Saturday, October 22, 2016

Data Gathering

There are many ways to accomplish hiding data on recordable media. Hiding data as random noise by encrypting it or using Steganography to embed the data within other data are two ways that get demonstrated often in media. (Provos & Honeyman, 2003) I will discuss two methods of hiding data which are based on the actual storage elements of the media itself. Our reading this week included a "Partial Overview of the Storage Media Ontology" (Dosis, Homem, & Popov, 2013) which describes the storage on a media: the physical space is logically split into partitions, data within partitions is mapped by a file system, and the file system maps chunks of data bytes to logical files.
The physical storage media breaks up stored data into sectors, typically 4096 or 512 bytes at a time. (Seagate, 2012) A sector is the smallest addressable allocation exposed to software programs. (DEW, 2002) File systems typically implement storage in clusters of sectors, rather than using sectors directly. (DEW, 2002) Each file system maps a collection of clusters to each file, resulting in a file consuming space equal the count of data bytes rounded up to the nearest multiple of cluster size. Each file system also records the true count of data bytes for the file. A careful eye will notice that this leaves a count of extra bytes, called slack space, which can be leveraged for secret storage. (Kaiwee, 2010) Small data can be stored in the slack space of a single file and larger amounts of data could be split across multiple slack spaces.
The second method of hiding information on a hard disk drive storage media depends on the fact that hard disk drives have seperate computing devices, Hard Disk Controllers (HDC), that sit between the system utilizing the stored information and the physical storage medium. (Holland & Vavaroutsos, 1994) The HDC contains the limits of storage capacity for the drive, which may not actually match the physical storage limits available. The ATA-4 standard allowed for a Host Protected Area, HPA, which is the space on the drive between the addressable capacity and the physical capacity. (Gupta, Hoeschele & Rogers, 2006) Someone hiding data in a Host Protected Area saves information to the highest addresses on a drive and then uses the SET MAX ADDRESS command to shrink the storage capacity to cap out before reaching that data. (Gupta, Hoeschele & Rogers, 2006) Normal disk operations, like with the BIOS or an operating system, do not see the HPA because the HDC reports that the storage capacity is only as large as the MAX ADDRESS that was set.

DEW. (2002). Hard Drive Clusters and File Allocation. DEW Associates Corporation.
Dosis, S., Homem, I., & Popov, O. (2013). Semantic representation and integration of digital evidence. Procedia Computer Science, 22, 1266-1275.
Gupta, M. R., Hoeschele, M. D., & Rogers, M. K. (2006). Hidden disk areas: HPA and DCO. International Journal of Digital Evidence, 5(1), 1-8.
Holland, A., & Vavaroutsos, P. G. (1994). U.S. Patent No. 5,367,669. Washington, DC: U.S. Patent and Trademark Office.
Kaiwee, C. (2010). Analysis of Hidden Data in NTFS File system.
Provos, N., & Honeyman, P. (2003). Hide and seek: An introduction to steganography. IEEE Security & Privacy, 1(3), 32-44.
Seagate. (2012). Desktop HDD Data Sheet.

No comments:

Post a Comment