A group of researchers has developed a new application that can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present. The new steganography system relies on the old principle of hiding valuables in plain sight.
Developed by a group of academic researchers in the U.S. and Pakistan, the system can be used to embed secret data in existing structures on a given HDD by taking advantage of the way that file systems are designed and implemented. The software does this by breaking a file to be hidden into a number of fragments and placing the individual pieces in clusters scattered around the hard drive.
The method is the work of Hassan Khan, Mobin Javed, Syed Ali Khayam and Fauzan Mirza of the University of Southern California and the National University of Science and Technology in Pakistan.
The authors estimate that it would be feasible to hide about 20 MB of data on a typical 160 GB HDD.
“In this paper, we present a new, plausible deniability approach to store sensitive information on a cluster-based filesystem. Under the proposed approach, a covert channel is used to encode the sensitive information by modifying the fragmentation patterns in the cluster distribution of an existing file. As opposed to existing schemes, the proposed covert channel does not require storage of any additional information on the filesystem. Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information,” the authors wrote in their paper, “Designing a Cluster-Based Covert Channel to Evade Disk Investigation and Forensics.”
Right now, most users who are interested in keeping some amount of data on their computers secret turn to encryption software. Modern cryptosystems are very effective at preventing adversaries from reading the encrypted data, but they’re not so good at hiding the presence of that data. Forensic techniques can easily identify encrypted files and attackers can then use other means to perhaps force a user into divulging the secret key to decrypt them.
The method that Khan and his colleagues developed avoids this problem by hiding small pieces of a sensitive file in various random places on a hard drive. The authors’ system has the added advantage of allowing a user to truthfully deny that there is any hidden data on the system, as the sensitive files are not actually hidden but rather dispersed in pieces. In the paper, the researchers use their approach to embed a file on a FAT32 file system commonly used on Windows PCs.
“In order to hide a binary message, a cluster is chained with a consecutive cluster if the bit encountered in the message is similar to the previous bit and a cluster is chained with a non-consecutive cluster if the message bit is different from the previous message bit. The implementation of proposed covert channel requires modification of the starting cluster of a file in the directory entry table and modification of the FAT structure. If the simple FAT structure’s chaining is maintained, the filesystem remains in a consistent state,” they say in the paper.
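For an examiner's view of the rule quoted above, the following added example (not code from the paper or its authors) walks a file's cluster chain in a FAT32 table and reads each link as consecutive or non-consecutive. The initial reference bit of 0, the function names and the 32-entry sample FAT are assumptions constructed for illustration; the keyed variants the paper describes are not modelled.

```python
import struct

EOC_MIN = 0x0FFFFFF8     # FAT32 end-of-chain markers are >= this value
ENTRY_MASK = 0x0FFFFFFF  # the top 4 bits of a FAT32 entry are reserved

def walk_chain(fat: bytes, start: int) -> list[int]:
    """Follow a FAT32 cluster chain from `start` to its end-of-chain marker."""
    chain, seen, cur = [], set(), start
    n_entries = len(fat) // 4
    while cur < EOC_MIN:
        # Clusters 0 and 1 are reserved; a repeat means the chain loops.
        if cur < 2 or cur >= n_entries or cur in seen:
            raise ValueError(f"corrupt or looping chain at cluster {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = struct.unpack_from("<I", fat, cur * 4)[0] & ENTRY_MASK
    return chain

def decode_links(chain: list[int], initial_bit: int = 0) -> list[int]:
    """Apply the quoted rule: a consecutive link repeats the previous bit,
    a non-consecutive link flips it. `initial_bit` is an assumption."""
    bits, prev = [], initial_bit
    for a, b in zip(chain, chain[1:]):
        prev = prev if b == a + 1 else prev ^ 1
        bits.append(prev)
    return bits

def fragment_count(chain: list[int]) -> int:
    """Number of contiguous runs in the chain (1 = unfragmented file)."""
    return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)

def build_sample_fat() -> bytes:
    """Constructed 32-entry FAT holding one file that starts at cluster 5."""
    entries = [0] * 32
    entries[0], entries[1] = 0x0FFFFFF8, 0x0FFFFFFF  # reserved entries
    links = {5: 6, 6: 20, 20: 21, 21: 9, 9: 30, 30: 31, 31: 0x0FFFFFFF}
    for cluster, nxt in links.items():
        entries[cluster] = nxt
    return struct.pack("<32I", *entries)

if __name__ == "__main__":
    chain = walk_chain(build_sample_fat(), 5)
    print("chain:    ", chain)
    print("link bits:", decode_links(chain))
    print("fragments:", fragment_count(chain))
```

Every fragmented file yields some bit string under this rule, so the output alone does not show that a message is present; the fragment count is the only structural trace the channel leaves in the FAT.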
The authors acknowledge that their approach may cause a small performance degradation on a system, but not enough to be an issue. In their paper, Khan and his co-authors lay out several different approaches to implementing their method, some of which require that the sender and the recipient know some shared secret.