Hiding data in plain sight on a disk

A researchers have developed a new way to hide data on a disk drive: structure disk clusters to encode data. Here's how it works.

Researchers have developed a new way to hide data on a disk drive: structure disk clusters to encode data. Here's how it works.

Disk clusters In a FAT file system a cluster (or allocation unit) is a group of consecutive disk sectors the file system allocates to store a file. The number of sectors in a cluster is a power of 2.

You don't worry about clusters because they are handled by the file system. But they can be manipulated to hide data in plain sight, the definition of steganography.

A cluster can be a single sector or many sectors. The file system uses clusters to reduce the overhead required to keep track of disk capacity.

A single file can be stored in contiguous sectors or non-contiguous sectors. That's the key to encoding hidden data.

Why not simply encrypt the data using available tools? Because encrypted files are easily detected and may cause suspicion.

The encoding process Computer scientists at the University of Southern California, working with colleagues at National University of Science and Technology in Islamabad, Pakistan, realized that if the clusters were manipulated to be contiguous or non-contiguous, data could be encoded.

To hide a binary message, a cluster is kept with a contiguous cluster if the bit in the message is the same as the prior bit. If a the next cluster is non-contiguous the message bit is different from the prior message bit.

Using this basic mechanism a variety of encoding schemes can be designed to improve both the data capacity and the encoded data access times.

Of course, one wants to encode in a way that does not draw attention to the attempt. With modern background defrag in Windows 7 and OS X a heavily-fragmented file system could look suspicious.

On a 160GB disk, 4kb cluster size, 25% allocated and 2% file fragmentation the researchers calculate that a 20MB file could be invisibly encoded.

The Storage Bits take Given that a possible majority of the US Supreme Court believes that Americans have no privacy rights, it falls to liberty-loving citizens to arm themselves with the tools needed to carve out their own private (cyber)space.

Those who worry more about their own skins than they do the death of liberty will object that such technology could be used by bad guys to do bad things. But any tool can be used destructively.

In another decade it will be feasible to gather and store incredibly detailed records of your life - where you go, what you eat, where you surf, who you meet and, by analysis, what you think and believe - so the threat to individual liberty has never been greater. We need tools like this to ensure that the free flow of information is never entirely cut off.

And so do the folks in other countries fighting much more repressive governments than our own.

Comments welcome, of course. Get a pdf of Designing a cluster-based covert channel to evade disk investigation and forensics by Hassan Khan, Mobin Javed, Syed Ali Khayam and Fauzan Mirza here.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All