Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hiding and Recovering Data on Linux

Posted by CmdrTaco on from the hah-its-in-the-other-hand dept.

neuroticia writes "linuxsecurity.com has an interesting article on data hiding and recovery: "On a 4GB Linux partition, the block size is typically 4K (chosen automatically when the mke2fs utility is run to create a filesystem). Thus one can reliably hide up to 4KB of data per file if using a small file. The data will be invulnerable to disk usage, invisible from the filesystem, and, which is more exciting for some people, undetectable by file integrity checkers using file checksumming algorithms and MAC times. Ext2 floppy (with a block size of 1KB) allows hiding data as well, albeit in smaller chunks.""

5 of 151 comments (clear)

  1. Uses? by secondsun · · Score: 5, Funny

    Good for hiding all of my 1 - 4 kB pr0n.

    --
    There is nothing wrong with being gay. It's getting caught where the trouble lies.
  2. Does not work with ReiserFS by Anders · · Score: 5, Informative

    I did not see it mentioned that ReiserFS is able to "pack tails", which means that the ending parts of files that do not fill an entire disk block (typically 4KB) are not stored in their own block. Thereby, it does not waste (on average) 2KB per file.

    Actually using the disk blocks seems, to me, more appropriate than hiding stuff in them. There is even work in progress of an ext2 version of this technique.

  3. Won't hide from raw access by redelm · · Score: 5, Interesting
    File/block slack is hardly news. Nor is it even moderately secure.

    One of the first things a forensic analyst will do, mostly in search of deleted blocks is `strings /dev/hda1`. More likely off a ro image, but out everything ASCII will pop.

    Have a look at The Coroner's Toolkit

  4. I used to be paranoid.. by linuxrunner · · Score: 5, Interesting

    And I used to encrypt everything... Hide files, secure my boxes with passwords that were ridiculous!!!!

    Then..

    I had to stop and wonder why I was doing it. No one was writing e-mail to my using my PGP. Even though I made it available on my web site, and sent as attachments to people could e-mail me back using it. No one did.
    I bought secure removable media. A chain to keep it on me. And had it encrypted. Now i just keep it in a bag with my laptop and never bother to use it.
    My palm pilot has encrypted media.
    No ones ever touched it... I just keep it on my desk hooked up to my Linux box for easy syncing...

    What's my point.. Do I have one? MAYBE.

    I stopped because I was lazy. I didn't have anything to hide, nothing I do is that important that I have to encrypt it. My code is opensource, and my bank info and passwords, etc are kept on my linux laptop, not on a server.

    I guess, I'd like to know Who is using constant encryption and why?
    For me, Encryption needs to be strong, standard, and integrated, otherwise it's just a pain.

    This of this as an e-mail client. Kinda like PGP but easier.
    I write an e-mail. I click "send". My e-mail client checks the "encryption" server. It finds a match for the e-mail recipient I'm sending to and downloads the PGP file and encrypts the e-mail to the recipients specifications. I did not have to do anything. If no PGP key is found then it will be sent unencrypted and let you know that it is doing so.

    --
    www.slightlycrewed.com - Because aren't we all?
  5. I haven't seen anyone mention this... by SkyLeach · · Score: 5, Insightful

    There are several practical problems with this.

    First: defragmenting. If you run any utility to defragment your drive, the data will (probably) be lost.

    Second: Don't move that file! If you don't know what file space your "secret" data is stored in, then moving, adding, deleting, copying or otherwise altering (editing) any file may destroy some part of your hidden information. Remember that you only have 4k to work with at any given time. This isn't a huge amount of space. You start hiding data all over the place and you quickly start running into this risk.

    Third: The govm't and spies aren't stupid. They will have thought of this possibility. In order to implement such file-hiding techniques you would almost certainly need to implement some type of disk partition and format management system on top of the existing one in order to avoid the problems mentioned above. It isn't very hard to search for direct-to-disk calls, and checking the kernel source for partion management against current versions to see if it has been altered is easy too. Unless you hide the source code for your (ext3.01?) filesystem somewhere else or in your hidden system area (pretty hard to do) then the person searching for your data has some pretty clear evidence of where to look for your stuff and how to get at it.

    --
    My $0.02 will always be worth more than your â0.02, so :-p