Tag Archive for 'Hide Data'

Hide Data in Bad Blocks

This is part 3 in a series on how to hide your data.

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Introduction

When a sector on a disk gets damaged, it becomes unusable. Modern disks have spare sectors that are used to replace these bad sectors, so they’re handled and fixed automatically. If you’re young enough, you might never have witnessed these bad sectors, because modern hardware handles them transparently.

When the disk runs out of spare sectors, or never had any in the first place (like 3.5″ disks, or very old hard disks), the filesystem is the second line of defense. Inside the filesystem a list of known bad blocks—blocks on bad sectors—is stored. The filesystem takes care not to use these blocks and just skips them.

We can’t force the disk to remap certain blocks to spare sectors, but we can tell the filesystem which blocks have (supposedly) gone bad. If the blocks aren’t really damaged, any data we put there will never be touched, because the filesystem thinks it’s garbage anyway. That is exactly what we’re going to do.

Practical

To keep it simple and fast, we’ll hide a whole partition inside a burst of bad blocks. The partition we’ll create has to be small and reside somewhere in the middle of the disk. We can’t put the partition at the beginning or the end of the disk, because most likely the filesystem requires an intact header at the start and end of the partition.

Partition inside Bad Blocks

The partition has to be small enough to be able to fit inside the non-secret partition while not arousing suspicion. Some operating systems mark bad blocks as used blocks, which means if we put a 100MB partition inside bad blocks, the “parent” filesystem will always have at least 100MB in use. This could arouse suspicion when there aren’t any files on it.

I’ll be using my trusty 256MB Compactflash card for this, which is excellent for illustrative purposes.

Here’s what sfdisk has to say about it:

$ sudo sfdisk -l /dev/sde

Disk /dev/sde: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sde1          0       -       0          0    0  Empty
/dev/sde2          0       -       0          0    0  Empty
/dev/sde3          0       -       0          0    0  Empty
/dev/sde4          0       -       0          0    0  Empty

We can see the card is comprised of 1009 cylinders. I want to create a partition of about 20MB, which is about 82 cylinders on this disk (see the second line of sfdisk -l). Because we can’t create the partition at the start of the disk, let’s put it 214 cylinders in:

$ sudo sfdisk /dev/sde << EOF
214,82,6
EOF

Just like before, put FAT16 on it and transfer your secret data.

$ sudo mkfs.vfat -F16 /dev/sde1
mkfs.vfat 2.11 (12 Mar 2005)

If you want, you can copy the current partition table to the back of the disk for easy restoring, just like in the previous article.

Unmount it, and remove the partition:

$ sudo sfdisk /dev/sde << EOF
0,0,0
EOF

Now create the parent partition. This should at least encompass the whole secret partition. If you’ve copied the partition table to the back of the disk, make sure to leave at least the last cylinder free.

$ sudo sfdisk /dev/sde << EOF
,,6
EOF

Creating Bad Blocks

We need to calculate what blocks our secret partition resides on so we can mark them as bad. We know it starts at cylinder 214 and is 82 cylinders in size. Since on this disk, a cylinder is 258048 bytes big, the secret partition starts at byte 55222272. Divide this by the size of one block, which is 1024 bytes, and we get block 53928. Do the same for the size of the partition, and we find that 82 cylinders equal 20664 blocks. Now we know our partition starts at block 53928 and ends at block 74592. We’ll use a margin of 10 blocks on each side just in case our calculations aren’t precise.

Since we’re putting a FAT16 filesystem on it, we need to tell mkfs.vfat which blocks have supposedly gone bad. This is done using a bad blocks file, which is a text file with the address of each bad block on its own line. Let’s create our bad blocks file:

$ seq 53918 74602 > /tmp/badblocks

If you open /tmp/badblocks, you should see something like this:

53918
53919
53920
53921
...

To create the filesystem, we pass the bad blocks file using the -l parameter:

$ sudo mkfs.vfat -n "Camera" -l /tmp/badblocks /dev/sde1
mkdosfs 2.11 (12 Mar 2005)
20685 bad blocks
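The arithmetic above (cylinder offsets to 1 KiB block numbers) and the bad-cluster map it produces are easy to check from the forensic side. The following Python is an added example, not code from the original article: it recomputes the block range from the sfdisk geometry on the page and then scans a FAT16 allocation table for contiguous runs of the bad-cluster marker (0xFFF7). The FAT it scans is constructed in memory, and the 64-cluster threshold is an assumption; it is chosen because genuine media defects seldom form one unbroken run of thousands of clusters, which is exactly what marking a whole partition bad leaves behind.

```python
"""Recompute the bad-block range and detect synthetic bad-cluster runs in a FAT16 table.

Added example, not part of the original article. The FAT below is constructed in
memory; the geometry numbers are the ones sfdisk printed on the page (258048-byte
cylinders, 1024-byte blocks).
"""
import struct

BLOCK_SIZE = 1024
FAT16_BAD_CLUSTER = 0xFFF7   # reserved FAT16 entry value meaning "bad cluster"


def cylinder_block_range(start_cyl, n_cyls, cyl_bytes, margin=10, block_size=BLOCK_SIZE):
    """Cylinder start/length -> inclusive range of 1 KiB blocks, padded by `margin` on each side."""
    first = start_cyl * cyl_bytes // block_size
    last = first + n_cyls * cyl_bytes // block_size
    return first - margin, last + margin


def build_constructed_fat(n_clusters, bad_ranges):
    """Constructed sample: a FAT16 table with the given inclusive [(first, last)] cluster ranges marked bad."""
    entries = [0] * (n_clusters + 2)            # entries 0 and 1 are reserved, data clusters start at 2
    entries[0], entries[1] = 0xFFF8, 0xFFFF     # media-descriptor and end-of-chain markers, as in a fresh FAT
    for first, last in bad_ranges:
        for cluster in range(first, last + 1):
            entries[cluster] = FAT16_BAD_CLUSTER
    return struct.pack("<%dH" % len(entries), *entries)


def bad_cluster_runs(fat_bytes):
    """Return [(first_cluster, run_length)] for every contiguous run of bad-cluster entries."""
    entries = struct.unpack("<%dH" % (len(fat_bytes) // 2), fat_bytes)
    runs, start = [], None
    for idx, entry in enumerate(entries):
        if entry == FAT16_BAD_CLUSTER and idx >= 2:
            if start is None:
                start = idx
        elif start is not None:
            runs.append((start, idx - start))
            start = None
    if start is not None:
        runs.append((start, len(entries) - start))
    return runs


def suspicious_runs(fat_bytes, threshold=64):
    """Runs of at least `threshold` consecutive bad clusters (threshold is an assumption, not a standard)."""
    return [run for run in bad_cluster_runs(fat_bytes) if run[1] >= threshold]


if __name__ == "__main__":
    lo, hi = cylinder_block_range(214, 82, 258048)
    print("blocks %d..%d, %d entries in the bad blocks file" % (lo, hi, hi - lo + 1))
    # Constructed FAT: three genuinely scattered bad clusters plus one long synthetic run.
    fat = build_constructed_fat(4096, [(100, 102), (1500, 2300)])
    print("all runs:", bad_cluster_runs(fat))
    print("suspicious:", suspicious_runs(fat))
```

The block-range function reproduces the page's figures (53918 to 74602, 20685 entries); the scanner is the check an examiner would run against the FAT of the "parent" filesystem, where a single run spanning a fifth of the card stands out immediately.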

That’s it! You can now use your disk to your heart’s delight, nothing will touch your secret partition. One awesome way is to put the card in your camera and take some pictures with it. Your data will remain safe, and there’ll be nothing suspicious about a 4GB card “missing” some megabytes.

Revert

If you’ve smuggled your secret data across state borders, you’re ready to recover the secret partition. Just recreate the partition table to contain the secret partition:

$ sudo sfdisk /dev/sde << EOF
214,82,6
EOF

That’s it! You can even reuse the setup: by switching partition tables you’re effectively changing which partition is “active” on your card, and changing data in either partition won’t affect the other.

Advantages

  • Pretty much undetectable
  • Infinitely reusable
  • Bad blocks are less suspicious than unallocated space

Disadvantages

  • Quite complex to set up
  • Possibly suspicious size discrepancy in empty filesystems

Hide Data in Invisible Partitions

This is part 2 in a series on how to hide your data.

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Introduction

In the first article we learned about the Partition Table and how it identifies the partitions on our storage device. We also saw how to hide a partition using the standard method of flipping the 5th bit of the partition ID. From this moment on we’re stepping off the tracks and will use the tools at our disposal for things other than they were intended.

The Partition Table, Redux

Clever readers will have seen it coming when they read about the partition table in the previous article. Without those 64 bytes at the beginning of the disk, no one would know what partitions exist and where they are located. So that’s exactly what we’re going to fiddle with.

If we change the Partition Table, we don’t actually touch any of the real data on the disk. It’s the same thing with books: even if you remove the table of contents, you can still read the book, it’ll just be harder to find one specific chapter. If we remove the entry of a partition from the partition table, we’re not actually removing the partition, just the info needed to know where it is. If you memorize this info, which is only 3 numbers, you can later add it back to the table and access your data again.

Practical

A card with no partitions at all is suspicious, so we’ll create two partitions, and hide one of them afterwards.

Once again, we’re using sfdisk:

$ sudo sfdisk /dev/sde << EOF
> 0,500,6
> ,508,6
> EOF

This is the result:

david@Seven:~$ sudo sfdisk -l /dev/sde

Disk /dev/sde: 1009 cylinders, 4 heads, 62 sectors/track
Units = cylinders of 126976 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sde1          0+    499     500-     61999+   6  FAT16
/dev/sde2        500    1007     508      62992    6  FAT16
/dev/sde3          0       -       0          0    0  Empty
/dev/sde4          0       -       0          0    0  Empty

Put a FAT16 filesystem on the second partition…

$ sudo mkfs.vfat -F16 /dev/sde2
mkfs.vfat 2.11 (12 Mar 2005)

…mount it, and save your secret data on it.

Hang tight, here comes the dirty bit.

We know our secret partition starts right after the first partition, and is exactly 508 cylinders in size, with 0x6 as ID. You can memorize this data, or just copy the whole partition table to the end of the drive:

$ sudo dd bs=1 count=64 skip=446 seek=128118720 \
> if=/dev/sde of=/dev/sde
64+0 records in
64+0 records out
64 bytes (64 B) copied, 0.0282496 s, 2.3 kB/s

The Partition Table always starts at byte 446, so we skip those first few bytes. Byte 128118720 is the start of the last 64 bytes on my drive. You can calculate this by multiplying the size of a cylinder times the amount of cylinders—both can be found using the output of sfdisk -l —and subtracting 64. Note that we made sure our two partitions don’t fully utilize the disk, but leave 1 cylinder free, so that the last 126KB at the end of the drive are free for us to use.

Now let’s remove the partition from the partition table:

$ sudo sfdisk /dev/sde -N2 << EOF
> 0,0,0
> EOF

Our partition has magically disappeared. No operating system will be able to find the missing partition, but there exist special tools to recover the partition table. They do this by scanning the whole drive and looking for patterns that look like the beginning of a partition.

The one visible partition will obviously be of a smaller size than the whole drive. If for example you’re using a 2GB SD-card and want to avoid suspicion, replace the label with one from a 1GB SD-card, and make sure the visible partition is 1GB in size. This way, the only way to notice something is amiss is to run a partition editor and notice there’s a large chunk of unallocated space at the end of your drive.

The Invisible Partition in GParted, not quite invisible.

Revert

When you want to access your data again, you can just use sfdisk to recreate exactly the same partition using the numbers you memorized:

$ sudo sfdisk /dev/sde -N2 << EOF
> ,508,6
> EOF

Or overwrite the partition table with the copy we made at the end of the drive:

$ sudo dd bs=1 count=64 skip=128118720 seek=446 \
> if=/dev/sde of=/dev/sde

Neither method touches any of the data on the actual partitions, so both are fairly safe to use, as long as you remember where your partition is located and don’t format the partition afterwards.

Advantages

  • Almost undetectable
  • Not accessible without changing the partition table (i.e. doing pretty advanced stuff)

Disadvantages

  • Possibly suspicious size discrepancy
  • Detectable using partition editor

Hide Data in Hidden Partitions

This is part 1 in a series on how to hide your data.

Introduction

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Second, these methods will destroy your data if you’re not careful. Use them at your own risk, and only on data you have backed up very well. These methods shouldn’t destroy your disk or memory card, since we’re purely toggling bits. However, I guarantee nothing. These methods should work on any general data storage device, be it hard disks, usb keys, or flash cards.

The Partition Table

The first sector on every disk contains the partition table. These are 64 bytes divided into 4 records of 16 bytes, one for each primary partition. This explains the mystery of why you can only create 4 primary partitions on a disk. Like most arbitrary limitations this is a remnant of history.

Next to parameters like the start and the size of the partition, these records also contain the partition-type descriptor, which is an 8-bit ID identifying the filesystem on the partition. We’ll call it the partition ID or ID from here on. In hexadecimal, the ID for FAT12 is 0x01. For ext2, reiserfs, and various other Linux filesystems the ID is 0x83. Here’s a list of all the partition IDs. Note that these are not regulated, and that the filesystem creators can decide for themselves what ID their system has. The partition ID is used by the OS to check if it can mount the specific filesystem on that partition or not, before actually trying to mount it.

Using sfdisk we can check out the partition table:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+   6  FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

This partition table comes from a 256MB compactflash card (on my PC, device /dev/sdd). As you can see, it only has one partition, encompassing all 1009 cylinders (minus 1 sector, see the addition and subtraction signs), and having ID 0x6, which is the standard for FAT16. This doesn’t mean that there’s a FAT16 filesystem on that partition, though. It just means that there’s probably a FAT16 filesystem on there.

The Standard Method

As weird as it sounds, there’s actually some kind of “standard” on hidden partitions. Using this method you’re not really hiding the data as much as putting it in a corner where no one can see it unless they turn their heads. Every operating system and partition manager will recognize it as a ‘hidden partition’, and thus, it’s not really hidden. It even gets mounted by default in certain Linux distributions.

Why use this then? It’s useful when you need to install multiple legacy operating systems that don’t like to work together (Windows, I’m looking at you here). GRUB, a Linux bootloader, actually has the commands hide and unhide, which implement this method. It’s also a quick, easy and non-destructive method to make sure the data can’t be accessed without some effort. Useful to hide data from a layperson.

The method is simple: flip the 5th least significant bit of the partition ID. The 0x06 (binary 00000110) for FAT16 becomes 0x16 (binary 00010110). The 0x83 for Linux partitions becomes 0x93. Let’s say we want to hide the partition on my compactflash card:

$ sudo sfdisk --change-id /dev/sdd 1 16

Ta-da! You’ve now officially hidden your partition. The "1" parameter is the number of the partition on the specified disk you want to change. Change it to 2 if you want to change the second partition, etc.

Here’s how the table looks now:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+  16  Hidden FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

As you can see: hidden, but they still know it’s there.
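Both the type-ID trick shown here (part 1) and the removed-entry trick from part 2 leave their traces in the 64-byte table itself, which is the first thing a disk examiner decodes. The following Python is an added example, not code from the original articles: it decodes the four 16-byte entries (type ID at byte 4, little-endian LBA start and sector count at bytes 8 to 15), flags IDs that are a known type with the 0x10 "hidden" bit set, measures the unallocated space after the last listed partition, and checks whether the last 64 bytes of the device hold a copy of a partition table. The tables and the tail bytes are constructed in memory using the part 2 geometry (1009 cylinders of 126976 bytes); leaving the CHS fields zero is an assumption that a real MBR would not share.

```python
"""Decode an MBR partition table and look for the traces the two tricks leave behind.

Added example, not code from the original articles. Everything below is constructed
in memory: the tables mirror the sfdisk output in part 2 (1009 cylinders of 126976
bytes, i.e. 248 sectors of 512 bytes per cylinder) and the CHS fields are left zero.
"""
import struct

SECTOR = 512
TABLE_OFFSET = 446            # the 64-byte table lives at byte 446 of sector 0
ENTRY_SIZE = 16
HIDDEN_BIT = 0x10             # the bit that `sfdisk --change-id ... 16` sets on 0x06
KNOWN_IDS = {0x01: "FAT12", 0x06: "FAT16", 0x83: "Linux"}

CYLINDERS = 1009              # geometry from part 2's sfdisk -l (assumed for the sample)
CYLINDER_BYTES = 126976
DISK_BYTES = CYLINDERS * CYLINDER_BYTES


def build_entry(type_id, lba_start, n_sectors):
    """Pack one entry: boot flag, CHS start (zeroed), type ID, CHS end (zeroed), LBA start, sector count."""
    return struct.pack("<B3sB3sII", 0, b"\0\0\0", type_id, b"\0\0\0", lba_start, n_sectors)


def build_table(entries):
    """Build a 64-byte table from (type_id, lba_start, n_sectors) tuples; unused slots stay zero."""
    table = b"".join(build_entry(*e) for e in entries)
    return table + bytes(64 - len(table))


def parse_table(table):
    """Decode the four entries of a 64-byte table into dicts (1-based index, as sfdisk numbers them)."""
    parts = []
    for i in range(4):
        e = table[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]
        lba_start, n_sectors = struct.unpack_from("<II", e, 8)
        parts.append({"index": i + 1, "type_id": e[4], "start": lba_start, "sectors": n_sectors})
    return parts


def hidden_partitions(parts):
    """Indexes whose type ID is a known filesystem ID with the hidden bit set (0x16, 0x93, ...)."""
    return [p["index"] for p in parts
            if p["type_id"] & HIDDEN_BIT and (p["type_id"] & ~HIDDEN_BIT) in KNOWN_IDS]


def trailing_unallocated_bytes(parts, disk_bytes=DISK_BYTES):
    """Bytes after the end of the last listed partition; a large value is the giveaway part 2 mentions."""
    ends = [(p["start"] + p["sectors"]) * SECTOR for p in parts if p["sectors"]]
    return disk_bytes - (max(ends) if ends else 0)


def backup_table_offset(cylinders=CYLINDERS, cylinder_bytes=CYLINDER_BYTES):
    """Byte offset of the last 64 bytes of the device, the spot part 2 uses for its table copy."""
    return cylinders * cylinder_bytes - 64


def find_table_copy(tail64, live_table):
    """Return decoded entries if the device's last 64 bytes decode to a table listing more
    partitions than the live table does (the part 2 layout), else None."""
    copy, live = parse_table(tail64), parse_table(live_table)
    populated = lambda parts: sum(1 for p in parts if p["type_id"] and p["sectors"])
    return copy if populated(copy) > populated(live) else None


if __name__ == "__main__":
    # Constructed: only sde1 visible, as after `0,0,0` on -N2; the tail holds the copy made before that.
    live = build_table([(0x06, 1, 123999)])
    tail = build_table([(0x06, 1, 123999), (0x06, 124000, 125984)])
    hidden = build_table([(0x16, 1, 123999)])          # part 1: ID 0x06 with bit 0x10 set
    print("hidden-bit partitions:", hidden_partitions(parse_table(hidden)))
    print("unallocated bytes after last partition:", trailing_unallocated_bytes(parse_table(live)))
    print("backup table offset:", backup_table_offset())
    copy = find_table_copy(tail, live)
    print("table copy at end lists partitions:", [p["index"] for p in copy if p["sectors"]])
```

With only sde1 listed, the trailing gap works out to 64630784 bytes, roughly half the card, which is the size discrepancy a partition editor shows; with both partitions listed it shrinks to exactly one cylinder (126976 bytes), the slack part 2 reserves for the table copy at offset 128118720.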

Advantages

  • Standard, supported by many OSes and applications
  • Easy and fast to hide and unhide

Disadvantages

  • Standard, thus easily detected
  • Mounted by default in Linux, which easily defeats the purpose