Data confidentiality on a computer can be achieved using encryption. However, encryption is ineffective under a forensic investigation mainly because the presence of encrypted data on a disk can be easily detected and disk owners can subsequently be forced (by law or other means) to release decryption keys. To evade forensic investigation, intelligent information hiding techniques that support plausible deniability have been proposed as an alternative to encryption; plausible deniability allows an evader to hide data in a manner such that he/she can deny the very existence of the data.

In this paper, we present a new, plausible deniability approach to store sensitive information on a cluster-based filesystem. Under the proposed approach, a covert channel is used to encode the sensitive information by modifying the fragmentation patterns in the cluster distribution of an existing file. As opposed to existing schemes, the proposed covert channel does not require storage of any additional information on the filesystem. Moreover, the channel provides two-fold plausible deniability so that an investigator without the key cannot prove the presence of hidden information.

We derive the theoretical capacity of the covert channel and show that a capacity of up to 24 bits/cluster can be achieved on a half-empty disk. The proposed data hiding and recovery algorithms are implemented on FAT32 based disk drives and we show that the disk (read/write) access time of the algorithms is quite low as compared to the contemporary approaches. We also present statistics about the incidence of file fragmentation on actual file systems from 52 disk drives belonging to a diverse set of users. Based on these statistics, we present guidelines for selecting good cover files. Finally, we show that even if an investigator gets suspicious, he/she will incur an unreasonably high O(m2) complexity to reveal an m bit hidden message.