Evading Disk Investigation and Forensics using a Cluster-Based Covert Channel ∗

Contemporary storage-based information hiding methods support plausible deniability by embedding encrypted information among bulk random content. Since the presence of random data is easily detected, these schemes facilitate plausible deniability by enabling disclosure of less sensitive information whilst concealing the existance of some other information. We propose a covert channel on storage media in which information is embedded by modifying the fragmentation patterns in the cluster distribution of an existing file. As opposed to existing schemes, the proposed covert channel does not require storage of any additional information on the filesystem. Since fragmentation also occurs through normal usage of a filesystem, our proposed channel allows one to conceal the very existence of hidden data, and consequently is the first storage-based covert channel to support an additional layer of two-fold plausible deniability.