving the chain of cluster numbers in the secure file using a driver provided by the file system.
13. A method according to any one of claims 1-6, and comprising modifying a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
14. A method according to any one of claims 1-6, and comprising deleting a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
15. A method according to claim 14, wherein the directory entry contains metadata with respect to the data structure, and wherein deleting the directory entry comprises saving at least a portion of the metadata before deleting the directory entry.
16. A method according to claim 15, wherein saving the portion of the metadata comprises encrypting the portion of the metadata.
17. A method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method comprising: creating a directory in one of the metadata file table records that is not used by the file system; and moving the file record to the directory.
18. A method according to claim 17, wherein the file table comprises a Master File Table (MFT).
19. A method according to claim 18, wherein the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
20. A method according to claim 19, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
21. A method according to claim 17, wherein creating the directory comprises directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
22. A method according to claim 17, wherein moving the file record comprises encrypting one or more attributes of the file record.
23. A method according to claim 17, wherein moving the file record comprises encrypting a name of the file record.
24. A method according to claim 23, wherein moving the file record further comprises saving the encrypted name in a key file in the directory.
25. A method for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device, the method comprising: creating a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system; creating a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; and moving the file record to the secure directory.
26. A method according to claim 25, wherein creating the parent directory in the metadata file table record comprises creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
27. A method according to any one of claims 25-26, wherein the file table comprises a Master File Table (MFT).
28. A method according to claim 27, wherein the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
29. A method according to claim 28, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
30. A method according to claim 25, wherein creating the parent directory comprises directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
31. A method according to claim 25, wherein moving the file record comprises encrypting one or more attributes of the file record.
32. A method according to any one of claims 25-26, wherein moving the file record comprises encrypting a name of the file record.
33. A method according to claim 32, wherein encrypting the name of the file record comprises saving the encrypted name in a key file in the secure directory.
34. A method for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure, the method comprising: identifying one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored; saving, in a secure data structure located external to the file table, the chain of cluster numbers; populating each of the identified file table entries with a value indicative of a bad cluster; saving, in the secure data structure, at least a portion of the metadata contained in the original directory entry; and deleting the original directory entry.
35. A method according to claim 34, wherein the file table entries comprise file allocation table (FAT) entries.
36. A method according to claim 34, and comprising unhiding the data by: creating a new directory entry in the directory; populating the new directory entry with at least some of the saved metadata; and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
37. A method according to claim 36, wherein populating the file table entries with the cluster numbers comprises: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers; and populating the last one of the file table entries with an end-of-file marker.
38. A method for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the method comprising: creating a parent directory in one of the metadata file table records that is not used by the file system; creating a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference; encrypting a name of the file record; saving the encrypted name in a key file in the secure directory; and moving the file record to the secure directory.
39. A method according to claim 38, wherein the metadata file table comprises a metadata Master File Table (MFT).
40. A method according to claim 38, and comprising unhiding the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
41. A system for preventing unauthorized access to computer data, the system comprising: a storage device, in which the computer data is stored, the storage device having a file table; and a computer, configured to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
42. A system according to claim 41, wherein the file table entries comprise file allocation table (FAT) entries.
43. A system according to claim 41, wherein the computer is configured to save the chain of cluster numbers by: marking secure record clusters of the storage device, which clusters contain data of the secure record, storing one or more secure record entries of the file table corresponding to the secure record clusters, and populating each of the secure record file table entries with a value indicative of a bad cluster.
44. A system according to claim 41, wherein the file table entries comprise entries in an NTFS metadata Master File Table (MFT) file.
45. A system according to claim 41, wherein the computer is configured to modify each of the file table entries by populating the file table entry with a value indicative of a bad cluster.
46. A system according to claim 41, wherein the computer is configured to encrypt the secure data structure.
47. A system according to any one of claims 41-46, wherein the computer is configured to identify the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device.
48. A system according to claim 47, wherein the computer is configured to identify a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
49. A system according to claim 47, wherein the computer is configured to terminate the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
50. A system according to any one of claims 41-46, wherein the secure data structure is located external to the file table.
51. A system according to claim 50, wherein the secure data structure comprises a secure file.
52. A system according to claim 51, wherein the computer is configured to save the chain of cluster numbers in the secure file using a driver provided by the file system.
53. A system according to any one of claims 41-46, wherein the computer is configured to modify a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
54. A system according to any one of claims 41-46, wherein the computer is configured to delete a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
55. A system according to claim 54, wherein the directory entry contains metadata with respect to the data structure, and wherein the computer is configured to save at least a portion of the metadata before deleting the directory entry.
56. A system according to claim 55, wherein the computer is configured to encrypt the portion of the metadata.
57. A system for preventing unauthorized access to computer data, the system comprising: a storage device, in which the computer data is stored in a data structure, using a file system, which provides a file table that includes a file record of the data structure and metadata file table records; and a computer, configured to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
58. A system according to claim 57, wherein the file table comprises a Master File Table (MFT).
59. A system according to claim 58, wherein the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
60. A system according to claim 59, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
61. A system according to claim 57, wherein the computer is configured to create the directory by directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
62. A system according to claim 57, wherein the computer is configured to encrypt one or more attributes of the file record.
63. A system according to claim 57, wherein the computer is configured to encrypt a name of the file record.
64. A system according to claim 63, wherein the computer is configured to save the encrypted name in a key file in the directory.
65. A system for preventing unauthorized access to computer data, the system comprising: a storage device, on which the computer data is stored in a data structure, using a file system, which data structure has a corresponding file record stored in a file table on the storage device; and a computer, configured to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
66. A system according to claim 65, wherein the computer is configured to create the parent directory in the metadata file table record by creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
67. A system according to claim 65, wherein the file table comprises a Master File Table (MFT).
68. A system according to claim 67, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
69. A system according to claim 68, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
70. A system according to claim 65, wherein the computer is configured to create the parent directory by directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
71. A system according to claim 65, wherein the computer is configured to encrypt one or more attributes of the file record.
72. A system according to claim 65, wherein the computer is configured to encrypt a name of the file record.
73. A system according to claim 72, wherein the computer is configured to save the encrypted name in a key file in the secure directory.
74. A system for hiding computer data, the system comprising: a storage device, in which the computer data is stored in a data structure using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure; and a computer, configured to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
75. A system according to claim 74, wherein the file table entries comprise file allocation table (FAT) entries.
76. A system according to claim 74, wherein the computer is configured to unhide the data by: creating a new directory entry in the directory, populating the new directory entry with at least some of the saved metadata, and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
77. A system according to claim 76, wherein the computer is configured to populate the file table entries with the cluster numbers by: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers, and populating the last one of the file table entries with an end-of-file marker.
78. A system for hiding computer data, the system comprising: a storage device, on which the computer data is stored in a data structure using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records; and a computer, configured to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
79. A system according to claim 78, wherein the metadata file table comprises a metadata Master File Table (MFT).
80. A system according to claim 78, wherein the computer is configured to unhide the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
81. A computer software product for preventing unauthorized access to computer data stored on a storage device having a file table, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to save, in a secure data structure, a chain of cluster numbers corresponding to clusters of the storage device in which the data is stored, and to modify one or more entries in the file table corresponding to the clusters of the storage device in which the data is stored, so as to inhibit the unauthorized access to the data via the file table.
82. A product according to claim 81, wherein the file table entries comprise file allocation table (FAT) entries.
83. A product according to claim 81, wherein the instructions cause the computer to save the chain of cluster numbers by: marking secure record clusters of the storage device, which clusters contain data of the secure record, storing one or more secure record entries of the file table corresponding to the secure record clusters, and populating each of the secure record file table entries with a value indicative of a bad cluster.
84. A product according to claim 81, wherein the file table entries comprise entries in an NTFS metadata Master File Table (MFT) file.
85. A product according to claim 81, wherein the instructions cause the computer to modify each of the file table entries by populating the file table entry with a value indicative of a bad cluster.
86. A product according to claim 81, wherein the instructions cause the computer to encrypt the secure data structure.
87. A product according to claim 81, wherein the instructions cause the computer to identify the file table entries to be modified by following the chain of cluster numbers in the file table corresponding to the clusters of the storage device.
88. A product according to claim 87, wherein the instructions cause the computer to identify a first one of the table entries by loading a starting cluster number from a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
89. A product according to claim 87, wherein the instructions cause the computer to terminate the following of the chain of cluster numbers by detecting an end-of-file marker in one of the file table entries.
90. A product according to claim 81, wherein the secure data structure is located external to the file table.
91. A product according to claim 90, wherein the secure data structure comprises a secure file.
92. A product according to claim 91, wherein the instructions cause the computer to save the chain of cluster numbers in the secure file using a driver provided by the file system.
93. A product according to claim 81, wherein the instructions cause the computer to modify a starting cluster number of a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
94. A product according to claim 81, wherein the instructions cause the computer to delete a directory entry in a directory of the file system, which directory entry corresponds to a data structure containing the data.
95. A product according to claim 94, wherein the directory entry contains metadata with respect to the data structure, and wherein the instructions cause the computer to save at least a portion of the metadata before deleting the directory entry.
96. A product according to claim 95, wherein the instructions cause the computer to encrypt the portion of the metadata.
97. A computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to create a directory in one of the metadata file table records that is not used by the file system, and to move the file record to the directory.
98. A product according to claim 97, wherein the file table comprises a Master File Table (MFT).
99. A product according to claim 98, wherein the metadata file table record is selected from the list consisting of records 11 through 15 of the MFT.
100. A product according to claim 99, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
101. A product according to claim 97, wherein the instructions cause the computer to create the directory by directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
102. A product according to claim 97, wherein the instructions cause the computer to encrypt one or more attributes of the file record.
103. A product according to claim 97, wherein the instructions cause the computer to encrypt a name of the file record.
104. A product according to claim 103, wherein the instructions cause the computer to save the encrypted name in a key file in the directory.
105. A computer software product for preventing unauthorized access to computer data stored in a data structure on a storage device using a file system, which data structure has a corresponding file record stored in a file table on the storage device, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in a metadata file table record of the file table, which metadata file table record is not used by the file system, create a secure directory in a first ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, and move the file record to the secure directory.
106. A product according to claim 105, wherein the instructions cause the computer to create the parent directory in the metadata file table record by creating the parent directory in a second ordinary file table record of the file table, and moving the parent directory from the second ordinary file table record to the metadata file table record.
107. A product according to claim 105, wherein the file table comprises a Master File Table (MFT).
108. A product according to claim 107, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
109. A product according to claim 108, wherein the metadata file table record is selected from the list consisting of records 12 through 14 of the MFT.
110. A product according to claim 105, wherein the instructions cause the computer to create the parent directory by directly accessing sectors of the storage device, in which sectors the metadata file table record is stored, without using drivers provided by the file system.
111. A product according to claim 105, wherein the instructions cause the computer to encrypt one or more attributes of the file record.
112. A product according to claim 105, wherein the instructions cause the computer to encrypt a name of the file record.
113. A product according to claim 112, wherein the instructions cause the computer to save the encrypted name in a key file in the secure directory.
114. A computer software product for hiding computer data stored in a data structure on a storage device using a file system having a file table and a directory, which directory includes an original directory entry containing metadata with respect to the data structure, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: identify one or more file table entries in the file table corresponding to clusters of the storage device in which the data is stored, by following a chain of cluster numbers in the file table corresponding to the clusters of the storage device in which the data is stored, save, in a secure data structure located external to the file table, the chain of cluster numbers, populate each of the identified file table entries with a value indicative of a bad cluster, save, in the secure data structure, at least a portion of the metadata contained in the original directory entry, and delete the original directory entry.
115. A product according to claim 114, wherein the file table entries comprise file allocation table (FAT) entries.
116. A product according to claim 114, wherein the instructions cause the computer to unhide the data by: creating a new directory entry in the directory, populating the new directory entry with at least some of the saved metadata, and populating the entries in the file table with the cluster numbers in the saved chain of cluster numbers.
117. A product according to claim 116, wherein the instructions cause the computer to populate the file table entries with the cluster numbers by: populating all but a last one of the file table entries with the cluster numbers in the saved chain of cluster numbers, and populating the last one of the file table entries with an end-of-file marker.
118. A computer software product for hiding computer data stored in a data structure on a storage device using a file system, which provides a file table on the storage device that includes a file record of the data structure and metadata file table records, the product comprising a computer-readable medium, in which program instructions are stored, which instructions, when read by a computer, cause the computer to: create a parent directory in one of the metadata file table records that is not used by the file system, create a secure directory in an ordinary file table record of the file table, such that the parent directory holds a reference to the secure directory, and no other directory holds the reference, encrypt a name of the file record, save the encrypted name in a key file in the secure directory, and move the file record to the secure directory.
119. A product according to claim 118, wherein the metadata file table comprises a metadata Master File Table (MFT).
120. A product according to claim 118, wherein the instructions cause the computer to unhide the data by: loading the encrypted name from the key file, decrypting the encrypted name, and moving the file record from the secure directory to an original directory in which the file record was stored prior to hiding.
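The FAT hide and unhide sequence of claims 114 to 117, worked on a toy in-memory volume, as an added example that is not part of the patent text. The volume layout, the `vault` dictionary standing in for the secure data structure, all function names and the `audit_bad_clusters` check are assumptions made for illustration; the marker values are the standard FAT16 ones.

```python
# Toy in-memory FAT16 volume (constructed sample, not a real disk image).
FREE, BAD, EOF = 0x0000, 0xFFF7, 0xFFFF  # FAT16 markers; 0xFFF8-0xFFFF end a chain

def make_volume():
    fat = [0xFFF8, 0xFFFF] + [FREE] * 10          # entries 0 and 1 are reserved
    data = [bytes(4)] * 12                        # 4-byte clusters, zero-filled
    for cur, nxt, chunk in [(3, 7, b"secr"), (7, 4, b"et d"), (4, EOF, b"ata!")]:
        fat[cur], data[cur] = nxt, chunk          # one fragmented file: 3 -> 7 -> 4
    directory = {"NOTES.TXT": {"start": 3, "size": 12}}
    return fat, data, directory

def follow_chain(fat, start):
    """Walk from the directory entry's starting cluster to the end-of-file marker."""
    chain, cur = [], start
    while cur < 0xFFF8:
        if cur < 2 or cur >= len(fat) or cur in chain:
            raise ValueError(f"broken or looping chain at cluster {cur:#x}")
        chain.append(cur)
        cur = fat[cur]
    return chain

def hide(fat, directory, name, vault):
    """Claim 114: save chain and metadata outside the FAT, mark clusters bad, drop entry."""
    entry = directory[name]
    chain = follow_chain(fat, entry["start"])
    vault[name] = {"chain": chain, "meta": dict(entry)}  # plain dict; claim 86 encrypts it
    for c in chain:
        fat[c] = BAD
    del directory[name]

def unhide(fat, directory, name, vault):
    """Claims 116-117: rebuild the directory entry and relink the saved chain."""
    rec = vault[name]
    chain = rec["chain"]
    if any(fat[c] != BAD for c in chain):
        raise ValueError("FAT entries changed since hiding; refusing to relink")
    for cur, nxt in zip(chain, chain[1:]):
        fat[cur] = nxt                 # all but the last entry point to the next cluster
    fat[chain[-1]] = EOF               # the last entry gets the end-of-file marker
    directory[name] = rec["meta"]
    del vault[name]

def audit_bad_clusters(fat, data):
    """Examiner's check: clusters flagged bad that still hold non-zero content."""
    return [c for c, v in enumerate(fat) if c >= 2 and v == BAD and any(data[c])]

def read_file(fat, data, directory, name):
    entry = directory[name]
    return b"".join(data[c] for c in follow_chain(fat, entry["start"]))[:entry["size"]]
```

Calling `hide` and then `audit_bad_clusters` on the sample volume shows that the cluster contents are untouched and only the allocation metadata changes, which is why bad-cluster entries holding non-zero data are worth reviewing during an examination.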
PCT/IL2003/000273 2002-04-03 2003-04-02 Protection of data by hiding the data WO2003083670A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2003227314A AU2003227314A1 (en) 2002-04-03 2003-04-02 Protection of data by hiding the data

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US36932702P 2002-04-03 2002-04-03
US60/369,327 2002-04-03
US40611602P 2002-08-27 2002-08-27
US60/406,116 2002-08-27

Publications (1)

Publication Number Publication Date
WO2003083670A1 true WO2003083670A1 (en) 2003-10-09

Family

ID=28678268

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2003/000273 WO2003083670A1 (en) 2002-04-03 2003-04-02 Protection of data by hiding the data

Country Status (2)

Country Link
AU (1) AU2003227314A1 (en)
WO (1) WO2003083670A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1811407A2 (en) * 2006-01-11 2007-07-25 Samsung Electronics Co., Ltd. Apparatus and method of managing hidden area
CN100428260C (en) * 2006-09-21 2008-10-22 上海交通大学 Minimum invading data hidding method of computer network
DE102007018769A1 (en) 2007-04-20 2008-10-23 Giesecke & Devrient Gmbh Access to the mass storage of a portable data carrier
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system
CN111428272A (en) * 2020-04-21 2020-07-17 深圳融安网络科技有限公司 Secure access method and device of mobile storage device and storage medium
CN117194333A (en) * 2023-11-07 2023-12-08 中孚信息股份有限公司 File hiding method, system, equipment and medium based on NTFS (non-Uniform resource locator) file system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020023225A1 (en) * 2000-08-08 2002-02-21 Lomnes Randy Keith Method and system for automatically preserving persistent storage
US6356941B1 (en) * 1999-02-22 2002-03-12 Cyber-Ark Software Ltd. Network vaults

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SOLOMON D.A.: "INSIDE WINDOWS NT, second edition", 1998, MICROSOFT PRESS, XP002973611 *

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8984636B2 (en) 2005-07-29 2015-03-17 Bit9, Inc. Content extractor and analysis system
EP1811407A2 (en) * 2006-01-11 2007-07-25 Samsung Electronics Co., Ltd. Apparatus and method of managing hidden area
EP1811407A3 (en) * 2006-01-11 2014-04-23 Samsung Electronics Co., Ltd. Apparatus and method of managing hidden area
CN100428260C (en) * 2006-09-21 2008-10-22 上海交通大学 Minimum invading data hidding method of computer network
DE102007018769A1 (en) 2007-04-20 2008-10-23 Giesecke & Devrient Gmbh Access to the mass storage of a portable data carrier
CN111428272A (en) * 2020-04-21 2020-07-17 深圳融安网络科技有限公司 Secure access method and device of mobile storage device and storage medium
CN111428272B (en) * 2020-04-21 2023-06-06 深圳融安网络科技有限公司 Secure access method and device for mobile storage device and storage medium
CN117194333A (en) * 2023-11-07 2023-12-08 中孚信息股份有限公司 File hiding method, system, equipment and medium based on NTFS (non-Uniform resource locator) file system
CN117194333B (en) * 2023-11-07 2024-02-20 中孚信息股份有限公司 File hiding method, system, equipment and medium based on NTFS (non-Uniform resource locator) file system

Also Published As

Publication number Publication date
AU2003227314A1 (en) 2003-10-13

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP