
I get that hidden volumes will stick out, but what about hidden volumes that are relatively small in size -- let's say about 500K - 1MB? Would that still stick out as its footprint is smaller or is that not the right way to look at hidden volumes?



Structured data has a 'histogram' that is vastly different than CBC encrypted data. CBC encrypted data has a 'flat' histogram, whereas structured data has a different signature.

Create a program that creates data histograms and you'll see what I mean. There are much easier ways to tell as well, like FOURCC or magic bits for files, for instance a gif file always starts with GIF89, or JPEGs start with JFIF, same with zip files, tar, etc. Almost every file can be recognized independently of its name, by its structure.

If you reverse engineer stuff sometimes you'll be given files that you don't even know the structure of and have to figure out what are offsets and what is data. Same thing with reverse engineering compiled code.


I found the idea of file histogram very interesting so I searched and found this nicely working Python script: http://www.cutawaysecurity.com/blog/file-content-histograms (needs Python2)
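
An added example, not part of the thread and not the linked script: a Python 3 sketch of the two checks discussed above, a byte histogram (summarized as Shannon entropy and a chi-square distance from uniform) and a magic-byte lookup. The sample buffers are constructed, SHA-256 in counter mode is assumed as a stand-in for ciphertext, and the 7.9 bits/byte threshold is an illustrative choice.

```python
import hashlib
import math
from collections import Counter

# File signatures at fixed offsets: (offset, magic bytes, label).
SIGNATURES = [
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"PK\x03\x04", "zip"),
    (257, b"ustar", "tar"),
]

def identify_magic(data):
    """Return a format label if a known signature matches, else None."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return None

def histogram(data):
    """256-bin count of byte values."""
    counts = Counter(data)
    return [counts.get(b, 0) for b in range(256)]

def entropy_bits(data):
    """Shannon entropy in bits per byte; 8.0 means a perfectly flat histogram."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in histogram(data) if c)

def chi_square(data):
    """Chi-square distance from a uniform histogram (about 255 for random bytes)."""
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in histogram(data))

def classify(data, flat_threshold=7.9):
    """Label a buffer by signature first, then by how flat its histogram is."""
    label = identify_magic(data)
    if label:
        return label
    return "flat (random-looking)" if entropy_bits(data) > flat_threshold else "structured"

# Constructed samples. SHA-256 in counter mode stands in for ciphertext.
RANDOM_LIKE = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(2048))
TEXT = b"Structured data has a histogram that is far from flat.\n" * 1000
GIF_HEADER = b"GIF89a" + bytes(64)

if __name__ == "__main__":
    for name, buf in [("random-like", RANDOM_LIKE), ("text", TEXT), ("gif", GIF_HEADER)]:
        print(f"{name:12} entropy={entropy_bits(buf):.3f} chi2={chi_square(buf):.0f} -> {classify(buf)}")
```

The same measurements apply to a region of a disk image: a block with no recognizable signature and a near-flat histogram is what encrypted data looks like, regardless of how small the region is.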



