back to article Boffins devise way to hide secret data on hard drives

Computer scientists have developed software that hides sensitive data on hard drive, without the use of encryption, by controlling the precise disk locations containing the file's data fragments. The application, which the academic researchers said they would release as open-source software, makes use of steganography, or the …

COMMENTS

This topic is closed for new posts.
  1. sleepy

    My real comment

    . . . is undetectable.

    1. Anonymous Coward
      Coat

      Yeah, but...

      ...given how long the fake comment is, your real one is probably only a couple of characters.

  2. EL Vark

    Remember to turn off "Housekeeping", etc.

    Defrag was the first problem that crossed my thoroughly inexpert mind, and here it is:

    7. Limitations

    This section discusses the limitations of the proposed covert channel based evasion approach.

    2. Defragmentation or deletion of a cover file from the filesystem will result in loss of the hidden data.

  3. Anonymous Coward
    Thumb Down

    Bleedin' obvious

    Type your comment here — plain text only, no HTML

  4. Anonymous Coward
    Anonymous Coward

    Just what we need

    Another nail in the coffin for computer experts(*)

    This simply means very soon that anybody who has anything to do with computers will be assumed to have the knowledge to hide things in this manner and thus must be doing so. One more reason to for law enforcement to assume we are all guilty and hiding something.

    (*) DM standard definition - Anybody from the tea boy at IBM or support drones in India upwards.

    1. A.A.Hamilton
      Coat

      @Chris W: "... Anybody from the tea boy at IBM..."

      Bit out of date there - we lost the tea ladies in 1980 or so, as I recall. Not sure on balance if the decreased cost justified the loss of the feeling of ''isn't this a nice place to work?". It may actually have introduced the concept of 'work' to 'a nice place'. There were claims that the move stifled creativity arising from free form discussions around the tea trolley, however - in my hut at least - most of these discussions were about the free form of xxxx and her thigh length shiny black boots, which seemed to require special attention from a couple of managers.....

    2. Anonymous Coward
      Boffin

      "Another nail in the coffin for computer experts"

      OOOoooOOOoooOOOLOooloOOoooo

      1. Sir Runcible Spoon

        Sir

        "OOOoooOOOoooOOOLOooloOOoooo"

        Very good, now perhaps you could use it to write a message that is worth reading? :)

        1. Nauip
          Grenade

          orobus

          "Very good, now perhaps you could use it to write a message that is worth reading? :)"

          Doesn't this reply also qualify for a request for something worthwhile to read, too?

          Does my reply to reply? When will this madness end?

          1. Sir Runcible Spoon

            Sir

            it does, OMG I@M GOIUNG TAUTOLOGICALLY MAD I TELL YOYU!!1!"!

  5. Paul 129
    Black Helicopters

    Doesn't sound all that practical

    Defragmentation would destroy your data. Scraping the HD for data may or may not reveal interesting stuff, but you would think that it would reveal the presense of the code used to hide or reveal the data. Cue telephone books and rubber hoses.

    You could have the codec on another PC, true. So it limits this to being useful only for data transport.

    Its amazing what you can pick up with just simple scraping software. I had a client who accidently re-imaged her PC from a disaster recovery partition. I got back all of her photos, (normally about 5 copies of each picture, with a couple extra of rubbish).

    1. C 2
      Pint

      Recovering files..

      "Its amazing what you can pick up with just simple scraping software."

      Agreed, but if you don't want it found, you can use any number of utilities to overwrite the drive, or just its free space. Especially if said hard drive is to be sold.

      www.Ccleaner.com comes to mind.

  6. Iainn

    (untitled)

    Isn't the fact that there is software installed on the computer that controls the disk locations an indication that there is something to hide? And if the software doesn't employ encryption, you would have much easier access to the data should you find it (unless the data is encrypted separately, which would be logical). And at 20 meg per 160 gig, you're rather limited on the volume of data you can store. Think we need more info on exactly how this works as I don't really see the advantages this has over a Truecrypt archive/partition, which offers complete plausible deniability (although may not be completely hidden).

    1. lglethal Silver badge
      Go

      Just an idea...

      I would see this working one of two ways - 1) the program to do the decrypting (or whatever you want to call the piecing together of the info) is online, so you merely access a website, type in your code and it analyses your HDD. Bit of a risk that your connection might be tapped and of course of letting an external connection have full access to your HDD! However, there would be no program on your computer to alert the authorities to your hidden data.

      Alternative scenario is that you only put the hidden data on external HDD's which are what is passed back and forth between different computers. The program to identify the hidden message is located on the computers, not the HDD itself. That way if your comps raided, yes they find the program identifying that maybe you have hidden data somewhere, but they also have to identify the correct external HDD and the correct password before they have any chance of finding anything...

  7. Anonymous Coward
    Anonymous Coward

    Clever

    It really is, but you'd have to have something seriously important to hide to go to all the fuss, especially as it seems that for two people to exchange the info they would have to exchange the physical drive - suspicious in itself.

    1. Tony S

      Ah, but...

      In theory it could also be made to work remotely.

      So in much the same way that certain scumbags take over a web server and place fake Bank site web pages for phishing attacks, they could do something similar to a web server and store their data in a place that someone else could also get access to.

  8. poohbear
    FAIL

    Ancient

    This ain't new ... it's basically a variation of something like "first letter of every word spells out the real message" ... or "third letter on every odd page in book" etc .... plenty of prior art.

  9. David 45

    Interesting

    Except that, as is almost inevitable, governments throughout the world will demand a "back door" in or make it illegal to hide ANYTHING! As has been commented, if you encrypt, then you obviously must be up to no good.

    1. Sir Runcible Spoon

      Sir

      "if you encrypt, then you obviously must be up to no good"

      Ah, so that's why they're always losing un-encrypted data!

    2. Captain Scarlet Silver badge
      Linux

      But

      its going to be Open Sourced :O

      So they will sort of be able to see what its doing anyway.

  10. s. pam Silver badge
    Megaphone

    Tis easier for our

    Mktg Ho's to just write up some of their normal twaddle as you could hide entire universes in their communications due to the S/N BS being so high.

  11. Big Al
    Big Brother

    Open source? handy!

    Even assuming that this technique hasn't already been 'discovered' by the Spooks, it presumably won't take long for someone to come up with a way of identifying 'cover files' or otherwise finding a way to see the secrets.

    1. Michael 28
      Linux

      Seems the article deals with FAT filesystems only.

      ....Defrag isn't a problem for us using EXT3 , but, it's not directly addressed in the article. <pooh!!!!>

  12. The Fuzzy Wotnot
    Happy

    Here we go!

    Cue "proganda panic" from law enforcement and politicians about peado-geddon coming our way in 3...2...1...

  13. Trygve Henriksen

    A bit of a snag in the papers...

    They mention FAT32, NTFS and HPFS file systems as candidate systems for this technique, except...

    HPFS is 'naturally defragmented'.

    (HP = High Performance... Not a certain pusher of server equipment)

    When a file is written to disk, it will be allocated a 'run' of consecutive sectors that fits the filesize.(A simple closest fit algorithm is used) If a single run cannot be allocated, the file-system driver will attempt to allocate as few as possible 'runs' to match the filesize. This also happens when a file is changed.

    The filesystem driver not only attempts to keep files defragmented, but also tries to avoid unnecessary fragmentation of unused space.

    (This really sucks when a disk is nearly full, though)

  14. Anonymous Coward
    Anonymous Coward

    Seriously!

    How on earth is this news? I wrote something that did this on Comodore 64 floppies back in the dark days of the 1980s. Is this seriously what our future boffins are doing with their time at university? Shouldn't they be developing facebook and bittorrent replacements?

    1. William Higinbotham
      Grenade

      Agree

      This was used on Commodore Game software media to prevent copying. I wonder what happens when you use Spinrite by Gibson Research http://www.grc.com/intro.htm

      Good Stuff

      Billy - The ASCII Guy

  15. as2003

    TrueCrypt

    A novel idea, for sure, but I guess they haven't heard of TrueCrypt's hidden volume.

    1. Anonymous Coward
      Anonymous Coward

      Only problem is...

      ... The hidden volumes I've come across tend to stick out like a sore thumb.

      "You've encrypted your hard disk, but only half the total space is available, there's a hidden volume in the other half isn't there?".

      Law enforcement tend to take the same view, anything less than the maximum possible disk space being available = hidden encrypted volume, and the laws are such that you can be prosecuted for not handing over the key.

      1. Anonymous Coward
        Anonymous Coward

        Or more accurately...

        ... be prosecuted for not being able to prove you havent created a hidden volume!.

      2. Anonymous Coward
        FAIL

        Not quite

        It would be more like "You've encrypted your hard disk, but only half the total space is used, there's a hidden volume in the other half isn't there?" Now try and prove it. Unless you put in the password for the hidden volume when mounting the outer volume, the whole of the space will show as available (and indeed you can overwrite the hidden volume by accident this way - it's the only way to maintain plausible deniability).

        This is assuming that you're referring to the plausible deniability option, and not just a single encrypted section of hard disk, in which case that bit would show as unavailable.

        I do seem to recall that you can "hide" a RAR archive behind a jpeg - can you do the same behind a video? Get a reasonable length video, say 45 mins or so at lowish quality (300 megs?) then stick a 300 meg encrypted volume (with hidden volume within for added security and a few bank statements or whatever in the outer volume so you can justify the encryption if it is found) behind it in a RAR archive. Plod/investigator sees 600 meg video file and probably doesn't think twice about it...

      3. Anonymous Coward
        Linux

        @Dibbley

        Thats not how the hidden volumes work. When you mount the outer "safe" volume you see the WHOLE of the encrypted space. So this means the oute volume + hidden volume. You have thresholds between the two where you can store files, once you go over the size of the outer volume you overwrite the hidden volume and break it.

        Unless you mount the hidden volume you cannot see it. It is just a block of encrypted data that is contained within the outer volume.

        1. Anonymous Coward
          Anonymous Coward

          Oops.

          Just replied to Dibbley saying the same thing - didn't see your reply first - sorry.

        2. Anonymous Coward
          Anonymous Coward

          Still not as hidden

          If you ignore the filesystem and simply scan the entire physical drive, that "block of encrypted data" will be fairly easy to spot. Yes, decrypting it is another matter, but the point of steganography is to give no indication that hidden data exists in the first place.

      4. Anonymous Coward
        Stop

        Eh!

        @Dibbley. You're not using truecrypt properly then (if at all) . I have a 50GB truecrypt partition (with a 40GB hidden partition inside). When I mount the outer volume (as per a court order) is mounts as a 50GB partition - there is no 'missing space where the hidden volume is obviously located'. All of the space is available (if i wanted to trash the hidden volume that is). When I mount the hidden volume only then do I see a smaller volume - but I would never do this as part of the court order. You've got something mixed up in your head somewhere I think.

  16. Anonymous Coward
    Big Brother

    NTFS

    How would this work with NTFS? NTFS tends to be far less fragmented though mainly due to it's use on larger HDDs. Would SSD drives with there tendency to clean themselves up render this useless?

    These aren't rhetorical questions - I don't know the answer. Report is 7 months old, so obviously didn't make that great a wave when released.

  17. Nick Kew
    Boffin

    I have a cunning plan ...

    Cryptography is too secure: we can't prove your files are [videos of naked kiddies|bomb recipes]. So how do we re-introduce a backdoor for the spooks?

    A-ha!

  18. Anonymous Coward
    Alien

    Wow

    20MB hidden on a 160GB disk?

    Why don't I just ZIP my 20MB of data, encrypt the file, name it to flibble.avi and bury it somewhere in 160GB of clutter. That? No that's a video file. Hmmm it used to work, must've got corrupted...

    1. copsewood
      Stop

      encrypted files don't look random

      They tend to have headers which give the game away. Searching for these using automated tools available on any Linux/Unix is an exercise for 1st year undergrads. What you name the file doesn't matter.

      1. Sir Runcible Spoon

        Sir

        "They tend to have headers which give the game away. "

        What about TrueCrypts' encrypted container (i.e. in a file) - does that have headers that would give it away?

      2. Old Handle
        Boffin

        No, they DO look random

        Too random. This is the main thing that gives them away. Barring an actual chunk of random data (which admittedly there are a few obscure reason for someone to have) they can't be mistaken for anything else.

        Spooks worth their salt will be very suspicious of a "video" file that is 100% random. But it's not quite as easy as greping files headers.

  19. D. M
    Thumb Up

    It could work very well if you need it

    Think the possibility of secure transfer data for serous business. I see there is no reason why it wouldn't work for DVD for other form of removable media.

    Let's say you need to transfer some data that is very important that it cannot be in the wrong hand. You can encrypt it, but it is possible for someone else to crack it. So you post a DVD/USB drive with seemly useless information. The sender and receiver can run the control software to pick the bit from right location on that DVD/USB drive. And the location is controlled by a secure code that can be pre-arranged or sent separately by other way (eg. on Sunday's news pager, the third car ad and the first sports news, etc). Now if the media was in the wrong hand, they will have no way to decode the information. If they ever change the data on such media, they would destroy the information.

    It is even possible to send the information perfectly safe in public (eg. as free DVD in your usual children's book), and the receiver only needs to get the correct code that pick the information.

    1. Anonymous Coward
      FAIL

      Hmmm...

      So the transfer would be secure if you could securely agree the 'prearranged code'.

      Now apply Occam's razor.

      Whatever 'secure' method you choose for agreeing the prearranged code could be used instead to exchange the sensitive data - why bother with the steg thing at all.

      Good effort - but no cigar.

      1. Anonymous Coward
        Anonymous Coward

        Incorrect. Codes are small, data is large.

        It's much easier to securely distribute a 20-byte password than a 20MB data file.

        That's the point of codebooks. Heck, that's the point of passwords!

  20. maclovinz
    Happy

    Keylogger...Problem Solved?

    Perhaps I'm missing something, but...

    When they go to reinstate the file(s), just use a keylogger to get the password that reassembles the data.

    Presto!

  21. Anonymous Coward
    WTF?

    Old news

    I have tools that can do this already (and they are quite old too). Some employ slack space, some use other 'bits' of disk - but this ain't new (or even news). Just look up MAFIA (metasploit antiforensics project) tools like slacker - and that's one of many.

  22. Alan Firminger

    Why not ...

    ... hide our secrets on a USB Flash drive ? Store the drive securely.

    Put it another way, has anyone swallowed USB drive ?

    1. Toastan Buttar
      Unhappy

      Swallowed a USB drive???

      Can't see it being very practical. A MicroSD, on the other hand...

  23. Yet Another Anonymous coward Silver badge

    @NTFS

    There is already a better system for NTFS - it hides data in the partially unused blocks at the end of files. So if you have a 17k file the disk uses 4 full 4K blocks and a final block with 1K used and 3K free. NTFS can be set to preserve/copy/etc the unused parts of blocks so your 'secret' data gets kept safe.

    NTFS has a lot of out-of-band functionality so it can do lots of clever filesystem stuff that nobody ever implemented (cos like NT it was written by someone clever)

  24. D. M
    FAIL

    I would be surprised if someone is not doing it already

    @AC and Alan F

    Think in "practical" situation. Your task is to transfer some sort of doomsday weapon design you discovered. Now you need to safely transfer it to your destination, and there are other people out there who will do anything to get hand on this information and use it.

    You can send several copies by different route and destroy the original (eg. one posted in USB stick, one on a removable HDD, one split into several DVDs, etc). As long as one copy arrived safely, you have transferred the information. However, this is useless without the code that identify where to locate all the bits and bytes.

    Once you know the physical media was received, you only need to send a very short 2kb code over to complete the transfer. How you manage this 2kb code is much much simple job.

  25. Alan Brown Silver badge
    Grenade

    stego, but slooooooooow

    Enough said - and not particularly innovative, but that won't stop a patent being issued.

This topic is closed for new posts.

Other stories you might like