Researchers released a paper detailing how to hide data from prying legal eyes by exploiting disk fragmentation on a clustered file system, thereby hiding it in plain sight.
The researchers at the University of Southern California at Los Angeles and the National University of Science and Technology (NUST) in Islamabad, Pakistan, stated that encryption is ineffective in a forensic investigation.
That is “mainly because the presence of encrypted data on a disk can be easily detected and disk owners can subsequently be forced (by law or other means) to release decryption keys,” the researchers wrote in a summary of their paper.
The paper, “Designing a cluster-based covert channel to evade disk investigation and forensics,” details how information can be hidden in the arrangement of the clusters of a file, which causes deliberate fragmentation, “a phenomenon that is not unusual to find on heavily-used file systems.”
In order to evade forensic investigation, the researchers propose storing sensitive information on a covert channel as 24-bit fragments on half-empty drives on a clustered file system, allowing plausible deniability of the existence of the data by a user.
The data-hiding algorithm is created using FAT32-formatted disk drives and exploiting the way operating systems group consecutive sectors on a disk. Those sectors create the clusters that store the content.
“This approach works well until there are no consecutive unallocated clusters available. In that case, the contents of the file are scattered or fragmented across the file system,” the research paper states.
The researchers also presented statistics about the incidence of file fragmentation on actual file systems from 52 disk drives belonging to a diverse set of users. Based on the statistics, they presented guidelines for selecting good cover files.
“Finally, we show that even if an investigator gets suspicious, he/she will incur an unreasonably high O(m2) complexity to reveal an m bit hidden message,” they wrote.
[Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at @lucasmearian
or subscribe to Lucas’s RSS feed. His e-mail address is firstname.lastname@example.org.]