Data hiding and finding on Linux
Anton Chuvakin, Ph.D.
Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404, please Google around.
The article briefly touches upon hiding, finding and destroying data on Linux file systems. It should become clear that the area of computer forensics, aimed at recovering evidence from captured disk drives, has many challenges, requiring knowledge of hardware, operating systems and application software.

It is common knowledge that what is deleted from a computer can sometimes be brought back. A recent analysis of the security implications of "alternative data streams" on Windows NT by Kurt Seifried (http://seifried.org/security/advisories/kssa-003.html) has shown that the NTFS filesystem allows data hiding in "alternative data streams" attached to files. These data streams are not destroyed by many file wiping utilities that promise irrecoverable removal of information, because the utilities only overwrite the file's main data stream. Wiping a file means "securely" deleting it from disk: the blocks that held its contents are overwritten before the file is removed, whereas the usual deletion merely removes the file's entry from the directory and marks its blocks as free, leaving the contents on disk until they happen to be reused. After a proper wipe, file restoration becomes extremely expensive or impossible.
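The following script, added here as an illustration and not part of the original article, shows the difference between unlinking a file and wiping it, using the same sequence of steps that shred(1)-style tools use: overwrite the file's bytes in place with several patterns, force each pass to the device, truncate, rename the directory entry to a junk name, then unlink. All names (overwrite_in_place, remove_traces, wipe, demo) and the sample content are the example's own; it assumes a filesystem that rewrites data blocks in place, which is stated in the comments.

```python
"""Unlinking vs. wiping a file on a Linux filesystem.

Added example (not code from the article). Assumes the filesystem writes
in place: on journaling data modes, copy-on-write filesystems (btrfs, ZFS),
snapshots or SSDs with wear levelling, overwriting "the file" does not
guarantee that the original blocks are touched, and a wipe may be moot.
"""
import os
import tempfile

# Overwrite passes: fixed byte patterns, then one pass of random bytes.
PATTERNS = (b"\x00", b"\xff", None)  # None = os.urandom for that pass


def overwrite_in_place(path: str, passes=PATTERNS, chunk=64 * 1024) -> None:
    """Overwrite every byte of `path` with each pattern, syncing after each pass.

    Opening with r+b keeps the same inode, so on an in-place filesystem the
    same data blocks are rewritten rather than newly allocated ones.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next


def remove_traces(path: str) -> str:
    """Truncate, rename to a junk name, sync the directory, unlink.

    Returns the junk path so a caller can confirm it no longer exists.
    """
    with open(path, "r+b") as f:
        f.truncate(0)  # original length no longer visible in the inode
        os.fsync(f.fileno())
    directory = os.path.dirname(path)
    junk = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, junk)  # original file name no longer sits in the directory
    if os.name == "posix":  # directory fsync is a POSIX notion
        dir_fd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dir_fd)  # commit the rename to the directory's own blocks
        finally:
            os.close(dir_fd)
    os.unlink(junk)
    return junk


def wipe(path: str) -> str:
    """Full wipe: overwrite contents, then remove the directory traces."""
    overwrite_in_place(path)
    return remove_traces(path)


def demo() -> dict:
    """Wipe a temp file and report what a later reader of the blocks sees."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "secret.txt")
    secret = b"password=hunter2\n" * 1000  # constructed sample content
    with open(path, "wb") as f:
        f.write(secret)
    # Inspect the bytes after the overwrite passes but before unlinking, to
    # show the contents were replaced rather than merely unreferenced.
    overwrite_in_place(path)
    with open(path, "rb") as f:
        after = f.read()
    junk = remove_traces(path)
    return {
        "size_preserved": len(after) == len(secret),
        "secret_gone": secret[:16] not in after,
        "file_exists": os.path.exists(path) or os.path.exists(junk),
    }


if __name__ == "__main__":
    print(demo())
```

Plain `rm` performs only the last step, `unlink`, and none of the overwriting: the blocks keep the secret until reused, which is exactly what a forensic examiner reading the raw device looks for. Note also that this routine only reaches the bytes the file reports as its own; anything stored outside the main stream (NTFS alternate data streams, or on Linux, slack space at the end of the last block and extended attributes) is untouched by it.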