Wednesday, October 1, 2014

Hiding Data in Slack space: USB Drive

What is slack space?
Slack space refers to portions of a hard drive that are not fully used by the current allocated file and which may contain data from a previously deleted file.
In this post, we will hide data on a USB Drive. The drive is formatted FAT with sectors of 512 bytes and cluster sizes of 2048 bytes.

There is one file on this drive which is 62 bytes

Considering the Cluster (allocation unit) is 2048 bytes and this file is 62 bytes, this means we should have slack space of 1986 bytes. Since the sector is 512 bytes and the file is 62 bytes, we have 450 bytes which will be padded by data as determined by the operating system. The other 1536 bytes we will use part of it to hide some data..

As can be seen above, we have now modified the raw bytes on the drives to put the data we would like to have there.
This concludes the series of posts on data hiding. Obviously there a number of ways of hiding data on a computer system, I just wanted to touch on a few to show what is possible.
Hope you enjoyed the reading