I am here because I am taking a class in which we are required to frequent a computer forensic forum and report back on things. It seems that every time I find a topic that is of interest to me the conversation is hijacked by jaclaz.
It's very frustrating and disappointing to see a thread that has an interesting question and then read pages of sarcasm.
You might be happy to know that jaclaz is a member of this computer forensic focus ONLY, so, if you find his posts too sarcastic for your tastes, you may well choose to frequent another computer forensic forum to fulfill your assignment thus avoiding his perverted humour.
I too have heard that you can hide data this way. Exactly how it works, I am not sure of, which is why I wanted to read more about this topic on this thread. It is a shame a real conversation couldn't take place about this topic.
The original poster might be interested in this: http://www.berghel.net/publications/data_hiding/data_hiding.php
The whole point - if you can bear with me without being too frustrated or disappointed - is that these kinds of topics are invariably originated by:
- hearsay
- nice theoretical papers about obsolete or specific hardware or filesystems or arcane operating systems or incomplete or "limited" in practice articles or POC's
- nice ideas/approaches that are extremely complex or inconvenient to be put into practice, involving high cost specialized hardware and what not
- vague anecdotal reports
If you read attentively the (BTW really nice) article you linked to, you will see how while it provides a set of very good example cases, it is essentially a "warning" article, in the sense that it says "Be aware that this and this other is possible and the single tool we used was not capable of finding the hidden data in all cases. Something should be done for this."
Now, when we go for "bad sectors", they can be made "bad" (or inaccessible or "hidden") in two ways:
- [1] at a "logical" level inside the filesystem or in the partitioning scheme
- [2] at a "physical" level inside the actual hard disk (or more generally mass storage) device firmware/structures
The difference is not-so-trifling:
#1 can be created, found, detected, read, accessed by *any* tool capable of accessing the disk sectors directly or at "physical level", let's say for the sake of it the almost ubiquitous "dd".
#2 cannot be created, detected, read, accessed if not (maybe) on a number of specific devices, using specific hardware tools.
As an example, it would be much more convenient for #2 to use instead of a modern hard disk a USB memory stick as the tools needed to program/connect the device are entirely software (but then you will need to hide the "special" software too, as it would raise suspicions if found).
The concept of hiding data is derived by the physical world where you want to hide physical objects, but usually even in the physical world you want to hide things and retrieve them when needed in a convenient and inconspicuous manner, i.e. (example) if you want to hide the US$ 100,000.00 you just got by robbing the bank, you want to put it in a zip bag (to protect them from degradation), inside a wooden or metal box (to protect them for other accidental damages) and put it in a cavity under a loose plank of your wood floor.
You could actually put them in just a zip bag and have it inside the concrete cast of your floor, but retrieving them when needed would take a long time and make a lot of noise.
Now, in order to further hijack the topic, a completely random example of another data hiding technique.
Take a MicroSD card
http//
Save your data to be hidden (Gbytes of it) on it (possibly in an encrypted form).
Get (say) this SSD
http//
Open its case and put the microSD in it, securing it with a bit of double sided adhesive tape.
How probable is it that the SSD case will be opened or X-rayed (and the microSD card found)?
How difficult/complex is it to reopen the SSD case and retrieve the microSD (and the data)?
Which tools are needed to retrieve it?
Should all SSDs' cases (and all hard disks for that matter) be opened and inspected for hidden microSDs?
jaclaz
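
An added example, not part of the original post, of the point made about case #1: sectors marked bad at the filesystem level remain readable to anything that reads the raw image, so an examiner can list them and check whether they hold data. It assumes a FAT16 volume (the thread names no filesystem); the function names and the sample image are constructed for illustration.

```python
import struct

BAD_FAT16 = 0xFFF7  # FAT16 entry value that flags a cluster as bad

def bad_clusters_with_data(img: bytes):
    """Return [(cluster, byte_offset, nonzero_bytes)] for each FAT16 cluster
    that the FAT marks bad but that reads back with non-zero content."""
    # BIOS parameter block fields, boot sector offsets 11..23
    bps, spc, rsvd, nfats, root_ents, tot16, _media, fatsz = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    total = tot16 or struct.unpack_from("<I", img, 32)[0]
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_data = rsvd + nfats * fatsz + root_secs   # sector of cluster 2
    n_clusters = (total - first_data) // spc
    fat_off = rsvd * bps                            # first FAT copy
    hits = []
    for c in range(2, n_clusters + 2):
        (entry,) = struct.unpack_from("<H", img, fat_off + 2 * c)
        if entry != BAD_FAT16:
            continue
        off = (first_data + (c - 2) * spc) * bps
        data = img[off:off + spc * bps]
        nonzero = len(data) - data.count(0)
        if nonzero:                                 # "bad" yet readable and not empty
            hits.append((c, off, nonzero))
    return hits

def make_sample_image() -> bytes:
    """Constructed volume: 512-byte sectors, 1 sector per cluster, 1 reserved
    sector, one 17-sector FAT, 16 root entries, 4200 sectors (4181 clusters)."""
    bps, total, fatsz = 512, 4200, 17
    img = bytearray(bps * total)
    struct.pack_into("<HBHBHHBH", img, 11, bps, 1, 1, 1, 16, total, 0xF8, fatsz)
    img[510:512] = b"\x55\xaa"
    fat = bps                                       # FAT follows the boot sector
    struct.pack_into("<HH", img, fat, 0xFFF8, 0xFFFF)    # reserved entries 0, 1
    struct.pack_into("<H", img, fat + 2 * 5, BAD_FAT16)  # cluster 5: bad, has data
    struct.pack_into("<H", img, fat + 2 * 9, BAD_FAT16)  # cluster 9: bad, empty
    first_data = 1 + fatsz + 1                      # boot + FAT + root directory
    off5 = (first_data + (5 - 2)) * bps
    img[off5:off5 + 11] = b"constructed"
    return bytes(img)

if __name__ == "__main__":
    for cluster, off, n in bad_clusters_with_data(make_sample_image()):
        print(f"cluster {cluster} @ byte {off}: marked bad, {n} non-zero bytes")
```

On a real acquisition the same function can be fed the bytes of a partition image taken with dd; a cluster that is genuinely failing would normally produce a read error during imaging rather than clean data.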