Hide Data in Hidden Partitions

Posted on April 15, 2009 by David

This is part 1 in a series on how to hide your data.

Introduction

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Second, these methods will destroy your data if you’re not careful. Use them at your own risk, and only on data you have backed up very well. These methods shouldn’t destroy your disk or memory card, since we’re purely toggling bits. However, I guarantee nothing. These methods should work on any general data storage device, be it hard disks, usb keys, or flash cards.

The Partition Table

The first sector on every disk contains the partition table. These are 64 bytes divided in 4 records of 16 bytes, one for each primary partition. This explains the mystery of why you can only create 4 primary partitions on a disk. Like most arbitrary limitations this is a remnant of history.

Next to parameters like the start and the size of the partition, these records also contain the partition-type descriptor, which is an 8 bit ID identifying the filesystem on the partition. We’ll call it the partition ID or ID from here on. In hexadecimal, the ID for FAT12 is 0×01. For ext2, reiserfs, and various other linux filesystems the ID is 0×83. Here’s a list of all the partition ID’s. Note that these are not regulated, and that the filesystem creators can decide for themselves what ID their system has. The partition ID is used by the OS to check if it can mount the specific filesystem on that partition or not, before actually trying to mount it.

Using sfdisk we can check out the partition table:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+   6  FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

This partition table comes from a 256MB compactflash card (on my PC, device /dev/sdd). As you can see, it only has one partition, encompassing all 1009 cylinders (minus 1 sector, see the addition and subtraction signs), and having ID 0×6, which is the standard for FAT16. This doesn’t mean that there’s a FAT16 filesystem on that partition, though. It just means that there’s probably a FAT16 filesystem on there.

The Standard Method

As weird as it sounds, there’s actually some kind of “standard” on hidden partitions. Using this method you’re not really hiding the data as much as putting it in a corner where no one can see it unless they turn their heads. Every operating system and partition manager will recognize it as a ‘hidden partition’, and thus, it’s not really hidden. It even gets mounted by default in certain Linux distributions.

Why use this then? It’s useful when you need to install multiple legacy operating systems that don’t like to work together (Windows, I’m looking at you here). Grub, a linux bootloader, actually has the commands hide and unhide, which implement this method. It’s also a quick and easy, non-desctructable method to make sure the data can’t be accessed without doing some effort. Useful to hide data from a layperson.

The method is simple: flip the 5th least significant bit of the partition ID. The 0×6 (binary 00000110) for FAT16 becomes 0×16 (000010110). The 0×83 for Linux partitions becomes 0×93. Let’s say we want to hide the partition on my compactflash card:

$ sudo sfdisk --change-id /dev/sdd 1 16

Ta-da! You’ve now officially hidden your partition. The “1″-parameter is the number of the partition on the specified disk you want to change. Change it to 2 if you want to change the second partition, etc.

Here’s how the table looks like now:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+  16  Hidden FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

As you can see: hidden, but they still know it’s there.

Advantages

  • Standard, supported by many OS’s and applications
  • Easy and fast to hide and unhide

Disadvantages

  • Standard, thus easily detected
  • Mounted by default in linux, which easily defeats the purpose
This entry was posted in How To, Linux, Sysadmin and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong> <pre lang="" line="" escaped="" highlight="">