My real comment
. . . is undetectable.
Computer scientists have developed software that hides sensitive data on hard drive, without the use of encryption, by controlling the precise disk locations containing the file's data fragments. The application, which the academic researchers said they would release as open-source software, makes use of steganography, or the …
Defrag was the first problem that crossed my thoroughly inexpert mind, and here it is:
7. Limitations
This section discusses the limitations of the proposed covert channel based evasion approach.
2. Defragmentation or deletion of a cover file from the filesystem will result in loss of the hidden data.
Another nail in the coffin for computer experts(*)
This simply means very soon that anybody who has anything to do with computers will be assumed to have the knowledge to hide things in this manner and thus must be doing so. One more reason to for law enforcement to assume we are all guilty and hiding something.
(*) DM standard definition - Anybody from the tea boy at IBM or support drones in India upwards.
Bit out of date there - we lost the tea ladies in 1980 or so, as I recall. Not sure on balance if the decreased cost justified the loss of the feeling of ''isn't this a nice place to work?". It may actually have introduced the concept of 'work' to 'a nice place'. There were claims that the move stifled creativity arising from free form discussions around the tea trolley, however - in my hut at least - most of these discussions were about the free form of xxxx and her thigh length shiny black boots, which seemed to require special attention from a couple of managers.....
Defragmentation would destroy your data. Scraping the HD for data may or may not reveal interesting stuff, but you would think that it would reveal the presense of the code used to hide or reveal the data. Cue telephone books and rubber hoses.
You could have the codec on another PC, true. So it limits this to being useful only for data transport.
Its amazing what you can pick up with just simple scraping software. I had a client who accidently re-imaged her PC from a disaster recovery partition. I got back all of her photos, (normally about 5 copies of each picture, with a couple extra of rubbish).
Isn't the fact that there is software installed on the computer that controls the disk locations an indication that there is something to hide? And if the software doesn't employ encryption, you would have much easier access to the data should you find it (unless the data is encrypted separately, which would be logical). And at 20 meg per 160 gig, you're rather limited on the volume of data you can store. Think we need more info on exactly how this works as I don't really see the advantages this has over a Truecrypt archive/partition, which offers complete plausible deniability (although may not be completely hidden).
I would see this working one of two ways - 1) the program to do the decrypting (or whatever you want to call the piecing together of the info) is online, so you merely access a website, type in your code and it analyses your HDD. Bit of a risk that your connection might be tapped and of course of letting an external connection have full access to your HDD! However, there would be no program on your computer to alert the authorities to your hidden data.
Alternative scenario is that you only put the hidden data on external HDD's which are what is passed back and forth between different computers. The program to identify the hidden message is located on the computers, not the HDD itself. That way if your comps raided, yes they find the program identifying that maybe you have hidden data somewhere, but they also have to identify the correct external HDD and the correct password before they have any chance of finding anything...
In theory it could also be made to work remotely.
So in much the same way that certain scumbags take over a web server and place fake Bank site web pages for phishing attacks, they could do something similar to a web server and store their data in a place that someone else could also get access to.
They mention FAT32, NTFS and HPFS file systems as candidate systems for this technique, except...
HPFS is 'naturally defragmented'.
(HP = High Performance... Not a certain pusher of server equipment)
When a file is written to disk, it will be allocated a 'run' of consecutive sectors that fits the filesize.(A simple closest fit algorithm is used) If a single run cannot be allocated, the file-system driver will attempt to allocate as few as possible 'runs' to match the filesize. This also happens when a file is changed.
The filesystem driver not only attempts to keep files defragmented, but also tries to avoid unnecessary fragmentation of unused space.
(This really sucks when a disk is nearly full, though)
... The hidden volumes I've come across tend to stick out like a sore thumb.
"You've encrypted your hard disk, but only half the total space is available, there's a hidden volume in the other half isn't there?".
Law enforcement tend to take the same view, anything less than the maximum possible disk space being available = hidden encrypted volume, and the laws are such that you can be prosecuted for not handing over the key.
It would be more like "You've encrypted your hard disk, but only half the total space is used, there's a hidden volume in the other half isn't there?" Now try and prove it. Unless you put in the password for the hidden volume when mounting the outer volume, the whole of the space will show as available (and indeed you can overwrite the hidden volume by accident this way - it's the only way to maintain plausible deniability).
This is assuming that you're referring to the plausible deniability option, and not just a single encrypted section of hard disk, in which case that bit would show as unavailable.
I do seem to recall that you can "hide" a RAR archive behind a jpeg - can you do the same behind a video? Get a reasonable length video, say 45 mins or so at lowish quality (300 megs?) then stick a 300 meg encrypted volume (with hidden volume within for added security and a few bank statements or whatever in the outer volume so you can justify the encryption if it is found) behind it in a RAR archive. Plod/investigator sees 600 meg video file and probably doesn't think twice about it...
Thats not how the hidden volumes work. When you mount the outer "safe" volume you see the WHOLE of the encrypted space. So this means the oute volume + hidden volume. You have thresholds between the two where you can store files, once you go over the size of the outer volume you overwrite the hidden volume and break it.
Unless you mount the hidden volume you cannot see it. It is just a block of encrypted data that is contained within the outer volume.
@Dibbley. You're not using truecrypt properly then (if at all) . I have a 50GB truecrypt partition (with a 40GB hidden partition inside). When I mount the outer volume (as per a court order) is mounts as a 50GB partition - there is no 'missing space where the hidden volume is obviously located'. All of the space is available (if i wanted to trash the hidden volume that is). When I mount the hidden volume only then do I see a smaller volume - but I would never do this as part of the court order. You've got something mixed up in your head somewhere I think.
How would this work with NTFS? NTFS tends to be far less fragmented though mainly due to it's use on larger HDDs. Would SSD drives with there tendency to clean themselves up render this useless?
These aren't rhetorical questions - I don't know the answer. Report is 7 months old, so obviously didn't make that great a wave when released.
Too random. This is the main thing that gives them away. Barring an actual chunk of random data (which admittedly there are a few obscure reason for someone to have) they can't be mistaken for anything else.
Spooks worth their salt will be very suspicious of a "video" file that is 100% random. But it's not quite as easy as greping files headers.
Think the possibility of secure transfer data for serous business. I see there is no reason why it wouldn't work for DVD for other form of removable media.
Let's say you need to transfer some data that is very important that it cannot be in the wrong hand. You can encrypt it, but it is possible for someone else to crack it. So you post a DVD/USB drive with seemly useless information. The sender and receiver can run the control software to pick the bit from right location on that DVD/USB drive. And the location is controlled by a secure code that can be pre-arranged or sent separately by other way (eg. on Sunday's news pager, the third car ad and the first sports news, etc). Now if the media was in the wrong hand, they will have no way to decode the information. If they ever change the data on such media, they would destroy the information.
It is even possible to send the information perfectly safe in public (eg. as free DVD in your usual children's book), and the receiver only needs to get the correct code that pick the information.
So the transfer would be secure if you could securely agree the 'prearranged code'.
Now apply Occam's razor.
Whatever 'secure' method you choose for agreeing the prearranged code could be used instead to exchange the sensitive data - why bother with the steg thing at all.
Good effort - but no cigar.
There is already a better system for NTFS - it hides data in the partially unused blocks at the end of files. So if you have a 17k file the disk uses 4 full 4K blocks and a final block with 1K used and 3K free. NTFS can be set to preserve/copy/etc the unused parts of blocks so your 'secret' data gets kept safe.
NTFS has a lot of out-of-band functionality so it can do lots of clever filesystem stuff that nobody ever implemented (cos like NT it was written by someone clever)
@AC and Alan F
Think in "practical" situation. Your task is to transfer some sort of doomsday weapon design you discovered. Now you need to safely transfer it to your destination, and there are other people out there who will do anything to get hand on this information and use it.
You can send several copies by different route and destroy the original (eg. one posted in USB stick, one on a removable HDD, one split into several DVDs, etc). As long as one copy arrived safely, you have transferred the information. However, this is useless without the code that identify where to locate all the bits and bytes.
Once you know the physical media was received, you only need to send a very short 2kb code over to complete the transfer. How you manage this 2kb code is much much simple job.