Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hiding and Recovering Data on Linux

Posted by CmdrTaco on from the hah-its-in-the-other-hand dept.

neuroticia writes "linuxsecurity.com has an interesting article on data hiding and recovery: "On a 4GB Linux partition, the block size is typically 4K (chosen automatically when the mke2fs utility is run to create a filesystem). Thus one can reliably hide up to 4KB of data per file if using a small file. The data will be invulnerable to disk usage, invisible from the filesystem, and, which is more exciting for some people, undetectable by file integrity checkers using file checksumming algorithms and MAC times. Ext2 floppy (with a block size of 1KB) allows hiding data as well, albeit in smaller chunks.""

4 of 151 comments (clear)

  1. Re:Some questions... by redhog · · Score: 4, Insightful

    This is a question of security by obscurity. If everyone used exactly this technic to hide their data, everyone and their dog will be able to recover it. But if everyone hides their data at different places (I hide mine in the most insinificant bits in a picture, you hide yours in teh filesystem, etc), we'l increase the workd needed to find any given information.

    If you think that "if you are innocent, you have nothing to hide", then certainly, this has no uses. Otherwise, it has lots of uses :)

    Hiding dirty pictures of you and your SO from parents perheaps?

    No, just _moving_ it does not free the block. You must either move it to another disk, or copy it and remove all had links to it.

    --
    --The knowledge that you are an idiot, is what distinguishes you from one.
  2. I haven't seen anyone mention this... by SkyLeach · · Score: 5, Insightful

    There are several practical problems with this.

    First: defragmenting. If you run any utility to defragment your drive, the data will (probably) be lost.

    Second: Don't move that file! If you don't know what file space your "secret" data is stored in, then moving, adding, deleting, copying or otherwise altering (editing) any file may destroy some part of your hidden information. Remember that you only have 4k to work with at any given time. This isn't a huge amount of space. You start hiding data all over the place and you quickly start running into this risk.

    Third: The govm't and spies aren't stupid. They will have thought of this possibility. In order to implement such file-hiding techniques you would almost certainly need to implement some type of disk partition and format management system on top of the existing one in order to avoid the problems mentioned above. It isn't very hard to search for direct-to-disk calls, and checking the kernel source for partion management against current versions to see if it has been altered is easy too. Unless you hide the source code for your (ext3.01?) filesystem somewhere else or in your hidden system area (pretty hard to do) then the person searching for your data has some pretty clear evidence of where to look for your stuff and how to get at it.

    --
    My $0.02 will always be worth more than your â0.02, so :-p
  3. Re:Nonsense by bourne · · Score: 4, Insightful

    If you are able to store data in the slack space of binary executables, you're presumably root, in which case why not secure your data in a more sensible way.



    Unless, of course, you're just "borrowing" root access from the chappie who actually owns the box.



    A skilled attacker will hide as many signs of his intrusion as possible. This is one more method he may use, to avoid file integrity checkers like Tripwire, AIDE, and FCheck.



    As for what he's hiding? Let's say he puts a trojan sshd in place to grab passwords - those passwords could be conveniently hidden until Bad Guy can come around and collect them.


  4. Re:Nonsense by zCyl · · Score: 4, Insightful

    Sorry, I fail to see how this is news (block sizes and slack space have been well known for years) or a useful technique

    Remove yourself from that high equine animal you are saddled upon. Yes, to many of us here, the idea of storing data in unused sections of a drive is old hat, and many of us have even used such a technique before for various purposes such as for copy protection flags, or for hiding information where people wouldn't think to look, etc. (which are examples of where it would be useful) The "news" in this post is not that you can hide data in the unused portions of blocks, but that a new article overviewing this technique was recently posted, so that those who are not familiar with the concept can go read it and learn about it. These are important concepts that system administrators should know about, so that they know when they can and cannot trust what the tools at their disposal (such as ls, for example) tell them about the contents of their system.

    By itself, hiding something in a system doesn't provide a very good amount of security, but in combination with other things, it can be the best form of security possible. Never underestimate the value of other people not even knowing there is a secret they need to look for.