Slashdot Mirror
New Tool Hides Data In Plain Sight On HDDs
Trailrunner7 writes "A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."
scandisk will just remove this
"The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."
NTFS has been doing that for years.
They hide data by splitting it into small pieces, writing it to disk in random order and marking that sector empty. Sounds like a disaster to me, all you need to do is to use the disk, just defrag it and your hidden data is gone.
Yeah that was my thought too. Although you could consider defrag to be a secure destruct mechanism... ;)
When I read the headline, I immediately thought of putting sticky-notes on HDDs.
Wow, isn't that useful.
Did you say "insightful" or "inciteful"?
US and Pakistan.
Together. CIA and ISI?
Here's your backdoor Trojan from hell.
"Flyin' in just a sweet place,
Never been known to fail..."
Congratulations, you've failed to read the first two sentences of the article summary! :P
Just because you're encoding the information in the fragmentation patterns of the underlying filesystem it doesn't mean you're not engaging in encryption. The encryption is the key input to the algorithm to identify how to turn that apparently random pattern back into plaintext - otherwise we'd be able to say, "OK, let's check he's not using this method," without any secrets.
tl;dr Steganography is useless without encryption.
Steganography will probably become illegal exactly when encryption becomes illegal.
Yeah that was my thought too. Although you could consider defrag to be a secure destruct mechanism... ;)
That's the beauty of this sort of thing. Not for storing your routine Porn^HDocuments, but for really sensitive stuff that can be destroyed quickly and 'innocently'.
"Well, sir, the computer was running a bit slow, so I defragged it yesterday. Is that a problem?"
Faster! Faster! Faster would be better!
It may be best to hid the steganography-generated content in a bunch of SPAM emails, in the SPAM folder of whatever email program you use...
Kind of like:
http://www.spammimic.com/explain.shtml
It's the first thing most law-enforcement people would delete, or ignore...
Hiding things in plain sight is extremely useful until you know where it is. Then the game is up. Funny thing is, now that the method is out there for everyone to see, one could hardly argue that such data was hidden at all.
But how many words per minute can it type?
PocketPermissions Android Permission Guide
Yes, but it would require the user to know to actually defrag the hard drive.
Also, that's even better than you might think, makes obliterating the data even easier if you suspect it'll be found, or as a way to ensure it's destroyed. As long as you're not writing to the volatile part of the HD, you'll be fine for normal operation.
"Our goal each year should be to increase the number of goals we set for ourselves!"
If it can work in the filesystem, it can work theoretically at the network packet level...
Or require a FS that fragments
You get very little data to store, but this looks like it will be secure and, for a change, really hard or impossible to detect.
Of course a dead giveaway is the access software needed, so this works only for hiding data that the holder cannot access. That and the low data volume (20MB in 160GB are given as example) limits the usefulness to a nice but very academic idea.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Doesn't TrueCrypt's plausible deniability get the same effect without depending on a loose file system hack?
This comment may contain speech figures. Reader discretion is advised.
Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information,"
So what encryption scheme are they using before storing the data? I didn't find it in the article. Hopefully not something as dumb as XOR using the "key" or using the key as a step size when encoding or something like that.
Unless they encrypt the data before encoding the fragmentation,a glance at the frag pattern will show a distinct and obvious pattern based on the stored data. If the data is UTF-8 text using non-ascii glyphs, its gonna be pretty obvious when every other byte is a UTF-8 shift header thingy. If its plain ole ascii text its going to be pretty obvious the 8th bit is almost always 0. If the data is semi-packetized like video frames, its gonna be pretty obvious. If the data is stored emails with semi-known plaintext headers, its gonna be pretty obvious. Theres only so many ways to encode 1 and 0 into the frag pattern so playing games like encoding it backwards isn't going to help.
I'm guessing its not going to be plausibly deniable at all... The other part of the deniability problem is how to deny the presence of the decryption tools in the filesystem, or in unused blocks of the FS. Hmm. You could delete the tools, and then defrag the hard drive to sorta-wipe it. Oh wait...
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Correct me if I'm wrong (I often am about Windows) but aren't there several types of sectors reserved for system uses and not touched by defrag? I know I've seen the defrag graphic when fixing some friends borked up PC and seen something like this.
All that would have to be done is to mark the hidden data as system sectors not to be messed with by defrag. Of course, knowing this, it would make a search for said data much easier.
Have gnu, will travel.
And Windows 7 does a defrag automatically! See : http://www.i-programmer.info/news/149-security/2352-hiding-data-in-disk-fragmentation.html for some of the problems.
And I just deleted my porn folder...
I the wonder how password they could do is this in plain swordfish sight
Based on TFA, and even TFS, it would be more accurate to say they've found a novel way to use the wheel.
They say a little knowledge is a dangerous thing, but it's not one half so bad as a lot of ignorance. - Terry Pratchett
None. Counting typing speed is haram.
"A group of researchers I has developed a new think application that can hide this sensitive data is on a hard drive a without encrypting it bunch or leaving any of obvious signs that the data is crap present."
Have gnu, will travel.
the data isn't even written to sectors marked empty, the data is written to empty air!
http://blog.jitbit.com/2011/04/chinese-magic-drive.html
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
DOS sez:
copy file1+file2 file3
NOW I HID FILE2 IN FILE1! THIS IS SUPER BED TIME READING!
What sort of thought process leads to a stupid comment like this? Somebody creates a new plastic: "Congratulations, you've reinvented polymerization!" Somebody makes a better and faster computer chip: "Congratulations, you've reinvented computing!"
Everything is built on something else. For most of us, that's obvious. I guess not for some. For you, new ideas must leap fully formed from a different universe accompanied by a huge explosion in order to be interesting, I guess.
There are a lot of things that someone might want to hide for a short while. It could work well on networks, too, using a predictive coding scheme like Trellis. The message would be almost impossible to detect. On the other hand, the sender and receiver need to be intimately involved, and in there lies the rub.
They hide data by splitting it into small pieces, writing it to disk in random order and marking that sector empty. Sounds like a disaster to me, all you need to do is to use the disk, just defrag it and your hidden data is gone.
This is called fragility, and depending on context, is a desired feature.
Know how I know you did not read the article? This method is rearranging existing data so the FAT itself holds the data. This is not including the data at the end of a cluster, or putting it in empty clusters.
If you want to encode a 0, put the first block at an even numbered sector. If you want to encode a 1, put it at an odd numbered sector. There are other ways to do it, but that's just one example.
There is no data on the drive itself to analyze, it's all in the fragmentation of the FAT.
Comment removed based on user account deletion
It's easier to put your sensitive data on a micro SD card, and hide that somewhere.
For example, place the hard drive in the shell of a real but non functional printer. If it doesn't need to be connected, alternately hollow out a book and hide it in there, etc.
You are wrong.
The system sectors are actual files. Files are marked as DO NOT MOVE because of various things that happens with these files. Empty space cannot be marked as unmoveable.
... wtf, all they did was reverse the process of defragmentation. THAT'S BEEN DONE ALREADY, FOR ONE THING. calling it steganography is stupid... the file system will have to take all these scattered clusters into account in order to avoid over writing them. this is only 'hiding' the data if you have a drive plate with no file system intact and have to scrub it for the data. nobody is ever in that situation. your drive at home will have the file system intact, and there will be headers linking all these 'scattered' segments together. puh fucking LEASE. it was worse than reinventing the wheel, it doesn't even sound good. 'wheel' sounds good!
Because there is no "invention" here. Chopping up data into pieces and scattering them around a drive has been a known technique for nearly 30 years. There is no invention involved for "finding other cracks for the pieces to fit into".
In addition, steganography and similar technologies are very poor choice for hiding data, because detecting the hidden data can be easily automated.
Steganographically encode info in trolls!
Did you exactly document the shades of red in Goatse? How do you know those aren't orange-shifted to encode data?
Talk about in plain sight! Yikes!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
No they do not. You just totally invented that.
I know this is Slashdot and not reading TFA is a rite of passage, but at least don't try to "inform" when you have no idea about something.
None of the secret data is written to disk at all. As the researchers explain clearly (they're quoted in TFA), the data is encoded in the pattern of cluster allocations used for storing the non-hidden files already present on the drive. They even describe the RLE-based algorithm used for cluster-chain encoding. The size of existing files remains the same, the amount of disk space used and unused in the filestore remains the same, and the contents of all the files remain the same after this process.
So your explanation couldn't be more wrong. And the moderators who gave you a +5 Informative failed to understand the method as well.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Just write to /dev/null and save yourself the trouble.
I can certainly see how his comment could come off as sarcastic and acerbic.
However, he does have a point. There is nothing new about the approach. They even claim new, but from reading the article, this is not new.
I see no reason to make a comparison between new and old stenographic methods. At most splitting the chunks against multiple files is a different implementation of the exact same idea. Nothing Earth shattering, and I can see a couple of issues already.
If it is split across multiple files and not encrypted, then technically the safety of your data is only as safe as how limited the ability of an attacker is to perform analysis and reconstruction. There are companies out there that make tens of thousands of dollars doing just that.
If my file is split across 349 files what happens when file# 235 is modified or deleted? Do they have a system wide monitoring process? Redundant processes similar to RAID to accept small degradations like that? Just how inefficient is the process then? Like RAID 5 do you need to lose an additional 20% of total storage space on a 4 drive implementation?
I can kind of see the "Congratulations" statement here. It is stenographic, just not radically different than other methods, and ostensibly with some serious caveats.
I think I will stick with TrueCrypt for now which actually encrypts my data is reliant upon a simple and hard to defeat denial mechanism. That being, "But I gave you the password. You can see the files".
Security through obscurity never works, nor should it be tried.
Not very many, but it's amazing to watch it using that spiky tail at all...
Just worth pointing out that this will be blindingly obvious to anybody that wants to look for hidden data. Plus most operating systems screw around with this all the time... won't work.. stupid idea... go back to truecrypt
stenography is the word you are looking for?
Except this doesn't seem "better" since it's just one fsck away from obliterating everything.
"His bowtie is really a camera..."
Table-ized A.I.
fuck religious people in general
Can I start with the cute ones, please?
Quidnam Latine loqui modo coepi?
They reorder full blocks to encode data in the orderings within the list of blocks for a given file. That's why they "do not require storage of any additional information on the filesystem" and why "a capacity of up to 24 bits/cluster can be achieved on a half-empty disk".
If they wrote to additional blocks they (1) would be adding additional data to the filesystem, (2) would have no limit to the data that could be hidden and (3) would lose it as soon as one started writing additional information to the disk and used the empty blocks.
See instead the abstract from Science Direct:
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-51BBKRS-1&_user=10&_coverDate=01%2F31%2F2011&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=ee913861b3d05b46b905bd4d52ca9380&searchtype=a
davecb@spamcop.net
My thoughts exactly... both are abominations by themselves, but have them "cooperate" on a project and the result can be quite disastrous. I'm sure the biggest terrorist attack of our century rings a bell...
Grammar nazis are to this community what excrements are to gold.
It seems like TFA's author might have made the same mistake, or their wording is extremely poor. They say
The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive. [...] The method that Khan and his colleagues developed avoids this problem by hiding small pieces of a sensitive file various random places on a hard drive. [...] as the sensitive files are not actually hidden but rather dispersed in pieces.
The file is broken into bits and placed in the arrangement of clusters--these bits are not literally written to the hard drive.
Defrag? What is defrag? Oh, I know. You use one of those "archeological relic from the past" operating systems that don't have self-cleaning file systems. The patent expired on this stuff more than 20 years ago. IBM developed and implemented it in 1968. It was hot stuff back then. Defrag, oh, and vote for Hubert Humphrey, don't vote for that Nixon! I see political scandal in his future! Perhaps next time you could describe problems with file systems whos' design is newer than 40 years old? Is your 160kB 5 1/4" floppy disk ok? Have you ever gotten a punched card misplaced in your card deck? You sure find out in less than an hour when you get the printout from the teletypewriter! Oh, and defrag!
Start with the girls of the IDF and work your way through the middle east from there.
If all else fails, immortality can always be assured by spectacular error.
Or, place it inside a fully functional printer, directly wired to the USB line, hiding in the back of an unused paper tray slot of a multi-slot computer... then, with the printer connected, the Hard Drive can also be connected (or easily disconnected). Add a switch internally if you're paranoid, or set the power such that turning off the printer turns on the hard drive and vice versa.
Before commenting on the Bible, please read it first
I have an SSD, you insensitive clod!
Look at copyright and patenting lawsuits and you will realize that he is not alone. We used to stand on the shoulders of giants. Nowadays these giants ask so much rent you can't stand on their shoulders.
Even if standing on their shoulders would mean you could drag them out of the pit, they rather get money then be saved.
Don't fight for your country, if your country does not fight for you.
Do you think there is an "intelligence" organisation in the world, that is no co-opted and part of the secret government operations?
"Flyin' in just a sweet place,
Never been known to fail..."
This is basically security through obfuscation and we all know how well that works in the long run.
If you're going to assume that they won't do a thorough physical search, you might as well just put a second hard drive in the computer but disconnect the data cable. Any search too cursory to find it in a hollow book won't find it in the spare internal drive bay either.
This approach fails badly, though: if they do any kind of serious physical search, the gig is up.
Cut that out, or I will ship you to Norilsk in a box.
I am really surprised Garfinkel, who is on the editorial board for the journal, let it be published. They should have read through the BlackHat and DefCon archives before publishing. They are not just trying to stand on the shoulders of giants, but failing to credit those giants.
At Blackhat Federal 2006 The Grudd and I were discussing various places to hide data. He brought up this exact method but we dismissed it because file systems were starting to do automatic file defragmentation. These researchers get credit for coming up with it separately and getting it published. However, they had to use FAT because it is one of the few file system in use today where the method will still reliably work.
Today NTFS is the primary file system on over 90% of home computers, making research based on the archaic FAT file system nearly meaningless. USB drives and XBoxs still use FAT so legitimate forsenic of anti-forsenic research papers often include sections on FAT, but no serious paper only covers FAT.
I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.
If you have an old style rear projection TV you can easily fit an entire PC inside it, and transmit data via the coax cable.
At last a use for the cloud: register under a fake account name, say, that of your local prosecutor, and store your naughty files encrypted on there.
[Note: by "naughty" I don't mean sexual necessarily, I mean anything the powerful don't want you to have]
I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.
If they seized your computer and did forensics on it, they would see you accessing some wifi box "dirtydatamachine". They walk up to your premise with a wifi scanner, and wonder why there there is an AP without and SSID being broadcast, that happens to respond with "dirtydatamachine".
The only thing that will really work with this is to encrypt the drive with truecrypt and only give up the decoy password, at which point there is no reason to bother with the WiFi box.
a cluster is chained with a consecutive cluster if the bit encountered in the message is similar to the previous bit and a cluster is chained with a non-consecutive cluster if the message bit is different from the previous message bit.
Then, even if the data is encrypted with an unknown key, we can expect almost exactly half the clusters to be chained to consecutive ones, and they are distributed a random fashion. By counting the length of consecutive cluster blocks, we should see that 1/2 of them have 1 cluster, 1/4 have 2 clusters, 1/8 have 3 clusters and so on, and they are evenly distributed along the drive.
It's very unlikely that such a distribution would appear spontaneously on a disk by just using it normally, so someone who knows that this scheme exists can check whether it is present on the disk, even if they're not able to decode the data.
(Disclaimer: I haven't read the actual paper, they may have addressed this. Or the claim in the article may be incorrect.)
A hollowed out battery casing in a common form-factor (think C, D, or 9V) containing an SD card or USB stick would even be easier. Besides, something like that can easily be put in with the batteries on a travel radio or battery operated toy and (if done correctly) all you're going to see on an X-ray is the same metal casing as on the other batteries. Not to mention that when considering the inconvenience and difficulty in carrying it out, it's unlikely customs or baggage checks is going to confiscate batteries out of everything that passes their way.
Why people go for a hard drive to hold such a small amount of encrypted data when easier methods are available appears a little silly.
It seems like a method that's probably more useful to log and hide data about the computer it's on with a low probability of detection. Like something for a hard to detect trojan or key-logger with low network usage that piggy-backs its activity with other more legit network activity. Whether or not it's applied that way is another question.
Bollocks indeed:
a) Even with small amounts of hidden data (20 MB in 160 GB was quoted), you will still end up with an _extremely_ fragmented file system:
Each hidden bit requires either a sequential or fragmented block placement, which means that 20 MB needs 160 Mbit or 160 million frag/nofrag chaining decisions.
This works out to one such block per kB of disk space, but since the FAT32 filesystem normally uses 4 KB (or larger) clusters, you would have to decrease the block size to either 1 KB or 512 bytes (the sector size, so the minimum possible).
Since the (presumably compressed and encrypted) data to be hidden will have 50% 0 and 1 bits, the allocation run lengths in the file system will average just two clusters, this would be extremely obvious on any low-level scan of the file system.
I.e. you could make this system work, but only in order to hide a few KB of data, not MB!
Terje
"almost all programming can be viewed as an exercise in caching"
For example, place the hard drive in the shell of a real but non functional printer. If it doesn't need to be connected, alternately hollow out a book and hide it in there, etc.
lol, spot on.
And when they x-ray your book and find a hard drive inside?
1. It would work through your regular AP (no mysterious unidentified APs)
2. By the time they've carted off your main computer and done forensics on it, you've had time to dispose of the machine containing your illicit data.
3. In the UK you can be locked up for failing to disclose your encryption keys when asked, I don't fancy trying to convince them I haven't got any hidden Truecrypt volumes. You could deny having them, but the question is: can they lock you up anyway if they think you have one? I don't think that question has been tested yet. So keeping your illicit data on a box they won't find in the first raid may be safer whether it is encrypted on the hidden box or not.