back to article Boffins devise way to hide secret data on hard drives

Computer scientists have developed software that hides sensitive data on hard drive, without the use of encryption, by controlling the precise disk locations containing the file's data fragments. The application, which the academic researchers said they would release as open-source software, makes use of steganography, or the …

COMMENTS

This topic is closed for new posts.

Page:

My real comment

. . . is undetectable.

4
0
Coat

Yeah, but...

...given how long the fake comment is, your real one is probably only a couple of characters.

1
0

Remember to turn off "Housekeeping", etc.

Defrag was the first problem that crossed my thoroughly inexpert mind, and here it is:

7. Limitations

This section discusses the limitations of the proposed covert channel based evasion approach.

2. Defragmentation or deletion of a cover file from the filesystem will result in loss of the hidden data.

1
0
Thumb Down

Bleedin' obvious

Type your comment here — plain text only, no HTML

1
0
Silver badge

Just what we need

Another nail in the coffin for computer experts(*)

This simply means very soon that anybody who has anything to do with computers will be assumed to have the knowledge to hide things in this manner and thus must be doing so. One more reason to for law enforcement to assume we are all guilty and hiding something.

(*) DM standard definition - Anybody from the tea boy at IBM or support drones in India upwards.

0
2
Coat

@Chris W: "... Anybody from the tea boy at IBM..."

Bit out of date there - we lost the tea ladies in 1980 or so, as I recall. Not sure on balance if the decreased cost justified the loss of the feeling of ''isn't this a nice place to work?". It may actually have introduced the concept of 'work' to 'a nice place'. There were claims that the move stifled creativity arising from free form discussions around the tea trolley, however - in my hut at least - most of these discussions were about the free form of xxxx and her thigh length shiny black boots, which seemed to require special attention from a couple of managers.....

0
0
Boffin

"Another nail in the coffin for computer experts"

OOOoooOOOoooOOOLOooloOOoooo

1
0
Silver badge

Sir

"OOOoooOOOoooOOOLOooloOOoooo"

Very good, now perhaps you could use it to write a message that is worth reading? :)

1
0
Grenade

orobus

"Very good, now perhaps you could use it to write a message that is worth reading? :)"

Doesn't this reply also qualify for a request for something worthwhile to read, too?

Does my reply to reply? When will this madness end?

1
0
Silver badge

Sir

it does, OMG I@M GOIUNG TAUTOLOGICALLY MAD I TELL YOYU!!1!"!

0
0
Black Helicopters

Doesn't sound all that practical

Defragmentation would destroy your data. Scraping the HD for data may or may not reveal interesting stuff, but you would think that it would reveal the presense of the code used to hide or reveal the data. Cue telephone books and rubber hoses.

You could have the codec on another PC, true. So it limits this to being useful only for data transport.

Its amazing what you can pick up with just simple scraping software. I had a client who accidently re-imaged her PC from a disaster recovery partition. I got back all of her photos, (normally about 5 copies of each picture, with a couple extra of rubbish).

1
0
C 2
Pint

Recovering files..

"Its amazing what you can pick up with just simple scraping software."

Agreed, but if you don't want it found, you can use any number of utilities to overwrite the drive, or just its free space. Especially if said hard drive is to be sold.

www.Ccleaner.com comes to mind.

0
0
FAIL

Ancient

This ain't new ... it's basically a variation of something like "first letter of every word spells out the real message" ... or "third letter on every odd page in book" etc .... plenty of prior art.

5
1
Silver badge

Clever

It really is, but you'd have to have something seriously important to hide to go to all the fuss, especially as it seems that for two people to exchange the info they would have to exchange the physical drive - suspicious in itself.

1
0

Ah, but...

In theory it could also be made to work remotely.

So in much the same way that certain scumbags take over a web server and place fake Bank site web pages for phishing attacks, they could do something similar to a web server and store their data in a place that someone else could also get access to.

1
0

(untitled)

Isn't the fact that there is software installed on the computer that controls the disk locations an indication that there is something to hide? And if the software doesn't employ encryption, you would have much easier access to the data should you find it (unless the data is encrypted separately, which would be logical). And at 20 meg per 160 gig, you're rather limited on the volume of data you can store. Think we need more info on exactly how this works as I don't really see the advantages this has over a Truecrypt archive/partition, which offers complete plausible deniability (although may not be completely hidden).

0
0
Go

Just an idea...

I would see this working one of two ways - 1) the program to do the decrypting (or whatever you want to call the piecing together of the info) is online, so you merely access a website, type in your code and it analyses your HDD. Bit of a risk that your connection might be tapped and of course of letting an external connection have full access to your HDD! However, there would be no program on your computer to alert the authorities to your hidden data.

Alternative scenario is that you only put the hidden data on external HDD's which are what is passed back and forth between different computers. The program to identify the hidden message is located on the computers, not the HDD itself. That way if your comps raided, yes they find the program identifying that maybe you have hidden data somewhere, but they also have to identify the correct external HDD and the correct password before they have any chance of finding anything...

2
0

Interesting

Except that, as is almost inevitable, governments throughout the world will demand a "back door" in or make it illegal to hide ANYTHING! As has been commented, if you encrypt, then you obviously must be up to no good.

1
0
Silver badge

Sir

"if you encrypt, then you obviously must be up to no good"

Ah, so that's why they're always losing un-encrypted data!

4
0
Bronze badge
Linux

But

its going to be Open Sourced :O

So they will sort of be able to see what its doing anyway.

0
1
Megaphone

Tis easier for our

Mktg Ho's to just write up some of their normal twaddle as you could hide entire universes in their communications due to the S/N BS being so high.

2
0

A bit of a snag in the papers...

They mention FAT32, NTFS and HPFS file systems as candidate systems for this technique, except...

HPFS is 'naturally defragmented'.

(HP = High Performance... Not a certain pusher of server equipment)

When a file is written to disk, it will be allocated a 'run' of consecutive sectors that fits the filesize.(A simple closest fit algorithm is used) If a single run cannot be allocated, the file-system driver will attempt to allocate as few as possible 'runs' to match the filesize. This also happens when a file is changed.

The filesystem driver not only attempts to keep files defragmented, but also tries to avoid unnecessary fragmentation of unused space.

(This really sucks when a disk is nearly full, though)

0
0
Big Brother

Open source? handy!

Even assuming that this technique hasn't already been 'discovered' by the Spooks, it presumably won't take long for someone to come up with a way of identifying 'cover files' or otherwise finding a way to see the secrets.

0
0
Linux

Seems the article deals with FAT filesystems only.

....Defrag isn't a problem for us using EXT3 , but, it's not directly addressed in the article. <pooh!!!!>

0
0
Silver badge
Happy

Here we go!

Cue "proganda panic" from law enforcement and politicians about peado-geddon coming our way in 3...2...1...

3
0

TrueCrypt

A novel idea, for sure, but I guess they haven't heard of TrueCrypt's hidden volume.

1
1
Anonymous Coward

Only problem is...

... The hidden volumes I've come across tend to stick out like a sore thumb.

"You've encrypted your hard disk, but only half the total space is available, there's a hidden volume in the other half isn't there?".

Law enforcement tend to take the same view, anything less than the maximum possible disk space being available = hidden encrypted volume, and the laws are such that you can be prosecuted for not handing over the key.

0
0
Anonymous Coward

Or more accurately...

... be prosecuted for not being able to prove you havent created a hidden volume!.

1
0
FAIL

Not quite

It would be more like "You've encrypted your hard disk, but only half the total space is used, there's a hidden volume in the other half isn't there?" Now try and prove it. Unless you put in the password for the hidden volume when mounting the outer volume, the whole of the space will show as available (and indeed you can overwrite the hidden volume by accident this way - it's the only way to maintain plausible deniability).

This is assuming that you're referring to the plausible deniability option, and not just a single encrypted section of hard disk, in which case that bit would show as unavailable.

I do seem to recall that you can "hide" a RAR archive behind a jpeg - can you do the same behind a video? Get a reasonable length video, say 45 mins or so at lowish quality (300 megs?) then stick a 300 meg encrypted volume (with hidden volume within for added security and a few bank statements or whatever in the outer volume so you can justify the encryption if it is found) behind it in a RAR archive. Plod/investigator sees 600 meg video file and probably doesn't think twice about it...

1
0
Linux

@Dibbley

Thats not how the hidden volumes work. When you mount the outer "safe" volume you see the WHOLE of the encrypted space. So this means the oute volume + hidden volume. You have thresholds between the two where you can store files, once you go over the size of the outer volume you overwrite the hidden volume and break it.

Unless you mount the hidden volume you cannot see it. It is just a block of encrypted data that is contained within the outer volume.

4
0
Stop

Eh!

@Dibbley. You're not using truecrypt properly then (if at all) . I have a 50GB truecrypt partition (with a 40GB hidden partition inside). When I mount the outer volume (as per a court order) is mounts as a 50GB partition - there is no 'missing space where the hidden volume is obviously located'. All of the space is available (if i wanted to trash the hidden volume that is). When I mount the hidden volume only then do I see a smaller volume - but I would never do this as part of the court order. You've got something mixed up in your head somewhere I think.

1
0
Anonymous Coward

Oops.

Just replied to Dibbley saying the same thing - didn't see your reply first - sorry.

0
0
Anonymous Coward

Still not as hidden

If you ignore the filesystem and simply scan the entire physical drive, that "block of encrypted data" will be fairly easy to spot. Yes, decrypting it is another matter, but the point of steganography is to give no indication that hidden data exists in the first place.

0
0
Anonymous Coward

Seriously!

How on earth is this news? I wrote something that did this on Comodore 64 floppies back in the dark days of the 1980s. Is this seriously what our future boffins are doing with their time at university? Shouldn't they be developing facebook and bittorrent replacements?

0
0
Grenade

Agree

This was used on Commodore Game software media to prevent copying. I wonder what happens when you use Spinrite by Gibson Research http://www.grc.com/intro.htm

Good Stuff

Billy - The ASCII Guy

0
0
Big Brother

NTFS

How would this work with NTFS? NTFS tends to be far less fragmented though mainly due to it's use on larger HDDs. Would SSD drives with there tendency to clean themselves up render this useless?

These aren't rhetorical questions - I don't know the answer. Report is 7 months old, so obviously didn't make that great a wave when released.

1
0
Boffin

I have a cunning plan ...

Cryptography is too secure: we can't prove your files are [videos of naked kiddies|bomb recipes]. So how do we re-introduce a backdoor for the spooks?

A-ha!

0
0
Alien

Wow

20MB hidden on a 160GB disk?

Why don't I just ZIP my 20MB of data, encrypt the file, name it to flibble.avi and bury it somewhere in 160GB of clutter. That? No that's a video file. Hmmm it used to work, must've got corrupted...

2
2
Stop

encrypted files don't look random

They tend to have headers which give the game away. Searching for these using automated tools available on any Linux/Unix is an exercise for 1st year undergrads. What you name the file doesn't matter.

0
2
Silver badge

Sir

"They tend to have headers which give the game away. "

What about TrueCrypts' encrypted container (i.e. in a file) - does that have headers that would give it away?

1
0
Silver badge
Boffin

No, they DO look random

Too random. This is the main thing that gives them away. Barring an actual chunk of random data (which admittedly there are a few obscure reason for someone to have) they can't be mistaken for anything else.

Spooks worth their salt will be very suspicious of a "video" file that is 100% random. But it's not quite as easy as greping files headers.

1
0
Thumb Up

It could work very well if you need it

Think the possibility of secure transfer data for serous business. I see there is no reason why it wouldn't work for DVD for other form of removable media.

Let's say you need to transfer some data that is very important that it cannot be in the wrong hand. You can encrypt it, but it is possible for someone else to crack it. So you post a DVD/USB drive with seemly useless information. The sender and receiver can run the control software to pick the bit from right location on that DVD/USB drive. And the location is controlled by a secure code that can be pre-arranged or sent separately by other way (eg. on Sunday's news pager, the third car ad and the first sports news, etc). Now if the media was in the wrong hand, they will have no way to decode the information. If they ever change the data on such media, they would destroy the information.

It is even possible to send the information perfectly safe in public (eg. as free DVD in your usual children's book), and the receiver only needs to get the correct code that pick the information.

2
0
FAIL

Hmmm...

So the transfer would be secure if you could securely agree the 'prearranged code'.

Now apply Occam's razor.

Whatever 'secure' method you choose for agreeing the prearranged code could be used instead to exchange the sensitive data - why bother with the steg thing at all.

Good effort - but no cigar.

1
1
Anonymous Coward

Incorrect. Codes are small, data is large.

It's much easier to securely distribute a 20-byte password than a 20MB data file.

That's the point of codebooks. Heck, that's the point of passwords!

1
0
Happy

Keylogger...Problem Solved?

Perhaps I'm missing something, but...

When they go to reinstate the file(s), just use a keylogger to get the password that reassembles the data.

Presto!

0
2
WTF?

Old news

I have tools that can do this already (and they are quite old too). Some employ slack space, some use other 'bits' of disk - but this ain't new (or even news). Just look up MAFIA (metasploit antiforensics project) tools like slacker - and that's one of many.

0
0

Why not ...

... hide our secrets on a USB Flash drive ? Store the drive securely.

Put it another way, has anyone swallowed USB drive ?

0
0
Unhappy

Swallowed a USB drive???

Can't see it being very practical. A MicroSD, on the other hand...

0
0
Silver badge

@NTFS

There is already a better system for NTFS - it hides data in the partially unused blocks at the end of files. So if you have a 17k file the disk uses 4 full 4K blocks and a final block with 1K used and 3K free. NTFS can be set to preserve/copy/etc the unused parts of blocks so your 'secret' data gets kept safe.

NTFS has a lot of out-of-band functionality so it can do lots of clever filesystem stuff that nobody ever implemented (cos like NT it was written by someone clever)

1
1
FAIL

I would be surprised if someone is not doing it already

@AC and Alan F

Think in "practical" situation. Your task is to transfer some sort of doomsday weapon design you discovered. Now you need to safely transfer it to your destination, and there are other people out there who will do anything to get hand on this information and use it.

You can send several copies by different route and destroy the original (eg. one posted in USB stick, one on a removable HDD, one split into several DVDs, etc). As long as one copy arrived safely, you have transferred the information. However, this is useless without the code that identify where to locate all the bits and bytes.

Once you know the physical media was received, you only need to send a very short 2kb code over to complete the transfer. How you manage this 2kb code is much much simple job.

1
0

Page:

This topic is closed for new posts.

Forums