Hiding large amounts of data in virtual disk images

author: Gašper Fele-Žorž, Faculty of Computer and Information Science, University of Ljubljana
published: July 24, 2017,   recorded: May 2017,   views: 844




Over the past few decades, multiple methods for hiding data on hard drives have been devised. Most of these depend on unallocated space either between or within filesystems. Since methods for hiding data may also be used by criminals, they are of interest to digital forensic investigators. Tools used by investigators therefore usually support features for inspecting places where data may be hidden, such as deleted files, unallocated sectors or alternate data streams. Virtualization of and on personal computers is widely available and can be used to support old software which might otherwise not run on modern hardware. Virtualization is also essential in developing low-level software, such as operating systems, and is an essential component of all solutions for cloud computing. Virtualization technologies are therefore widely used and will likely remain popular in the foreseeable future. With virtual computers it is often more convenient to use files as virtual hard drives instead of physical disks. These files are typically large, so data could potentially be hidden within them, depending on the virtual disk image format. We have analyzed the most popular virtual disk image file formats and devised three general approaches for hiding data within such files. Two of these approaches allow large amounts of data to be hidden. The hidden data is unlikely to be detected by current digital forensics tools. New techniques and procedures will have to be developed to detect such data. We have implemented one of the approaches, which can be used to store practically unlimited amounts of data, in a library which is freely available.
