In the first article we learned about the Partition Table and how it identifies the partitions on our storage device. We also saw how to hide a partition using the standard method of flipping the 5th bit of the partition ID. From this moment on we’re stepping off the tracks and will use the tools at our disposal for things other than they were intended.
This is part 2 in a series on how to hide your data.
Warning: Don’t rely on this tutorial actually hiding your data. This is for academic and experimental purposes only. Always complement it with encryption and plausible-deniability tools such as TrueCrypt.
The Partition Table, Redux
Clever readers will have seen it coming when they read about the partition table in the previous article. Without those 64 bytes at the beginning of the disk, no one would know what partitions exist and where they are located. So that’s exactly what we’re going to fiddle with.
If we change the Partition Table, we don’t actually touch any of the real data on the disk. It’s the same with books: even if you remove the table of contents, you can still read the book, it’ll just be harder to find one specific chapter. If we remove a partition’s entry from the partition table, we’re not removing the partition, only the information needed to know where it is. That information is just three numbers (start, size and type ID); if you memorize them, you can later add the entry back to the table and access your data again.
A card with no partitions at all is suspicious, so we’ll create two partitions, and hide one of them afterwards.
Once again, we’re using sfdisk:
$ sudo sfdisk /dev/sde << EOF
> 0,500,6
> ,508,6
> EOF
This is the result:
david@Seven:~$ sudo sfdisk -l /dev/sde

Disk /dev/sde: 1009 cylinders, 4 heads, 62 sectors/track
Units = cylinders of 126976 bytes, blocks of 1024 bytes, counting from 0

   Device Boot Start     End   #cyls    #blocks   Id  System
/dev/sde1          0+    499     500-     61999+   6  FAT16
/dev/sde2        500    1007     508      62992    6  FAT16
/dev/sde3          0       -       0          0    0  Empty
/dev/sde4          0       -       0          0    0  Empty
Put a FAT16 filesystem on the second partition…
$ sudo mkfs.vfat -F16 /dev/sde2
mkfs.vfat 2.11 (12 Mar 2005)
…mount it, and save your secret data on it.
Hang tight, here comes the dirty bit.
We know our secret partition starts right after the first partition, and is exactly 508 cylinders in size, with 0x6 as ID. You can memorize this data, or just copy the whole partition table to the end of the drive:
$ sudo dd bs=1 count=64 skip=446 seek=128118720 \
>   if=/dev/sde of=/dev/sde
64+0 records in
64+0 records out
64 bytes (64 B) copied, 0.0282496 s, 2.3 kB/s
The Partition Table always starts at byte 446 of the drive, so we skip those first bytes. Byte 128118720 is where the last 64 bytes of my drive begin. You can calculate it by multiplying the size of a cylinder by the number of cylinders (both can be read from the output of sfdisk -l) and subtracting 64: here 1009 × 126976 − 64 = 128118720. Note that we made sure our two partitions don’t fully use the disk but leave one cylinder free, so the last 126KB at the end of the drive are free for us to use.
Now let’s remove the partition from the partition table:
$ sudo sfdisk /dev/sde -N2 << EOF
> 0,0,0
> EOF
Our partition has magically disappeared. No operating system will find the missing partition on its own, but special tools exist to recover partition tables. They work by scanning the whole drive for patterns that look like the beginning of a partition, such as a filesystem’s boot sector.
The one visible partition will obviously be smaller than the whole drive. If, for example, you’re using a 2GB SD-card and want to avoid suspicion, replace the label with one from a 1GB SD-card and make sure the visible partition is 1GB in size. That way, the only way to notice something is amiss is to open the card in a partition editor and see a large chunk of unallocated space at the end of the drive.
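To make the detection side concrete, here is an added example (not code from the original article) that does in Python what a partition editor or recovery tool does when it looks at a drive: decode the 64-byte MBR table at byte 446, measure the unallocated space after the last listed partition, scan the unallocated sectors for FAT boot-sector signatures, and check whether the last 64 bytes of the drive parse as a spare copy of the partition table. The disk image is constructed in the script (a 1 MiB image with one visible partition, one zeroed-out entry and a table copy parked at the end); its sector numbers and the helper names are assumptions made for the example, while the 1009 × 126976 − 64 arithmetic is the article’s own.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446       # the 64-byte MBR partition table sits at bytes 446..509
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type ID, CHS end, LBA start, sector count


def table_copy_offset(cylinders, cylinder_bytes):
    """Byte offset of the last 64 bytes of a drive, as the article computes it."""
    return cylinders * cylinder_bytes - 64


def parse_table(table64):
    """Decode the four 16-byte entries of a partition table; skip empty slots."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, table64, i * 16)
        if ptype != 0 and count != 0:
            entries.append({"status": status, "type": ptype, "start": lba, "sectors": count})
    return entries


def unallocated_tail(entries, total_sectors):
    """Sectors between the end of the last listed partition and the end of the disk."""
    last_end = max((e["start"] + e["sectors"] for e in entries), default=1)
    return total_sectors - last_end


def looks_like_fat_boot_sector(sector):
    """A FAT boot sector starts with a jump opcode, names its FAT type at
    offset 54 (FAT12/16) or 82 (FAT32), and ends with the 0x55AA signature."""
    return (sector[0] in (0xEB, 0xE9)
            and sector[510:512] == b"\x55\xAA"
            and (sector[54:57] == b"FAT" or sector[82:85] == b"FAT"))


def scan_unallocated(image, entries):
    """LBAs outside every table entry whose sector looks like a FAT boot sector."""
    total = len(image) // SECTOR
    allocated = [range(e["start"], e["start"] + e["sectors"]) for e in entries]
    hits = []
    for lba in range(1, total):
        if any(lba in r for r in allocated):
            continue
        if looks_like_fat_boot_sector(image[lba * SECTOR:(lba + 1) * SECTOR]):
            hits.append(lba)
    return hits


def table_copy_at_end(image):
    """Decode the drive's last 64 bytes as a partition table. Random data rarely
    yields entries with a valid status byte and bounds that fit inside the disk."""
    total = len(image) // SECTOR
    return [e for e in parse_table(image[-64:])
            if e["status"] in (0x00, 0x80) and e["start"] + e["sectors"] <= total]


def audit(image):
    """Everything a partition editor or recovery tool would notice about the image."""
    total = len(image) // SECTOR
    entries = parse_table(image[TABLE_OFFSET:TABLE_OFFSET + 64])
    return {
        "entries": entries,
        "tail_sectors": unallocated_tail(entries, total),
        "boot_sectors_in_gaps": scan_unallocated(image, entries),
        "table_copy_at_end": table_copy_at_end(image),
    }


def build_sample_image(total_sectors=2048):
    """Constructed 1 MiB image: one visible FAT16 partition, a second one whose
    MBR entry has been zeroed, and a copy of the full table in the last 64 bytes."""
    img = bytearray(total_sectors * SECTOR)
    visible = struct.pack(ENTRY_FMT, 0x00, bytes(3), 0x06, bytes(3), 1, 1000)
    hidden = struct.pack(ENTRY_FMT, 0x00, bytes(3), 0x06, bytes(3), 1001, 1000)
    empty = bytes(16)
    img[TABLE_OFFSET:TABLE_OFFSET + 64] = visible + empty * 3   # slot 2 zeroed out
    img[510:512] = b"\x55\xAA"
    for lba in (1, 1001):                    # minimal FAT16 boot sector per partition
        base = lba * SECTOR
        img[base] = 0xEB
        img[base + 54:base + 62] = b"FAT16   "
        img[base + 510:base + 512] = b"\x55\xAA"
    img[-64:] = visible + hidden + empty * 2  # spare table parked past the last partition
    return bytes(img)


if __name__ == "__main__":
    print(table_copy_offset(1009, 126976))   # 128118720, the offset used in the article
    for key, value in audit(build_sample_image()).items():
        print(f"{key}: {value}")
```

Run against the constructed image, the audit reports a 1047-sector gap after the only listed partition, a FAT boot sector at LBA 1001 inside that gap, and two sane-looking entries in the last 64 bytes. Each of those findings on its own is what turns “unallocated space” into “something was deliberately removed from the table”, which is why the size trick described above only buys time against a casual look, not against a tool that reads the raw sectors.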
When you want to access your data again, you can just use sfdisk to recreate exactly the same partition using the numbers you memorized:
$ sudo sfdisk /dev/sde -N2 << EOF
> ,508,6
> EOF
Or overwrite the partition table with the copy we made at the end of the drive:
$ sudo dd bs=1 count=64 skip=128118720 seek=446 \
>   if=/dev/sde of=/dev/sde
Neither method touches any of the data on the actual partitions, so both are fairly safe to use, as long as you remember where your partition is located and don’t reformat or repartition the drive in the meantime.
Pros:
- Almost undetectable
- Not accessible without changing the partition table (i.e. doing pretty advanced stuff)

Cons:
- Possibly suspicious size discrepancy
- Detectable using a partition editor