Evading Disk Investigation and Forensics

Encrypting files and data is a good way to ensure their confidentiality, but it will not prevent a third party from detecting that encrypted storage exists. Researchers at the University of Southern California and the Computer Sciences department of NUST in Pakistan discovered an interesting way to secure data based on steganography techniques.

The presented technique allows a person to evade disk forensics by securely hiding data on a removable or permanent mass storage device. The study demonstrates two secure approaches: one offers a small storage capacity for the covert channel and results in less fragmentation; the alternative provides a larger capacity but results in greater fragmentation on the storage medium.

To evade a forensic investigator, the approach only modifies the location of the cover medium's content; it does not modify existing content or store any additional data that might arouse suspicion. The information to be hidden is embedded in the arrangement of a file's clusters. It is important to note that the software makes it possible to store a 20-megabyte message on a 160-gigabyte portable hard drive.

The proposed covert-channel-based evasion approach has some limitations: hidden data is difficult to modify, so once information is stored it is effectively read-only, and changing it requires altering many chunks of the cover file; defragmentation or deletion of a cover file from the filesystem results in loss of the hidden data; the maximum amount of hidden data that one cover file can represent is constrained by filesystem limits (e.g., the maximum file size on a FAT32 filesystem is 4 GiB); and renaming the cover file may lose all the hidden data.
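As an added illustration, not code from the paper or from this post, the following Python model shows why a file's cluster ordering can carry information, why the two schemes described above differ in capacity and fragmentation, how a defragmenter destroys the channel, and one check an examiner can run over a volume's cluster chains. The one-bit-per-transition mapping, the log2(n!) bound for the ordering scheme, the file names and all cluster numbers are constructed assumptions for the model and do not reproduce the paper's exact encoding.

```python
import math
from statistics import median


def cluster_chain_stats(chain):
    """Summarise the physical layout of one file's cluster chain.

    `chain` is the ordered list of cluster numbers a file occupies, as a
    FAT-chain walk or an NTFS data-run decode would yield.  Returns the
    number of fragments and the fraction of cluster-to-cluster transitions
    that jump to a non-adjacent cluster (0.0 means fully contiguous).
    """
    if len(chain) < 2:
        return 1, 0.0
    jumps = sum(1 for a, b in zip(chain, chain[1:]) if b != a + 1)
    return jumps + 1, jumps / (len(chain) - 1)


def layout_bits(chain):
    """Read the layout as a bit string under the assumed low-capacity model:
    '0' when the next cluster is adjacent, '1' when it is not.  This is a
    modelling assumption, not the paper's encoding."""
    return "".join("0" if b == a + 1 else "1" for a, b in zip(chain, chain[1:]))


def adjacency_capacity_bits(n_clusters):
    """Upper bound for the low-capacity scheme: one bit per transition."""
    return max(n_clusters - 1, 0)


def permutation_capacity_bits(n_clusters):
    """Upper bound for a high-capacity scheme that exploits the full ordering
    of n clusters: log2(n!) bits.  Higher capacity costs more fragmentation,
    because most orderings are far from contiguous."""
    return sum(math.log2(k) for k in range(2, n_clusters + 1))


def defragment(chain):
    """Model a defragmenter: the same clusters are rewritten contiguously
    from the lowest one, so whatever the ordering carried is gone."""
    start = min(chain)
    return list(range(start, start + len(chain)))


def suspicious_files(files, factor=3.0, floor=0.2):
    """Flag files whose fragmentation ratio stands out against the volume's
    own baseline (the median ratio).  On a nearly full or long-lived volume
    ordinary fragmentation is high, so the baseline comes from the same
    volume rather than from a fixed global threshold."""
    ratios = {name: cluster_chain_stats(chain)[1] for name, chain in files.items()}
    baseline = median(ratios.values())
    limit = max(floor, factor * baseline)
    return sorted(name for name, ratio in ratios.items() if ratio > limit)


# Constructed cluster chains for a small volume; "archive.zip" is laid out
# with deliberate jumps, the others as a filesystem would normally place them.
FILES = {
    "budget.xlsx": [500, 501, 502, 503],
    "photo.jpg": [700, 701, 702, 703, 704, 705, 706, 707],
    "notes.txt": [900, 901],
    "archive.zip": [100, 101, 102, 200, 201, 300, 301, 302, 303, 400],
    "backup.bin": [1000, 1001, 1002, 1100, 1101, 1102, 1103, 1104, 1105, 1106, 1107],
}

if __name__ == "__main__":
    cover = FILES["archive.zip"]
    print("fragments, ratio:", cluster_chain_stats(cover))
    print("layout bits     :", layout_bits(cover))
    print("after defrag    :", layout_bits(defragment(cover)))
    n = len(cover)
    print("capacity bits   : adjacency=%d ordering=%.1f"
          % (adjacency_capacity_bits(n), permutation_capacity_bits(n)))
    print("flagged files   :", suspicious_files(FILES))
```

The `layout_bits` output for the cover file changes to all zeros once `defragment` has run, which is the loss-of-data limitation above in concrete form; `suspicious_files` is the examiner's side of the same observation, and it should be read as a lead for closer inspection rather than proof, because an old, full volume fragments heavily on its own.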

The paper is very interesting and includes an innovative technique for hiding your data from most forensics tools. I hope that we will find an open-source utility that applies this theory and moves it into practice.


Designing a cluster-based covert channel to evade disk investigation and forensics:
