Researchers use disk frag to hide data

Data is hidden in plain site as fragmented pieces

Researchers released a paper detailing how to hide data from prying legal eyes by exploiting disk fragmentation on a clustered file system, thereby hiding it in plain site.

The researchers at the University of Southern California at Los Angeles and the National University of Science and Technology (NUST) in Islamabad, Pakistan, stated that encryption is ineffective in a forensic investigation.

That is "mainly because the presence of encrypted data on a disk can be easily detected and disk owners can subsequently be forced (by law or other means) to release decryption keys," the researchers wrote in a summary of their paper.

The paper, "Designing a cluster-based covert channel to evade disk investigation and forensics," details how information can be hidden in the arrangement of the clusters of a file, which causes deliberate fragmentation, "a phenomenon that is not unusual to find on heavily-used file systems."

In order to evade forensic investigation, the researchers propose storing sensitive information on a covert channel as 24-bit fragments on half-empty drives on a clustered file system, allowing plausible deniability of the existence of the data by a user.

The data-hiding algorithm is created using FAT32-formatted disk drives and exploiting the way operating systems group consecutive sectors on a disk. Those sectors create the clusters that store the content.

"This approach works well until there are no consecutive unallocated clusters available. In that case, the contents of the file are scattered or fragmented across the file system," the research paper states.

The researchers also presented statistics about the incidence of file fragmentation on actual file systems from 52 disk drives belonging to a diverse set of users. Based on the statistics, they presented guidelines for selecting good cover files.

"Finally, we show that even if an investigator gets suspicious, he/she will incur an unreasonably high O(m2) complexity to reveal an m bit hidden message," they wrote.

Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian or subscribe to Lucas's RSS feed. His e-mail address is lmearian@computerworld.com.

Read more about storage in Computerworld's Storage Topic Center.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags e-commercedata securitysecuritystorageUniversity of Southern Californiadata protectioninternete-businessStorage Managementstorage software

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucas Mearian

Computerworld (US)

Most Popular Reviews

Follow Us

Best Deals on GoodGearGuide

Shopping.com

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Latest Jobs

Shopping.com

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?