Computer scientists have developed software that hides sensitive data on hard drive, without the use of encryption, by controlling the precise disk locations containing the file's data fragments. The application, which the academic researchers said they would release as open-source software, makes use of steganography, or the …
My real comment
. . . is undetectable.
...given how long the fake comment is, your real one is probably only a couple of characters.
Remember to turn off "Housekeeping", etc.
Defrag was the first problem that crossed my thoroughly inexpert mind, and here it is:
This section discusses the limitations of the proposed covert channel based evasion approach.
2. Defragmentation or deletion of a cover file from the filesystem will result in loss of the hidden data.
Type your comment here — plain text only, no HTML
Just what we need
Another nail in the coffin for computer experts(*)
This simply means very soon that anybody who has anything to do with computers will be assumed to have the knowledge to hide things in this manner and thus must be doing so. One more reason to for law enforcement to assume we are all guilty and hiding something.
(*) DM standard definition - Anybody from the tea boy at IBM or support drones in India upwards.
@Chris W: "... Anybody from the tea boy at IBM..."
Bit out of date there - we lost the tea ladies in 1980 or so, as I recall. Not sure on balance if the decreased cost justified the loss of the feeling of ''isn't this a nice place to work?". It may actually have introduced the concept of 'work' to 'a nice place'. There were claims that the move stifled creativity arising from free form discussions around the tea trolley, however - in my hut at least - most of these discussions were about the free form of xxxx and her thigh length shiny black boots, which seemed to require special attention from a couple of managers.....
"Another nail in the coffin for computer experts"
Very good, now perhaps you could use it to write a message that is worth reading? :)
"Very good, now perhaps you could use it to write a message that is worth reading? :)"
Doesn't this reply also qualify for a request for something worthwhile to read, too?
Does my reply to reply? When will this madness end?
it does, OMG I@M GOIUNG TAUTOLOGICALLY MAD I TELL YOYU!!1!"!
Doesn't sound all that practical
Defragmentation would destroy your data. Scraping the HD for data may or may not reveal interesting stuff, but you would think that it would reveal the presense of the code used to hide or reveal the data. Cue telephone books and rubber hoses.
You could have the codec on another PC, true. So it limits this to being useful only for data transport.
Its amazing what you can pick up with just simple scraping software. I had a client who accidently re-imaged her PC from a disaster recovery partition. I got back all of her photos, (normally about 5 copies of each picture, with a couple extra of rubbish).
"Its amazing what you can pick up with just simple scraping software."
Agreed, but if you don't want it found, you can use any number of utilities to overwrite the drive, or just its free space. Especially if said hard drive is to be sold.
www.Ccleaner.com comes to mind.
This ain't new ... it's basically a variation of something like "first letter of every word spells out the real message" ... or "third letter on every odd page in book" etc .... plenty of prior art.
It really is, but you'd have to have something seriously important to hide to go to all the fuss, especially as it seems that for two people to exchange the info they would have to exchange the physical drive - suspicious in itself.
In theory it could also be made to work remotely.
So in much the same way that certain scumbags take over a web server and place fake Bank site web pages for phishing attacks, they could do something similar to a web server and store their data in a place that someone else could also get access to.
Isn't the fact that there is software installed on the computer that controls the disk locations an indication that there is something to hide? And if the software doesn't employ encryption, you would have much easier access to the data should you find it (unless the data is encrypted separately, which would be logical). And at 20 meg per 160 gig, you're rather limited on the volume of data you can store. Think we need more info on exactly how this works as I don't really see the advantages this has over a Truecrypt archive/partition, which offers complete plausible deniability (although may not be completely hidden).
Just an idea...
I would see this working one of two ways - 1) the program to do the decrypting (or whatever you want to call the piecing together of the info) is online, so you merely access a website, type in your code and it analyses your HDD. Bit of a risk that your connection might be tapped and of course of letting an external connection have full access to your HDD! However, there would be no program on your computer to alert the authorities to your hidden data.
Alternative scenario is that you only put the hidden data on external HDD's which are what is passed back and forth between different computers. The program to identify the hidden message is located on the computers, not the HDD itself. That way if your comps raided, yes they find the program identifying that maybe you have hidden data somewhere, but they also have to identify the correct external HDD and the correct password before they have any chance of finding anything...
Except that, as is almost inevitable, governments throughout the world will demand a "back door" in or make it illegal to hide ANYTHING! As has been commented, if you encrypt, then you obviously must be up to no good.
"if you encrypt, then you obviously must be up to no good"
Ah, so that's why they're always losing un-encrypted data!
its going to be Open Sourced :O
So they will sort of be able to see what its doing anyway.
Tis easier for our
Mktg Ho's to just write up some of their normal twaddle as you could hide entire universes in their communications due to the S/N BS being so high.
A bit of a snag in the papers...
They mention FAT32, NTFS and HPFS file systems as candidate systems for this technique, except...
HPFS is 'naturally defragmented'.
(HP = High Performance... Not a certain pusher of server equipment)
When a file is written to disk, it will be allocated a 'run' of consecutive sectors that fits the filesize.(A simple closest fit algorithm is used) If a single run cannot be allocated, the file-system driver will attempt to allocate as few as possible 'runs' to match the filesize. This also happens when a file is changed.
The filesystem driver not only attempts to keep files defragmented, but also tries to avoid unnecessary fragmentation of unused space.
(This really sucks when a disk is nearly full, though)
Open source? handy!
Even assuming that this technique hasn't already been 'discovered' by the Spooks, it presumably won't take long for someone to come up with a way of identifying 'cover files' or otherwise finding a way to see the secrets.
Seems the article deals with FAT filesystems only.
....Defrag isn't a problem for us using EXT3 , but, it's not directly addressed in the article. <pooh!!!!>
Here we go!
Cue "proganda panic" from law enforcement and politicians about peado-geddon coming our way in 3...2...1...
A novel idea, for sure, but I guess they haven't heard of TrueCrypt's hidden volume.
Only problem is...
... The hidden volumes I've come across tend to stick out like a sore thumb.
"You've encrypted your hard disk, but only half the total space is available, there's a hidden volume in the other half isn't there?".
Law enforcement tend to take the same view, anything less than the maximum possible disk space being available = hidden encrypted volume, and the laws are such that you can be prosecuted for not handing over the key.
Or more accurately...
... be prosecuted for not being able to prove you havent created a hidden volume!.
It would be more like "You've encrypted your hard disk, but only half the total space is used, there's a hidden volume in the other half isn't there?" Now try and prove it. Unless you put in the password for the hidden volume when mounting the outer volume, the whole of the space will show as available (and indeed you can overwrite the hidden volume by accident this way - it's the only way to maintain plausible deniability).
This is assuming that you're referring to the plausible deniability option, and not just a single encrypted section of hard disk, in which case that bit would show as unavailable.
I do seem to recall that you can "hide" a RAR archive behind a jpeg - can you do the same behind a video? Get a reasonable length video, say 45 mins or so at lowish quality (300 megs?) then stick a 300 meg encrypted volume (with hidden volume within for added security and a few bank statements or whatever in the outer volume so you can justify the encryption if it is found) behind it in a RAR archive. Plod/investigator sees 600 meg video file and probably doesn't think twice about it...
Thats not how the hidden volumes work. When you mount the outer "safe" volume you see the WHOLE of the encrypted space. So this means the oute volume + hidden volume. You have thresholds between the two where you can store files, once you go over the size of the outer volume you overwrite the hidden volume and break it.
Unless you mount the hidden volume you cannot see it. It is just a block of encrypted data that is contained within the outer volume.
@Dibbley. You're not using truecrypt properly then (if at all) . I have a 50GB truecrypt partition (with a 40GB hidden partition inside). When I mount the outer volume (as per a court order) is mounts as a 50GB partition - there is no 'missing space where the hidden volume is obviously located'. All of the space is available (if i wanted to trash the hidden volume that is). When I mount the hidden volume only then do I see a smaller volume - but I would never do this as part of the court order. You've got something mixed up in your head somewhere I think.
Just replied to Dibbley saying the same thing - didn't see your reply first - sorry.
Still not as hidden
If you ignore the filesystem and simply scan the entire physical drive, that "block of encrypted data" will be fairly easy to spot. Yes, decrypting it is another matter, but the point of steganography is to give no indication that hidden data exists in the first place.
How on earth is this news? I wrote something that did this on Comodore 64 floppies back in the dark days of the 1980s. Is this seriously what our future boffins are doing with their time at university? Shouldn't they be developing facebook and bittorrent replacements?
This was used on Commodore Game software media to prevent copying. I wonder what happens when you use Spinrite by Gibson Research http://www.grc.com/intro.htm
Billy - The ASCII Guy
How would this work with NTFS? NTFS tends to be far less fragmented though mainly due to it's use on larger HDDs. Would SSD drives with there tendency to clean themselves up render this useless?
These aren't rhetorical questions - I don't know the answer. Report is 7 months old, so obviously didn't make that great a wave when released.
I have a cunning plan ...
Cryptography is too secure: we can't prove your files are [videos of naked kiddies|bomb recipes]. So how do we re-introduce a backdoor for the spooks?
20MB hidden on a 160GB disk?
Why don't I just ZIP my 20MB of data, encrypt the file, name it to flibble.avi and bury it somewhere in 160GB of clutter. That? No that's a video file. Hmmm it used to work, must've got corrupted...
encrypted files don't look random
They tend to have headers which give the game away. Searching for these using automated tools available on any Linux/Unix is an exercise for 1st year undergrads. What you name the file doesn't matter.
"They tend to have headers which give the game away. "
What about TrueCrypts' encrypted container (i.e. in a file) - does that have headers that would give it away?
No, they DO look random
Too random. This is the main thing that gives them away. Barring an actual chunk of random data (which admittedly there are a few obscure reason for someone to have) they can't be mistaken for anything else.
Spooks worth their salt will be very suspicious of a "video" file that is 100% random. But it's not quite as easy as greping files headers.
It could work very well if you need it
Think the possibility of secure transfer data for serous business. I see there is no reason why it wouldn't work for DVD for other form of removable media.
Let's say you need to transfer some data that is very important that it cannot be in the wrong hand. You can encrypt it, but it is possible for someone else to crack it. So you post a DVD/USB drive with seemly useless information. The sender and receiver can run the control software to pick the bit from right location on that DVD/USB drive. And the location is controlled by a secure code that can be pre-arranged or sent separately by other way (eg. on Sunday's news pager, the third car ad and the first sports news, etc). Now if the media was in the wrong hand, they will have no way to decode the information. If they ever change the data on such media, they would destroy the information.
It is even possible to send the information perfectly safe in public (eg. as free DVD in your usual children's book), and the receiver only needs to get the correct code that pick the information.
So the transfer would be secure if you could securely agree the 'prearranged code'.
Now apply Occam's razor.
Whatever 'secure' method you choose for agreeing the prearranged code could be used instead to exchange the sensitive data - why bother with the steg thing at all.
Good effort - but no cigar.
Incorrect. Codes are small, data is large.
It's much easier to securely distribute a 20-byte password than a 20MB data file.
That's the point of codebooks. Heck, that's the point of passwords!
Perhaps I'm missing something, but...
When they go to reinstate the file(s), just use a keylogger to get the password that reassembles the data.
I have tools that can do this already (and they are quite old too). Some employ slack space, some use other 'bits' of disk - but this ain't new (or even news). Just look up MAFIA (metasploit antiforensics project) tools like slacker - and that's one of many.
Why not ...
... hide our secrets on a USB Flash drive ? Store the drive securely.
Put it another way, has anyone swallowed USB drive ?
Swallowed a USB drive???
Can't see it being very practical. A MicroSD, on the other hand...
There is already a better system for NTFS - it hides data in the partially unused blocks at the end of files. So if you have a 17k file the disk uses 4 full 4K blocks and a final block with 1K used and 3K free. NTFS can be set to preserve/copy/etc the unused parts of blocks so your 'secret' data gets kept safe.
NTFS has a lot of out-of-band functionality so it can do lots of clever filesystem stuff that nobody ever implemented (cos like NT it was written by someone clever)
I would be surprised if someone is not doing it already
@AC and Alan F
Think in "practical" situation. Your task is to transfer some sort of doomsday weapon design you discovered. Now you need to safely transfer it to your destination, and there are other people out there who will do anything to get hand on this information and use it.
You can send several copies by different route and destroy the original (eg. one posted in USB stick, one on a removable HDD, one split into several DVDs, etc). As long as one copy arrived safely, you have transferred the information. However, this is useless without the code that identify where to locate all the bits and bytes.
Once you know the physical media was received, you only need to send a very short 2kb code over to complete the transfer. How you manage this 2kb code is much much simple job.