Academic researchers have devised a new method to hide data files on hard drives from a third party "in plain sight."
A new application can hide sensitive data on a hard drive
without encrypting it or leaving any obvious signs that the data is present,
according to the academic researchers who developed it. This kind of
technique would allow organizations to safely conceal private information from
The new software uses "steganography," or the process of
hiding data in plain sight, according to researchers from the University of
Southern California and the National University of Science and Technology in
Pakistan. The technique exploits the way the operating system normally splits
up file data in numerous small chunks, called clusters, and writes them
wherever there is free space on the hard drive.
Hassan Khan, Mobin Javed, Syed Ali Khayam and Fauzan Mirza
collaborated on the paper "Designing a Cluster-Based Covert Channel to Evade
Disk Investigation and Forensics." Khan and his colleagues claim the process
hides data so effectively that it would be "unreasonably complex" for a third
party to detect it.
The method employs a "covert channel" to encode sensitive
information. Instead of the operating system writing small pieces of the file in
random areas on the hard drive, the software chooses the positions according to
a secret code. The person who wants to access the file just needs to know the
key to figure out where the fragments were written and reassemble the clusters
"We present a new, plausible deniability approach to store
sensitive information on a cluster-based filesystem," the researchers wrote in
The process doesn't leave behind any information about what
it did, so anyone looking at the hard disk drive cannot see the hidden
information or even be able to tell it exists, the researchers claimed. The hard
drive would look like any other moderately fragmented drive.
Currently, users interested in protecting data generally
wind up using encryption software. However, existing cryptographic methods
generally leave behind some indicators that the file has been encrypted.
Attackers know there is something hidden and can try to use other methods to
obtain the secret key to access the data.
Other existing methods involve adding pixels in digital
images or changing the transmission timing of network packets. These are all
well-known techniques and easily detected, the researchers said.
"An investigator without the key cannot prove the presence
of hidden information," the authors wrote.
The researchers tested the process on a FAT32 file system,
which is accessible by the Windows operating system, Mac OS X and all major
Linux distributions. The researchers envisioned using the software to write
data onto a portable USB drive. The program won't work to hide data on a
Windows 7 laptop, for example, because the operating system can't be installed
If the drive is defragmented, the "hidden" file will no
longer be accessible.
The covert channel approach may cause a small performance
degradation on the system, but the developers claimed it isn't enough to be an
issue. They estimated that it would be
feasible to hide about 20MB of data on a typical 160GB hard disk drive.
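
The toy model below is an added illustration, not the researchers' software and not taken from their paper. It shows how cluster placement alone can carry keyed data, and why defragmenting the drive erases it while the cover file's contents stay intact. The encoding (adjacent cluster = 0, one-cluster gap = 1, bits masked with an HMAC-SHA256 keystream), the function names and the sample key and payload are all assumptions made for the example.

```python
import hashlib
import hmac

FIRST_DATA_CLUSTER = 2  # FAT32 numbers data clusters from 2

def keystream_bits(key: bytes, n: int) -> list[int]:
    """n key-dependent bits from HMAC-SHA256 in counter mode."""
    bits, counter = [], 0
    while len(bits) < n:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        bits.extend((byte >> s) & 1 for byte in block for s in range(7, -1, -1))
        counter += 1
    return bits[:n]

def place_chain(key: bytes, payload: bytes) -> list[int]:
    """Cluster chain for a cover file: each keyed payload bit decides whether
    the next cluster is adjacent (0) or one cluster further on (1).
    Assumes the skipped clusters are free (toy model of an empty volume)."""
    data_bits = [(byte >> s) & 1 for byte in payload for s in range(7, -1, -1)]
    chain = [FIRST_DATA_CLUSTER]
    for bit, k in zip(data_bits, keystream_bits(key, len(data_bits))):
        chain.append(chain[-1] + 1 + (bit ^ k))
    return chain

def read_chain(key: bytes, chain: list[int]) -> bytes:
    """Decode the gaps between consecutive clusters back into bytes."""
    gaps = [min(b - a - 1, 1) for a, b in zip(chain, chain[1:])]
    bits = [g ^ k for g, k in zip(gaps, keystream_bits(key, len(gaps)))]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)

def fragment_count(chain: list[int]) -> int:
    """Number of contiguous runs, the figure a fragmentation report shows."""
    return 1 + sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)

def defragment(chain: list[int]) -> list[int]:
    """Same file, same content, clusters relocated into one contiguous run."""
    return list(range(chain[0], chain[0] + len(chain)))

# Constructed sample values, not taken from the paper.
KEY, PAYLOAD = b"constructed-demo-key", b"constructed demo"
chain = place_chain(KEY, PAYLOAD)
print(fragment_count(chain), read_chain(KEY, chain))
print(fragment_count(defragment(chain)), read_chain(KEY, defragment(chain)))
```

In this model each cover-file cluster carries one bit, and all an examiner sees is a fragment count that any well-used volume would also show.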