MISSISSIPPI STATE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

Data Recovery Forensics (without the legal junk!)

Data is lost for some reason
- Intentional
  - Data deleted
  - Disgruntled employee
  - Hacker trying to cover tracks
  - Device destroyed
- Unintentional
  - Head crash
  - Oops, my bad!
Data Recovery Techniques
- Disk editor: look at the metadata and try to discover the location of the deleted data
- Forensics software: FTK, FTK Imager, EnCase, Autopsy

Data Hiding
- Obfuscating data: the existence of the data is easy to see, but it is difficult to determine what it is
- Hiding data: the existence of the data itself is hidden
- Blinding the investigator: the data is not hidden, but the normal tools cannot detect it because they have been modified

Obfuscating Data
- Encryption: hides by transforming the data according to some algorithm; in order to see it, you must decrypt it
- Compression: hides by removing redundant information from the file, making it unreadable and unsearchable until it is decompressed. There are very good decompression programs, so this offers little real protection.

Hiding Data
- In plain sight: shows up in the directory listing, but not as what you are looking for
  - Changed file extension
- Within the file system, in a file
  - Steganography
  - Invisible names, misleading names, obscure names, no names
- Within the file system, but not in a file
  - Slack space
  - Free space
  - Swap space
- Outside the computer
  - SD cards, CDs/DVDs, Zip disks, thumb drives
How to beat it?
- In plain sight: read the file signature (the magic bytes at the start of the file) and determine the real type of the file regardless of its extension
- Within the file system, in a file
  - Steganography: locate the carrier, then crack it
  - Invisible, misleading, or obscure names: a keyword search across the file system will still find the file's contents
  - No names: peculiar to Unix, where a process can keep open a file whose last directory entry has been removed (a zero-link file). Such files must be located before the system is shut down, or they will be lost.

Blinding the Investigator
- The data is not hidden, but the tools used to view the system are modified so that they do not show the suspect data
- Changing system commands: altering DIR or ls so that certain kinds of files are not listed; modifying Windows applications such as My Computer
- Modifying the operating system: changing the OS so that it does not look at certain areas of the disk except under certain circumstances (rootkits)

How to beat it?
- Modified system commands: reload known-good copies of the commands, or move the data to a clean system; compare hash values of the system files against known-good values
- Modified operating system: ditto

Steganography
- Steganography means "covered" or "hidden" writing
- The process of hiding a message in an appropriate carrier (image, audio, or video)
- Prevents anyone else from knowing that a message is being sent at all
- Used by civil rights organizations and by terrorists
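The two checks from the "How to beat it?" slides above, reading the file signature instead of trusting the extension and comparing system files against a known-good hash manifest, as an added Python example; this is not code from the slides. The signature table lists a handful of well-known public magic numbers, and the sample files, the "system binaries", the baseline and the trojaned ls are all constructed inline and are hypothetical, not evidence from any real case.

```python
"""Added example: file-signature triage and known-good hash comparison."""
from __future__ import annotations

import hashlib
from pathlib import Path

# Well-known magic numbers at offset 0 (public values, not a complete table).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # also docx/xlsx/pptx/jar containers
    b"MZ": "exe",
    b"\x7fELF": "elf",
    b"RIFF": "riff",        # wav/avi; the subtype tag sits at offset 8
}

# Extensions that legitimately carry each signature.
EXPECTED = {
    "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"},
    "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "exe": {".exe", ".dll", ".sys"}, "elf": {"", ".so"},
    "wav": {".wav"}, "riff": {".avi", ".webp"},
}


def identify(data: bytes) -> str | None:
    """Type implied by the leading bytes, or None if no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            if kind == "riff" and data[8:12] == b"WAVE":
                return "wav"
            return kind
    return None


def extension_mismatch(name: str, data: bytes) -> str | None:
    """Describe a file whose extension disagrees with its signature, else None."""
    kind = identify(data)
    if kind is None:
        return None  # unknown content: nothing to contradict
    ext = Path(name).suffix.lower()
    if ext in EXPECTED.get(kind, set()):
        return None
    return f"{name}: extension {ext or '(none)'} but content looks like {kind}"


def triage(files: dict[str, bytes]) -> list[str]:
    """Run the extension check over a name -> content mapping."""
    findings = []
    for name, data in files.items():
        msg = extension_mismatch(name, data)
        if msg:
            findings.append(msg)
    return findings


def baseline_mismatches(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare the SHA-256 of each system file against a known-good manifest."""
    bad = []
    for name, expected in baseline.items():
        if name not in files:
            bad.append(f"{name}: missing")
        elif hashlib.sha256(files[name]).hexdigest() != expected:
            bad.append(f"{name}: hash differs from baseline")
    return bad


# Constructed sample files (hypothetical, not real evidence).
SAMPLE_FILES = {
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,  # PNG renamed to .txt
    "report.doc": b"\xff\xd8\xff\xe0" + b"\x00" * 16,    # JPEG renamed to .doc
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,     # honest JPEG
    "readme.txt": b"just text\n",                        # no known signature
}

# Constructed "system binaries": a clean set, a baseline taken from it,
# and a copy in which ls has been replaced (hypothetical contents).
CLEAN_SYSTEM = {"ls": b"\x7fELF-original-ls", "dir.exe": b"MZ-original-dir"}
BASELINE = {n: hashlib.sha256(d).hexdigest() for n, d in CLEAN_SYSTEM.items()}
TAMPERED_SYSTEM = dict(CLEAN_SYSTEM, ls=b"\x7fELF-trojaned-ls")

if __name__ == "__main__":
    for line in triage(SAMPLE_FILES) + baseline_mismatches(TAMPERED_SYSTEM, BASELINE):
        print(line)
```

In practice the baseline comes from vendor media or a hash set such as NSRL, and the hashing must be done with a tool copied from trusted media, since a modified ls or a rootkit can just as easily lie to a hashing program that runs on the suspect system.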
History of Steganography
- The earliest recorded uses are described by the Greek historian Herodotus
  - Text was written on a wooden tablet and then covered with wax; upon delivery the wax would be melted off
  - A slave's head could be shaved and tattooed with the message; after the hair grew back, the message could not be seen
Computer Steganography
- Changes are made to digital carriers (images or sounds)
- The changes encode the hidden message
- Successful if the changes are not noticeable
- Detecting hidden communications has received far more emphasis since 9/11

Steganography vs. Watermarking
- Steganography
  - The message we are hiding is a secret
  - Not generally related to what we hide it in
- Watermarks
  - The message we are hiding might not be a secret (it might not even be hidden)
  - Does relate to what we put it in
  - Examples: hold a $20 bill up to the light to see the watermark (authenticity); company logos (ownership)

Various Techniques in Steganography
- Many approaches exist for hiding data in a file
- Embedded bits can be inserted in any place and in any order
- Areas that are less detectable, or dispersed throughout the cover file, are the most suitable
- Careful selection of the cover medium improves the steganography
- Substitution is the naive approach: it replaces cover-file bits with embedded-file bits
- Replacing certain cover-file bits is detectable, so careful selection of which bits to replace is important

Types of Digital Carriers
Common ways of hiding data:
- Data may be embedded in files as noise
- Properties of images (luminance, contrast, and color) can be manipulated
- Audio files can be manipulated by introducing small echoes or slight delays; signals can be masked with sounds of higher amplitude
- Hidden in documents by manipulating the positions of lines or words
- Messages can be retrieved, for example, by taking the second letter of each word (a null cipher)
- Web browsers ignore extra spaces, tabs, certain characters, and extra line breaks, so whitespace in a web page can carry data unseen
- Unused or reserved space on a disk can be used: the OS allocates a minimum amount of space for a file and some of it goes unused
- Unused space in file headers and in TCP/IP packet headers
- Spread spectrum techniques can be used, spreading the hidden signal across a number of different frequencies of an audio signal

Image Structure and Image Processing: Digital Imaging
- Images are the most common type of carrier
- Produced by a camera, scanner, or other device; a digital image is an approximation of the original scene
- The system producing the image focuses a two-dimensional pattern of varying light intensity and color onto a sensor
- The pattern has a coordinate system with its origin in the upper left-hand corner and is described by a function f(x, y)
- An image can thus be described as an array of numbers representing the light intensities at various points; these samples are called pixels
- The size of an image is given in pixels, e.g. 640 x 480 (307,200 pixels); pixels are indexed by their x and y coordinates
- Spatial resolution is the physical size of a pixel in the image
- Spatial frequency is the rate of change of f(x, y) as we move across the image
  - Gradual changes correspond to low spatial frequencies (can be represented by a coarsely sampled image)
  - Rapid changes correspond to high spatial frequencies (must be represented by a densely sampled image)
  - Dense sampling produces a high-resolution image (many pixels, each contributing a small part of the scene)

Image Structure and Image Processing: RGB Color Cube
- Color is represented by the relative intensity of the three primaries red, green, and blue
- Absence of all three yields black (the intersection of the three axes); presence of all three at full intensity yields white
- Cyan: 100% blue and 100% green; magenta: 100% blue and 100% red; yellow: 100% green and 100% red
- Each RGB component is specified by a single byte (8 bits), giving an intensity of 0-255
- This 24-bit encoding supports 16,777,216 (2^24) colors; each pixel is encoded in 24 bits, called 24-bit true color
- A pixel can also be represented by 32 bits, where the extra byte is transparency (alpha): 0 is transparent, 255 is opaque
- Some formats use 8-bit palette color instead: color palettes and 8-bit color are used with the Graphics Interchange Format (GIF) and Bitmap (BMP) image formats
  - The value of a pixel is an index into the palette; when a GIF image is displayed, the software paints the palette color onto the screen
  - GIF offers lossless compression: the image recovered after decoding is bit-for-bit identical to the original

Digital Carrier Methods
- Image and audio files are the easiest and most common carriers
- Least significant bit (LSB) substitution, or overwriting, is the most common method
- The term LSB comes from numeric significance: in an 8-bit byte the most significant bit (MSB) has weight 2^7 and the least significant bit has weight 2^0
Digital Carrier Methods: a simple method of hiding
- Hide the character G across the following eight bytes of a carrier file:
  10010101 00001101 11001001 10010110 00001111 11001011 10011111 00010000
- The ASCII value of G is 71, or 01000111 in binary
- Write each of the eight bits of G into the LSB of the corresponding carrier byte (most significant bit first):
  10010100 00001101 11001000 10010110 00001110 11001011 10011111 00010001
- Only half of the carrier bytes actually changed (bytes 1, 3, 5, and 8 in this case); the others already held the right LSB
- LSB substitution can be used to overwrite the RGB color encoding in GIF and BMP images, or the pulse-code-modulation samples in audio files
- Changing the LSB changes the numeric value by at most 1, so the change is the least likely to be detected by the human eye or ear

Detecting Steganography
- Detection and analysis should not result in destruction of the embedded message
- Types of analysis:
  - Stego-only attack: only the stego image is available for analysis
  - Known-cover attack: the original cover image is also available; color composition, luminance, and pixel relationships are compared
  - Known-message attack: the hidden message is known; the goal is to locate the stego image that carries it

Basic Principles of Steganography
Two principles:
- Digital files can be altered to a certain degree without losing functionality
- Human senses are not acute enough to distinguish minor changes in the altered files
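The "Digital Carrier Methods" example above, worked in Python as an added example (this is not code from the slides): embed_lsb writes payload bits, most significant bit first, into the LSB of successive carrier bytes, extract_lsb reads them back, and changed_positions shows which carrier bytes actually moved. The eight carrier bytes are the slide's own; the function names are mine. The functions are general, so the same code embeds and recovers a longer payload in any byte buffer (raw pixel samples, PCM audio samples), which the slide only states in words.

```python
"""Added example: LSB substitution over raw carrier bytes, checked against the slide."""
from __future__ import annotations


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive carrier bytes with the payload bits, MSB first."""
    bits = [(byte >> i) & 1 for byte in payload for i in range(7, -1, -1)]
    if len(bits) > len(carrier):
        raise ValueError(f"payload needs {len(bits)} carrier bytes, only {len(carrier)} available")
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return bytes(out)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Rebuild n_bytes payload bytes from the LSBs of the first 8*n_bytes carrier bytes."""
    if 8 * n_bytes > len(stego):
        raise ValueError("not enough carrier bytes for the requested payload length")
    result = bytearray()
    for k in range(n_bytes):
        value = 0
        for idx in range(8 * k, 8 * k + 8):
            value = (value << 1) | (stego[idx] & 1)
        result.append(value)
    return bytes(result)


def changed_positions(cover: bytes, stego: bytes) -> list[int]:
    """Indices (0-based) of carrier bytes that differ after embedding."""
    return [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]


# The slide's eight carrier bytes, and the slide's result row for hiding 'G'.
CARRIER = bytes(int(s, 2) for s in
    "10010101 00001101 11001001 10010110 00001111 11001011 10011111 00010000".split())
SLIDE_RESULT = bytes(int(s, 2) for s in
    "10010100 00001101 11001000 10010110 00001110 11001011 10011111 00010001".split())


def demo() -> dict:
    """Embed 'G' exactly as the slide does and report what a reader would want to check."""
    stego = embed_lsb(CARRIER, b"G")
    return {
        "matches_slide": stego == SLIDE_RESULT,
        "recovered": extract_lsb(stego, 1),
        "changed": changed_positions(CARRIER, stego),   # 0-based: bytes 1, 3, 5, 8
        "max_delta": max(abs(a - b) for a, b in zip(CARRIER, stego)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because only bit 0 is touched, no sample ever moves by more than 1, which is why the embedding is imperceptible; the flip side, visible in changed_positions, is that every byte in the embedding region now carries a payload bit in its LSB, which is exactly what a known-cover comparison or an LSB-plane statistical test looks for.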
Masking
- Masking is another way to conceal data
- Definition (for audio files): sound A interferes with, i.e. masks, sound B
- Human perception is the key, as we are not able to pick up on the subtleties
Forensics and Steganography
- The use of steganography toolkits can thwart the completion of a successful forensic analysis
- The odds of finding every piece of potential evidence hidden within cover images are slim
- Even if a stego file is found and the secret data is extracted successfully, what about encryption?
Forensics and Steganography (Contd.)
- As of today, few stego programs have been analyzed well enough that a search for their file headers can be performed
- Part of the problem is that some stego programs allow the user to encrypt the header as well
- Which stego program was used, and if the payload is encrypted, what is the stego key?
Detecting and Cracking Steganography
- Reading and detecting covert files is a challenging task for forensic investigators
- Steganalysts can join forces with cryptanalysts
- Steganalysis is a time-consuming process
- The forensic investigator should also track down the original carrier file (host file), since comparing it with the suspect file is far more powerful than analyzing the suspect file alone

Examples of Hiding Data in Various Carriers
- Hiding the Burlington International Airport map
Examples of Hiding Data in Various Carriers (Contd.)
- A GIF carrier file containing the airport map
- The example employs Gif-it-Up, a Nelsonsoft program
  - Hides information using LSB substitution
  - Includes an encryption option
  - Original carrier (mall GIF): 632,778 bytes
  - Steganography file: 677,733 bytes
  - Note that the stego file is larger than the cover: altering pixel values makes the image compress less well, and the size difference alone is a tell-tale when the original is available
Examples of Hiding Data in Various Carriers (Contd.)
- A JPEG carrier file containing the airport map
- Method: JP Hide & Seek (JPHS) by Allan Latham
  - Hides information using LSB substitution
  - The Blowfish cipher is used both for randomization (choosing where the bits go) and for encryption of the payload
  - Original carrier: 207,244 bytes
  - Steganography file: 227,870 bytes
Signal-level comparisons between a WAV carrier file before (above) and after (below) insertion.
[figure: the two waveform plots]

What Can Be Done?
- Use steganographic toolkits yourself so that you become knowledgeable about them
- Know what files are installed when a stego program is installed
- Know what files (or registry keys) are left behind when a stego program is removed
- You may get lucky and find that no encryption was applied
- Compare the cover file to the suspicious file, looking for distortions
- Work with people who have analyzed stego tools, as these tools have unique characteristics
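The "compare the cover file to the suspicious file" step above, and the known-cover attack from the "Detecting Steganography" slide, as an added Python example that is not part of the deck. Rather than only counting differing bytes, it tallies which bit plane each differing bit falls in: plain LSB substitution leaves every difference in plane 0, whereas an ordinary edit or re-encode spreads differences across the higher planes. The cover (random bytes standing in for raw pixel or PCM samples), the suspect built by overwriting the first 256 LSBs with random bits, the edited suspect, and the 95% threshold are all constructed here and are not calibrated values.

```python
"""Added example: known-cover comparison by bit plane."""
from __future__ import annotations

import random


def bitplane_diff_counts(cover: bytes, suspect: bytes) -> list[int]:
    """counts[i] = number of bytes whose bit i (0 = LSB) differs between the two files."""
    if len(cover) != len(suspect):
        raise ValueError("sizes differ: align or re-extract the raw samples before comparing")
    counts = [0] * 8
    for a, b in zip(cover, suspect):
        delta = a ^ b               # set bits mark the planes that changed in this byte
        for i in range(8):
            if (delta >> i) & 1:
                counts[i] += 1
    return counts


def lsb_fraction(counts: list[int]) -> float:
    """Share of all differing bits that sit in the LSB plane (0.0 when nothing differs)."""
    total = sum(counts)
    return counts[0] / total if total else 0.0


def assess(cover: bytes, suspect: bytes, threshold: float = 0.95) -> str:
    """One-line verdict; the threshold is a constructed cut-off, not a calibrated one."""
    counts = bitplane_diff_counts(cover, suspect)
    total = sum(counts)
    if total == 0:
        return "identical"
    frac = lsb_fraction(counts)
    verdict = ("consistent with LSB substitution" if frac >= threshold
               else "not LSB-only (re-encoding, edits, or a different embedding)")
    return f"{total} differing bits, {frac:.0%} in LSB plane, planes={counts}: {verdict}"


# Constructed 4096-byte "cover" (stands in for raw pixel or PCM samples).
_rng = random.Random(1)
COVER = bytes(_rng.randrange(256) for _ in range(4096))

# Suspect 1: the first 256 bytes had their LSBs overwritten with message bits
# (random bits here, which is how an encrypted payload looks).
SUSPECT_LSB = bytes((b & 0xFE) | _rng.randrange(2) if i < 256 else b
                    for i, b in enumerate(COVER))

# Suspect 2: an ordinary edit (every sample shifted by +3), which touches the
# higher planes too and must not be mistaken for LSB embedding.
SUSPECT_EDITED = bytes((b + 3) & 0xFF for b in COVER)

if __name__ == "__main__":
    print(assess(COVER, SUSPECT_LSB))
    print(assess(COVER, SUSPECT_EDITED))
```

On real files the comparison has to be done on the decoded samples, not the container bytes: a GIF that grew from 632,778 to 677,733 bytes cannot be lined up byte-for-byte, but its decoded pixel indices can, and that is where an LSB-only difference pattern would show.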
Steganography: Good or Bad?
- Good
  - Hiding watermarks to authenticate information
  - Proves ownership: my watermark, so it is mine
  - Copy control (bad for those who like free music from the internet)
- Bad
  - Mostly used by terrorists