This is part 1 in a series on how to hide your data.
First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.
Second, these methods will destroy your data if you’re not careful. Use them at your own risk, and only on data you have backed up very well. These methods shouldn’t destroy your disk or memory card, since we’re purely toggling bits. However, I guarantee nothing. These methods should work on any general data storage device, be it hard disks, usb keys, or flash cards.
The Partition Table
The first sector on every disk contains the partition table. These are 64 bytes divided in 4 records of 16 bytes, one for each primary partition. This explains the mystery of why you can only create 4 primary partitions on a disk. Like most arbitrary limitations this is a remnant of history.
Next to parameters like the start and the size of the partition, these records also contain the partition-type descriptor, which is an 8 bit ID identifying the filesystem on the partition. We’ll call it the partition ID or ID from here on. In hexadecimal, the ID for FAT12 is 0x01. For ext2, reiserfs, and various other linux filesystems the ID is 0x83. Here’s a list of all the partition ID’s. Note that these are not regulated, and that the filesystem creators can decide for themselves what ID their system has. The partition ID is used by the OS to check if it can mount the specific filesystem on that partition or not, before actually trying to mount it.
Using sfdisk we can check out the partition table:
$ sudo sfdisk -l /dev/sdd Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0 Device Boot Start End #cyls #blocks Id System /dev/sdd1 0+ 1008 1009- 254267+ 6 FAT16 /dev/sdd2 0 - 0 0 0 Empty /dev/sdd3 0 - 0 0 0 Empty /dev/sdd4 0 - 0 0 0 Empty
This partition table comes from a 256MB compactflash card (on my PC, device /dev/sdd). As you can see, it only has one partition, encompassing all 1009 cylinders (minus 1 sector, see the addition and subtraction signs), and having ID 0x6, which is the standard for FAT16. This doesn’t mean that there’s a FAT16 filesystem on that partition, though. It just means that there’s probably a FAT16 filesystem on there.
The Standard Method
As weird as it sounds, there’s actually some kind of “standard” on hidden partitions. Using this method you’re not really hiding the data as much as putting it in a corner where no one can see it unless they turn their heads. Every operating system and partition manager will recognize it as a ‘hidden partition’, and thus, it’s not really hidden. It even gets mounted by default in certain Linux distributions.
Why use this then? It’s useful when you need to install multiple legacy operating systems that don’t like to work together (Windows, I’m looking at you here). Grub, a linux bootloader, actually has the commands hide and unhide, which implement this method. It’s also a quick and easy, non-desctructable method to make sure the data can’t be accessed without doing some effort. Useful to hide data from a layperson.
The method is simple: flip the 5th least significant bit of the partition ID. The 0x6 (binary 00000110) for FAT16 becomes 0x16 (000010110). The 0x83 for Linux partitions becomes 0x93. Let’s say we want to hide the partition on my compactflash card:
$ sudo sfdisk --change-id /dev/sdd 1 16
Ta-da! You’ve now officially hidden your partition. The “1”-parameter is the number of the partition on the specified disk you want to change. Change it to 2 if you want to change the second partition, etc.
Here’s how the table looks like now:
$ sudo sfdisk -l /dev/sdd Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0 Device Boot Start End #cyls #blocks Id System /dev/sdd1 0+ 1008 1009- 254267+ 16 Hidden FAT16 /dev/sdd2 0 - 0 0 0 Empty /dev/sdd3 0 - 0 0 0 Empty /dev/sdd4 0 - 0 0 0 Empty
As you can see: hidden, but they still know it’s there.
- Standard, supported by many OS’s and applications
- Easy and fast to hide and unhide
- Standard, thus easily detected
- Mounted by default in linux, which easily defeats the purpose