New Tool Hides Data In Plain Sight On HDDs
Trailrunner7 writes "A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight. Developed by a group of academic researchers in the US and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."
Congratulations, you're reinvented the wheel.
scandisk will just remove this
It won't stop them from raiding your house, or taking your machine from you at the airport, and just keeping it. Waddya gonna do about it? Eh? A bunch of nothing, that;'s what...
For justice, we must go to Don Corleone
They hide data by splitting it into small pieces, writing it to disk in random order and marking that sector empty. Sounds like a disaster to me, all you need to do is to use the disk, just defrag it and your hidden data is gone.
There are no atheists when recovering from tape backup.
"The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive."
NTFS has been doing that for years.
When I read the headline, I immediately thought of putting sticky-notes on HDDs.
Wow, isn't that useful.
Did you say "insightful" or "inciteful"?
Just because you're encoding the information in the fragmentation patterns of the underlying filesystem it doesn't mean you're not engaging in encryption. The encryption is the key input to the algorithm to identify how to turn that apparently random pattern back into plaintext - otherwise we'd be able to say, "OK, let's check he's not using this method," without any secrets.
tl;dr Steganography is useless without encryption.
Steganography will probably become illegal exactly when encryption becomes illegal.
It may be best to hid the steganography-generated content in a bunch of SPAM emails, in the SPAM folder of whatever email program you use...
Kind of like:
http://www.spammimic.com/explain.shtml
It's the first thing most law-enforcement people would delete, or ignore...
Hiding things in plain sight is extremely useful until you know where it is. Then the game is up. Funny thing is, now that the method is out there for everyone to see, one could hardly argue that such data was hidden at all.
If it can work in the filesystem, it can work theoretically at the network packet level...
You get very little data to store, but this looks like it will be secure and, for a change, really hard or impossible to detect.
Of course a dead giveaway is the access software needed, so this works only for hiding data that the holder cannot access. That and the low data volume (20MB in 160GB are given as example) limits the usefulness to a nice but very academic idea.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Doesn't TrueCrypt's plausible deniability get the same effect without depending on a loose file system hack?
This comment may contain speech figures. Reader discretion is advised.
Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information,"
So what encryption scheme are they using before storing the data? I didn't find it in the article. Hopefully not something as dumb as XOR using the "key" or using the key as a step size when encoding or something like that.
Unless they encrypt the data before encoding the fragmentation,a glance at the frag pattern will show a distinct and obvious pattern based on the stored data. If the data is UTF-8 text using non-ascii glyphs, its gonna be pretty obvious when every other byte is a UTF-8 shift header thingy. If its plain ole ascii text its going to be pretty obvious the 8th bit is almost always 0. If the data is semi-packetized like video frames, its gonna be pretty obvious. If the data is stored emails with semi-known plaintext headers, its gonna be pretty obvious. Theres only so many ways to encode 1 and 0 into the frag pattern so playing games like encoding it backwards isn't going to help.
I'm guessing its not going to be plausibly deniable at all... The other part of the deniability problem is how to deny the presence of the decryption tools in the filesystem, or in unused blocks of the FS. Hmm. You could delete the tools, and then defrag the hard drive to sorta-wipe it. Oh wait...
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
And I just deleted my porn folder...
Hmm, there is always a way to read a HDD.
I the wonder how password they could do is this in plain swordfish sight
"A group of researchers I has developed a new think application that can hide this sensitive data is on a hard drive a without encrypting it bunch or leaving any of obvious signs that the data is crap present."
Have gnu, will travel.
the data isn't even written to sectors marked empty, the data is written to empty air!
http://blog.jitbit.com/2011/04/chinese-magic-drive.html
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
DOS sez:
copy file1+file2 file3
NOW I HID FILE2 IN FILE1! THIS IS SUPER BED TIME READING!
There are a lot of things that someone might want to hide for a short while. It could work well on networks, too, using a predictive coding scheme like Trellis. The message would be almost impossible to detect. On the other hand, the sender and receiver need to be intimately involved, and in there lies the rub.
Know how I know you did not read the article? This method is rearranging existing data so the FAT itself holds the data. This is not including the data at the end of a cluster, or putting it in empty clusters.
If you want to encode a 0, put the first block at an even numbered sector. If you want to encode a 1, put it at an odd numbered sector. There are other ways to do it, but that's just one example.
There is no data on the drive itself to analyze, it's all in the fragmentation of the FAT.
Comment removed based on user account deletion
It's easier to put your sensitive data on a micro SD card, and hide that somewhere.
For example, place the hard drive in the shell of a real but non functional printer. If it doesn't need to be connected, alternately hollow out a book and hide it in there, etc.
Steganographically encode info in trolls!
Did you exactly document the shades of red in Goatse? How do you know those aren't orange-shifted to encode data?
Talk about in plain sight! Yikes!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Security through obscurity never works, nor should it be tried.
Just worth pointing out that this will be blindingly obvious to anybody that wants to look for hidden data. Plus most operating systems screw around with this all the time... won't work.. stupid idea... go back to truecrypt
"His bowtie is really a camera..."
Table-ized A.I.
They reorder full blocks to encode data in the orderings within the list of blocks for a given file. That's why they "do not require storage of any additional information on the filesystem" and why "a capacity of up to 24 bits/cluster can be achieved on a half-empty disk".
If they wrote to additional blocks they (1) would be adding additional data to the filesystem, (2) would have no limit to the data that could be hidden and (3) would lose it as soon as one started writing additional information to the disk and used the empty blocks.
See instead the abstract from Science Direct:
http://www.sciencedirect.com/science?_ob=ArticleURL&_udi=B6V8G-51BBKRS-1&_user=10&_coverDate=01%2F31%2F2011&_rdoc=1&_fmt=high&_orig=gateway&_origin=gateway&_sort=d&_docanchor=&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=ee913861b3d05b46b905bd4d52ca9380&searchtype=a
davecb@spamcop.net
Or, place it inside a fully functional printer, directly wired to the USB line, hiding in the back of an unused paper tray slot of a multi-slot computer... then, with the printer connected, the Hard Drive can also be connected (or easily disconnected). Add a switch internally if you're paranoid, or set the power such that turning off the printer turns on the hard drive and vice versa.
Before commenting on the Bible, please read it first
I am fine. Fuck the Zionist Occupied Government. Google is their puppet. Founded by Jews and Controlled by Jews.
Twitter: @dainsanefh
This is basically security through obfuscation and we all know how well that works in the long run.
If you're going to assume that they won't do a thorough physical search, you might as well just put a second hard drive in the computer but disconnect the data cable. Any search too cursory to find it in a hollow book won't find it in the spare internal drive bay either.
This approach fails badly, though: if they do any kind of serious physical search, the gig is up.
Cut that out, or I will ship you to Norilsk in a box.
I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.
If you have an old style rear projection TV you can easily fit an entire PC inside it, and transmit data via the coax cable.
At last a use for the cloud: register under a fake account name, say, that of your local prosecutor, and store your naughty files encrypted on there.
[Note: by "naughty" I don't mean sexual necessarily, I mean anything the powerful don't want you to have]
I think we can rely on the police to be lazy in general, and likely the search warrant would be for computer equipment. If you keep your naughty data in a spare small PC in a dusty box in the attic which you access wirelessly, and don't give them any special reason to think you have one up there, they could easily miss it.
If they seized your computer and did forensics on it, they would see you accessing some wifi box "dirtydatamachine". They walk up to your premise with a wifi scanner, and wonder why there there is an AP without and SSID being broadcast, that happens to respond with "dirtydatamachine".
The only thing that will really work with this is to encrypt the drive with truecrypt and only give up the decoy password, at which point there is no reason to bother with the WiFi box.
a cluster is chained with a consecutive cluster if the bit encountered in the message is similar to the previous bit and a cluster is chained with a non-consecutive cluster if the message bit is different from the previous message bit.
Then, even if the data is encrypted with an unknown key, we can expect almost exactly half the clusters to be chained to consecutive ones, and they are distributed a random fashion. By counting the length of consecutive cluster blocks, we should see that 1/2 of them have 1 cluster, 1/4 have 2 clusters, 1/8 have 3 clusters and so on, and they are evenly distributed along the drive.
It's very unlikely that such a distribution would appear spontaneously on a disk by just using it normally, so someone who knows that this scheme exists can check whether it is present on the disk, even if they're not able to decode the data.
(Disclaimer: I haven't read the actual paper, they may have addressed this. Or the claim in the article may be incorrect.)
A hollowed out battery casing in a common form-factor (think C, D, or 9V) containing an SD card or USB stick would even be easier. Besides, something like that can easily be put in with the batteries on a travel radio or battery operated toy and (if done correctly) all you're going to see on an X-ray is the same metal casing as on the other batteries. Not to mention that when considering the inconvenience and difficulty in carrying it out, it's unlikely customs or baggage checks is going to confiscate batteries out of everything that passes their way.
Why people go for a hard drive to hold such a small amount of encrypted data when easier methods are available appears a little silly.
It seems like a method that's probably more useful to log and hide data about the computer it's on with a low probability of detection. Like something for a hard to detect trojan or key-logger with low network usage that piggy-backs its activity with other more legit network activity. Whether or not it's applied that way is another question.
Bollocks indeed:
a) Even with small amounts of hidden data (20 MB in 160 GB was quoted), you will still end up with an _extremely_ fragmented file system:
Each hidden bit requires either a sequential or fragmented block placement, which means that 20 MB needs 160 Mbit or 160 million frag/nofrag chaining decisions.
This works out to one such block per kB of disk space, but since the FAT32 filesystem normally uses 4 KB (or larger) clusters, you would have to decrease the block size to either 1 KB or 512 bytes (the sector size, so the minimum possible).
Since the (presumably compressed and encrypted) data to be hidden will have 50% 0 and 1 bits, the allocation run lengths in the file system will average just two clusters, this would be extremely obvious on any low-level scan of the file system.
I.e. you could make this system work, but only in order to hide a few KB of data, not MB!
Terje
"almost all programming can be viewed as an exercise in caching"
For example, place the hard drive in the shell of a real but non functional printer. If it doesn't need to be connected, alternately hollow out a book and hide it in there, etc.
lol, spot on.
And when they x-ray your book and find a hard drive inside?
1. It would work through your regular AP (no mysterious unidentified APs)
2. By the time they've carted off your main computer and done forensics on it, you've had time to dispose of the machine containing your illicit data.
3. In the UK you can be locked up for failing to disclose your encryption keys when asked, I don't fancy trying to convince them I haven't got any hidden Truecrypt volumes. You could deny having them, but the question is: can they lock you up anyway if they think you have one? I don't think that question has been tested yet. So keeping your illicit data on a box they won't find in the first raid may be safer whether it is encrypted on the hidden box or not.