Computerworld - Researchers have released a paper detailing a way to conceal data from the prying eyes of law enforcement officials by exploiting disk fragmentation on a clustered file system, thereby hiding it in plain sight.
The researchers, from the University of Southern California and the National University of Science and Technology (NUST) in Islamabad, Pakistan, stated that encryption is ineffective as a means of hiding data from law enforcement officials who undertake a forensic investigation of a computer system.
That is "mainly because the presence of encrypted data on a disk can be easily detected and disk owners can subsequently be forced (by law or other means) to release decryption keys," the researchers wrote in a summary of their paper.
The paper, "Designing a Cluster-based Covert Channel to Evade Disk Investigation and Forensics," details how information can be hidden in the arrangement of the clusters of a file, which causes deliberate fragmentation -- "a phenomenon that is not unusual to find on heavily-used file systems," according to the report.
In order to keep data from being detected during a forensic investigation, the researchers propose storing sensitive information on a covert channel as 24-bit fragments on half-empty drives on a clustered file system, allowing the user to plausibly deny any knowledge of the existence of the data.
The data-hiding algorithm is created using FAT32-formatted disk drives and exploiting the way operating systems group consecutive sectors on a disk. Those sectors create the clusters that store the content.
"This approach works well until there are no consecutive unallocated clusters available. In that case, the contents of the file are scattered or fragmented across the file system," the research paper states.
The researchers also presented statistics about the incidence of file fragmentation on actual file systems from 52 disk drives belonging to a diverse set of users. Based on the statistics, they presented guidelines for selecting good cover files.
"Finally, we show that even if an investigator gets suspicious, he/she will [have difficulty uncovering a] hidden message," they wrote.
Lucas Mearian covers storage, disaster recovery and business continuity, financial services infrastructure and health care IT for Computerworld. Follow Lucas on Twitter at 
@lucasmearian or subscribe to Lucas's RSS feed 
. His email address is lmearian@computerworld.com.
Read more about Storage in Computerworld's Storage Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
