Researchers Propose New Steganography System for Hiding Data

A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight.

A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight.

Developed by a group of academic researchers in the U.S. and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way that file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive.

The method is the work of Hassan Khan, Mobin Javed, Syed Ali Khayam and Fauzan Mirza of the University of Southern California and the National University of Science and Technology in Pakistan.

The authors estimate that it would be feasible to hide about 20 MB of data on a typical 160 GB HDD.

“In this paper, we present a new, plausible deniability approach to
store sensitive information on a cluster-based filesystem. Under the
proposed approach, a covert channel is used to encode the sensitive
information by modifying the fragmentation patterns in the cluster
distribution of an existing file. As opposed to existing schemes, the
proposed covert channel does not require storage of any
additional information on the filesystem. Moreover, the channel provides
two-fold plausible deniability so that an investigator without the key
cannot prove the presence of hidden information,” the authors wrote in their paper, “Designing a Cluster-Based Covert Channel to Evade Disk Investigation and Forensics.”

Right now, most users who are interested in keeping some amount of data on their computers secret turn to encryption software. Modern cryptosystems are very effective at preventing adversaries from reading the encrypted data, but they’re not so good at hiding the presence of that data. Forensic techniques can easily identify encrypted files and attackers can then use other means to perhaps force a user into divulging the secret key to decrypt them.

The method that Khan and his colleagues developed avoids this problem by hiding small pieces of a sensitive file various random places on a hard drive. The authors’ system has the added advantage of allowing a user to truthfully deny that there is any hidden data on the system, as the sensitive files are not actually hidden but rather dispersed in pieces. In the paper, the researchers use their approach to embed a file on a FAT32 file system commonly used on Windows PCs.

“In order to hide a binary message, a cluster is chained with a
consecutive cluster if the bit encountered in the message is similar to
the previous bit and a cluster is chained with a non-consecutive cluster
if the message bit is different from the previous message bit. The
implementation of proposed covert channel requires modification of the
starting cluster of a file in the directory entry table and modification
of the FAT structure. If the simple FAT structure’s chaining is
maintained, the filesystem remains in a consistent state,” they say in the paper.

The authors acknowledge that their approach may cause a small performance degradation on a system, but not enough to be an issue. In their paper, Khan and his co-authors lay out several different approaches to implementing their method, some of which require that the sender and the recipient know some shared secret.

Suggested articles


  • SW on

    Surely some kind of software that makes this data hiding possible needs to be installed on the system, and its presence (as opposed to the payload data) is difficult to deny? -- Stephan

  • Anonymous on

    The authors point out defragmenting the drive destroys the hidden data.  Persistence on Windows 7 would be a problem.

  • Anonymous on

    Protections by fragmentation? That seems interesting... 

  • Anonymous on

    Whats New about this?

  • Anonymous on

    So the next logical step would be to use a "Defrag Logic Bomb," right? This could be fun...

  • FatPhil on

    What's new about this is that it's dumber than anything that's been proposed before. Screw defragmenting as a threat to the data - just moving a file or copying it is enough to damage it. And unusually fragmented files are a clear indicator that this scheme may be in use. Proper steganography does not advertise its presence so loudly.
  • Anonymous on

    Very effective for couriers carrying media that is not intended for them to use, but for them to deliver.
  • Concerned on

    This is ridiculous.  A perfect example of why the peer review system is broken.  This doesn't belong in a scientific journal.  This doesn't belong anywhere.

  • Tony Anonymous on

    Basically what it all means that defragmenting your hard drive is an instant admission of guilt of hiding secret data. Doh!

  • Anonymous on

    Great work

  • Anonymous on

    This is great piece of work.

  • Anonymous on

    Would you do business, especially security business, with Pakistan right now?


  • Anonymous on

    Camoflage is a neat little program that comouflages your data as another file for instance you could hide a mp3 within a picture but yet the picture would still look and function like the picture but it would contain an encrypted mp3 with your own secret password. This to me seems like a good approach.

    There is another program called Truecrypt which can encrypt entire hard drives or use unpartioned hard drive space as an encrypted volume. AKA hidden volume.

    So far these are the two most beautiful ways I a found as a way of protecting your private data weather it would be a list of your passwords in a txt document or your top secret invention to provide the world with free electricity.

    You could easily add two more layers of encryption to this by encrypting the file with Axcrypt then putting it in a password protected RAR or Zip archive then you could obfuscate the name of the file say if the name of your file is mypasswords.txt you could rename it to mygosh.mp3 to add even yet more layers of security.

    These additions would make life a grand headache for any cryptogenius to figure out just what the data is you are trying to protect.

    It does however come with one downfall the more layers you have to go through the more of a pain in the rear it will be for you to access this data...

    However there is hope if someone were to make a software to access the data via a flash drive that used passwords stored in a list for each layer of encryption and a name of the file based on some hash or computation of a password as well. This method would be the way to go. We could even make the encryption type order user selectable and add every freeware encrytion program possible. And have a decrypt file that its saved as a result to the flash drive for the said file.

    There is so much that is possible that is not even attempted!

    This was an interesting attempt albiet not really the most useful attempt at really doing this I knew a group of file sharing people at one time who have this private network which could build a file from blocks of data it could download that block of data from any file for instance a linux iso could contain blocks of data that could potentially build any file and also a copy of the king james bible could contain blocks of data that are in the linux iso ....

    Think of the possibilites with beyond a reasonable doubt with a program like this one ...

    Really you could just have a humgous pile of blocks of data and you could retrieve the file from this humongus pile of just random data if you possesed the key to pull this data from the pile it would be like creating something from nothing with storage prices as low as they are I see potential for such a thing.

    Imagine if some guy was just selling a hard drive just full of data blocks and from it you could retrieve nearly any file one could imagine with the proper keys I could see this as a big grey market from which people could profit big from if they got too heavy on lawsuits the guy selling the hard drive would just be selling a harddrive full of copywrighted blocks of data and from that data users could purchase keys which would retireve anything they need.


  • Chuck on

    This would be a great idea if you were using Windows Me ... everyone would be laughing so hard they wouldn't think you were capable of hiding data in plain sight.  Me ... I think I'll stick with TrueCrypt. 

    Maybe a degree in Inflight Missile Repair is more in line with their thought processes?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.