File System Steganography

    Hi, Habr.


    I want to introduce you to a small project on steganography made in your free time from studies.


    I made a project for the hidden storage of information in a file system (hereinafter referred to as the FS ).
    It can be appliedto steal confidential information for educational purposes.


    Image


    A very old Linux ext2 FS was chosen as a prototype .



    Implementation


    Implementation Considerations


    If it is good to “extort” the ext2 standard, then it can be replaced that in the FS there is the so-called Superblocks , which gives basic information about the system. After me Block Bitmap and Inode Table were found . Almost immediately, the idea was born of recording information in currently empty FS blocks. Now it was worth considering protection from a programmer armed with a hex editor .


    If you store hidden information without encryption, then, despite its FS blur, it will still be too conspicuous, especially if the programmer knows what to look for. Therefore, it was decided to encrypt all blocks of the source file. I chose the block cipher AES , but as you know, this is not important.


    To separate the necessary blocks from all the others when reading, it was decided to add to each block by a special marker at the beginning of the block. This token was encrypted depending on the block number in the source file. Such a trick immediately allowed not only to find the necessary blocks, but also to find out their correct order.


    The general principle of the system.


    image


    Recording algorithm


    The points:


    • First, write some information to the source file system;
    • Delete this information (not necessarily all);
    • Divide the file for hiding into blocks of the same length by adding a marker;
    • Encrypt these blocks;
    • Place encrypted blocks in empty FS blocks.

    For lovers of flowcharts

    Below is a block diagram of the recording algorithm. At the input, the algorithm receives four files:
    -An image of a modifiable file system;
    -Steganography file;
    -File with encryption key for AES;
    -File with marker.
    image


    It should be noted right away that this algorithm has one drawback: after writing a file to the FS, it is impossible to write anything new to the FS, since any new information can fall into the blocks that we allocated to our zipped file, though this opens up the possibility "Sweeping tracks."


    But it’s quite obvious how this can be fixed: it is necessary to rewrite the algorithm for writing blocks to the FS. This is a clear, but incredibly time-consuming task.
    For Proof Of Consept, I did not implement this.


    As a result, the following changes in the FS will be obtained, so the FS looks like before steganography (an audio file was previously recorded).
    image
    And it looks like a FS with already zaghestanografirovannoy information.
    image


    Reading algorithm


    The points:


    • With the knowledge of the key and the method of constructing markers, compose the first N markers, with the guarantee that N multiplied by the length of the file system block is greater than the length of the zipped file;
    • Search for blocks in the FS starting with markers;
    • Decrypt the received blocks and separate the markers;
    • Collect the received blocks in the correct order and get the source file.

    For lovers of flowcharts

    Below is a block diagram of the recording algorithm. At the input, the algorithm receives three files:
    -A file system image;
    -File with encryption key for AES;
    -File with marker.
    image


    After the program runs, a Read file appears, which will be extracted from the steganographed FS file; if the key or marker was incorrect, the Read file will be empty.
    (for lovers of prettiness, you can intersperse not only a file, but a "header" containing meta-information: file name, rights, time of the last change, etc.)


    Startup automation


    For convenience, bash scripts were written that automate the launch on Linux (tested on Ubuntu 16.04.3 LTS).
    We will analyze the launch in steps.
    Record:


    1. sudo Copy_Flash.sh “DEVICE” - get the image of the FS from DEVICE (flash);
    2. ./Write.sh “FILE” “KEY” “MARKER” - create a virtual environment, download the necessary libraries and run the script to record;
    3. sudo ./Write_Flash.sh “DEVICE” - write the changed file system back to DEVICE.

    Reading:


    1. sudo Copy_Flash.sh “DEVICE” - get the image of the FS from DEVICE (flash);
    2. ./Read.sh “KEY” 'MARKER ”- create a virtual environment, download the necessary libraries and run the script to read;
    3. In the current directory, open the Read file - this is the zagheganografirovannaya information.

    Conclusion


    This steganography method probably needs refinement, additional testing, and expansion to more popular file systems such as Fat32 , NTFS, and ext4 .
    But the aim of this work was to show the principle by which it is possible to carry out the hidden storage of information in the file system.
    Using such algorithms, you can safely store information, and if knowing a key it is possible to crack such a system not by exhaustive search (but by a very long algorithm), then without knowing the key this system seems absolutely stable, however, this may serve as a reason for a separate article.


    All code is implemented in Python version 3.5.2. An example of work is presented on my youtube channel. The full project code is posted on github .
    (Yes, I know that for the production version you need to write in something "fast", for example in C;))
    In this implementation, the size of the input file for steganography should not exceed 1000 kB.


    I would like to thank the user PavelMSTU for valuable advice in planning the study and recommendations for the design of the article.


    Also popular now: