Hide Data in Invisible Partitions

This is part 2 in a series on how to hide your data.

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Introduction

In the first article we learned about the Partition Table and how it identifies the partitions on our storage device. We also saw how to hide a partition using the standard method of flipping the 5th bit of the partition ID. From this moment on we’re stepping off the tracks and will use the tools at our disposal for things other than they were intended.

The Partition Table, Redux

Clever readers will have seen it coming when they read about the partition table in the previous article. Without those 64 bytes at the beginning of the disk, no one would know what partitions exist and where they are located. So that’s exactly what we’re going to fiddle with.

If we change the Partition Table, we don’t actually touch any of the real data on the disk. It’s the same with books: even if you remove the table of contents, you can still read the book; it’ll just be harder to find one specific chapter. If we remove a partition’s entry from the partition table, we’re not removing the partition, just the information needed to know where it is. If you memorize this info, which is only 3 numbers, you can later add it back to the table and access your data again.

Practical

A card with no partitions at all is suspicious, so we’ll create two partitions, and hide one of them afterwards.

Once again, we’re using sfdisk:

$ sudo sfdisk /dev/sde << EOF
> 0,500,6
> ,508,6
> EOF

This is the result:

david@Seven:~$ sudo sfdisk -l /dev/sde

Disk /dev/sde: 1009 cylinders, 4 heads, 62 sectors/track
Units = cylinders of 126976 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sde1          0+    499     500-     61999+   6  FAT16
/dev/sde2        500    1007     508      62992    6  FAT16
/dev/sde3          0       -       0          0    0  Empty
/dev/sde4          0       -       0          0    0  Empty

Put a FAT16 filesystem on the second partition…

$ sudo mkfs.vfat -F16 /dev/sde2
mkfs.vfat 2.11 (12 Mar 2005)

…mount it, and save your secret data on it.

Hang tight, here comes the dirty bit.

We know our secret partition starts right after the first partition, is exactly 508 cylinders in size, and has 0x6 as its ID. You can memorize this data, or just copy the whole partition table to the end of the drive:

$ sudo dd bs=1 count=64 skip=446 seek=128118720 \
> if=/dev/sde of=/dev/sde
64+0 records in
64+0 records out
64 bytes (64 B) copied, 0.0282496 s, 2.3 kB/s

The Partition Table always starts at byte 446, so we skip those first few bytes. Byte 128118720 is the start of the last 64 bytes on my drive. You can calculate this by multiplying the size of a cylinder by the number of cylinders (both can be found in the output of sfdisk -l) and subtracting 64. Note that we made sure our two partitions don’t fully utilize the disk but leave 1 cylinder free, so that the last 126KB at the end of the drive are free for us to use.

Now let’s remove the partition from the partition table:

$ sudo sfdisk /dev/sde -N2 << EOF
> 0,0,0
> EOF

Our partition has magically disappeared. No operating system will be able to find the missing partition, but there exist special tools to recover the partition table. They do this by scanning the whole drive and looking for patterns that look like the beginning of a partition.

The one visible partition will obviously be of a smaller size than the whole drive. If for example you’re using a 2GB SD-card and want to avoid suspicion, replace the label with one from a 1GB SD-card, and make sure the visible partition is 1GB in size. This way, the only way to notice something is amiss is to run a partition editor and notice there’s a large chunk of unallocated space at the end of your drive.

The Invisible Partition in GParted, not quite invisible.

Revert

When you want to access your data again, you can just use sfdisk to recreate exactly the same partition using the numbers you memorized:

$ sudo sfdisk /dev/sde -N2 << EOF 
> ,508,6
> EOF

Or overwrite the partition table with the copy we made at the end of the drive:

$ sudo dd bs=1 count=64 skip=128118720 seek=446 \
> if=/dev/sde of=/dev/sde

Neither method touches any of the data on the actual partitions, so both are pretty safe to use, as long as you remember where your partition is located and don’t format the partition afterwards.

Advantages

  • Almost undetectable
  • Not accessible without changing the partition table (i.e. doing pretty advanced stuff)

Disadvantages

  • Possibly suspicious size discrepancy
  • Detectable using partition editor
Posted in How To, Linux, Sysadmin

Hide Data in Hidden Partitions

This is part 1 in a series on how to hide your data.

Introduction

First of all, the methods explained in this series are not secure. Anyone with some low-level knowledge of filesystems can tell there’s hidden data when looking at a raw image of your disk. Always complement these methods using encryption and plausible deniability methods. TrueCrypt is an excellent way to do this.

Second, these methods will destroy your data if you’re not careful. Use them at your own risk, and only on data you have backed up very well. These methods shouldn’t destroy your disk or memory card, since we’re purely toggling bits. However, I guarantee nothing. They should work on any general data storage device, be it a hard disk, a USB key or a flash card.

The Partition Table

The first sector on every disk contains the partition table: 64 bytes divided into 4 records of 16 bytes, one for each primary partition. This explains the mystery of why you can only create 4 primary partitions on a disk. Like most arbitrary limitations, this is a remnant of history.

Next to parameters like the start and the size of the partition, these records also contain the partition-type descriptor, an 8-bit ID identifying the filesystem on the partition. We’ll call it the partition ID or ID from here on. In hexadecimal, the ID for FAT12 is 0x01. For ext2, reiserfs and various other Linux filesystems the ID is 0x83. Here’s a list of all the partition IDs. Note that these are not regulated: filesystem creators can decide for themselves what ID their system has. The OS uses the partition ID to check whether it can mount the filesystem on that partition before actually trying to mount it.

Using sfdisk we can check out the partition table:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+   6  FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

This partition table comes from a 256MB CompactFlash card (on my PC, device /dev/sdd). As you can see, it has only one partition, encompassing all 1009 cylinders (minus 1 sector, see the plus and minus signs) and having ID 0x6, the standard for FAT16. This doesn’t mean there is a FAT16 filesystem on that partition, though; it only means there probably is.

The Standard Method

As weird as it sounds, there’s actually some kind of “standard” on hidden partitions. Using this method you’re not really hiding the data as much as putting it in a corner where no one can see it unless they turn their heads. Every operating system and partition manager will recognize it as a ‘hidden partition’, and thus, it’s not really hidden. It even gets mounted by default in certain Linux distributions.

Why use this then? It’s useful when you need to install multiple legacy operating systems that don’t like to work together (Windows, I’m looking at you here). GRUB, a Linux bootloader, actually has the commands hide and unhide, which implement this method. It’s also a quick, easy and non-destructive way to make sure the data can’t be accessed without some effort. Useful to hide data from a layperson.

The method is simple: flip the 5th least significant bit of the partition ID. The 0x6 (binary 00000110) for FAT16 becomes 0x16 (00010110). The 0x83 for Linux partitions becomes 0x93. Let’s say we want to hide the partition on my CompactFlash card:

$ sudo sfdisk --change-id /dev/sdd 1 16

Ta-da! You’ve now officially hidden your partition. The “1” parameter is the number of the partition on the specified disk you want to change. Change it to 2 to change the second partition, etc.

Here’s what the table looks like now:

$ sudo sfdisk -l /dev/sdd

Disk /dev/sdd: 1009 cylinders, 9 heads, 56 sectors/track
Units = cylinders of 258048 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sdd1          0+   1008    1009-    254267+  16  Hidden FAT16
/dev/sdd2          0       -       0          0    0  Empty
/dev/sdd3          0       -       0          0    0  Empty
/dev/sdd4          0       -       0          0    0  Empty

As you can see: hidden, but they still know it’s there.
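Both tricks in this series, the zeroed table entry with its copy stashed in the drive’s last 64 bytes (part 2 above) and the flipped 0x10 bit of the ID (this part), operate on the same 64 bytes at offset 446, and both leave traces in a raw image. The Python script below is an added example, not code from the original posts: it builds a small constructed disk image in memory, performs the table backup, entry removal, restore and ID bit flip on it, and then runs the checks someone reviewing the image would apply (hidden-flagged IDs, unallocated space after the last partition, a partition table sitting in the last 64 bytes). The image size, the partition layout and the PLAIN_TYPES set are my own choices; tail_copy_offset reproduces the article’s 128118720 from its sfdisk geometry.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # the 64-byte partition table sits at bytes 446..509 of sector 0
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510..511
HIDDEN_BIT = 0x10           # the bit the "standard method" flips: 0x06 -> 0x16, 0x83 -> 0x93
ENTRY = "<B3sB3sII"         # boot flag, CHS start, type ID, CHS end, LBA start, sector count
# Plain IDs whose 0x1N / 0x9N twins fdisk lists as "Hidden ..." (FAT12/16/32, NTFS, Linux).
PLAIN_TYPES = {0x01, 0x04, 0x06, 0x07, 0x0b, 0x0c, 0x0e, 0x83}


def tail_copy_offset(cylinder_bytes, cylinders):
    """Byte offset of the last 64 bytes of a device, computed from the sfdisk -l geometry."""
    return cylinder_bytes * cylinders - 64


def parse_table(table):
    """Decode the four 16-byte entries of a 64-byte table; empty slots are skipped."""
    entries = []
    for n in range(4):
        _boot, _chs0, ptype, _chs1, start, count = struct.unpack_from(ENTRY, table, 16 * n)
        if ptype == 0 and count == 0:
            continue
        entries.append({"slot": n + 1, "id": ptype, "start": start, "sectors": count})
    return entries


def build_image(total_sectors, layout):
    """Constructed disk image: zeros everywhere except an MBR holding (id, start, count) entries."""
    img = bytearray(total_sectors * SECTOR)
    for n, (ptype, start, count) in enumerate(layout):
        struct.pack_into(ENTRY, img, TABLE_OFFSET + 16 * n, 0, b"\0\0\0", ptype, b"\0\0\0", start, count)
    img[510:512] = SIGNATURE
    return img


def backup_table(img):
    """Copy the table into the device's last 64 bytes (what the article's first dd does)."""
    img[-64:] = img[TABLE_OFFSET:TABLE_OFFSET + 64]


def restore_table(img):
    """Overwrite the live table with the stashed copy (the article's second dd)."""
    img[TABLE_OFFSET:TABLE_OFFSET + 64] = img[-64:]


def zero_entry(img, slot):
    """Blank one entry, like sfdisk -N<slot> fed with 0,0,0; the partition's data is untouched."""
    off = TABLE_OFFSET + 16 * (slot - 1)
    img[off:off + 16] = bytes(16)


def set_hidden(img, slot, hidden=True):
    """Set or clear the hidden bit of one slot's type ID (sfdisk --change-id: 6 -> 16 and back)."""
    off = TABLE_OFFSET + 16 * (slot - 1) + 4
    img[off] = (img[off] | HIDDEN_BIT) if hidden else (img[off] & ~HIDDEN_BIT)


def audit(img):
    """Checks a reviewer of a raw image would run: hidden-bit IDs, unallocated tail, stashed table."""
    total = len(img) // SECTOR
    findings = []
    if img[510:512] != SIGNATURE:
        findings.append("sector 0 lacks the 0x55AA boot signature")
    entries = parse_table(img[TABLE_OFFSET:TABLE_OFFSET + 64])
    for e in entries:
        if e["id"] & HIDDEN_BIT and (e["id"] ^ HIDDEN_BIT) in PLAIN_TYPES:
            findings.append(f"slot {e['slot']}: type 0x{e['id']:02x} is hidden 0x{e['id'] ^ HIDDEN_BIT:02x}")
    used_end = max((e["start"] + e["sectors"] for e in entries), default=1)
    if total > used_end:
        findings.append(f"{total - used_end} unallocated sectors after the last partition")
    stash = parse_table(img[-64:])
    if stash and all(e["id"] and e["start"] and e["start"] + e["sectors"] <= total for e in stash):
        findings.append(f"last 64 bytes decode as a partition table with {len(stash)} entries")
    return findings


if __name__ == "__main__":
    # Constructed 2 MiB image with two FAT16 entries and a free tail, like the article's card.
    disk = build_image(4096, [(0x06, 63, 1000), (0x06, 1063, 2000)])
    backup_table(disk)
    zero_entry(disk, 2)
    print("after hiding:", audit(disk))
    restore_table(disk)
    print("after restore:", parse_table(disk[TABLE_OFFSET:TABLE_OFFSET + 64]))
```

To look at a real card, read only sector 0 and the last 64 bytes with dd into a file and hand them to parse_table; everything that writes in this script acts on the in-memory image, so nothing here changes a device.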

Advantages

  • Standard, supported by many OS’s and applications
  • Easy and fast to hide and unhide

Disadvantages

  • Standard, thus easily detected
  • Mounted by default in Linux, which easily defeats the purpose
Posted in How To, Linux, Sysadmin

IRC Quote (2)

Zeus WPI has an IRC channel which at any one time contains two dozen geeks discussing a myriad of topics ranging from the latest XKCD to the physics behind not being able to reach absolute zero.

Such a cornucopia of madness wouldn’t be complete without a bot for certain administrative tasks such as keeping stats on each user.

The “riddle” I posted last year is a question we pondered about for a few days back then:

We keep a log file of everything that is said on our IRC channel. What’s the fastest way to extract one random line said by a specified person from that file, with every line having an equal chance of being picked?

This we would use to implement a “quote”-command in our custom-made bot, which returns a quote for the named person.

To keep the problem interesting, no “persistent” data can be kept in memory over multiple queries, such as an index or a counter.

Adhemar was the only person to propose a solution, but we also asked our professor for Data Structures & Algorithms, Gunnar Brinkmann. As it turns out, Adhemar’s solution was very close to the one Prof. Brinkmann suggested.

Brinkmann’s Algorithm

This is the algorithm we were using:

totallines = 1
while not eof(logfile) do
   currentline = readline(logfile)
   if (rand() mod totallines) == 0 then
      currentquote = currentline
   totallines++
done

In plain English:

For every line i, pick that line with chance 1/i.

Adhemar’s Algorithm

Adhemar’s solution however, is a tad faster on a real-life system because it does not need the relatively expensive mod-operation for every line:

currenthighest = 0
while not eof(logfile) do
   currentline = readline(logfile)
   currentrand = rand()
   if (currentrand >= currenthighest)
      currentquote = currentline
      currenthighest = currentrand
done

Or:

The player who rolls the highest dice gets picked.

Empirical data suggests the second algorithm is about 1% faster than the first. Obviously this problem is I/O-bound, so these algorithms are probably as good as it gets without storing any data in memory.

Although the problem is relatively simple, the interesting thing to remember here is how to randomly pick an item from a set with an unknown number of items.
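Both algorithms above are single-pass reservoir sampling with a reservoir of one line. The Python below is an added example, not code from the post or the Zeus WPI bot: it implements both variants over a constructed sample log, adds the per-nick filter the pseudocode leaves out, and counts wins over many seeded runs so the “equal chance” claim can be checked. Two small departures from the pseudocode are deliberate: rng.randrange(i) == 0 replaces rand() mod i == 0 because the modulo is slightly biased when rand()’s range is not a multiple of i, and the second variant uses float keys in [0, 1) so that a tie, which >= would hand to the later line, is negligible. The log lines and nicks are made up.

```python
import random

# Constructed sample log (not the real Zeus WPI log): one "<nick> message" per line.
SAMPLE_LOG = """<adhemar> has anyone read the new xkcd?
<bob> you cannot reach absolute zero, third law and all that
<adhemar> the bot should keep stats per user
<carol> who broke the build?
<adhemar> when does the quote command land?
<bob> lunch?
"""
LINES = SAMPLE_LOG.splitlines()


def said_by(nick, lines):
    """Yield the message part of every line spoken by nick; `lines` may be an open file."""
    prefix = f"<{nick}> "
    for line in lines:
        if line.startswith(prefix):
            yield line[len(prefix):].rstrip("\n")


def quote_by_counter(nick, lines, rng=random):
    """Brinkmann's algorithm: the i-th matching line replaces the candidate with chance 1/i.
    randrange(i) == 0 stands in for `rand() mod i == 0` without the modulo bias."""
    chosen, i = None, 0
    for msg in said_by(nick, lines):
        i += 1
        if rng.randrange(i) == 0:
            chosen = msg
    return chosen


def quote_by_highest(nick, lines, rng=random):
    """Adhemar's algorithm: keep whichever line rolled the highest random key.
    With float keys in [0, 1) the tie that `>=` would give to the later line is negligible."""
    chosen, highest = None, 0.0
    for msg in said_by(nick, lines):
        key = rng.random()
        if key >= highest:
            chosen, highest = msg, key
    return chosen


def pick_counts(picker, nick, lines, trials, seed=1):
    """Run picker many times with a seeded RNG and count wins per line (uniformity check)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        msg = picker(nick, lines, rng)
        counts[msg] = counts.get(msg, 0) + 1
    return counts


if __name__ == "__main__":
    for picker in (quote_by_counter, quote_by_highest):
        print(picker.__name__, pick_counts(picker, "adhemar", LINES, 3000))
```

Because both pickers accept any iterable of lines, the bot can pass the open log file directly and still keep nothing in memory between queries; the counting helper is only there to show that each of a nick’s lines wins about equally often.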

Posted in Algorithms, Madness, Zeus

Zenity and rsync

Zenity is a neat little tool to create simple GUIs for your shell scripts. One of its most useful features is the progress dialog, which allows one to show the progress of a command using the all-familiar GTK progress bar.

Zenity and rsync

Zenity uses pipes to send commands to the dialogs. Any number sent to the Zenity instance while in progress mode will make the progress bar move to that number as the percentage completed. Any text that starts with # is set as the label above the progress bar.

Here’s an example shamelessly stolen and abbreviated from the manual:

        #!/bin/sh
        (
        echo "10" ; sleep 1
        echo "# Updating mail logs" ; sleep 1
        echo "20" ; sleep 1
        echo "# Resetting cron jobs" ; sleep 1
        echo "75" ; sleep 1
        echo "# Rebooting system" ; sleep 1
        echo "100" ; sleep 1
        ) |
        zenity --progress \
          --title="Update System Logs" \
          --text="Scanning mail logs..." \
          --percentage=0

To shape the output of a real application into data fit for Zenity mostly requires some creative awking. I couldn’t find an example to parse rsync output, so I made this awk-script to show the progress of an rsync operation:

{
   if (index($0, "to-check=") > 0)
   {
      split($0, pieces, "to-check=")
      split(pieces[2], term, ")");
      split(term[1], division, "/");
      print (1-(division[1]/division[2]))*100"%"
   }
   else
   {
      print "#"$0;
   }
   fflush();
}

Save it as rsync.awk and use it like this:

$ rsync -av --progress /media/disk/ ~/backup/usbstick/ |
   awk -f rsync.awk |
   zenity --progress --title "Backing up USB-Stick" \
      --text="Scanning..." --percentage=0 --auto-kill

Note that we pass rsync the --progress parameter so that it reports how far it has got. This results in the dialog shown above.

Thanks to Florian Purucker for the awk-script update which fixed a bug causing the progress to be calculated incorrectly, and to Matt Raines for the tip on --auto-kill.
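The awk script keys on the literal to-check= counter, and rsync rewrites progress lines in place with carriage returns, so a line-oriented filter sees several updates glued together. The Python filter below is an added example and is not the post’s script or part of rsync or Zenity: it does the same job as rsync.awk, splits the stream on both \r and \n, skips a zero total instead of dividing by it, and also accepts the to-chk= and ir-chk= counters that newer rsync releases print in place of to-check=. The sample rsync output embedded in it is constructed, not captured from the post’s run.

```python
import re
import sys

# The counter at the end of an rsync --progress line: "to-check=N/M" on the rsync versions the
# post used, "to-chk=N/M" or "ir-chk=N/M" (during incremental recursion) on newer releases.
COUNTER = re.compile(r"(?:to-check|to-chk|ir-chk)=(\d+)/(\d+)")


def progress_percent(line):
    """Percent complete (float) from one rsync --progress line, or None if it carries no counter."""
    m = COUNTER.search(line)
    if not m:
        return None
    remaining, total = int(m.group(1)), int(m.group(2))
    if total == 0:              # nothing to check yet; avoid the division the awk script would do
        return None
    return (1 - remaining / total) * 100


def to_zenity(line):
    """Translate one rsync line into what zenity --progress reads: a number, or a '#label' line."""
    pct = progress_percent(line)
    if pct is not None:
        return f"{pct:.1f}"
    line = line.strip()
    return f"#{line}" if line else None


def filter_stream(chunks):
    """Split rsync output on \\n and \\r (in-place progress updates) and translate each piece."""
    out = []
    for chunk in chunks:
        for piece in re.split(r"[\r\n]", chunk):
            z = to_zenity(piece)
            if z is not None:
                out.append(z)
    return out


# Constructed sample of `rsync -av --progress` output, with one \r-rewritten progress line.
SAMPLE = [
    "sending incremental file list\n",
    "photos/\n",
    "photos/a.jpg\n",
    "      32768  25%    1.20MB/s    0:00:00\r      131072 100%    1.30MB/s    0:00:00 (xfer#1, to-check=3/5)\n",
    "photos/b.jpg\n",
    "      262144 100%    2.00MB/s    0:00:00 (xfr#2, to-chk=0/5)\n",
]

if __name__ == "__main__":
    # Reads rsync from stdin and writes zenity's protocol to stdout, flushing per line.
    for z in filter_stream(sys.stdin):
        print(z, flush=True)
```

Save it as rsync_zenity.py and put python3 rsync_zenity.py in place of awk -f rsync.awk in the pipeline above; the rest of the command line stays the same.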

Posted in Linux, Sysadmin

Autographed

Last Thursday I went on my annual visit to the Bookfestival in Expo, Ghent. While my dad was disappointed by the lack of good comic books this year, I was delighted being able to pick up Stephenson’s Confusion, Morrow’s The Last Witchfinder, Simmons’ Olympos and a boxed edition of Clarke’s Jonathan Strange & Mr. Norrell for less than €19. A steal!
Jonathan Strange & Mr. Norrell

I got even more excited when back home I turned the first page of Volume 1 of Jonathan Strange & Mr. Norrell: The signature of Susanna Clarke!
Susanna Clarke’s Signature
I have no idea if it’s real or pressed on. There’s no impression of the pen, but it is in blue ink. Nonetheless, a pleasant surprise.

Posted in Books

Bargain Hunting in the UK

The pound sterling has taken a deep dive the last few months and continues to fall. Today it reached an amazing £1 = €1.07. For us euro-handlers this means we can pick up bargains on the other side of the pond. Since the UK is part of the European economic union, no import taxes need to be paid either.

Here’s a list of my favorite UK online stores:

The cheapest books can be found on The Book Depository, including worldwide free delivery. I’ve consistently had great experiences with them. Books ordered on Monday get delivered by Friday.

Great gifts and gadgets can be had at Firebox.com. Shipping is a tad expensive though, at £13 to Belgium.

Play.com has always been my first stop to buy movies, music and games with good prices and free worldwide delivery. Unfortunately they use their own currency exchange rate which is still stuck at last decade’s £1 = €1.5. A great alternative is Amazon.co.uk, with excellent prices and cheap shipping. A CD or DVD is sent to Belgium for about £2, software for £5.

If anyone else knows of good UK shops, please post it in the comments. The more shops the better. Happy over-the-channel shopping!

Posted in Shops

Samsung Loses, Ultimate Boot CD Wins

To cut a long story short: I had 2 disks to test, one a Seagate and the other a Samsung.

Using Seagate’s diagnostics utility SeaTools was a very smooth experience. After booting from the CD, a GUI application automatically started, including mouse support. Even basic users would feel right at home.

Trying to get Samsung’s HUtil to work was a nightmare. Apparently Samsung is as yet unaware of the existence of SATA CD/DVD drives. Using the CD my PC booted into FreeDOS just fine, but their script couldn’t detect the CD drive, so it couldn’t start the diagnostics utility. Trying it manually failed too, because the included drivers simply don’t support SATA drives.

I spent half an hour going back and forth changing settings in the BIOS and rebooting to no avail. This worked for some people though, so ymmv. Check out any settings on SATA compatibility modes.

One post on the internet revealed a method of booting using the Ultimate Boot CD, then switching to Samsung’s CD, and running the diagnostics from there. After reading up on UBCD, turns out those last two steps aren’t even necessary. UBCD includes the latest diagnostics utility for any hard-drive out there! Just boot it, select the utility from the menu, and it automatically starts.

So if you ever need to run diagnostics on a disk, don’t bother downloading and trying to boot the manufacturer’s utility. Just pop in the UBCD and you’re off. It also includes other stuff to do just about anything with your computer. Neat!

Posted in Sysadmin

How-To: Wrap a romantic present using Schamper

So you need to wrap a romantic present, but you’re all out of wrapping paper. Or you never had any. As a student, I face this situation constantly, and have become quite adept at surviving it.

The Victims
Here are the victims. I’m going to scavenge an old issue of Schamper, our university’s awesome student magazine, for wrapping paper.

My Favorite Article
Rip out your favorite or most romantic articles to use as wrapping material.

Two articles fused together
Use tape to paste every page together to make a long enough string of mind-blowing literature.

Wrap around
Wrap the string around the present. Use tape to paste the two ends together.

Cornered
There’s supposed to be a certain technique to do the corners neatly, but let’s face it: you’re wrapping her present using an old magazine. She’s not going to care about the corners. Also, I forgot.

Use tape vigorously to make sure the enlightening wrapping doesn’t fall apart.

Missing side
If you missed a side, a common error, just paste a page on top.

Fixed
That’s the beauty of this method: you can screw up and she’s never going to notice.

Nice Wrappings
Nothing says I love you like a big bald face on top of her present.

A job well done, another potentially problematic situation solved. You can tell her you custom-made the wrapping paper yourself, because that’s how much you love her!

Posted in How To, Madness, Personal

Make Athena Go Local

If you’re a student at UGent living in a dorm, you need to access the Internet through a VPN, but Minerva and Athena (a Citrix system) can be accessed locally. Using a clever line of commands, you can route all Athena traffic over the local network even while you’re connected through the VPN.

Obviously this will result in less lag when using Athena, but more importantly, it’ll also save precious megabytes of bandwidth from your VPN limit. All this while your regular internet connection remains untouched.

Type this in your shell:

for ip in `dig @ugdns1.ugent.be ugent.be axfr | grep citrix\
 | awk '{print $5}'`; do echo $ip;
sudo route add -net $ip netmask 255.255.255.255 eth0;
done;

It’ll find all Citrix-related addresses at UGent, and route them through your local network interface.

On the other hand, you need to connect through a VPN if you want to access Athena from outside of UGent. In this case, we can use our script to limit the VPN for Athena traffic only, and make all other Internet connections go locally. This will again save you precious megabytes from your VPN limit, while ensuring all other Internet traffic doesn’t get laggy.

sudo route add -net default eth0
for ip in `dig @ugdns1.ugent.be ugent.be axfr | grep citrix\
 | awk '{print $5}'`; do echo $ip;
sudo route add -net $ip netmask 255.255.255.255 tun0;
done;
Posted in How To, Linux, Sysadmin, UGent

Shell-fu

alias webshare='python -c "import SimpleHTTPServer;\
SimpleHTTPServer.test()"'

Want to show something on your machine to someone over the web? Don’t copy it or upload it somewhere. Just run “webshare” and the current directory and everything beneath it will be served from a new web server listening on port 8000. When your pal is finished, hit control-c.

Awesome.

Gems like this can be found on the aptly named Shell-Fu.

Posted in Linux, Sysadmin