Posted by: Ken Harthun
Data Hiding, Encryption, Forensics, Steganography
Imagine a way to intentionally fragment files on a hard disk so that it appears to be just a normal disk that has had files written, deleted and rewritten, i.e., nothing to indicate any encryption has taken place. No red flags raised; nothing to indicate there is anything on the disk to hide, yet the data is effectively hidden.
It’s steganography applied to hard drives and the inventors, Hassan Khan at the University of Southern California in Los Angeles and colleagues at the National University of Science and Technology in Islamabad, Pakistan, claim that it hides data so well as to be “unreasonably complex” to detect. They have already managed to encode a 20-megabyte message on a 160-gigabyte portable hard drive.
The technique relies on the way hard drives store file data in numerous small chunks, called clusters. The drive controller stores these clusters all over the disk, wherever there is free space, and keeps track of the positions of the clusters using a special database on the disk.
The software that Khan and his colleagues have developed overrides the disk controller chip and positions the clusters according to a code. On the other end, the person needs to know the code in order to read the data. The researchers intend to make their software open source.
But what if a forensic investigator gets hold of a disk that has hidden data on it?
“An investigator can’t tell the cluster fragmentation pattern is intentional; it looks like what you’d get after addition and deletion of files over time,” says Khan.
Tests show that the technique works fine as long as none of the files on the hard disk are modified before the disk is passed on to the recipient. SANS NewsBites editor John Pescatore is skeptical.
“Every one of these schemes always has a ‘code’ involved, and tends to smell very much like encryption – just done in a non-standard way. There are a lot of examples of home-grown approaches being about as secure as papier-mâché,” Pescatore said.
Doesn’t seem to me like the researchers are at the level of “home-grown,” but judge for yourself. You can read the entire research paper at Computers and Security, DOI: 10.1016/j.cose.2010.10.005.
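To make the mechanism concrete, here is an added toy model; it is not code from the paper or from the researchers' software. It simulates a FAT-style cluster chain whose order, not its contents, carries the hidden bits. The allocation rule (lowest free cluster for a 0 bit, highest free cluster for a 1 bit), the one-byte length prefix and the sample cluster numbers are assumptions chosen for illustration. The `defragment` function models the caveat noted above: once the cover file is rewritten or laid out contiguously, the order is gone and the recovered message is empty.

```python
"""Toy model of cluster-order steganography (constructed illustration).

A file is stored in fixed-size clusters and the file system keeps the chain
of physical cluster numbers that make up the file. Here the hidden message
lives entirely in the ORDER in which the file's logical clusters are mapped
to physical clusters; the cluster contents are ordinary file data.

The encoding rule (take the lowest free cluster for a 0 bit, the highest for
a 1 bit) is an assumption for illustration, not the scheme from the paper.
"""
from typing import List


def bytes_to_bits(data: bytes) -> List[int]:
    """Big-endian bit expansion of a byte string."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: List[int]) -> bytes:
    """Inverse of bytes_to_bits; trailing bits that do not fill a byte are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


def encode_chain(free_clusters: List[int], n_clusters: int, bits: List[int]) -> List[int]:
    """Return the physical cluster chain for a cover file of n_clusters clusters.

    One bit is carried per cluster boundary, so the cover file needs at least
    len(bits) + 1 clusters. Which clusters are used is not secret, only the
    order in which they are chained.
    """
    if n_clusters < len(bits) + 1:
        raise ValueError("cover file too small for the message")
    if len(free_clusters) < n_clusters:
        raise ValueError("not enough free space")
    pool = sorted(free_clusters[:n_clusters])
    lo, hi = 0, len(pool) - 1
    chain: List[int] = []
    for bit in bits:
        if bit == 0:
            chain.append(pool[lo])
            lo += 1
        else:
            chain.append(pool[hi])
            hi -= 1
    # Clusters left over once the message is exhausted are laid out sequentially.
    chain.extend(pool[lo:hi + 1])
    return chain


def decode_chain(chain: List[int]) -> List[int]:
    """Recover the bit sequence from a cluster chain.

    Each cluster must be either the lowest or the highest of the clusters not
    yet visited; anything else means the chain was not produced by the encoder
    (or has been rewritten since).
    """
    bits: List[int] = []
    for i in range(len(chain) - 1):
        rest = chain[i:]
        if chain[i] == min(rest):
            bits.append(0)
        elif chain[i] == max(rest):
            bits.append(1)
        else:
            raise ValueError(f"cluster chain is not a valid carrier at index {i}")
    return bits


def hide_message(free_clusters: List[int], n_clusters: int, message: bytes) -> List[int]:
    """Prefix the message with its one-byte length and encode it in the chain."""
    if len(message) > 255:
        raise ValueError("message too long for the one-byte length prefix")
    payload = bytes([len(message)]) + message
    return encode_chain(free_clusters, n_clusters, bytes_to_bits(payload))


def recover_message(chain: List[int]) -> bytes:
    """Read the length prefix, then that many bytes of message."""
    bits = decode_chain(chain)
    length = bits_to_bytes(bits[:8])[0]
    return bits_to_bytes(bits[8:8 + 8 * length])


def defragment(chain: List[int]) -> List[int]:
    """Model a defragmenter (or any rewrite) laying the file out contiguously."""
    return sorted(chain)


if __name__ == "__main__":
    # Constructed sample: 200 free clusters, an 80-cluster cover file.
    free = list(range(1000, 1200))
    chain = hide_message(free, 80, b"hi there")
    print("chain head:", chain[:12])
    print("recovered :", recover_message(chain))
    print("after defrag:", recover_message(defragment(chain)))
```

The decoder needs nothing but the chain itself, which mirrors the post's point that the carrier is just a fragmented file; the `ValueError` path is the only place a mismatch shows up, and only to someone who already knows the rule.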