The Message Within: Extending DLP to target Steganography
Discovering Critical Evidence - hidden in plain sight
Bill Fanelli, Principal Architect
Carlton Jeffcoat, VP
Allen Corporation of America, Cyber Security Technologies Division
Introduction
• Data Leakage greatly concerns certain industries
  – High value intellectual property
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents
• Data Loss Prevention (DLP) explicitly prevents the leakage of this data out of an organization.
  – DLP monitors the movement of tagged files and data with keyword content.
  – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers.
PAGE 4
How to use DLP in Steganography Detection
• DLP can monitor the movement of likely carrier files such as image and music files
  – DLP will copy these files to a forensic archive
  – Other tools can then scan these files for the presence of hidden data
• This presentation will:
  – Describe these forensic procedures
  – Detail an implementation of the required workflow
Definition
• Steganography
  – Hiding the existence of the message
• Vs. Cryptography
  – Obscures the meaning of a message
  – Does not conceal the fact that there is a message
• Steganalysis
  – Detecting the presence of messages hidden using steganography
• Legitimate uses of steganography
  – Digital Watermarking
Steganography - Ancient Methods: Wax Tablets
• Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece.
• To get word to Sparta, he scraped the wax off writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.
• The tablet was passed by the sentries without raising any suspicion.
Steganography - Modern Methods: Null Cipher Messages
• The German Embassy in Washington, DC, sent these messages during World War I
  – Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils
• Decoding the message by extracting the second letter from each word reveals the actual message
  – PERSHING SAILS FROM N.Y. JUNE 1
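Added example, not part of the original slides: a small decoder that applies the second-letter rule to the cablegram quoted above. The message text is transcribed from the slide; note that the second letter of the last word, "oils", is I, which the slide's reading renders as the digit 1.

```python
# Added example (not from the slides): decoding the WWI German-embassy null
# cipher quoted above by taking the second letter of every word.
import re

# The cablegram as quoted on the slide (transcribed here for the example).
EMBASSY_MESSAGE = (
    "Apparently neutral's protest is thoroughly discounted and ignored. "
    "Isman hard hit. Blockade issue affects pretext for embargo on "
    "by-products, ejecting suet's and vegetable oils"
)

def null_cipher_decode(text: str, position: int = 2) -> str:
    """Return the letter at the given 1-based position of each word.

    Punctuation, apostrophes and hyphens are stripped first so that
    "neutral's" yields E and "by-products" yields Y, as the slide's
    decoding requires; words shorter than `position` are skipped."""
    letters = []
    for word in text.split():
        alpha = re.sub(r"[^A-Za-z]", "", word)
        if len(alpha) >= position:
            letters.append(alpha[position - 1].upper())
    return "".join(letters)

def null_cipher_words(decoded: str, lengths=(8, 5, 4, 2, 4, 1)) -> str:
    """Regroup a decoded letter run into words of the given lengths
    (the word boundaries are not carried by the cipher itself)."""
    out, i = [], 0
    for n in lengths:
        out.append(decoded[i:i + n])
        i += n
    return " ".join(out)

if __name__ == "__main__":
    run = null_cipher_decode(EMBASSY_MESSAGE)
    print(run)                     # PERSHINGSAILSFROMNYJUNEI
    print(null_cipher_words(run))  # PERSHING SAILS FROM NY JUNE I (I read as 1)
```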
Technical Steganography
• Uses scientific methods to hide a message, such as the use of invisible ink or microdots
• In 1941 the FBI discovered a Micro Dot carried on a letter from a suspected agent
  – Micro Dot production
    • Create a postage stamp sized secret message
    • Reduce this in size using a reverse microscope, producing an image .05 inches in diameter
  – The dot was pressed onto a piece of paper using a hypodermic needle in place of a period
[Image: Mark IV microdot camera]
Simple Example
Once upon a our poets eve
With darkened sky’s and fallen leaves
The raven came to call outside the door
Time it said, always flows, through your life
and through the throws,
running faster ever than before
And if you wish to beat the game,
to live a life of wealth and fame,
then try to follow me forever more
For here within the words it said
Like a dream within your head
A secret waits to lead you out the door
Within a code that Bacon knew
In letters just a bit askew
The raven whispers secrets evermore!
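Added example, not part of the original slides: the "code that Bacon knew" is Bacon's biliteral cipher, in which each letter becomes five A/B symbols carried by two letter shapes in the cover text. The slide's own "askew" typography is lost in this copy, so the example carries symbol B as an upper-case letter; the terminator code and the use of the poem's first three lines as cover are this example's assumptions.

```python
# Added example (not from the slides): Bacon's biliteral cipher as used in the
# poem. Each letter becomes five A/B symbols; the cover text carries symbol B as
# an upper-case letter and A as lower case ("letters just a bit askew").

# Bacon's 24-letter alphabet: I/J share one code and U/V share another.
_ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"
_CODES = {ch: format(i, "05b").replace("0", "A").replace("1", "B")
          for i, ch in enumerate(_ALPHABET)}
_CODES["J"], _CODES["V"] = _CODES["I"], _CODES["U"]
_LETTERS = {_CODES[ch]: ch for ch in _ALPHABET}   # decodes J as I and V as U
_END = "BBBBB"   # code 31 is unused by the alphabet; used here as a terminator

# Cover text: the first three lines of the poem (constructed here as a string).
POEM = ("Once upon a our poets eve With darkened sky's and fallen leaves "
        "The raven came to call outside the door")

def bacon_encode(secret: str, cover: str) -> str:
    """Case-mark the cover's letters with the secret's A/B symbols plus _END.
    Letters left over after the terminator are written in lower case."""
    symbols = "".join(_CODES[c] for c in secret.upper() if c in _CODES) + _END
    if len(symbols) > sum(c.isalpha() for c in cover):
        raise ValueError("cover text has too few letters for this secret")
    out, k = [], 0
    for c in cover:
        if not c.isalpha():
            out.append(c)
        elif k < len(symbols):
            out.append(c.upper() if symbols[k] == "B" else c.lower())
            k += 1
        else:
            out.append(c.lower())
    return "".join(out)

def bacon_decode(stego: str) -> str:
    """Read case as A/B, group into fives and map back; stop at the terminator."""
    symbols = "".join("B" if c.isupper() else "A" for c in stego if c.isalpha())
    plain = []
    for i in range(0, len(symbols) - 4, 5):
        group = symbols[i:i + 5]
        if group == _END:
            break
        plain.append(_LETTERS.get(group, "?"))
    return "".join(plain)

if __name__ == "__main__":
    stego = bacon_encode("BACON", POEM)
    print(stego)
    print(bacon_decode(stego))   # BACON
```

Because I/J and U/V share codes, a hidden NEVERMORE comes back as NEUERMORE; a reader resolves the ambiguity from context.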
Concerns to Business
• Data loss
  – Covert transmission of corporate IP
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents
• Hiding illicit activity
  – Non-job related activity that potentially puts the organization at risk
    • Gambling
    • Pornography
    • Credit card fraud
    • Terrorism
How big is the problem?
[Chart: Steganography Programs in the Wild, 2001 through Today, rising to 505 (y-axis 0 to 600); according to WetStone's Chief Scientist Chet Hosmer]
• Where to find them
  – Neil Johnson's Steganography and Digital Watermarking web site
    • http://www.jjtc.com/Steganography/toolmatrix.htm
  – StegoArchive.com
  – Neil Johnson's Steganalysis web site
    • http://www.jjtc.com/Steganalysis/
Steganalysis Tools
• For our discussions, we will reference the following steganalysis and malware detection tools from Allen Corporation's WetStone Technologies
  – Stego Suite
  – Gargoyle
  – Live Wire Investigator
• Stego Suite
  – Stego Watch
    • Scan a file system and flag suspected files
    • Derived from WetStone's Steganography Detection and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory
    • Exposes an API for researchers and developers that allows for new research and steganography detectors
  – Stego Analyst
    • Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files
  – Stego Break
    • Obtain the pass phrase that has been used
• Gargoyle
  – Hostile program detector with steganography dataset
  – Malware tool discovery over the network
  – Target at computers where suspect files originated
Known Methods of Steganography
[Diagram of known methods, grouped under Substitution, Modification and Appending: Covert Channels; Color Palette Modification; 24-Bit LSB Encoding; Palette Encoding Algorithm; Formatting Modification; Word Substitution; Data Appending]
Least Significant Bit Encoding
• This is the most common steganographic method used with audio and image files
• Used to overwrite
  – Legitimate RGB color codings or palette pointers in GIF and BMP files
  – Coefficients in JPEG files
  – Pulse Code Modulation in WAV files
[Diagram: LSB Substitution - Individual Colors, Before and After, Combined Color]
  Before:
    RED   0 1 0 1 1 0 1 0
    GREEN 1 1 0 0 0 1 1 1
    BLUE  1 1 1 0 0 0 0 0
  After: the last (least significant) bit of each channel is replaced by one payload bit.
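Added example, not code from the slides or from Stego Suite: LSB substitution over the RED/GREEN/BLUE values shown above, the matching extractor, and the "pair of values" chi-square check (Westfeld and Pfitzmann) that a steganalysis tool runs to spot it. The 2-byte length prefix and the pixel-list representation are this example's own conventions.

```python
# Added example (not from the slides): LSB substitution on the RGB values from
# the slide, plus the pair-of-values chi-square statistic that reveals it.
from collections import Counter

# The slide's "Before" channel values: RED 01011010, GREEN 11000111, BLUE 11100000.
SLIDE_PIXEL = (0b01011010, 0b11000111, 0b11100000)

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(pixels, payload: bytes):
    """Overwrite the least significant bit of successive colour channels with the
    payload bits. A 2-byte big-endian length prefix lets the extractor stop."""
    bits = list(_bits(len(payload).to_bytes(2, "big") + payload))
    if len(bits) > 3 * len(pixels):
        raise ValueError("carrier too small for payload")
    out, k = [], 0
    for r, g, b in pixels:
        px = []
        for ch in (r, g, b):
            if k < len(bits):
                ch = (ch & 0xFE) | bits[k]   # only the LSB changes: at most +/-1
                k += 1
            px.append(ch)
        out.append(tuple(px))
    return out

def lsb_extract(pixels) -> bytes:
    """Read the LSB plane back: length prefix first, then that many bytes."""
    bits = [ch & 1 for px in pixels for ch in px]
    def byte_at(n):
        return int("".join(str(x) for x in bits[8 * n:8 * n + 8]), 2)
    length = (byte_at(0) << 8) | byte_at(1)
    return bytes(byte_at(2 + n) for n in range(length))

def pov_chi_square(pixels) -> float:
    """Pair-of-values statistic. Values 2k and 2k+1 differ only in their LSB;
    embedding near-random payload bits roughly equalises their counts, so the
    statistic drops sharply on an embedded image compared with the clean cover."""
    counts = Counter(ch for px in pixels for ch in px)
    stat = 0.0
    for even in range(0, 256, 2):
        a, b = counts[even], counts[even + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat

if __name__ == "__main__":
    cover = [SLIDE_PIXEL] * 60          # constructed flat carrier, 180 channels
    stego = lsb_embed(cover, b"\xaa" * 16)
    print(lsb_extract(stego))
    print(pov_chi_square(cover), pov_chi_square(stego))
```

On a real image the statistic is evaluated over successive blocks of the file; a flat 0.5 LSB proportion from the first block onward is the signature of sequential embedding.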
Adding a Payload to a Carrier
Steganalysis
Image Filtering
Implementation – Policy & Procedure
• Use of these capabilities is driven by risk assessment and Acceptable Use Policy
  – High risk
    • E.G., Government Classified, Corporate Legal, Research Lab
    • Policy – Not Allowed
    • Technical Action – Block, Archive, Examine Content, Scan Source Computer
    • Personnel Action – Possible Termination
  – Medium Risk
    • E.G., Human Resources, Contracts, Software Development
    • Policy – Not Allowed
    • Technical Action – Log, Archive, Spot Investigations
    • Personnel Action – Possible Termination
Implementation - Technology
• DLP
  – Detect movement of potential carriers
  – Copy to DLP archive
• Steganography scan
  – Stego Suite
  – Examine files for potential covert content
• Malware tools scan
  – Gargoyle
  – Scan source workstations
• Live Investigator
  – Consolidate findings into forensic documentation package
DLP Configuration
• Technology implementation should always be derived from security policies and procedures
• Classified environment
  – Block and archive everything
• Pharmaceutical company
  – Research area
    • Block and archive
  – Legal department
    • Log and archive
  – All other areas
    • Log only
DLP Architecture
[Diagram: Policy set in ePO server to archive evidence files; Policy on endpoints captures evidence files; Evidence files collected in archive for steganalysis]
Steganography Scan Configuration
• Scan image files in evidence archive
  – Identify images as possible Steganography carriers
• Identify workstations where images originated
  – Scan workstations for steganography tools
  – Possibly scan for other malware tools
• Initiate personnel actions, as necessary
  – Capture evidence as part of forensic investigation
• Continue digital investigation
  – Examine suspect files
  – Attempt to extract payload
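Added example, not code from the slides or from Stego Suite: one check an evidence-archive scan can run over copied carrier files, namely whether bytes follow the image's real end marker (the "Data Appending" method from the known-methods list). The JPEG walker follows the segment structure rather than searching for FF D9, because EXIF thumbnails and appended data can contain that byte pair too; the sample files are constructed for the example and are not real evidence.

```python
# Added example (not from the slides): flag archive files with data appended
# after the image's end-of-file structure.

def jpeg_eoi_offset(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking JPEG segments
    (skipping entropy-coded data, where FF 00 and FF D0..D7 are legal)."""
    i = 2                                   # skip SOI
    while i + 1 < len(data):
        if data[i] != 0xFF:
            return -1
        marker = data[i + 1]
        if marker == 0xD9:                  # EOI
            return i + 2
        if marker == 0xFF:                  # fill byte
            i += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone
            i += 2
            continue
        if i + 4 > len(data):
            return -1
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")      # length incl. itself
        if marker == 0xDA:                  # SOS: skip scan data to next marker
            while i + 1 < len(data) and not (
                data[i] == 0xFF and data[i + 1] != 0x00
                and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return -1

def png_iend_offset(data: bytes) -> int:
    """Offset just past the IEND chunk (length, type, data, CRC)."""
    i = 8                                   # skip signature
    while i + 8 <= len(data):
        length = int.from_bytes(data[i:i + 4], "big")
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    return -1

def trailing_bytes(data: bytes) -> int:
    """Bytes after the end marker; -1 if not a parseable JPEG/PNG carrier."""
    if data.startswith(b"\xff\xd8\xff"):
        end = jpeg_eoi_offset(data)
    elif data.startswith(b"\x89PNG\r\n\x1a\n"):
        end = png_iend_offset(data)
    else:
        return -1
    return -1 if end < 0 else len(data) - end

def scan_archive(files: dict) -> dict:
    """{name: trailing byte count} for every archive file carrying appended data."""
    findings = {}
    for name, data in files.items():
        n = trailing_bytes(data)
        if n > 0:
            findings[name] = n
    return findings

# Constructed samples (not real evidence): a minimal JPEG whose scan data holds
# FF 00 and FF D0, and a minimal PNG with a dummy IHDR CRC and the real IEND CRC.
CLEAN_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x06JFIF"
              + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
              + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"SECRET"
CLEAN_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13
             + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x00IEND\xaeB`\x82")
STEGO_PNG = CLEAN_PNG + b"\xde\xad\xbe\xef"

if __name__ == "__main__":
    print(scan_archive({"a.jpg": CLEAN_JPEG, "b.jpg": STEGO_JPEG, "c.png": STEGO_PNG}))
```

A hit only says the file does not end where the format says it should; the trailing bytes still need to be examined (they may be a legitimate vendor trailer), and LSB-style embedding leaves no trailer at all, so this check complements rather than replaces statistical tests.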
Steganography Scan Architecture
[Diagram: Scan image files in evidence archive; Scan workstations for malware tools; Capture evidence as part of forensic investigation]
Evidence Archive Scan
Suspect Workstation Scan
Future – Stego Stomping
• Server-level technology to filter outgoing e-mail
• Modify all files to corrupt potential payload but leave carrier essentially intact
  – Essentially apply a randomized stego payload to every outgoing image
• Proven for JPG formats
  – Other formats in development
Want to Learn More?
• Classes
  – Steganography Investigator Training
    • November 11 - 12, 2008 - Fairfax, VA
    • December 10 - 11, 2008 - Online
  – Live Investigator Training
    • October 24 - 25, 2008 - Gaithersburg, MD
  – Hacking BootCamp for Investigators
    • October 23 - 25, 2008 - Gaithersburg, MD
    • November 18 - 21, 2008 - Vancouver, BC
    • December 16 - 18, 2008 - Houston, TX
Contact Us
Corporate Headquarters:
Allen Corporation of America Inc.
10400 Eaton Place, Suite 450
Fairfax, VA 22030
(866) HQ-ALLEN / (866) 472-5536
Bill Fanelli 571-321-1648 - [email protected]
Carlton Jeffcoat 571-321-1641 - [email protected]
www.AllenCorp.com
www.WetStoneTech.com - A wholly owned subsidiary of Allen Corporation
Stego Suite™
Discovering The Hidden
Digital Investigation Products
Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.
Free software maintenance for one year from the date of purchase!
Key Features:
▫ Rapid identification of known steganography programs
▫ Flag suspicious files through blind anomaly-based approach
▫ State-of-the-art image and audio analyzer
▫ Crack and extract payloads from carrier files
▫ Court ready investigator reports
▫ Scan audio files, JPG, BMP, GIF, PNG and more
System Recommendations:
▫ Microsoft Windows® 98 ▫ 100 MB free disk space ▫ 512 MB RAM ▫ Pentium® III 1GHz processor
License:
▫ Single user license allows for installation of entire suite
▫ Site licenses are available upon request
Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence
Stego Break™ Stego Watch™ Stego Analyst™
Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
1-877-WETSTONE · www.wetstonetech.com
Stego Hunter™
Copyright 2005-2008 WetStone Technologies All Rights Reserved
Gargoyle Investigator™ Enterprise Module
Enterprise Malware Investigation
Digital Investigation Products
Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target's activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.
Free software maintenance for one year from the date of purchase!
Key Features:
▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
▫ Dataset Creator™ - create and build your own categories for detection
▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
▫ Timestamped enterprise discovery reports for each target suspected
System Recommendations:
▫ Microsoft Windows® 2000 ▫ 230 MB free disk space ▫ 1 GB RAM ▫ Pentium® III 1GHz processor ▫ Gargoyle Investigator™ Forensic Pro
License:
▫ Enterprise license with 10 scan option, additional scans of 25, 50 and 100 are available
Internal
Investigation
Incident Response
Enterprise Reporting
Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
1-877-WETSTONE · www.wetstonetech.com
Copyright 2005-2008 WetStone Technologies All Rights Reserved
LiveWire Investigator™
On Demand Digital Investigation
Digital Investigation Products
LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.
Free software maintenance for one year from the date of purchase!
Key Features:
▫ Live forensic discovery and triage of 25 or more “Live” target systems simultaneously
▫ File system blueprinting
▫ Remote screenshots
▫ Live drive and device captures
▫ Physical and virtual memory imaging
▫ Integrated enterprise malware detection
▫ Automated timestamped audit trail
*Companion product LiveDiscover™
System Recommendations:
▫ Microsoft Windows® 2000 or higher ▫ 100 MB free disk space ▫ 128 MB RAM ▫ Pentium® III 1GHz processor
License:
▫ Single user license with the option to add up to 50 and 100 simultaneous scans
▫ Site licenses are available upon request
Live Forensics
Remote Malware Detection
eCrime
eDiscovery
Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
1-877-WETSTONE · www.wetstonetech.com Copyright 2005-2008 WetStone Technologies All Rights Reserved