Embedding spy secrets in the hard drive fragments

Apr 26, 2011 by Katie Gatto weblog

(PhysOrg.com) -- A new way to hide your secrets has been created, which is good news for both the spies and the generally duplicitous regular people of the world. This new system, instead of relying on traditional methods of hiding data such as encryption to scramble the text, hides information in an entirely different way. The newest thing in covert operations is to manipulate the location of data fragments. Essentially, the data is still being scrambled, but in an entirely different way.

The system uses a 160-gigabyte portable hard drive to hide a 20-megabyte message. The system then scrambles the data in order to hide the text and create a message that is very hard to find, unless you happen to know how to find it, that is. This method is, in some ways, preferable to the idea of encryption. It is not that encryption is, or is not, inherently less secure; it is just that an encrypted file kind of gives itself away. It makes it obvious that someone is trying to hide what is in the files. This system does not have any kind of a dead giveaway.

That is where the fine art of steganography, or hiding information in plain sight, comes into play. A more traditional version of steganography involves adding extra data to the pixels of an image that, when properly decoded, will reveal a message, but like all information smuggling techniques, once it is discovered it cannot be used anymore. This new system may last a bit longer because it depends not on adding new data to a file, but on whether or not the pieces of the file are arranged sequentially. The end result looks like common usage over time, with the adding and deleting of files.

The researchers, who hailed from the University of Southern California in Los Angeles and the National University of Science and Technology in Islamabad, Pakistan, have published a paper on this new data embedding method in the Computers & Security journal.


More information: Designing a cluster-based covert channel to evade disk investigation and forensics, Computers & Security, Volume 30, Issue 1, January 2011, Pages 35-49, doi:10.1016/j.cose.2010.10.005

Abstract
Data confidentiality on a computer can be achieved using encryption. However, encryption is ineffective under a forensic investigation mainly because the presence of encrypted data on a disk can be easily detected and disk owners can subsequently be forced (by law or other means) to release decryption keys. To evade forensic investigation, intelligent information hiding techniques that support plausible deniability have been proposed as an alternative to encryption; plausible deniability allows an evader to hide data in a manner such that he/she can deny the very existence of the data. In this paper, we present a new, plausible deniability approach to store sensitive information on a cluster-based filesystem. Under the proposed approach, a covert channel is used to encode the sensitive information by modifying the fragmentation patterns in the cluster distribution of an existing file. As opposed to existing schemes, the proposed covert channel does not require storage of any additional information on the filesystem. Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information. We derive the theoretical capacity of the covert channel and show that a capacity of up to 24 bits/cluster can be achieved on a half-empty disk. The proposed data hiding and recovery algorithms are implemented on FAT32 based disk drives and we show that the disk (read/write) access time of the algorithms is quite low as compared to the contemporary approaches. We also present statistics about the incidence of file fragmentation on actual file systems from 52 disk drives belonging to a diverse set of users. Based on these statistics, we present guidelines for selecting good cover files. Finally, we show that even if an investigator gets suspicious, he/she will incur an unreasonably high O(m²) complexity to reveal an m bit hidden message.

via Newscientist and Register


User comments: 24

Nik_2213
1 / 5 (1) Apr 26, 2011
Then your tool-box suite 'optimises' your drive in the back-ground and scrambles everything ??
J-n
not rated yet Apr 26, 2011
Now this is interesting. Steganography has always been interesting to me, but this, hiding data in the empty spaces, so it looks like data that has yet to be deleted, and fragmenting it so it is not contiguous, and then encrypting it (not necessarily in that order) seems like a VERY slick way of hiding very sensitive data, as the time involved to find out IF you've hidden something, let alone reconstructing it and unencrypting it, will take significant time.
CSharpner
not rated yet Apr 26, 2011
Then your tool-box suite 'optimises' your drive in the back-ground and scrambles everything ??

EXACTLY!

And would it be too much to ask for the physorg staff to proof read these articles? Some of the "sentences" make no sense due to missed words and sloppiness. Maybe this is their own form of steganography?
stealthc
5 / 5 (1) Apr 26, 2011
why not combine this system with current encryption techniques? Doubly secure. Why not apply the concept to p2p --> impossible to break if done right; and quite easily delivered.
CSharpner
5 / 5 (1) Apr 27, 2011
why not combine this system with current encryption techniques? Doubly secure. Why not apply the concept to p2p --> impossible to break if done right; and quite easily delivered.

Nothing's impossible to break. It can become more and more difficult, but never impossible.

There are all sorts of ways to hide data in plain sight. This article just mentions one of an almost infinite number of ways. I've always imagined innocent looking posts to newsgroups (or forums like here). Taken individually, they look like normal posts, but if you know which posts to look at, you can get metrics of them and form the hidden data (length, use of certain words, order of words, word count, paragraph count, etc...). A poetry newsgroup would work great because people wouldn't question odd word usage and phrases. Incorporate your P2P idea too for more scattering. I've actually seen some odd looking ng posts years ago that many people assumed were some form of this. Lots of fun can be had with this.
CSharpner
not rated yet Apr 27, 2011
You could also include public sites that don't keep data for too long to make your steganographed data irretrievable after a certain amount of time -- when the first volatile post that's part of the group of posts that make up your data rolls off one of the public sites.
deepsand
4.4 / 5 (7) Apr 27, 2011
For those who did not read the cited paper, NO MESSAGE DATA IS STORED. The title of this article is misleading.

The hidden message is encoded in the CLUSTER NUMBER. In the simplest form, the parity of the cluster number denotes the parity of the message bit.

For example, if the message consisted, at the BIT level, of the string "10011010," then the carrier file would be deliberately fragmented so that its 1st, 4th, 5th & 7th clusters were ODD numbered ones, with the 2nd, 3rd, 6th & 8th clusters being EVEN numbered.

(cont. below)
deepsand
4.4 / 5 (7) Apr 27, 2011
As for the clusters of the carrier file being relocated by defragmentation, there are defrag applications which provide for specifying files that are not to be moved. While one could, of course, use other available system methods for marking a file as unmovable, that would leave a telltale, in that such attributes are normally reserved for critical system files.

Of course, the application that writes and reads the carrier files would need to not be permanently stored on the hard drive, so as to avoid its being discovered by an examiner.
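The parity scheme deepsand describes above, and the fragmentation-pattern encoding from the paper's abstract, as an added Python simulation. This is not the paper's implementation (which works on real FAT32 volumes) and not anything posted in this thread: the "disk" is a constructed list of free cluster numbers, and a carrier file is just an ordered chain of cluster numbers, the way a FAT chain would be. It goes beyond the parity case by encoding k bits per cluster from the cluster number modulo 2^k (k=1 is the parity scheme), and it also shows the two points raised in the comments: a defragmenter silently destroys the channel, and the carrier's fragment count is the metric an examiner would compare against the baseline fragmentation statistics the paper collected.

```python
# Constructed toy model of the cluster-number covert channel (not the paper's code).
# The hidden message never touches the carrier file's contents; it lives only in
# WHICH clusters the file's chain occupies.

def bits_from_bytes(data):
    """Most-significant-bit-first bit list of a byte string."""
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]

def bytes_from_bits(bits):
    """Inverse of bits_from_bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

def symbols_from_bits(bits, k):
    """Group bits into k-bit symbols, zero-padding the last one."""
    padded = bits + [0] * (-len(bits) % k)
    return [int("".join(map(str, padded[i:i + k])), 2)
            for i in range(0, len(padded), k)]

def bits_from_symbols(symbols, k):
    """Expand k-bit symbols back into a bit list."""
    return [(s >> i) & 1 for s in symbols for i in range(k - 1, -1, -1)]

def embed(free_clusters, bits, k=1):
    """Allocate one cluster per k-bit symbol so that cluster % 2**k == symbol.
    k=1 is the parity scheme (odd cluster = 1 bit, even cluster = 0 bit).
    Returns the carrier's cluster chain and the clusters still free."""
    remaining = sorted(free_clusters)
    chain = []
    for sym in symbols_from_bits(bits, k):
        for i, c in enumerate(remaining):
            if c % (1 << k) == sym:
                chain.append(remaining.pop(i))
                break
        else:
            raise ValueError(f"no free cluster with residue {sym} mod {1 << k}")
    return chain, remaining

def extract(chain, k=1):
    """Recover the bit list from the residues of the chain's cluster numbers."""
    return bits_from_symbols([c % (1 << k) for c in chain], k)

def fragment_count(chain):
    """Number of runs of consecutive cluster numbers: the statistic an
    examiner compares against how fragmented ordinary files are."""
    return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1) if chain else 0

def defragment(chain, free_clusters):
    """Move the file into the lowest contiguous free run, as a defragmenter
    would; the carrier's own clusters count as free during the move."""
    pool = sorted(set(free_clusters) | set(chain))
    n = len(chain)
    for i in range(len(pool) - n + 1):
        if pool[i + n - 1] == pool[i] + n - 1:
            return pool[i:i + n]
    raise ValueError("no contiguous run large enough")

if __name__ == "__main__":
    disk = list(range(2, 66))            # constructed: 64 free clusters, FAT numbering starts at 2
    chain, free = embed(disk, bits_from_bytes(b"Hi"))
    print("chain:", chain, "fragments:", fragment_count(chain))
    print("decoded:", bytes_from_bits(extract(chain)))
    moved = defragment(chain, free)
    print("after defrag:", bytes_from_bits(extract(moved)))  # no longer "Hi"
```

Note the cost of the channel from the defender's side: at k=1 the carrier needs one cluster per message bit, and a file whose fragment count is close to its cluster count on an otherwise lightly used volume is exactly what the paper's per-drive fragmentation statistics are meant to make look ordinary. Any tool that rewrites the chain (defragmentation, a copy to another volume, a backup and restore) keeps the file intact and erases the message.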
6_6
1 / 5 (4) Apr 29, 2011
impractical. there are simpler ways that exist already and do as good a job.
deepsand
4.3 / 5 (6) Apr 29, 2011
impractical. there are simpler ways that exist already and do as good a job.

The degree to which this particular method is practical depends primarily on two factors:
The volatility of the data to be hidden; and,
The level of importance of maintaining plausible deniability.

It is the latter that is not afforded by encryption.

Skeptic_Heretic
1 / 5 (1) Apr 29, 2011
This is an old trick employed by a multitude of independent parties.
deepsand
4.3 / 5 (6) Apr 29, 2011
This is an old trick employed by a multitude of independent parties.

While stenography is of course quite old, what previous method(s) employed deliberate fragmentation that gives the appearance of owing to normal usage?
Skeptic_Heretic
3.7 / 5 (3) Apr 29, 2011
This is an old trick employed by a multitude of independent parties.

While stenography is of course quite old, what previous method(s) employed deliberate fragmentation that gives the appearance of owing to normal usage?
Multitiered master splitting at the block level for one. I remember being asked if I could read out the RAM in someone's laserjet 4 to see if they hid components of files that were presumably part of industrial espionage. I could, and did.

Random fragmentation has been a commonly used file mask method for a long long time. It was the easiest and cheapest way a cracker could obfuscate data and transport it into or out of a building without the giant red flag of encryption.
deepsand
4.3 / 5 (6) Apr 29, 2011
But, the subject here is not one of fragmenting the data to be hidden - in fact, the secret data itself is explicitly absent - but of fragmenting a carrier file.
Skeptic_Heretic
3 / 5 (2) Apr 29, 2011
But, the subject here is not one of fragmenting the data to be hidden - in fact, the secret data itself is explicitly absent - but of fragmenting a carrier file.

No that's not accurate. This is akin to taking a file and subdividing it then scattering it to random places on a sector set based on a privately known key set. It is not new or interesting.
deepsand
4.3 / 5 (6) Apr 29, 2011
But, the subject here is not one of fragmenting the data to be hidden - in fact, the secret data itself is explicitly absent - but of fragmenting a carrier file.

No that's not accurate. This is akin to taking a file and subdividing it then scattering it to random places on a sector set based on a privately known key set. It is not new or interesting.

Please read the cited article at http://dx.doi.org...0.10.005 .

The secret data is encoded in the CLUSTER NUMBERS, not within the actual data.
Skeptic_Heretic
1 / 5 (1) Apr 30, 2011
The secret data is encoded in the CLUSTER NUMBERS, not within the actual data.
All data includes cluster number and sector count, that is the address of the data.
deepsand
4.3 / 5 (6) Apr 30, 2011
The fact remains that the secret data are only implicitly present, in the form of meta data.

This is quite different from the earlier methods cited by you.
Skeptic_Heretic
1 / 5 (1) May 01, 2011
The fact remains that the secret data are only implicitly present, in the form of meta data.

This is quite different from the earlier methods cited by you.

No that data is present, the metadata is used to decode it.

This is akin to deduplication. The original data is reduced by consistency, then metadata or pointers are used to store and recall whole data. It's not that novel a method.
deepsand
4.3 / 5 (6) May 01, 2011
The fact remains that using the cluster number of a carrier file on a hard drive as meta data that describes data that is physically absent is a form of stenography not previously employed.
CSharpner
3 / 5 (2) May 01, 2011
There are an infinite number of ways to do this and anyone on the planet could come up with a unique place to do it (sector numbers, file sizes, file order, news group posts, poetry, etc...). None of them are worth publishing an article about. They're all employing the same concept; "stenography".
deepsand
4.3 / 5 (6) May 01, 2011
There are an infinite number of ways to do this and anyone on the planet could come up with a unique place to do it (sector numbers, file sizes, file order, news group posts, poetry, etc...). None of them are worth publishing an article about. They're all employing the same concept; "stenography".

One could say the same re. virtually anything.

Then we'd either all be constantly reinventing the same things, or inventing nothing at all.
frajo
5 / 5 (1) May 02, 2011
There are an infinite number of ways to do this and anyone on the planet could come up with a unique place to do it (sector numbers, file sizes, file order, news group posts, poetry, etc...). None of them are worth publishing an article about. They're all employing the same concept
It's always for money's sake that people are trying to put variation == invention. I couldn't care less who used the method of concealed writing first time. Probably some clever merchant 4500 years ago, trying to cheat his king.

Btw: It's the art of steganography (steganos = sealed, concealed). Stenography is shorthand.
S_Bilderback
not rated yet May 02, 2011
Quantum computing encryption cannot be broken - 25 years away.