Do you have some confidential stuff that no one else should read or watch? Do you need to keep your data safe?
There are many things you can do to protect your data. One is encryption: turning your data into an unreadable form so that only you, who know the key, can access it. Another trick is setting the permissions of a file or folder, or maybe using a confusing hierarchy of data. Oh, and not to mention that if you are using Windows, you can use a Windows feature to hide your data. Well, that’s nice, but let me tell you a cool trick: the hidden partition.
This article discusses the hidden partition and the trick from a Linux perspective.
What is a Hidden Partition?
As the name implies, a hidden partition is a partition on a disk or other storage medium that is hidden, or invisible, from the system.
So, what’s so cool about a hidden partition?
You can still use tricks like the ones mentioned above, but on top of that the partition we are playing with is invisible to the system. Imagine: what could (ordinary) people do to your privacy if they can’t find the partition where you hide your stuff? It’s like hidden files or folders, but at a higher level: the partition.
When people aren’t aware that there is a hidden partition, how can they browse or manipulate it? Yes, that’s the point!
A partition is just an area of the hard disk defined by the sector where it starts and the sector where it ends. Data on the disk is written in small allocation units called blocks. Each block has a fixed size, for example 4 kB. A file system is a way to store, read, write, and delete data effectively. There are many file systems, but we won’t cover them in detail. Some popular ones are FAT, NTFS, the EXT series (2/3/4), HFS, ZFS, XFS, ReiserFS, etc.
Next, the big question is: how do we know about, or become aware of, a partition?
Every storage medium has a certain area at the front of the disk. This area is called the MBR, or Master Boot Record. It is like a table that records which partitions exist on the disk. The important part is that it records the beginning and the end of each partition.
Hiding a partition is as simple as removing its entry from the MBR.
Wait! If we delete the entry, doesn’t that mean we are removing the partition? Yes! However, the only thing missing is the entry, while the data still exists in the partition area. In fact, unless you format it, the file system is still accessible when you know where it is.
An ordinary person, or even the system, won’t be aware that there is a hidden partition unless told there is one. Your computer won’t notify you about a partition that has no record in the MBR. And this is why it’s called a hidden partition (or at least that is what I call it).
Now we will experiment with a hidden partition. As suggested by the title, we will use Linux. In this article I use:
- Slackware64 14.0
- SD Card of 4GB as storage media
Slackware is only the proof of concept. You can use any Linux distribution available; there is no need to install Slackware just for this article.
Slackware is running on a Lenovo Ideapad z480.
The SD card serves as the storage medium we will play with. It has 4 GB of storage in total and is divided into three partitions.
Using fdisk, I got the list of storage media attached to my machine. In this case, the SD card is detected as /dev/sdb, and the following is the partition list as reported by fdisk.
Disk /dev/sdb: 4008 MB, 4008706048 bytes
124 heads, 62 sectors/track, 1018 cylinders, total 7829504 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048      206847      102400    b  W95 FAT32
/dev/sdb2          206848     7500000     3646576+  83  Linux
/dev/sdb3         7501824     7829503      163840    7  HPFS/NTFS/exFAT
OK, we have plenty of information there. Let’s focus on the partition information. The three partitions have different file systems. Suppose we have formatted each of them with its respective file system.
In this article we will make the second partition (/dev/sdb2) hidden.
To remove a partition, we simply remove its entry from the MBR. We can use a tool such as fdisk to accomplish this.
Once fdisk has the SD card open, type ‘d’ and enter the number 2 (our partition /dev/sdb2 is number 2). Once you are done, write the changes to the disk.
Command (m for help): d
Partition number (1-4): 2
Partition 2 is deleted

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.
Syncing disks.
You can verify this by listing the partitions with fdisk again.
It should look like this:
Disk /dev/sdb: 4008 MB, 4008706048 bytes
124 heads, 62 sectors/track, 1018 cylinders, total 7829504 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1            2048      206847      102400    b  W95 FAT32
/dev/sdb3         7501824     7829503      163840    7  HPFS/NTFS/exFAT
Now, see the gap? The first partition starts at sector 2048 and ends at 206847. The third partition runs from 7501824 to 7829503. Where is the partition from 206848 to 7500000 that we saw before? It’s hiding right now.
Now, try to mount it.
mount /dev/sdb2 /mnt/
And we get an error! Well, it’s not like this is unexpected. But how can we access the partition if we can’t mount it?
Hey! Who said we can’t mount it? We can, but there is a trick to it.
Actually, when we mount a partition, mount checks whether the special device (/dev/sdb2 in this case) exists. If it does, mount reads the table to find where the partition’s area is. We defined the area by its start and end, right? And that’s how we will mount it: we will provide the start and the end manually.
But the start and end are not given in terms of sectors or blocks. The partition is located by an offset of n bytes from the start of the disk. Recall the location of partition 2: it runs from sector 206848 to 7500000. Now see how big each sector is. From the fdisk output we know that each sector is 512 bytes in size. So just multiply the sector number by 512 to get the offset in bytes. Actually, we only need the start, so calculate that value. If you are too lazy, you can skip it 😛
Now, to mount a hidden partition we need to invoke mount in a special manner. We can’t access the non-existent /dev/sdb2, but we can still access /dev/sdb. So here is how I access the hidden partition:
mount -o loop,offset=$((206848*512)) /dev/sdb /mnt/
ps: I’m lazy.
And now you have the partition mounted on /mnt/.
To unmount it, run umount on /mnt/.
Isn’t that easy? 😀
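The gap left in the partition table is also how a partition hidden this way is found again. The Python code below is an added example, not code from the original article: it parses the MBR, lists the sector ranges no entry claims, and checks whether a range starts with an ext2/3/4 superblock, returning the byte offset used for the loop mount. The function names are illustrative, the sample reader is constructed from the fdisk values above, and only the first sector of each gap is probed.

```python
import struct

SECTOR = 512  # logical sector size, as in the fdisk output above

def mbr_entries(sector0):
    """Return sorted (start, end) sector pairs of the used MBR entries."""
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    used = []
    for i in range(4):
        ptype = sector0[446 + 16 * i + 4]
        start, count = struct.unpack_from("<II", sector0, 446 + 16 * i + 8)
        if ptype and count:
            used.append((start, start + count - 1))
    return sorted(used)

def gaps(entries, total_sectors):
    """Sector ranges after the MBR that no table entry claims."""
    out, cursor = [], 1
    for start, end in entries:
        if start > cursor:
            out.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        out.append((cursor, total_sectors - 1))
    return out

def find_unlisted_ext(read, total_sectors):
    """read(offset, size) -> bytes. Returns (start, end, byte_offset) for gaps
    that begin with an ext2/3/4 superblock (magic 0xEF53 at byte 1024 + 56)."""
    hits = []
    for start, end in gaps(mbr_entries(read(0, SECTOR)), total_sectors):
        if read(start * SECTOR + 1080, 2) == b"\x53\xef":
            hits.append((start, end, start * SECTOR))
    return hits

def sample_reader():
    """Constructed stand-in for /dev/sdb after partition 2 was deleted."""
    mbr = bytearray(SECTOR)
    table = ((0, 0x0B, 2048, 206847), (2, 0x07, 7501824, 7829503))
    for slot, ptype, start, end in table:
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * slot, 0, ptype, start, end - start + 1)
    mbr[510:512] = b"\x55\xaa"
    chunks = {0: bytes(mbr), 206848 * SECTOR + 1080: b"\x53\xef"}
    return lambda off, size: chunks.get(off, bytes(size))[:size]

if __name__ == "__main__":
    for start, end, off in find_unlisted_ext(sample_reader(), 7829504):
        print(f"ext filesystem in unlisted sectors {start}-{end}, byte offset {off}")
```

The reported end is the end of the gap, not of the file system inside it. To run this against a real device or image, pass a `read` function that seeks and reads on the opened file.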