Researchers Devise Way to Hide Files on Hard Drives Without Encryption

Academic researchers have devised a new method to hide data files on hard drives from a third party "in plain sight."

A new application can hide sensitive data on a hard drive without encrypting it or leaving any obvious signs that the data is present, according to the academic researchers who developed it. This kind of a technique would allow organizations to safely conceal private information from unauthorized users.

The new software uses "steganography," or the process of hiding data in plain sight, according to researchers from the University of Southern California and the National University of Science and Technology in Pakistan. The technique exploits the way the operating system normally splits up file data in numerous small chunks, called clusters, and writes them wherever there is free space on the hard drive.

Hassan Khan, Mobin Javed, Syed Ali Khayam and Fauzan Mirza collaborated on the paper "Designing a Cluster-Based Covert Channel to Evade Disk Investigation and Forensics." Khan and his colleagues claim the process hides data so effectively that it would be "unreasonably complex" for a third-party to detect it.

The method employs a "covert channel" to encode sensitive information. Instead of the operating system writing small pieces of the file in random areas on the hard drive, the software chooses the positions according to a secret code. The person who wants to access the file just needs to know the key to figure out where the fragments were written and reassemble the clusters accordingly.

"We present a new, plausible deniability approach to store sensitive information on a cluster-based filesystem," the researchers wrote in the paper.

The process doesn't leave behind any information about what it did, so anyone looking at the hard disk drive cannot see the hidden information or even be able to tell it exists, the researchers claimed. The hard drive would look like any other moderately fragmented drive.

Currently, users interested in protecting data generally wind up using encryption software. However, existing cryptographic methods generally leave behind some indicators that that the file has been encrypted. Attackers know there is something hidden and can try to use other methods to obtain the secret key to access the data.

Other existing methods involve adding pixels in digital images or changing the transmission timing of network packets. These are all well-known techniques and easily detected, the researchers said.

"An investigator without the key cannot prove the presence of hidden information," the authors wrote.

The researchers tested the process on a FAT32 file system, which is accessible by the Windows operating system, Mac OS X and all major Linux distributions. The researchers envisioned using the software to write data onto a portable USB drive. The program won't work to hide data on a Windows 7 laptop, for example, because the operating system can't be installed on FAT32.

If the drive is defragmented, the "hidden" file will no longer be accessible.

The covert channel approach may cause a small performance degradation on the system, but the developers claimed it isn't enough to be an issue.  They estimated that it would be feasible to hide about 20MB of data on a typical 160GB hard disk drive.