Hiding large amounts of data in virtual disk images

Jul 24, 2017, 899 views

Over the past few decades, multiple methods for hiding data on hard drives have been devised. Most of these depend on unallocated space either between or within filesystems. Since methods for hiding data may also be used by criminals, they are of interest to digital forensic investigators. Tools used by investigators therefore usually support features for inspecting places where data may be hidden, such as deleted files, unallocated sectors or alternate data streams. Virtualization of and on personal computers is widely available and can be used to support old software which might otherwise not run on modern hardware. Virtualization is also essential in developing low-level software, such as operating systems, and is an essential component of all solutions for cloud computing. Virtualization technologies are therefore widely used and will likely remain popular in the foreseeable future. With virtual computers it is often more convenient to use files as virtual hard drives instead of physical disks. These files are typically large, so data could potentially be hidden within them, depending on the virtual disk image format. We have analyzed the most popular virtual disk image file formats and devised three general approaches for hiding data within such files. Two of these approaches allow large amounts of data to be hidden. The hidden data is unlikely to be detected by current digital forensics tools. New techniques and procedures will have to be developed to detect such data. We have implemented one of the approaches, which can be used to store practically unlimited amounts of data, in a library which is freely available.

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 4.0 International license.