Targeted hard drive fragmentation as a covert data channel
A team of researchers has presented a steganographic technique which can be used to conceal data on a hard drive. The technique is essentially based on targeted fragmentation of clusters when saving a file in the FAT file system. When decoded, the distance between clusters reveals the binary sequence of the hidden data. Two (numerically) sequential clusters, for example, mean that the following bit is equal to the previous one.
If the distance to the next cluster is greater, this means that the next bit is not equal to the previous bit. In this way, a series of clusters making up a saved file yields a defined bit stream. A reader who knows the state of the starting bit can recover the correct bit stream.
Writing the bit stream is performed in the same way as reading it. According to the research team from the University of Southern California and the National University of Science and Technology in Islamabad, Pakistan, at a cluster size of 2 KB, up to 20 MB can be hidden on a 160 GB drive. Standard files (cover files) are used to conceal the data, although the file names can contain data required to extract the information. The researchers developed a piece of software, which they intend to open source.
Because the drive does not contain any obviously encrypted data, users can plausibly deny that the drive contains hidden data. The authors note, however, that the technique has a couple of disadvantages. Foremost among these is that defragmenting the drive destroys the hidden data. Additionally, writing a cover file to a previously little-used drive may reveal patterns which can lead to the conclusion that a covert channel is being used.
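The decoding rule and the detection weakness described above can be made concrete for forensic triage. The following Python sketch is an added example, not the researchers' software: it decodes a file's cluster chain with the stated rule and flags files whose chains are unusually fragmented. The function names, the sample chains, the threshold values, and the choices to treat any step other than +1 as a gap and to leave the starting bit out of the output are all assumptions.

```python
"""Added example: decode and screen FAT cluster chains for gap-based encoding."""

def transitions(chain):
    """Return one boolean per step in the chain: True if the step is a gap."""
    # Assumption: any step other than "next cluster = current + 1" is a gap.
    return [nxt != cur + 1 for cur, nxt in zip(chain, chain[1:])]

def decode_bits(chain, start_bit):
    """Contiguous step: bit equals the previous one. Gap: bit is inverted."""
    if start_bit not in (0, 1):
        raise ValueError("start_bit must be 0 or 1")
    bits, current = [], start_bit
    for is_gap in transitions(chain):
        if is_gap:
            current ^= 1
        bits.append(current)  # assumption: the known start bit is not emitted
    return bits

def gap_ratio(chain):
    """Fraction of steps in the chain that are non-contiguous."""
    steps = transitions(chain)
    return sum(steps) / len(steps) if steps else 0.0

def screen(files, threshold=0.25, min_steps=16):
    """Flag files whose chains are heavily fragmented.

    On a little-used volume the allocator normally hands out contiguous
    clusters, so a high gap ratio stands out. Threshold and minimum chain
    length are assumed values to tune per volume, not figures from the paper.
    """
    flagged = []
    for name, chain in files.items():
        if len(chain) - 1 >= min_steps and gap_ratio(chain) >= threshold:
            flagged.append((name, round(gap_ratio(chain), 2)))
    return sorted(flagged, key=lambda item: -item[1])

# Constructed sample chains (cluster numbers as read from the FAT).
SAMPLE = {
    "report.doc": list(range(100, 120)),  # fully contiguous
    "holiday.jpg": [200, 201, 205, 206, 207, 211, 214, 215, 219,
                    220, 224, 227, 228, 229, 233, 236, 237, 241],
}

if __name__ == "__main__":
    for name, ratio in screen(SAMPLE):
        print(f"{name}: gap ratio {ratio}, bits {decode_bits(SAMPLE[name], 0)}")
```

A high gap ratio only marks a file for closer inspection; on a heavily used volume ordinary fragmentation produces the same signal.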