If I have root on a system and really want to hide a file, the obvious answer is a rootkit, which can hide any files I want from almost all detection, by hooking filesystem reads etc. Rootkits are incredibly hard to find in a normal working environment, as you can't trust anything the OS reports. If you have Tripwire on a system, working correctly and monitoring the entire filesystem, the installation of a rootkit should be detected - however if an attacker can get root and has access to the Tripwire systems, then all bets are off.
What is much more likely in practice, however, is for files to be hidden in the depths of the filesystem, perhaps under . directories so they don't show to a normal ls, or perhaps as innocuously named files. The good thing is that more linux admins seem to know what files should exist than windows admins, probably more down to the fact that windows is managed typically through a gui, however with greater usage of Powershell this is changing.
Writing files to an unused portion of a disk can work, however in an enterprise environment you tend to find disks fully utilised, so an attacker would first need to either alter a partition or find some way to hide the use of a section of existing filesystem. It happens, but not as often as you may think.
Steganography is not used very much. Malicious executables are found in innocuous looking files, but usually as a vector, not in storage.
In summary, from a defenders perspective, protect root, patch regularly and use Tripwire or an equivalent.