
New Tool Hides Data In Plain Sight On HDDs

Posted by CmdrTaco
from the just-don't-defrag dept.
Trailrunner7 writes "A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."

  • "The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."

    NTFS has been doing that for years.
  • The authors estimate that it would be feasible to hide about 20 MB of data on a typical 160 GB HDD.

    Wow, isn't that useful.

    • by axx (1000412) on Monday April 25, 2011 @12:44PM (#35930820) Homepage

      I thought the same thing at first, but in all fairness 20 MB of critical data can go a long way.

      Hiding stuff doesn't have to mean hiding video. A .pdf file can be all you want to hide in some cases, and you might want to do so without attracting attention with cryptography.

      Let's just say this could have its uses.

      Especially since I don't know of another steganography FS that is being maintained? (RubberhoseFS was a nice idea)

      • by lomedhi (801451)
        Yes, I suppose you're right; there are definitely use cases in that range. And most hard drives are a lot bigger than that these days anyway.
      • There are a million ways to do this... You can hide data in photos... videos... MP3s... just about any innocent file can have a hidden payload in it if you know what to look for... The big key is that you just can't have a hunt/find/decrypt executable on that PC...

        • This is probably key really - at the end of the day it can't "look" like you've hidden something, so you'd be just as well off using a hidden partition with something like Truecrypt, since you'll have to keep the decoding program on a portable key of some kind.

    • Yes, because text files and VGA/SVGA/XGA quality images are large file sizes...
    • by MightyYar (622222) on Monday April 25, 2011 @12:49PM (#35930906)

      Wow, isn't that useful.

      It rather depends on what is in that 20MB. How many diplomatic cables would fit into 20MB? Or 200MB, since 2TB drives are commodities now.

    • by Random2 (1412773)

      What type of text files do you write that take up 20 MB?

    • It could be the software and key to turn a different block of random data into actual data.

    • by RockDoctor (15477)

      Wow, isn't that useful.

      As you've later agreed ... 20MB is actually reasonably useful. The problem with this technique is that you're going to need in the order of 160GB of non-infringing data to hide the 20MB in. And if you're wanting to do this routinely, you're going to need a lot more, otherwise it's going to start to look suspicious. Lots of Jason Bourne lookalikes crossing your borders, all carrying laptops with the same collection of movies on them ... peculiar. Attention-attracting.

      Actually ... a r

  • by Hazel Bergeron (2015538) on Monday April 25, 2011 @12:37PM (#35930702) Journal

    Just because you're encoding the information in the fragmentation patterns of the underlying filesystem it doesn't mean you're not engaging in encryption. The encryption is the key input to the algorithm to identify how to turn that apparently random pattern back into plaintext - otherwise we'd be able to say, "OK, let's check he's not using this method," without any secrets.

    tl;dr Steganography is useless without encryption.

    • by X0563511 (793323)

      The point of steganography is not to make it hard to find the information. Its point is to avoid even being looked for. That's what the whole "hide in plain sight" bit means, you know.

      • That reasoning has always been specious. It's trivial to compile a list of published steganographic methods and engineer some check for them. The method must involve some form of key and encryption to make the check unlikely to succeed.

        • by vlm (69642)

          That reasoning has always been specious. It's trivial to compile a list of published steganographic methods and engineer some check for them. The method must involve some form of key and encryption to make the check unlikely to succeed.

          The way the check might fail is by finding random weirdness. Right off the top of my head, a graph of file length vs frags is probably going to be distorted by this storage mechanism... Also a graph of filesystem age or filesystem size vs frag level is probably going to show this mechanism as an outlier.

          Since fragmentation is not random, hiding anything using it is going to be very tricky... Plenty of room for honest error and/or snake oil and/or back doors.

        • by mlts (1038732) *

          Encryption is done beforehand for three reasons:

          1: The hidden data is essentially static, with no discernible patterns.

          2: If the stegoed data is located, it cannot be used as plain text.

          3: Plausible deniability. If a stego detector finds random numbers, that is one thing, versus plaintext as another.

          Don't forget -- a lot of encrypted files have a pattern to them, such as PGP, ZIP, etc. One will need to find a utility that does to files what TrueCrypt does to partitions and has a complete unreadable str

    • by kesuki (321456)

      I think the real-life analogue of this software is a pair of paper scissors and hiding fragments in unmarked folders. Even if you know what the computer is about to do, finding all the 'misplaced' folders is something likely to take several hours per incident. If this technique was used to protect a whole lot of folders it might not be reversible at any level.

    • Bollocks indeed:

      a) Even with small amounts of hidden data (20 MB in 160 GB was quoted), you will still end up with an _extremely_ fragmented file system:

      Each hidden bit requires either a sequential or fragmented block placement, which means that 20 MB needs 160 Mbit or 160 million frag/nofrag chaining decisions.

      This works out to one such block per kB of disk space, but since the FAT32 filesystem normally uses 4 KB (or larger) clusters, you would have to decrease the block size to either 1 KB or 512 bytes (t

  • If it can work in the filesystem, it can work theoretically at the network packet level...
    • by MacTenchi (104785)

      Except that any router passing your packets might choose to re-fragment or recombine your packets, destroying your message.

    • by sgt scrub (869860)

      In addition to MacTenchi's comment... out-of-order fragments will get dropped by any good router or IPS, so you can't go that way, and duplicate fragments are discarded by every decent firewall. Now, UDP packets echoed from client to random client until they need to be reassembled is another story. The greater the ratio of clients to packets you have, the greater the difficulty for someone to reassemble it.

  • Purely academic (Score:4, Interesting)

    by gweihir (88907) on Monday April 25, 2011 @12:52PM (#35930962)

    You get very little data to store, but this looks like it will be secure and, for a change, really hard or impossible to detect.

    Of course a dead giveaway is the access software needed, so this works only for hiding data that the holder cannot access. That and the low data volume (20MB in 160GB is given as an example) limits the usefulness to a nice but very academic idea.

    • by jmorris42 (1458) *

      > Of course a dead giveaway is the access software needed, so this works
      > only for hiding data that the holder cannot access.

      Lots of use cases for that. You encode a hard drive at your embassy and send it back with an unsuspecting minion. When they get home your people there do a 'routine check' on the laptop and extract the too hot for ordinary channels memo, again with the user totally unsuspecting that he was a courier.

      Human rights group in hellhole country wants to get a release out? Find some

      • by gweihir (88907)

        Completely bogus.

        Embassies have diplomatic couriers that are explicitly allowed to carry encrypted data and make regular travels. Embassies also typically have very secure encrypted communications.

        "Human rights group.": The tourist will likely be an informer or watched and needs to be extremely careful not to be entrapped. This scenario is completely unrealistic. Also, if the "Human rights group" has the software or even the paper, then they already have channels that actually work. If the tourist's laptop

        • How would the change in the fragmentation pattern be glaringly obvious? I don't think they're going to create a complete image of every hard drive entering or leaving the country. Or the carrier might just bring a drive bought inside the country, etc etc.

          I agree that it's largely artificial, though; with capacities in the sub-gigabyte range, transmitting the data via the internet or a cellular link is going to be much easier than physically carrying around drives. Most places that have tourists going in al

          • by gweihir (88907)

            The change is of course only obvious if they are looking for it. But they do not need the whole disk, just the FAT and that is far, far smaller and there such a change is glaringly obvious.

            Anyways, I doubt anybody is really worried about preventing a few megabytes from being smuggled. There are a lot of ways to do that and the threat represented by this is rather small.

    • by jonadab (583620)

      Actually, the real problem is that normal usage of the drive would typically change where some files are stored and how they are fragmented. If you used it on your main system drive (i.e., the filesystem whereupon the OS is installed), merely booting up your operating system would very likely make some of your hidden data irretrievable.

      (There's also the small matter of FAT32 no longer being terribly useful on hard drives, but in principle the method would be applicable to other filesystems, though the impl

      • You beat me to it. It seems to me that since slack space is not protected by either the FS or the OS, it would be vulnerable to everyday use of the drive.
    • You get very little data to store, but this looks like it will be secure and, for a change, really hard or impossible to detect.

      Of course a dead giveaway is the access software needed, so this works only for hiding data that the holder cannot access. That and the low data volume (20MB in 160GB is given as an example) limits the usefulness to a nice but very academic idea.

      I agree... and this made me think: a good method I saw for steganography uses forums and blogs to embed the data in public site inside other documents.

      However, why not do something like store the data in a Fake Antivirus program, or even web cookies forged for various sites? Both give you true plausible deniability, as you can deny you ever wanted the data on your machine in the first place... and with the second, you can make the data expire, and even have a remote website that'll automatically reconstitu

      • 2nd thought: you can even hide the data on OTHER people's computers using this method, assuming you have access to a few domain names and web servers. You could also initiate a remote expiry/rewrite of key cookies, so the data can be remotely revoked, assuming the person visits somewhere that'll reset the cookie.

        You could even overwrite common cookies (store the data in ad cookies, and then usually run ad blocking software). To erase, you disable your ad blocking software, and the ads wipe the data for yo

  • by aylons (924093) <slashdot-servico ... s DOT com DOT br> on Monday April 25, 2011 @12:54PM (#35931014) Homepage

    Doesn't TrueCrypt's plausible deniability get the same effect without depending on a loose file system hack?

    • by gnapster (1401889)

      That might be part of it. However, the main aspect of plausible deniability for TrueCrypt is that the blob of encrypted data may hold two volumes, each accessed by a different passphrase. Then, I can have the software installed on my computer, and it is easy to see that I am probably using the software for hiding data. But it is impossible to tell whether I am only using one encrypted volume, or two. I can deny that I have created a passphrase for the second one, and there is no way to tell how much of

      • by fatphil (181876)
        The guys who are using two will probably give up the information they were trying to keep secret, and if so possibly survive.

        The guys who are only using one will not survive.

        So there's no incentive for the latter set to use it at all.

        *Everything* about using TrueCrypt says "keep beating me with the rubber hose".
    • by Chemisor (97276)

      Deniability gets less and less plausible every time you get hit with a $5 wrench [xkcd.com].

      • by Urkki (668283)

        Deniability gets less and less plausible every time you get hit with a $5 wrench [xkcd.com].

        No, the deniability gets more and more plausible every time you get hit with the wrench and still just keep begging for mercy. It's just that it gets harder and harder too with every impact. But I'm sure that's what you actually meant, so this is just nitpicking.

        Then the question becomes: Will they keep hitting you with the wrench until you die just in case, even if they start to believe you're telling the truth?

        And then: If you're still alive when they're through with using the wrench, are they going to bu

  • by vlm (69642) on Monday April 25, 2011 @12:54PM (#35931018)

    Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information,"

    So what encryption scheme are they using before storing the data? I didn't find it in the article. Hopefully not something as dumb as XOR using the "key" or using the key as a step size when encoding or something like that.

    Unless they encrypt the data before encoding the fragmentation, a glance at the frag pattern will show a distinct and obvious pattern based on the stored data. If the data is UTF-8 text using non-ASCII glyphs, it's gonna be pretty obvious when every other byte is a UTF-8 shift header thingy. If it's plain ole ASCII text it's going to be pretty obvious the 8th bit is almost always 0. If the data is semi-packetized like video frames, it's gonna be pretty obvious. If the data is stored emails with semi-known plaintext headers, it's gonna be pretty obvious. There's only so many ways to encode 1 and 0 into the frag pattern, so playing games like encoding it backwards isn't going to help.

    I'm guessing it's not going to be plausibly deniable at all... The other part of the deniability problem is how to deny the presence of the decryption tools in the filesystem, or in unused blocks of the FS. Hmm. You could delete the tools, and then defrag the hard drive to sorta-wipe it. Oh wait...

  • by gmuslera (3436)
    I the wonder how password they could do is this in plain swordfish sight
  • by PPH (736903) on Monday April 25, 2011 @01:03PM (#35931144)
    "A group of researchers I has developed a new think application that can hide this sensitive data is on a hard drive a without encrypting it bunch or leaving any of obvious signs that the data is crap present."
    • come on... Maybe Everyone is Exceptionally stupid, Truly... At least Try to Make it less Obvious. Each Secret system has it's own way of passing data... I can think of 8 off the top of my head, but none are that ridiculously easy to spot. Perhaps More effort is needed to create a good example? even this one is pathetic, but it's more realistic than what you are showing, and more accurately to the point (somewhat).

  • the data isn't even written to sectors marked empty, the data is written to empty air!

    http://blog.jitbit.com/2011/04/chinese-magic-drive.html [jitbit.com]

  • There are a lot of things that someone might want to hide for a short while. It could work well on networks, too, using a predictive coding scheme like Trellis. The message would be almost impossible to detect. On the other hand, the sender and receiver need to be intimately involved, and therein lies the rub.
    • Steganographically encode info in trolls!

      Did you exactly document the shades of red in Goatse? How do you know those aren't orange-shifted to encode data?

      Talk about in plain sight! Yikes!

  • It's easier to put your sensitive data on a micro SD card, and hide that somewhere.

    • It's easier to put your sensitive data on a micro SD card, and hide that somewhere.

      I once set up a computer on an SD card, but also set up a partition to be used as memory for my digital camera. In this way I could put the memory into my SD camera and the camera would operate in all normal ways if searched. But I could also remove the memory from my camera and put it into a computer. Furthermore, I didn't just put data on the SD card. I put the entire operating system on it. So I could essentially travel anywhere with only my camera in hand and when I arrive at my destination, I could put t

  • For example, place the hard drive in the shell of a real but non functional printer. If it doesn't need to be connected, alternately hollow out a book and hide it in there, etc.

    • Or, place it inside a fully functional printer, directly wired to the USB line, hiding in the back of an unused paper tray slot of a multi-slot computer... then, with the printer connected, the Hard Drive can also be connected (or easily disconnected). Add a switch internally if you're paranoid, or set the power such that turning off the printer turns on the hard drive and vice versa.

    • by jonadab (583620)
      If you're going to assume that they won't do a thorough physical search, you might as well just put a second hard drive in the computer but disconnect the data cable. Any search too cursory to find it in a hollow book won't find it in the spare internal drive bay either.

      This approach fails badly, though: if they do any kind of serious physical search, the jig is up.
      • I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.

        If you have an old style rear projection TV you can easily fit an entire PC inside it, and transmit data via the coax cable.

        At last a use for the cloud: register under a fake account name

        • by PhrstBrn (751463)

          I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.

          If they seized your computer and did forensics on it, they would see you accessing some wifi box "dirtydatamachine". They walk up to your premises with a wifi scanner, and wonder why there is an AP without an SSID being broadcast, that happens to respond with "dirtydatamachine".

          The only thing that will really work with this is to encrypt the drive with truecrypt and only give up the decoy password, at which point there is no reason to bother with the WiFi box.

  • Security through obscurity never works, nor should it be tried.
  • "His bowtie is really a camera..."

  • From the article:

    a cluster is chained with a consecutive cluster if the bit encountered in the message is similar to the previous bit and a cluster is chained with a non-consecutive cluster if the message bit is different from the previous message bit.

    Then, even if the data is encrypted with an unknown key, we can expect almost exactly half the clusters to be chained to consecutive ones, and they are distributed in a random fashion. By counting the length of consecutive cluster blocks, we should see that 1/2 of them have 1 cluster, 1/4 have 2 clusters, 1/8 have 3 clusters and so on, and they are evenly distributed along the drive.

    It's very unlikely that such a distribution would appear spontaneously on a disk by just using it normally, so
