watching you watching us . .

Archive for April, 2011

Covert hard drive fragmentation – Steganography Ad-dress

Snippets of a recent article in the New Scientist..

“.. hide data on a hard drive without using encryption. Instead of using a cipher to scramble text, the method involves manipulating the location of data fragments.

– snip –

..possible to encode a 20-megabyte message on a 160-gigabyte portable hard drive. It hides data so well that its existence would be “unreasonably complex” to detect

– snip –

Encryption .. shows someone might have something to hide..

– snip –

steganography, hiding data in plain sight.. But these techniques are well known and easily detected, says Khan. So, with colleagues at the National University of Science and Technology in Islamabad, Pakistan, he has developed an alternative.

Their technique exploits the way hard drives store file data in numerous small chunks, called clusters. The operating system stores these clusters all over the disc, wherever there is free space between fragments of other files.

Khan and his colleagues have written software that ensures clusters of a file, rather than being positioned at the whim of the disc drive controller chip, as is usually the case, are positioned according to a code. All the person at the other end needs to know is which file’s cluster positions have been encoded.

The code depends on whether sequential clusters in a file are situated adjacent to each other on the hard disc or not. If they are adjacent, this corresponds to a binary 1 in the secret message. If sequential clusters are stored in different places on the disc, this encodes a binary 0 (Computers and Security, DOI: 10.1016/j.cose.2010.10.005). The recipient then uses the same software to tell them the file’s cluster positions, and hence the message. The researchers intend to make their software open source.

“An investigator can’t tell the cluster fragmentation pattern is intentional – it looks like what you’d get after addition and deletion of files over time,” says Khan. Tests show the technique works, as long as none of the files on the hard disc are modified before handover.

“The real strength of this technique is that even a completely full drive can still have secret data added to it – simply by rearranging the clusters,” adds Khan.

Others are impressed with the technique but see limitations.

“This type of steganography could be used by spies, police or informants – but the risk is that it requires direct contact to physically exchange the USB device containing the secret data,” says Wojciech Mazurczyk, a steganographer at Warsaw University of Technology in Poland. “So it lacks the flexibility of internet steganography. Once you embed the secret data on the disk it is not easy to modify it.”

– snip –

“It’s how security vulnerability disclosure works,” says Khan. “We have identified that this is possible. Now security agencies can devise techniques to detect it.” He adds that his team have had no issues with either US or Pakistani security agencies over their development of this secret medium – despite current political tensions between the two nations.

“The use of steganographic techniques like this is likely to increase,” says Fred Piper, director of information security at Royal Holloway, University of London. “Eavesdroppers can learn much from the fact that somebody is encrypting a message.”

..”

“Covert hard drive fragmentation embeds a spy’s secrets”
Paul Marks, New Scientist.com, 21 April 2011
http://www.newscientist.com/article/mg21028095.200-covert-hard-drive-fragmentation-embeds-a-spys-secrets.html – last access 29 April 2011 – ( Full Article )

/cobramark3
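The adjacency code the article describes is simple enough to model in a few lines. The following is an added toy simulation, not the researchers’ software (which the article says is to be released as open source) and not code from the page: the “disk” is a set of free cluster numbers, other files’ clusters are a constructed sample, and the encoder’s policy of always placing clusters in increasing order is my own simplifying assumption. The two extra helpers show what a defender sees: `fragment_count` is the statistic a fragmentation report would give an examiner (every 0 bit costs one extra fragment, which is why a full drive can still carry a message), and `defragment` shows why the quoted caveat about files not being modified before handover holds, since rewriting or defragmenting the carrier destroys the message.

```python
"""Toy model of the cluster-adjacency code described in the article above.

A file occupies N clusters. For each consecutive pair (i, i+1) the hidden
bit is 1 when cluster i+1 sits immediately after cluster i on disk and 0
when it sits anywhere else. Nothing here touches a real filesystem: the
"disk" is just a set of free cluster numbers (constructed sample input).
"""


def message_to_bits(message):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]


def bits_to_message(bits):
    """Inverse of message_to_bits; trailing partial bytes are dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def decode_bits(positions):
    """What the recipient's tool does: read the bits off a file's cluster order."""
    return [1 if positions[i + 1] == positions[i] + 1 else 0
            for i in range(len(positions) - 1)]


def _ones_run(bits, start):
    """Length of the run of 1 bits beginning at index `start`."""
    n = 0
    while start + n < len(bits) and bits[start + n] == 1:
        n += 1
    return n


def encode_layout(bits, disk_size, used=()):
    """Choose positions for a file of len(bits)+1 clusters so that
    decode_bits() yields `bits`.  `used` holds clusters occupied by other
    files.  Assumption of this toy: clusters are always placed in increasing
    order; a 0 bit leaves a gap of at least one cluster, a 1 bit takes the
    very next cluster."""
    free = set(range(disk_size)) - set(used)

    def pick(min_pos, run):
        # lowest free cluster >= min_pos that starts a free run long enough
        # to hold the `run` adjacent clusters the following 1 bits require
        for c in sorted(free):
            if c >= min_pos and all((c + k) in free for k in range(run + 1)):
                return c
        raise ValueError("free space cannot express this bit pattern")

    positions = [pick(0, _ones_run(bits, 0))]
    free.remove(positions[0])
    for i, bit in enumerate(bits):
        cur = positions[-1]
        # a 1 bit must be adjacent (guaranteed free by the previous pick);
        # a 0 bit skips at least one cluster and must leave room for the
        # 1 bits that follow it
        nxt = cur + 1 if bit == 1 else pick(cur + 2, _ones_run(bits, i + 1))
        positions.append(nxt)
        free.remove(nxt)
    return positions


def fragment_count(positions):
    """Number of contiguous runs, i.e. what a fragmentation report shows.
    Each 0 bit costs exactly one extra fragment."""
    return 1 + decode_bits(positions).count(0)


def defragment(positions):
    """What a defragmenter or a rewrite of the file does: the layout becomes
    contiguous, every pair decodes as 1, and the message is gone."""
    return list(range(positions[0], positions[0] + len(positions)))


if __name__ == "__main__":
    bits = message_to_bits(b"Hi")
    pos = encode_layout(bits, disk_size=64, used={3, 4, 5, 20, 21})
    print("cluster positions:", pos)
    print("decoded:", bits_to_message(decode_bits(pos)))
    print("fragments an examiner would count:", fragment_count(pos))
    print("after defragmentation:", bits_to_message(decode_bits(defragment(pos))))
```

Note that the encoder can fail: a run of 1 bits needs a correspondingly long run of free clusters, so `encode_layout` raises `ValueError` when the free-space map cannot hold the pattern, which is the practical limit the article’s 20 MB on 160 GB figure reflects.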


Operation Ore suspect Jeremy Clifford awarded damages after 8 years of battle

“.. A man wrongly accused in Britain’s largest ever child pornography investigation has won damages in the High Court after an eight-year legal battle.

Jeremy Clifford, 51, from Watford, was arrested and falsely charged in 2003 as part of Operation Ore. His credit card details had been found among those of thousands of British people on a list maintained by Landslide, a commercial provider of illegal pornography based in the US.

Hertfordshire Constabulary seized a computer that had belonged to Mr Clifford and discovered 10 illegal thumbnail images in its temporary internet files folder.

However, a senior High Court judge found on Friday that the arresting officer had been told by a computer forensics expert that the images were not sufficient evidence to charge.

“The images could have been received unsolicited by and even without the knowledge of the operator of the computer, for example as ‘pop-ups’,” said Mr Justice Mackay.

Despite this, the officer, Detective Constable Brian Hopkins, pressed three charges of possession of indecent images of children. Mr Justice Mackay said he cut a “rather pathetic figure” in the witness box, having initially claimed he could not give evidence because of a psychiatric condition.

– snip –

The finding was based on evidence the court heard from an internal investigation launched after Mr Clifford was formally cleared of all the allegations before trial. It found that Hertfordshire Constabulary’s forensics expert, George Fouhey, had advised against pressing charges ..”

“Judge hits police with massive bill over false Operation Ore charges”
Court correspondent, Policing, The Register UK, 4 April 2011
http://www.theregister.co.uk/2011/04/04/operation_ore_suspect_wins_damages/ – last access 5 April 2011 – ( Full Article )

/cobramark3


Solid-State Disk Behavior Underlying Digital Forensics

“.. SSDs are different. Writing a virgin cell merely requires a write cycle. Rewriting a cell requires two cycles: an erase cycle and a write cycle. The erase cycle is governed by the physics, and takes time. Performance is improved by “pre-clearing” no longer needed cells (e.g., free space on the disk) during otherwise unused device cycles.

– snip –

A recent paper from Graeme Bell and Richard Boddington of Murdoch University in Perth, Solid State Drives: The Beginning of the End for Current Practices of Digital Forensic Recovery, documented several consequences of this implementation approach with respect to standard best practices for digital forensic acquisitions. In short, the autonomous pre-clearing function rendered free space unrecoverable on short order from the time that the drive was powered-on.

– snip –

As noted by Bell and Boddington, the automatic nature of the resetting function on space determined by the controller to be unallocated has several implications for standard forensics procedures:

- data in unallocated space will quickly disappear on such a device (Quick format will actually cause the drive contents to be erased on short order)
- the data recorded by a forensic acquisition with a write-blocker will be inconsistent with a subsequent acquisition until the reset process has completed. The cryptographic checksums (e.g., MD-5, SHA-1) generated on successive acquisitions will thus be inconsistent ..”

“Solid-State Disk Behavior Underlying Digital Forensics”
Robert Gezelter, InfoSecIsland.com , 7 March 2011
https://www.infosecisland.com/blogview/12375-Solid-State-Disk-Behavior-Underlying-Digital-Forensics.html – last access 1 April 2011 – ( Full Article )

“Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?”
Graeme B. Bell and Richard Boddington, 2010
Journal of Digital Forensics, Security and Law, Vol. 5(3)
http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

/cobramark3
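The two consequences listed above (unallocated space vanishing, and successive write-blocked images hashing differently until the drive has finished clearing) can be reproduced with a small model of a self-clearing drive. This is an added illustration, not code from the article or from the Bell and Boddington paper; the 16-byte blocks, the all-ones erased state, the one-block-per-idle-cycle clearing budget and the TRIM-style `delete` are all simplifying assumptions of the model, and real controllers are far more involved. It also shows the mitigation an examiner can fall back on: a hash computed over the still-allocated blocks only stays stable across acquisitions even while the whole-image hash does not.

```python
"""Toy model of an SSD whose controller pre-clears unallocated blocks in the
background, and of what that does to repeated forensic acquisitions.

Assumptions of this model (not facts about any real drive): tiny 16-byte
blocks, erased flash reads back as 0xFF, and the controller clears exactly
one pending block per idle cycle.
"""
import hashlib

BLOCK_SIZE = 16
ERASED = b"\xff" * BLOCK_SIZE


def pad(data):
    """Constructed sample content, padded or cut to one block."""
    return data.ljust(BLOCK_SIZE, b".")[:BLOCK_SIZE]


class ToySSD:
    def __init__(self, n_blocks, clear_per_cycle=1):
        self.blocks = [ERASED] * n_blocks
        self.allocated = set()      # blocks the filesystem currently uses
        self.pending = []           # freed blocks the controller has not cleared yet
        self.clear_per_cycle = clear_per_cycle

    def write(self, block, data):
        assert len(data) == BLOCK_SIZE
        self.blocks[block] = data
        self.allocated.add(block)
        if block in self.pending:
            self.pending.remove(block)

    def delete(self, block):
        """Filesystem frees the block and tells the drive (TRIM-style).
        The old bytes stay readable until the controller gets round to them."""
        self.allocated.discard(block)
        if block not in self.pending:
            self.pending.append(block)

    def idle_cycle(self):
        """Powered-on idle time: the controller clears pending blocks on its own."""
        for _ in range(min(self.clear_per_cycle, len(self.pending))):
            self.blocks[self.pending.pop(0)] = ERASED

    def acquire(self):
        """Bit-for-bit read through a write blocker: a snapshot of every block."""
        return b"".join(self.blocks)


def image_hash(image):
    """Checksum of a whole-drive image, as taken after each acquisition."""
    return hashlib.sha256(image).hexdigest()


def allocated_hash(ssd):
    """Checksum over allocated blocks only (block number plus content), which
    the background clearing cannot touch."""
    h = hashlib.sha256()
    for b in sorted(ssd.allocated):
        h.update(b.to_bytes(4, "big") + ssd.blocks[b])
    return h.hexdigest()


def carve(image, needle):
    """Crude unallocated-space recovery: is the deleted content still on the image?"""
    return image.find(needle) != -1


def demo():
    """Four acquisitions of the same drive while it clears freed blocks."""
    ssd = ToySSD(n_blocks=8)
    ssd.write(0, pad(b"live-file-block0"))
    ssd.write(1, pad(b"live-file-block1"))
    ssd.write(2, pad(b"SECRET-deleted-2"))
    ssd.write(3, pad(b"SECRET-deleted-3"))
    ssd.delete(2)
    ssd.delete(3)                      # user deleted the file just before seizure

    r = {}
    img = ssd.acquire()                # acquisition 1: drive just powered on
    r["img1"], r["alloc1"], r["secret1"] = image_hash(img), allocated_hash(ssd), carve(img, b"SECRET")
    ssd.idle_cycle()                   # controller clears block 2
    img = ssd.acquire()                # acquisition 2 no longer matches 1
    r["img2"], r["alloc2"], r["secret2"] = image_hash(img), allocated_hash(ssd), carve(img, b"SECRET")
    ssd.idle_cycle()                   # controller clears block 3
    img = ssd.acquire()                # acquisition 3: deleted data is gone
    r["img3"], r["alloc3"], r["secret3"] = image_hash(img), allocated_hash(ssd), carve(img, b"SECRET")
    for _ in range(3):
        ssd.idle_cycle()               # nothing pending: the reset has completed
    r["img4"] = image_hash(ssd.acquire())
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The run shows the whole-image hashes changing from one acquisition to the next and only settling once nothing is left to clear, while the allocated-only hash is identical every time; any examination that relies on carving freed space has to happen before the controller’s idle cycles, which in practice means before the drive is powered on at all.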