Slashdot Mirror
Hiding and Recovering Data on Linux
neuroticia writes "linuxsecurity.com has an interesting article on data hiding and recovery:
"On a 4GB Linux partition, the block size is typically 4K (chosen automatically when the mke2fs utility is run to create a filesystem). Thus one can reliably hide up to 4KB of data per file if using a small file. The data will be invulnerable to disk usage, invisible from the filesystem, and, which is more exciting for some people, undetectable by file integrity checkers using file checksumming algorithms and MAC times. Ext2 floppy (with a block size of 1KB) allows hiding data as well, albeit in smaller chunks.""
Sorry, I fail to see how this is news (block sizes and slack space have been well known for years) or a useful technique - you'd need to have a large number of known unchanging files to store any sensible quantity of data. The obvious source would be binary executables. If you are able to store data in the slack space of binary executables, you're presumably root, in which case why not secure your data in a more sensible way.
Better yet, how about combining the "slack space" concept with that of a steganographic filesystem? In fact, the two concepts fit together very well...
The illegal we do immediately. The unconstitutional takes a little longer.
--Henry Kissinger
This trick is more useful on other OSs that copy using entire blocks.
for example data hidden in the tail portion of 512 bytes on a mac will be copied from one floppy to another on the Mac OS for the last 18 years.
Using modern network protocols or file compression will lose these tail end bytes.
A way of hiding data in a Mc file that survives network and file compression is to store data in the 12 byte undefined section of a resource fork header.
Some people write 12 byte hole scanners to search for passwords and credit card numbers and somwtimes find them according to legend.
But the mac has a concept of a physical file length and a logical file length, and the two values do not have to equal each other, and the physical file length has to be modulo 512 minimum.
But hiding data can get easily lost, its better to hide such data in node cluster control areas rather than file tail ends.
Of course! Copy the requisite illegal plans to a floppy, jam it in a bag, and bury it in your garden. Of course, if you have a dog, he might dig it up and nark on you to the feds, but that's life I suppose :)
Personally, my data is about as interesting as a box of dry Jacob's cream crackers, so I ain't about to go hiding it, either in my slack space *or* my window box!!!
Tom Newton
This is a question of security by obscurity. If everyone used exactly this technic to hide their data, everyone and their dog will be able to recover it. But if everyone hides their data at different places (I hide mine in the most insinificant bits in a picture, you hide yours in teh filesystem, etc), we'l increase the workd needed to find any given information.
:)
If you think that "if you are innocent, you have nothing to hide", then certainly, this has no uses. Otherwise, it has lots of uses
Hiding dirty pictures of you and your SO from parents perheaps?
No, just _moving_ it does not free the block. You must either move it to another disk, or copy it and remove all had links to it.
--The knowledge that you are an idiot, is what distinguishes you from one.
Good for hiding all of my 1 - 4 kB pr0n.
There is nothing wrong with being gay. It's getting caught where the trouble lies.
They didn't mention...
...in the article. It beats writing /dev/zero to your entire free space. Besides, if you try and overwrite your free space by dd'ing from /dev/zero, won't the outfile top out at 2 gigs on ext2?
shred -u [filename]
Just make sure you don't use a smart filesystem like ReiserFS, which can use the slack space for storage. If you try to put something in its slack space you might find yourself a bit lost...
I did not see it mentioned that ReiserFS is able to "pack tails", which means that the ending parts of files that do not fill an entire disk block (typically 4KB) are not stored in their own block. Thereby, it does not waste (on average) 2KB per file.
Actually using the disk blocks seems, to me, more appropriate than hiding stuff in them. There is even work in progress of an ext2 version of this technique.
This technique is really *old*. I once had a DOS game that used this to prevent casual copying - the installer was writing additional data into the slack space at the end of it's main executable. There was something similar on the floppy too. I think what it was doing was hashing the data on the floppy with whatever was generated on the HDD, but since I just NOP'ed over the subroutine call, I really didn't need to look too closely. Or require my diskette to play the game for that matter. ;)
UNIX? They're not even circumcised! Savages!
One of the first things a forensic analyst will do, mostly in search of deleted blocks is `strings /dev/hda1`. More likely off a ro image, but out everything ASCII will pop.
Have a look at The Coroner's Toolkit
And I used to encrypt everything... Hide files, secure my boxes with passwords that were ridiculous!!!!
Then..
I had to stop and wonder why I was doing it. No one was writing e-mail to my using my PGP. Even though I made it available on my web site, and sent as attachments to people could e-mail me back using it. No one did.
I bought secure removable media. A chain to keep it on me. And had it encrypted. Now i just keep it in a bag with my laptop and never bother to use it.
My palm pilot has encrypted media.
No ones ever touched it... I just keep it on my desk hooked up to my Linux box for easy syncing...
What's my point.. Do I have one? MAYBE.
I stopped because I was lazy. I didn't have anything to hide, nothing I do is that important that I have to encrypt it. My code is opensource, and my bank info and passwords, etc are kept on my linux laptop, not on a server.
I guess, I'd like to know Who is using constant encryption and why?
For me, Encryption needs to be strong, standard, and integrated, otherwise it's just a pain.
This of this as an e-mail client. Kinda like PGP but easier.
I write an e-mail. I click "send". My e-mail client checks the "encryption" server. It finds a match for the e-mail recipient I'm sending to and downloads the PGP file and encrypts the e-mail to the recipients specifications. I did not have to do anything. If no PGP key is found then it will be sent unencrypted and let you know that it is doing so.
www.slightlycrewed.com - Because aren't we all?
There are several practical problems with this.
First: defragmenting. If you run any utility to defragment your drive, the data will (probably) be lost.
Second: Don't move that file! If you don't know what file space your "secret" data is stored in, then moving, adding, deleting, copying or otherwise altering (editing) any file may destroy some part of your hidden information. Remember that you only have 4k to work with at any given time. This isn't a huge amount of space. You start hiding data all over the place and you quickly start running into this risk.
Third: The govm't and spies aren't stupid. They will have thought of this possibility. In order to implement such file-hiding techniques you would almost certainly need to implement some type of disk partition and format management system on top of the existing one in order to avoid the problems mentioned above. It isn't very hard to search for direct-to-disk calls, and checking the kernel source for partion management against current versions to see if it has been altered is easy too. Unless you hide the source code for your (ext3.01?) filesystem somewhere else or in your hidden system area (pretty hard to do) then the person searching for your data has some pretty clear evidence of where to look for your stuff and how to get at it.
My $0.02 will always be worth more than your â0.02, so