Disk space is allocated in clusters of a certain size. When a file is written to disk and the file size is smaller than the cluster(s) allocated for it, there is an unused portion of varying size between the end of the file’s data and the end of the allocated clusters. This unused space is the slack space. It’s perfectly normal, and [Zachary Parish] had an idea to write a tool to hide data in it.

[Zachary]’s tool is written in Python and can map available slack space and perform read and write operations on it, treating the disparate locations as a single unified whole in which to store arbitrary files. A little tar and gzip even helps make things more efficient in the process.
There’s a whole demo implemented on Linux using a USB drive with some decoy files to maximize the slack space, and you can watch it in action in the video embedded below. It’s certainly more practical than hiding data in a podcast!
Note that this is just a demo of the concept. The approach does have potential for handling secret data, but [Zachary] points out that, from a serious data forensics point of view, there are a number of shortcomings in its current form. For example, the way the tool currently structures and handles data makes it quite obvious that something is going on in the slack space.
[Zachary] created this a few years ago and has some ideas about how to address those shortcomings and evolve the tool, so if you have ideas of your own or just want to try it out, the slack_hider GitHub repository is where you want to go.
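The cluster arithmetic described above, seen from the examiner's side, as an added example that is not code from slack_hider: it computes where each file's slack begins and classifies what sits there. The 4096-byte cluster size, the contiguous file layout, the 7.0 bits-per-byte entropy threshold and the in-memory sample image are all assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

CLUSTER = 4096  # assumed cluster size in bytes

def slack_range(start_cluster, size, cluster=CLUSTER):
    """(offset, length) of the slack after a contiguous file's last data byte."""
    allocated = math.ceil(size / cluster) * cluster
    base = start_cluster * cluster
    return base + size, allocated - size

def entropy(data):
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def audit(image, files, cluster=CLUSTER, threshold=7.0):
    """Classify each file's slack: zeroed, residual (low entropy), or high-entropy."""
    report = {}
    for name, start, size in files:
        off, length = slack_range(start, size, cluster)
        payload = image[off:off + length].rstrip(b"\x00")
        if not payload:
            report[name] = "zeroed"
        elif entropy(payload) >= threshold:
            report[name] = "high-entropy"  # compressed/encrypted-looking: review
        else:
            report[name] = "residual"      # e.g. remnants of older files
    return report

def build_sample():
    """Constructed 3-cluster image: (name, start_cluster, size) per file."""
    files = [("a.txt", 0, 1000), ("b.txt", 1, 100), ("c.txt", 2, 500)]
    noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    fills = {"a.txt": b"", "b.txt": b"old log line\n" * 400, "c.txt": noise}
    image = bytearray(3 * CLUSTER)
    for name, start, size in files:
        off, length = slack_range(start, size)
        image[start * CLUSTER:off] = b"A" * size   # visible file content
        fill = fills[name][:length]
        image[off:off + len(fill)] = fill          # what sits in the slack
    return bytes(image), files

if __name__ == "__main__":
    img, sample_files = build_sample()
    for name, verdict in audit(img, sample_files).items():
        print(name, verdict)
```

Low-entropy residue is expected on a used disk, since slack often holds fragments of older files; slack that looks compressed or encrypted is the pattern worth a closer look.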
Yea cute in the 286 age + python. I need to go barf now
Yo, dawg, I heard you like writing useless comments. So I put a useless comment in reply to your useless comment so you can read useless comments while you’re writing useless comments.
whining about python? you gonna cry about rust next? grow up.
I remember back in the 90s when viruses were hiding in unused space of floppy disks.
Also it reminds me of formatting 1.44Mb floppy disks to 1.7Mb
There is (/was?) a Linux tool called bmap that does exactly the same:
https://linuxsecurity.com/features/linux-data-hiding-and-recovery
and of course there is another tool to reveal data hidden in slack space
https://github.com/rafa32/SPA
Windows-98 era.
Used to find all sorts of stuff tucked into the slack space. I’d always set any drive cleaners to sweep them. From what I can recall, seemed like a lot of trial-wares used the slack space to hide things.
Supposedly “un-copyable” streaming audio/video buffers seemed to get put there also.
If memory serves me correctly, “Cool Edit” (no working “save” function) trial version, did it with your project.
A fundamental part of any forensic drive exam (after imaging) is to look in the slack space. The good (expensive) tools even identify encryption indicators so that you are at least aware someone may be hiding something there.
Also, IIRC slack space is a good source of pieces of previously deleted files that have not been overwritten.
Am I missing something here? I’m surprised someone thinks this is new.
It might not be new to you, but I’ve never heard of the idea or the concept.
What you really want to do is hide encrypted random gibberish in most of the slack space so your adversary spends time on a wild goose chase.
Sure, it’s not super safe, but for going across a border where they just look at the files on your disk normally and quickly it’s not a bad idea.
Or you could memorize a URL and download the data on the other side. That’s how people who work with sensitive data do it.
Or a whole virtual machine, accessed via company main Web page.
Typically requires a Token key to establish a secure link.
For a second, I thought everybody was talking about using Slack messaging as file storage.
Same, and that would be a bit interesting 🤔
Years ago some systems had variable cluster sizes, maybe something like a meta filesystem that puts smaller clusters in a cluster.