CSE6273 Data Recovery Hiding

Jun 03, 2018

  • 8/11/2019 CSE6273 Data Recovery Hiding

    Slide 1: Intro to Cyber Crime and Computer Forensics

    CSE 4273/6273, March 18, 2013
    Mississippi State University, Department of Computer Science

    Slide 2: Data Recovery

    Forensics without the legal junk! Data is lost for some reason:
    • Intentional
      - Data deleted: disgruntled employee; hacker trying to cover tracks
      - Device destroyed
    • Unintentional
      - Head crash
      - "Oops, my bad!"

    Slide 3: Data Recovery Techniques

    • Disk editor: look at the metadata and try to discover the location of the deleted data.
    • Forensics software: FTK, FTK Imager, EnCase, Autopsy.

    Slide 4: Data Hiding

    • Obfuscating data: the existence of the data is easy to see, but it is difficult to determine what it is.
    • Hiding data: the existence of the data is hidden.
    • Blinding the investigator: the data is not hidden, but the normal tools are not able to detect it, because they have been modified.

    Slide 5: Obfuscating Data

    • Encryption: hides by changing the data according to some algorithm. In order to see it, you must decrypt it.
    • Compression: hides by removing extraneous information in the file, thus making it unreadable and unsearchable. There are very good decompression programs.

    Slide 6: Hiding Data

    • In plain sight: shows up in a directory listing, but not as what you are looking for.
      - Change the file extension
    • Within the file system, in a file
      - Steganography
      - Invisible names, misleading names, obscure names, no names

    Slide 7: Hiding Data (continued)

    • Within the file system, but not in a file
      - Slack space
      - Free space
      - Swap space
    • Outside the computer
      - SD cards, CDs/DVDs, Zip disks, thumb drives

    Slide 8: How to beat it?

    • In plain sight: find the file signature and determine the type of the file.
    • Within the file system, in a file
      - Steganography: locate, then crack.
      - Invisible, misleading, or obscure names: a keyword search on the file system will find the file.
      - No names: peculiar to Unix and zero-link files. Must locate the files before shutting down the system, or they will be lost.
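As an added example (not from the slides), a small Python triage routine for the "in plain sight" case: it reads the leading bytes of a file and compares the signature it finds with the type the file name claims, which is how a changed extension is beaten. The signature table covers only a few well-known formats, and the sample headers and file names are constructed for the demo.

```python
# Magic-byte signatures for a handful of common formats (prefix -> type).
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
    b"MZ": "exe",
}
# Extensions that legitimately share a signature (assumption: a short alias list).
ALIASES = {"jpeg": "jpg", "jpe": "jpg", "docx": "zip", "xlsx": "zip", "dll": "exe"}


def detect_type(header):
    """Type implied by the leading bytes, or None if no known signature matches."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def check_file(name, header):
    """Compare the claimed extension with the signature: (claimed, actual, mismatch)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    claimed = ALIASES.get(ext, ext)
    actual = detect_type(header)
    # Only flag when we positively recognised a signature that disagrees with the name.
    mismatch = actual is not None and claimed != actual
    return claimed, actual, mismatch


# Constructed samples: the first bytes of each file, as a triage tool would read them.
SAMPLES = {
    "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01",
    "notes.txt":   b"GIF89a\x10\x00\x10\x00\x80\x00\x00\xff\xff\xff",  # GIF renamed to .txt
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00\x08\x00\x00\x00!\x00",
    "readme.txt":  b"Just some plain text here!\n",
}


def triage(samples):
    """Names whose signature disagrees with their extension."""
    return [name for name, hdr in samples.items() if check_file(name, hdr)[2]]
```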

    Slide 9: Blinding the Investigator

    The data is not hidden, but the tools used to view the system are modified so they do not see the suspect data.
    • Changing system commands
      - Changing DIR or ls to not see certain kinds of files
      - Modifying Windows apps like My Computer
    • Modifying the operating system
      - Changing the operating system to not look at certain areas of the disk, except under certain circumstances (rootkits).

    Slide 10: How to beat it?

    • Changed behavior of the system commands: reload the system commands, or move the data to a new system. Compare hash values of known system files.
    • Changed behavior of the operating system: ditto.
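Added example, not from the slides: the "compare hash values of known system files" check from this slide in Python, run against a constructed temp directory in which ls is replaced and ps removed after the baseline is taken. The "bin/ls", "bin/cat" and "bin/ps" names and their contents are made up for the demo; a real baseline comes from trusted media and is computed with a hashing tool that is not the suspect system's own.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream the file through SHA-256 so a large binary need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_baseline(root, baseline):
    """Compare each baselined file under root; status is 'ok', 'MODIFIED' or 'MISSING'."""
    report = {}
    for rel, expected in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report[rel] = "MISSING"
        elif sha256_of(path) != expected:
            report[rel] = "MODIFIED"
        else:
            report[rel] = "ok"
    return report


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a clean tree, then trojan ls and delete ps."""
    names = ("bin/ls", "bin/cat", "bin/ps")
    with tempfile.TemporaryDirectory() as root:
        for rel in names:
            _write(root, rel, b"clean " + rel.encode())  # stand-in for a real binary
        baseline = {rel: sha256_of(os.path.join(root, rel)) for rel in names}
        # The modification the slide warns about: ls replaced by one that hides files.
        _write(root, "bin/ls", b"modified ls that skips certain file names")
        os.remove(os.path.join(root, "bin/ps"))
        return verify_against_baseline(root, baseline)
```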

    Slide 11: Steganography

    • Steganography means covered or hidden writing.
    • The process of hiding a message in an appropriate carrier (image, audio, or video).
    • Prevents anyone else from knowing that a message is being sent.
    • Used by civil rights organizations and terrorists.

    Slide 12: History of Steganography

    • First used by the Greek historian Herodotus: text was written on tablets covered with wax; upon delivery the wax would be melted.
    • Also, slaves could be shaved and tattooed; after the hair grew out, the message could not be seen.

    Slide 13: Computer Steganography

    • Changes are made to digital carriers (images or sounds).
    • The changes represent the hidden image.
    • Successful if not noticeable.
    • Emphasis on detecting hidden communications has become an important area since 9/11.

    Slide 14: Steganography vs. Watermarking

    • Steganography
      - The message we are hiding is a secret.
      - Not generally related to what we hide it in.
    • Watermarks
      - The message we are hiding might not be a secret (might not even be hidden).
      - Does relate to what we put it in. Ex.: hold a $20 bill up to the light to see the watermark (authenticity); company logos (ownership).

    Slide 15: Various Techniques in Steganography

    • Many approaches to hide data in a file.
    • Embedded bits can be inserted in any place or in any order.
    • Areas that are less detectable or dispersed throughout the cover file are suitable.
    • Selection of the cover medium will enhance the steganography.

    Slide 16: Various Techniques in Steganography (continued)

    • Substitution is the naive approach to this problem: it replaces cover file bits with embedded file bits.
    • Replacing certain cover file bits is detectable.
    • Careful selection of bits in the cover file is important.

    Slide 17: Types of Digital Carriers

    Common ways of hiding data:
    • Data may be embedded in files as noise.
    • Properties of images (luminance, contrast and color) can be manipulated.
    • Audio files can be manipulated by introducing small echoes or slight delays.
    • Signals can be masked with sounds of higher amplitude.

    Slide 18: Types of Digital Carriers (continued)

    Common ways of hiding data (contd.):
    • Hidden in documents by manipulating the positions of the lines or the words.
    • Messages can be retrieved, e.g., by taking the second letter of each word (null cipher).
    • Web browsers ignore spaces, tabs, certain characters and extra line breaks.

    Slide 19: Types of Digital Carriers (continued)

    Common ways of hiding data (contd.):
    • Unused/reserved space on a disk can be used.
    • The OS allocates a minimum amount of space for a file and some of it goes unused.
    • Unused space in file headers and TCP/IP packet headers.
    • Spread spectrum techniques can be used by placing an audio signal over a number of different frequencies.

    Slide 20: Image Structure and Image Processing: Digital Imaging

    • Most common type of carrier used.
    • Produced by a camera, scanner or other device.
    • An approximation of the original image.
    • The system producing the image focuses a two-dimensional pattern of varying light intensity and color onto a sensor.

    Slide 21: Image Structure and Image Processing: Digital Imaging

    • The pattern has a co-ordinate system; the origin is the upper left hand corner. The pattern is described by a function f(x, y).
    • An image can be described as an array of numbers which represents light intensities at various points. The light intensities are called pixels.

    Slide 22: Image Structure and Image Processing: Digital Imaging

    • The size of the image is given in pixels, e.g. 640 x 480 (contains 307,200 pixels).
    • Spatial resolution of an image is the physical size of the pixel in the image.
    • Pixels are indexed by X and Y co-ordinates.
    • Spatial frequency: the rate of change of the f(x, y) value as we move across the image.

    Slide 23: Image Structure and Image Processing: Digital Imaging

    • Gradual changes in f(x, y) correspond to low spatial frequencies (coarsely sampled image).
    • Rapid changes correspond to high spatial frequencies (must be represented by a densely sampled image).
    • Dense sampling produces a high-resolution image (many pixels, each contributing a small part of the scene).

    Slide 24: Image Structure and Image Processing: RGB Color Cube

    [figure: RGB color cube]

    Slide 25: Image Structure and Image Processing: RGB Color Cube

    • Color is represented by the relative intensity of the three colors red, green and blue.
    • Absence of all three yields black (the intersection of the 3 axes); presence of all three colors yields white.
    • Cyan: 100% blue and 100% green. Magenta: 100% blue and 100% red. Yellow: 100% green and 100% red.

    Slide 26: Image Structure and Image Processing: RGB Color Cube

    • Each RGB component is specified by a single byte (8 bits): color intensity 0-255.
    • This 24-bit encoding supports 16,777,216 (2^24) colors.
    • Each picture element (pixel) is encoded in 24 bits, called 24-bit true color.
    • Can be represented by 32 bits (the extra bits give transparency: 0 transparent, 255 opaque).
    • Some use 8-bit true color.

    Slide 27: Image Structure and Image Processing: RGB Color Cube

    • Color palettes and 8-bit color are used with the Graphics Interchange Format (GIF) and Bitmap (BMP) image formats.
    • The value of a pixel points to a color in the palette. When a GIF image is displayed, the software paints the color from the palette to the screen.
    • Offers lossless compression because the image recovered after encoding and compression is bit-for-bit identical to the original image.

    Slide 28: Digital Carrier Methods

    Common methods of digital carrier:
    • Image and audio files are the easiest and most common carriers.
    • Least significant bit (LSB) substitution or overwriting is the most common method.
    • The LSB term comes from the numeric significance: MSB = 2^8, LSB = 2^0.

    Slide 29: Digital Carrier Methods

    Simple method of hiding: hiding the character G across the following eight bytes of a carrier file (the LSB of each byte is set off by a space).

    Carrier bytes before:
      1001010 1
      0000110 1
      1100100 1
      1001011 0
      0000111 1
      1100101 1
      1001111 1
      0001000 0

    ASCII value of G (71 = 01000111). Carrier bytes after:
      1001010 0
      0000110 1
      1100100 0
      1001011 0
      0000111 0
      1100101 1
      1001111 1
      0001000 1

    Slide 30: Digital Carrier Methods

    Simple method of hiding:
    • Eight bits can be written to the LSB of each of the 8 carrier bytes. Only half of the bytes changed (in this case).
    • LSB substitution can be used to overwrite RGB color encoding in GIF and BMP, and pulse code modulation in audio files.
    • Changing the LSB changes the numeric value very little, so it is least likely to be detected by the human eye.

    Slide 31: Detecting Steganography

    Detection and analysis should not result in destruction of the embedded message.

    Types of analysis:
    • Stego-only attack: only the stego-image is available for analysis.
    • Known-cover attack: the original image is also available for analysis. Color composition, luminance and pixel relationships are compared.
    • Known-message attack: the hidden message is known; the goal is to locate the stego-image.
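Added example, not from the slides: the LSB substitution of slides 29-30 worked in Python on the same eight carrier bytes and the character G, together with the known-cover comparison from this slide, which reports exactly which carrier bytes moved and by how much. The carrier byte values are copied from slide 29; the function names and the generalisation to payloads of any length are my own.

```python
# Constructed carrier: the eight bytes from slide 29, with the LSB as the rightmost bit.
CARRIER = [0b10010101, 0b00001101, 0b11001001, 0b10010110,
           0b00001111, 0b11001011, 0b10011111, 0b00010000]


def payload_bits(payload):
    """Bits of each payload byte, most significant first (01000111 for 'G')."""
    return [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]


def embed_lsb(carrier, payload):
    """Overwrite the LSB of successive carrier bytes with the payload bits."""
    bits = payload_bits(payload)
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: need %d bytes" % len(bits))
    stego = list(carrier)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear bit 0, then set it to the payload bit
    return stego


def extract_lsb(stego, nbytes):
    """Read the LSB of each stego byte back into payload bytes, 8 carrier bytes per byte."""
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for byte in stego[8 * k:8 * k + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


def known_cover_diff(cover, stego):
    """Known-cover attack: (index, stego - cover) for every byte that changed."""
    return [(i, s - c) for i, (c, s) in enumerate(zip(cover, stego)) if c != s]


def demo():
    """Hide 'G', recover it, and list the changed bytes (4 of 8, each by exactly 1)."""
    stego = embed_lsb(CARRIER, b"G")
    return stego, extract_lsb(stego, 1), known_cover_diff(CARRIER, stego)
```

Every difference the known-cover comparison reports is +1 or -1, which is why the slide says the numeric value changes very little; without the cover, a stego-only analyst has to look for statistical oddities in the LSB plane instead.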

    Slide 32: Basic Principles of Steganography

    Two principles:
    • Digital files can be altered to a certain degree without losing functionality.
    • Human senses are not acute enough to distinguish minor changes in altered files.

    Slide 33: Masking

    • Masking is another way used to conceal data.
    • Definition: with regard to audio files, sound A interferes with (masks) sound B.
    • Human perception is the key, as we are not able to pick up on the subtleties.

    Slide 34: Forensics and Steganography

    • The use of steganography toolkits can thwart the completion of a successful forensic analysis.
    • The odds of finding every piece of potential evidence hidden within cover images are slim.
    • Even if a stego file is found and the secret data is extracted successfully, what about encryption?

    Slide 35: Forensics and Steganography

    • As of today, few stego programs have been analyzed such that searching for file headers can be performed.
    • Part of the problem is that some stego programs allow us to encrypt the header.
    • Which stego program was used, and if encrypted, what is the stego key?

    Slide 36: Detecting and Cracking Steganography

    • Reading and detecting covert files is a challenging task for forensic investigators.
    • Steganalysts can join with cryptanalysts.
    • Steganalysis is a time-consuming process.
    • The forensic investigator should also track the original carrier file (host file).

    Slide 37: Examples of Hiding Data in Various Carriers

    [figure: the Burlington International Airport map that is to be hidden]

    Slide 38: Examples of Hiding Data in Various Carriers (contd.)

    [figure: a GIF carrier file containing the airport map]

    Slide 39: Examples of Hiding Data in Various Carriers (contd.)

    • The example employs Gif-it-Up, a Nelsonsoft program.
    • Hides information using LSB substitution; includes an encryption option.
    • Original carrier (mall GIF): 632,778 bytes. Steganography file: 677,733 bytes.

    Slide 40: Examples of Hiding Data in Various Carriers (contd.)

    [figure: a JPEG carrier file containing the airport map]

    Slide 41: Examples of Hiding Data in Various Carriers (contd.)

    • Method: JP Hide & Seek (JPHS) by Allan Latham.
    • Hides information using LSB substitution; the Blowfish crypto algorithm is used for randomization and encryption.
    • Original carrier: 207,244 bytes. Steganography file: 227,870 bytes.

    Slide 42

    [figure: signal level comparisons between a WAV carrier file before (above) and after (below) insertion]

    Slide 43: What Can Be Done?

    • Use steganographic toolkits so that you become knowledgeable.
    • Know what files are installed when a stego program is installed.
    • Know what files (or registry keys) are left behind when a stego program is removed.
    • You may get lucky and find that no encryption was applied.

    Slide 44: What Can Be Done? (cont.)

    • Compare the cover file to the suspicious file, looking for distortions.
    • Work with people who have analyzed stego tools, as these tools have unique characteristics.

    Slide 45: Steganography: Good or Bad?

    • Good: to hide watermarks
      - Authenticate information
      - Proves ownership ("my watermark, so mine")
      - Copy control: bad for those who like free music from the internet.
    • Bad: mostly used by terrorists.

    Slide 46: Questions?