
Intro to Cyber Crime and Computer Forensics
CSE 4273/6273
March 18, 2013

MISSISSIPPI STATE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE
Data Recovery
Forensics without the legal junk!
Data is lost for some reason
Intentional
Data deleted
Disgruntled employee
Hacker trying to cover tracks
Device destroyed
Unintentional
Head crash
Oops, my bad!

Data Recovery Techniques
Disk editor
Look at the file-system metadata (directory entries, allocation structures) and try to discover the location of the deleted data
Forensics software
FTK
FTK Imager
EnCase
Autopsy
Data Hiding
Obfuscating data
The existence of the data is easy to see, but it is difficult to determine what it is.
Hiding data
The existence of the data itself is hidden.
Blinding the investigator
The data is not hidden, but the normal tools cannot detect it because they have been modified.
Obfuscating Data
Encryption
Hides by transforming the data according to some algorithm and a key. In order to see it, you must decrypt it.
Compression
Hides by removing redundancy from the file, so the stored bytes are unreadable and unsearchable until decompressed.
Weak as a hiding technique: compressed formats are well documented and there are very good decompression programs.
Hiding Data
In plain sight
Shows up in a directory listing, but not as what you are looking for.
Change the file extension
Within the file system, in a file
Steganography
Invisible names
Misleading names
Obscure names
No names
Continued
Within the file system, but not in a file
Slack space
Free (unallocated) space
Swap space
Outside the computer
SD cards
CDs/DVDs
Zip disks
Thumb drives
How to Beat It?
In plain sight
Find the file signature (the magic bytes in the header) and determine the true type of the file, regardless of its extension.
Within the file system, in a file
Steganography
Locate, then crack.
Invisible, misleading, or obscure names
A keyword search on the file system will find the file.
No names
Peculiar to Unix: a file that has been unlinked (link count zero) while a process still holds it open has no directory entry at all.
Such files must be located (through the holding process's open file handles) before the system is shut down, or they will be lost when the last handle closes and the blocks are freed.
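The "find the file signature" check on this slide, as an added example that is not part of the lecture: a small Python identifier that reads the first bytes of each file and compares them against a hand-picked table of well-known magic numbers, then flags files whose extension does not match the detected type. The signature table, the expected-extension map, the function names and the sample files are assumptions of this example; a real tool such as `file` checks far more formats and fields.

```python
"""Identify file type by header signature ("magic bytes") rather than by
extension.  Added example; the signature table below is a small subset of
well-known magic numbers, and the sample files are constructed."""
import os
from typing import Optional

# (type label, [(offset, expected bytes), ...]) -- every part must match.
# Short signatures such as "BM" are weak on their own, so they are checked last.
SIGNATURES = [
    ("jpeg", [(0, b"\xff\xd8\xff")]),
    ("png",  [(0, b"\x89PNG\r\n\x1a\n")]),
    ("gif",  [(0, b"GIF87a")]),
    ("gif",  [(0, b"GIF89a")]),
    ("wav",  [(0, b"RIFF"), (8, b"WAVE")]),
    ("pdf",  [(0, b"%PDF-")]),
    ("zip",  [(0, b"PK\x03\x04")]),
    ("elf",  [(0, b"\x7fELF")]),
    ("exe",  [(0, b"MZ")]),
    ("bmp",  [(0, b"BM")]),
]

# Extensions that legitimately carry each detected type (assumed for this example).
EXPECTED_EXT = {
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "gif": {".gif"}, "bmp": {".bmp"},
    "wav": {".wav"}, "pdf": {".pdf"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
    "elf": set(), "exe": {".exe", ".dll", ".sys"},
}


def identify(header: bytes) -> Optional[str]:
    """Return the type label whose signature matches the header, or None."""
    for label, parts in SIGNATURES:
        if all(header[off:off + len(magic)] == magic for off, magic in parts):
            return label
    return None


def check_name(name: str, header: bytes):
    """Return (detected type, True if the extension disagrees with the content)."""
    kind = identify(header)
    if kind is None:
        return None, False
    ext = os.path.splitext(name)[1].lower()
    return kind, ext not in EXPECTED_EXT[kind]


def scan_directory(root: str, head_len: int = 16) -> list:
    """Walk a directory tree and report (path, detected type) for every
    file whose extension does not match its signature."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_len)
            except OSError:
                continue            # unreadable; a real tool would log this
            kind, mismatch = check_name(name, head)
            if mismatch:
                hits.append((path, kind))
    return hits


# Constructed sample: a GIF renamed to look like a text file, plus honest files.
SAMPLE_FILES = {
    "notes.txt": b"GIF89a" + b"\x00" * 10,
    "readme.txt": b"just text\n",
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
    "song.wav": b"RIFF\x24\x00\x00\x00WAVEfmt ",
}


def scan_samples(samples=SAMPLE_FILES) -> list:
    """Same check as scan_directory, run over the in-memory sample set."""
    return [(name, check_name(name, head)[0])
            for name, head in samples.items() if check_name(name, head)[1]]


if __name__ == "__main__":
    for name, kind in scan_samples():
        print(f"{name}: extension says text, signature says {kind}")
```

Point `scan_directory()` at a read-only mount of the suspect image rather than the live system. A missing match means only that the type is not in the table, not that the file is benign, and an attacker who knows this check can also overwrite the header, which is why a keyword search of content is still worth running.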
Blinding the Investigator
The data is not hidden, but the tools used to view the system are modified so that they do not show the suspect data.
Changing system commands
Changing DIR or ls so that certain files are not listed
Modifying Windows applications like My Computer
Modifying the operating system
Changing the operating system so that it does not look at certain areas of the disk, except under certain circumstances (rootkits).
How to Beat It?
Changed behavior of the system commands
Reload the system commands from trusted media, or move the data (the disk, or an image of it) to a clean system.
Compare hash values of known system files against a trusted baseline.
Changed behavior of the operating system
Same approach, but the trusted tools must run on a clean system: a modified kernel can lie to every program on the suspect machine, including the hashing tool.
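The "compare hash values of known system files" step, as an added example that is not part of the lecture: a Python baseline check that parses a `sha256sum`-style manifest (the assumed baseline format), hashes a directory tree, and classifies each file as unchanged, modified, missing or unexpected. The file contents, the "patched ls" and the function names are constructed assumptions of this example.

```python
"""Verify system binaries against a known-good hash baseline.
Added example, not from the lecture.  Assumed baseline format: the
two-column output of `sha256sum` ("<hex digest>  <path>"); the file
contents and the 'suspect' modifications below are constructed."""
import hashlib
import os


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_baseline(text: str) -> dict:
    """Parse sha256sum-style lines into {path: digest}; '#' lines are comments."""
    baseline = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed baseline line: {line!r}")
        digest, path = parts
        baseline[path.lstrip("*")] = digest.lower()   # sha256sum -b marks paths with '*'
    return baseline


def hash_tree(root: str) -> dict:
    """Hash every regular file under root (paths relative to root), streaming
    in 1 MiB chunks so large binaries need not fit in memory."""
    observed = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                continue
            observed[os.path.relpath(full, root)] = h.hexdigest()
    return observed


def compare(baseline: dict, observed: dict) -> dict:
    """Classify each path: ok / modified / missing from suspect / not in baseline."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, good in baseline.items():
        if path not in observed:
            report["missing"].append(path)
        elif observed[path] != good:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = [p for p in observed if p not in baseline]
    return report


# Constructed sample: what the clean install shipped ...
KNOWN_GOOD = {
    "bin/ls": b"clean ls binary",
    "bin/ps": b"clean ps binary",
    "bin/cat": b"clean cat binary",
}
BASELINE_TEXT = "# constructed baseline, sha256sum format\n" + "\n".join(
    f"{sha256_bytes(content)}  {path}" for path, content in KNOWN_GOOD.items())

# ... and what is found on the suspect system: ls patched, cat gone, a stray copy left behind.
SUSPECT_FILES = {
    "bin/ls": b"clean ls binary" + b" + patch that skips /tmp/.x in listings",
    "bin/ps": b"clean ps binary",
    ".hidden/ls.orig": b"clean ls binary",
}


def demo() -> dict:
    """Run the comparison over the in-memory sample instead of a mounted image."""
    observed = {path: sha256_bytes(content) for path, content in SUSPECT_FILES.items()}
    return compare(parse_baseline(BASELINE_TEXT), observed)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(f"{status:10s} {paths}")
```

For a real case, produce `observed` with `hash_tree()` over the image mounted read-only on a clean machine, and take the baseline from the vendor's package manifests or a reference set such as NIST's NSRL. Hashing with the suspect machine's own tools defeats the purpose: a modified `sha256sum`, or a kernel that serves the original bytes to readers while executing the patched ones, is exactly the "blinding" this slide describes.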
Steganography
Steganography
Means covered or hidden writing
The process of hiding a message in an appropriate carrier (image, audio, or video)
Prevents anyone else from knowing that a message is being sent at all.
Used by civil rights organizations and by terrorists.
History of Steganography
First recorded by the Greek historian Herodotus
A message was scratched into a wooden tablet, which was then covered with wax so that it looked blank.
Upon delivery the wax was removed to reveal the message.
Also, a slave's head could be shaved and the message tattooed on the scalp.
After the hair grew back, the message could not be seen.
Computer Steganography
Changes are made to digital carriers (images or sounds).
The changes encode the hidden message.
Successful if the changes are not noticeable.
Emphasis on detecting hidden communications has grown as an area of study since 9/11.
Steganography vs. Watermarking
Steganography
The message we are hiding is a secret.
It is not generally related to what we hide it in.
Watermarks
The message we are hiding might not be a secret (it might not even be hidden).
It does relate to what we put it in.
Ex. hold a $20 bill up to the light to see the watermark (authenticity); company logos (ownership).
Various Techniques in Steganography
Many approaches to hiding data in a file
Embedded bits can be inserted in any place or in any order.
Areas that are less detectable, or dispersed throughout the cover file, are suitable.
Selection of the cover medium also matters: a noisy carrier hides changes better.
Various Techniques in Steganography
Substitution is the naive approach to this problem.
It replaces cover-file bits with embedded-file bits.
Replacing certain cover-file bits is detectable.
Careful selection of the bits to replace in the cover file is important.
Types of Digital Carriers
Common ways of hiding data
Data may be embedded in files as noise.
Properties of images such as luminance, contrast and color can be manipulated.
Audio files can be manipulated by introducing small echoes or slight delays.
Signals can be masked with sounds of higher amplitude.
Types of Digital Carriers
Common ways of hiding data (contd.)
Hidden in documents by manipulating the positions of lines and words.
Messages can be retrieved, e.g., by taking the second letter of each word (null cipher).
Web browsers ignore extra spaces, tabs, certain characters and extra line breaks, so HTML whitespace can carry bits invisibly.
Types of Digital Carriers
Common ways of hiding data (contd.)
Unused/reserved space on a disk can be used.
The OS allocates a minimum amount of space (a cluster) for a file, and some of it goes unused (slack space).
Unused space in file headers and in TCP/IP packet headers.
Spread spectrum techniques can be used, placing an audio signal over a number of different frequencies.
Image Structure and Image Processing
Digital imaging
Most common type of carrier used
Produced by a camera, scanner or other device
An approximation of the original image
The system producing the image focuses a two-dimensional pattern of varying light intensity and color onto a sensor.
Image Structure and Image Processing
Digital imaging
The pattern has a coordinate system.
Origin: upper left corner
The pattern is described by a function f(x, y).
The image can be described as an array of numbers representing light intensities at various points.
The sampled intensities are called pixels.
Image Structure and Image Processing
Digital imaging
The size of the image is given in pixels, e.g., 640 x 480 (contains 307,200 pixels).
The spatial resolution of an image is the physical size of a pixel in the image.
Pixels are indexed by X and Y coordinates.
Spatial frequency: the rate of change of the f(x, y) value as we move across the image.
Image Structure and Image Processing
Digital imaging
Gradual changes in f(x, y) correspond to low spatial frequencies (can be represented by a coarsely sampled image).
Rapid changes correspond to high spatial frequencies (must be represented by a densely sampled image).
Dense sampling produces a high-resolution image (many pixels, each contributing a small part of the scene).
Image Structure and Image Processing
RGB Color Cube (figure)
Image Structure and Image Processing
RGB Color Cube
Color is represented by the relative intensity of the three primaries: red, green and blue.
Absence of all three yields black (the intersection of the 3 axes).
Full presence of all three yields white.
Cyan: 100% blue and 100% green
Magenta: 100% blue and 100% red
Yellow: 100% green and 100% red
Image Structure and Image Processing
RGB Color Cube
Each RGB component is specified by a single byte (8 bits).
Color intensity ranges over 0-255.
This 24-bit encoding supports 16,777,216 (2^24) colors.
Each picture element (pixel) is encoded in 24 bits; called 24-bit true color.
Can be represented by 32 bits (the extra 8 bits hold transparency, the alpha channel): 0 (transparent) to 255 (opaque).
Some formats use 8-bit indexed color instead (a palette of at most 256 colors; this is not true color).
Image Structure and Image Processing
RGB Color Cube
Color palettes and 8-bit color are used with the Graphics Interchange Format (GIF) and Bitmap (BMP) image formats.
The value of a pixel is an index pointing at a color in the palette.
When a GIF image is displayed, the software paints the color from the palette to the screen.
GIF offers lossless compression because the image recovered after encoding and compression is bit-for-bit identical to the original image.
Digital Carrier Methods
Common methods of digital carrier
Image and audio files are the easiest and most common carriers.
Least significant bit (LSB) substitution or overwriting
Most common method
The LSB term comes from numeric significance: in an 8-bit byte the most significant bit (MSB) has the value 2^7 = 128 and the least significant bit (LSB) has the value 2^0 = 1.
Digital Carrier Methods
Simple method of hiding
Hiding the character G across the following eight bytes of a carrier file.
Carrier bytes before:
10010101 00001101 11001001 10010110
00001111 11001011 10011111 00010000
ASCII value of G: 71 = 01000111
Carrier bytes after writing one bit of G into the LSB of each byte:
10010100 00001101 11001000 10010110
00001110 11001011 10011111 00010001
Digital Carrier Methods
Simple method of hiding
Each of the eight bits is written to the LSB of one of the eight carrier bytes.
Only half of the bytes changed (in this case); on average a payload bit already matches the existing LSB half the time, so about 50% of the touched bytes change.
LSB substitution can be used to overwrite
RGB color encoding in GIF and BMP (in a palette image the LSB selects between two palette entries, so the palette must be arranged so that neighboring entries are similar colors, or the change is visible)
Pulse code modulation samples in audio files
Changing the LSB changes the numeric value very little.
Least likely to be detected by the human eye (or ear).
Detecting Steganography
Detection and analysis should not result in destruction of the embedded message.
Types of analysis
Stego-only attack
Only the stego-image is available for analysis.
Known-cover attack
The original (cover) image is also available for analysis.
Color composition, luminance and pixel relationships are compared.
Known-message attack
The hidden message is known.
Goal is to locate the stego-image that carries it.
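An added example (not from the lecture) that serves both the eight-byte "G" illustration on the Digital Carrier Methods slides and the known-cover attack listed above: it embeds a payload by LSB substitution, extracts it again, and then compares cover and stego byte-for-byte to see how many bytes changed and whether every difference is confined to bit 0. The carrier bytes are the slide's constructed values; the function names and the report format are this example's own.

```python
"""LSB substitution (embed / extract) and a known-cover comparison.
Added example for the lecture's eight-byte 'G' illustration; the carrier
bytes are the slide's constructed values, everything else is this example's
own code and naming."""

# The eight carrier bytes from the slide (constructed sample, not a real image).
CARRIER = bytes([0b10010101, 0b00001101, 0b11001001, 0b10010110,
                 0b00001111, 0b11001011, 0b10011111, 0b00010000])


def payload_bits(data: bytes):
    """Yield the payload as a stream of bits, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write one payload bit into the least significant bit of each carrier byte."""
    bits = list(payload_bits(payload))
    if len(bits) > len(carrier):
        raise ValueError(f"payload needs {len(bits)} carrier bytes, only {len(carrier)} available")
    stego = bytearray(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear bit 0, then set it to the payload bit
    return bytes(stego)


def extract(stego: bytes, payload_len: int) -> bytes:
    """Read the LSB of each carrier byte back into payload bytes (8 carrier bytes per byte)."""
    if payload_len * 8 > len(stego):
        raise ValueError("carrier too short for the requested payload length")
    out = bytearray()
    for i in range(payload_len):
        value = 0
        for b in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def known_cover_compare(cover: bytes, stego: bytes) -> dict:
    """Known-cover attack: locate the bytes that differ and check whether every
    difference is confined to bit 0, the fingerprint of plain LSB substitution."""
    if len(cover) != len(stego):
        return {"same_length": False, "changed": [], "changed_fraction": None, "lsb_only": False}
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    lsb_only = all((cover[i] ^ stego[i]) == 1 for i in changed)
    return {"same_length": True,
            "changed": changed,
            "changed_fraction": len(changed) / len(cover),
            "lsb_only": lsb_only}


if __name__ == "__main__":
    stego = embed(CARRIER, b"G")
    print("after :", " ".join(f"{b:08b}" for b in stego))
    print("hidden:", extract(stego, 1))
    print("diff  :", known_cover_compare(CARRIER, stego))
```

On a real image the bytes passed to `embed()` are the decoded pixel samples (or palette indices), not the raw file, since headers and compressed data cannot be overwritten this way. In the known-cover report, a `changed_fraction` near 0.5 with `lsb_only` true is the classic LSB-substitution signature; a JPEG tool such as JPHS changes quantized DCT coefficients instead, so the decoded pixels of cover and stego differ in more than the low bit and this particular check will not fire.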
Basic Principles of Steganography
Two principles:
Digital files can be altered to a certain degree without losing functionality.
Human senses are not acute enough to distinguish minor changes in altered files.
Masking
Masking is another way used to conceal data.
Definition: in audio, sound A interferes with (masks) sound B; a weaker signal placed close to a louder one in time or frequency is not heard.
Human perception is the key, as we are not able to pick up on the subtleties.
Forensics and Steganography
The use of steganography toolkits can thwart the completion of a successful forensic analysis.
The odds of finding every piece of potential evidence hidden within cover images are slim.
Even if a stego file is found and the secret data is extracted successfully, what about encryption?
Forensics and Steganography
As of today, few stego programs have been analyzed well enough that searching for their file headers (signatures) can be performed.
Part of the problem is that some stego programs allow the user to encrypt the header as well.
Which stego program was used, and if the payload is encrypted, what is the stego key?
Detecting and Cracking Steganography
Reading and detecting covert files is a challenging task for forensic investigators.
Steganalysts can join forces with cryptanalysts.
Steganalysis is a time-consuming process.
The forensic investigator should also track down the original carrier (host) file, which makes a known-cover comparison possible.
Examples of Hiding Data in Various Carriers
Hiding a Burlington International Airport map (figure)
Examples of Hiding Data in Various Carriers (contd.)
A GIF carrier file containing the airport map (figure)
Examples of Hiding Data in Various Carriers (contd.)
Example employs Gif-it-Up, a Nelsonsoft program.
Hides information using LSB substitution.
Includes an encryption option.
Original carrier (mall GIF): 632,778 bytes
Steganography file: 677,733 bytes
The stego file is noticeably larger than the carrier, so if the original is available a plain size comparison is already a clue.
Examples of Hiding Data in Various Carriers (contd.)
A JPEG carrier file containing the airport map (figure)
Examples of Hiding Data in Various Carriers (contd.)
Method: JP Hide & Seek (JPHS) by Allan Latham
Hides information using LSB substitution (in a JPEG this is applied to the quantized DCT coefficients, since pixel-level LSBs do not survive lossy compression).
The Blowfish cipher is used for randomization and encryption.
Original carrier: 207,244 bytes
Steganography file: 227,870 bytes
Signal level comparisons between a WAV carrier file before (above) and after (below) insertion (figure)
What Can Be Done?
Use steganographic toolkits yourself so that you become knowledgeable about them.
Know what files are installed when a stego program is installed.
Know what files (or registry keys) are left behind when a stego program is removed.
You may get lucky and find that no encryption was applied.
(Cont.)
Compare the cover file to the suspicious file, looking for distortions.
Work with people who have analyzed stego tools, as these tools have unique characteristics (signatures).
Steganography: Good or Bad?
Good for watermarks
Authenticate information
Prove ownership ("my watermark, so it is mine")
Copy control
Bad for those who like free music from the internet.
Bad when used by criminals and terrorists to conceal communications.
Questions?
