CSE6273 Data Recovery Hiding
Transcript of CSE6273 Data Recovery Hiding
-
8/11/2019 CSE6273 Data Recovery Hiding
1/46
1
Intro to Cyber Crime and Computer Forensics
CSE 4273/6273, March 18, 2013
MISSISSIPPI STATE UNIVERSITY, DEPARTMENT OF COMPUTER SCIENCE
-
Data Recovery
Forensics without the legal junk! Data is lost for some reason:
  Intentional
    Data deleted: disgruntled employee; hacker trying to cover tracks
    Device destroyed
  Unintentional
    Head crash
    Oops, my bad!
-
Data Recovery Techniques
  Disk editor: look at metadata and try to discover the location of deleted data
  Forensics software: FTK, FTK Imager, EnCase, Autopsy
-
Data Hiding
  Obfuscating data: the existence of the data is easy to see, but it is difficult to determine what it is.
  Hiding data: the existence of the data is hidden.
  Blinding the investigator: data not hidden, but normal tools are not able to detect it, because they have been modified.
-
Obfuscating Data
  Encryption: hides through changing the data according to some algorithm. In order to see it, you must decrypt it.
  Compression: hides through removing extraneous information in the file, thus making it unreadable and unsearchable. There are very good decompression programs.
-
Hiding Data
  In plain sight: shows up in the directory listing, but not as what you are looking for (change the file extension).
  Within the file system, in a file: steganography; invisible names; misleading names; obscure names; no names.
-
Continued
  Within the file system, but not in a file: slack space; free space; swap space.
  Outside the computer: SD cards; CDs/DVDs; Zip disks; thumb drives.
-
How to beat it?
  In plain sight: find the file signature and determine the type of the file.
  Within the file system, in a file:
    Steganography: locate, then crack.
    Invisible, misleading, or obscure names: a keyword search on the file system will find the file.
    No names: peculiar to Unix and zero-link files. You must locate the files before shutting down the system, or they will be lost.
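A signature check for the "in plain sight" case above, added here as an example and not part of the slides: it identifies a file by its leading bytes and flags files whose extension disagrees. The signature table, the helper names and the sample inputs are my own (the WAV rule checks two offsets, which is why entries are lists of parts).

```python
"""Identify a file by its signature (magic bytes), not by its extension (added example)."""
import os

# (type, [(offset, bytes that must appear there), ...]); all parts must match.
SIGNATURES = [
    ("GIF image", [(0, b"GIF87a")]),
    ("GIF image", [(0, b"GIF89a")]),
    ("BMP image", [(0, b"BM")]),
    ("JPEG image", [(0, b"\xff\xd8\xff")]),
    ("PNG image", [(0, b"\x89PNG\r\n\x1a\n")]),
    ("WAV audio", [(0, b"RIFF"), (8, b"WAVE")]),
    ("ZIP archive (also DOCX/XLSX/JAR)", [(0, b"PK\x03\x04")]),
    ("PDF document", [(0, b"%PDF")]),
]
# What a given extension claims the file is.
EXTENSION_CLAIMS = {"gif": "GIF image", "bmp": "BMP image", "jpg": "JPEG image",
                    "jpeg": "JPEG image", "png": "PNG image", "wav": "WAV audio",
                    "zip": "ZIP archive (also DOCX/XLSX/JAR)", "pdf": "PDF document"}


def identify(header: bytes) -> str:
    """Return the first signature that matches `header`, or 'unknown'."""
    for name, parts in SIGNATURES:
        if all(header[off:off + len(magic)] == magic for off, magic in parts):
            return name
    return "unknown"


def check(filename: str, header: bytes) -> dict:
    """Compare what the bytes say with what the extension claims."""
    actual = identify(header[:16])
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    claimed = EXTENSION_CLAIMS.get(ext, "unknown")
    # A known type under an unrelated extension (a GIF named .txt) is worth a second look.
    return {"file": filename, "signature": actual, "extension_claims": claimed,
            "mismatch": actual != claimed}


def scan_tree(root: str) -> list:
    """Walk a directory and report every file whose extension disagrees with its bytes."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            with open(os.path.join(dirpath, name), "rb") as fh:
                result = check(name, fh.read(16))
            if result["mismatch"]:
                findings.append(result)
    return findings
```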
-
Blinding the Investigator
Data not hidden, but the tools used to view the system are modified to not see suspect data.
  Changing system commands: changing DIR or ls to not see certain kinds of files; modifying Windows apps like My Computer.
  Modifying the operating system: changing the operating system to not look at certain areas of the disk, except under certain circumstances (rootkits).
-
How to beat it?
  Changing behavior of the system commands: reload the system commands, or move the data to a new system. Compare hash values of known system files.
  Changing behavior of the operating system: ditto.
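A baseline-hash check for the "compare hash values of known system files" step, added here as an example and not part of the slides. The function names are mine, and the directory layout, file names and contents in demo() are constructed; a real baseline comes from trusted media or a reference hash set, never from the suspect machine.

```python
"""Verify system tools against a known-good hash baseline (added example)."""
import hashlib
import json
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hash a file in 64 KiB chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str, names) -> dict:
    """Hash the listed tools from a trusted copy of the system (clean media, not the suspect box)."""
    return {name: sha256_file(os.path.join(root, name)) for name in names}


def verify(root: str, baseline: dict) -> dict:
    """Classify each baselined tool under `root` as ok, MODIFIED or MISSING."""
    status = {}
    for name, known_hash in baseline.items():
        path = os.path.join(root, name)
        if not os.path.isfile(path):
            status[name] = "MISSING"
        else:
            status[name] = "ok" if sha256_file(path) == known_hash else "MODIFIED"
    return status


def demo() -> dict:
    """Constructed scenario: a trusted tree, and a suspect tree where ls differs and ps is gone."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, suspect = os.path.join(tmp, "trusted"), os.path.join(tmp, "suspect")
        for root in (trusted, suspect):
            os.makedirs(root)
            for name in ("ls", "dir", "ps"):
                with open(os.path.join(root, name), "wb") as fh:
                    fh.write(b"stand-in bytes for " + name.encode())
        with open(os.path.join(suspect, "ls"), "wb") as fh:
            fh.write(b"different bytes: this copy of ls was replaced")  # constructed
        os.remove(os.path.join(suspect, "ps"))
        baseline = build_baseline(trusted, ["ls", "dir", "ps"])
        stored = json.dumps(baseline, indent=2)  # what you would keep offline
        return verify(suspect, json.loads(stored))
```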
-
Steganography
  Means "covered or hidden writing".
  Process of hiding a message in an appropriate carrier (image, audio, or video).
  Prevents anyone else from knowing that a message is being sent.
  Used by civil rights organizations & terrorists.
-
History of Steganography
  First used by Greek historian Herodotus: text was written on tablets covered with wax; upon delivery the wax would be melted.
  Also, slaves could be shaved and tattooed; after the hair grew out, the message could not be seen.
-
Computer Steganography
  Changes are made to digital carriers (images or sounds). The changes represent the hidden image. Successful if not noticeable.
  Emphasis on detecting hidden communications has become an important area since 9/11.
-
Steganography vs. Watermarking
  Steganography: the message that we are hiding is a secret; not generally related to what we hide it in.
  Watermarks: the message that we are hiding might not be a secret (might not even be hidden); does relate to what we put it in. Ex. hold a $20 bill up to the light to see the watermark (authenticity); company logos (ownership).
-
Various techniques in Steganography
  Many approaches to hide data in a file.
  Embedded bits can be inserted in any place or in any order.
  Areas that are less detectable or dispersed throughout the cover file are suitable.
  Selection of the cover medium will improve the steganography.
-
Various techniques in Steganography
  Substitution is the naive approach to this problem: it replaces cover file bits with embedded file bits.
  Replacing certain cover file bits is detectable, so careful selection of bits in the cover file is important.
-
Types of digital carriers
Common ways of hiding data:
  Data may be embedded in files as noise.
  Properties of images (luminance, contrast and color) can be manipulated.
  Audio files can be manipulated by introducing small echoes or slight delays. Signals can be masked with sounds of higher amplitude.
-
Types of digital carriers
Common ways of hiding data (contd.):
  Hidden in documents by manipulating the positions of lines or words.
  Messages can be retrieved, e.g., by taking the second letter of each word (null cipher).
  Web browsers ignore spaces, tabs, certain characters & extra line breaks.
-
Types of digital carriers
Common ways of hiding data (contd.):
  Unused/reserved space on a disk can be used: the OS allocates a minimum amount of space for a file and some of it goes unused.
  Unused space in file headers, TCP/IP packet headers.
  Spread spectrum techniques can be used by placing an audio signal over a number of different frequencies.
-
Image Structure and Image Processing: Digital Imaging
  Most common type of carrier used.
  Produced by camera/scanner or other devices. Approximation of the original image.
  The system producing the image focuses a two-dimensional pattern of varying light intensity and color onto a sensor.
-
Image Structure and Image Processing: Digital Imaging
  Pattern has a coordinate system: origin at the upper left hand corner; pattern described by a function f(x, y).
  Image can be described as an array of numbers which represents light intensities at various points. The light intensities are called pixels.
-
Image Structure and Image Processing: Digital Imaging
  Size of the image given in pixels, e.g. 640 x 480 (contains 307,200 pixels).
  Spatial resolution of an image is the physical size of the pixel in the image.
  Pixels are indexed by X & Y coordinates.
  Spatial frequency: rate of change of the f(x, y) value as we move across the image.
-
Image Structure and Image Processing: Digital Imaging
  Gradual changes in f(x, y) correspond to low spatial frequencies (coarsely sampled image).
  Rapid changes correspond to high spatial frequencies (must be represented by a densely sampled image).
  Dense sampling produces a high-resolution image (many pixels, each contributing a small part of the scene).
-
Image Structure and Image Processing: RGB Color Cube (figure)
-
Image Structure and Image Processing: RGB Color Cube
  Representing color by the relative intensity of the three colors: red, green & blue.
  Absence yields black (intersection of the 3 axes). Presence of all three colors yields white.
  Cyan: 100% blue & 100% green. Magenta: 100% blue & 100% red. Yellow: 100% green & 100% red.
-
Image Structure and Image Processing: RGB Color Cube
  Each RGB component is specified by a single byte (8 bits): color intensity 0-255.
  This 24-bit encoding supports 16,777,216 (2^24) colors. Each picture element (pixel) is encoded in 24 bits; called 24-bit true-color.
  Can be represented by 32 bits (extra bits: transparency, 0 (transparent) to 255 (opaque)).
  Some use 8-bit true-color.
-
Image Structure and Image Processing: RGB Color Cube
  Color palettes and 8-bit color are used with the Graphics Interchange Format (GIF) and Bitmap (BMP) image formats.
  The value of a pixel points to a color in the palette. When a GIF image is displayed, the software paints the color from the palette to the screen.
  Offers lossless compression because the image recovered after encoding and compression is bit-for-bit identical to the original image.
-
Digital Carrier methods
Common methods of digital carrier:
  Image and audio files are the easiest & most common carriers.
  Least significant bit substitution or overwriting: the most common method. The LSB term comes from the numeric significance of the bit position: MSB 2^8, LSB 2^0.
-
Digital Carrier methods
Simple method of hiding: hiding the character G across the following eight bytes of a carrier file (each byte is shown as its upper seven bits, a space, then its LSB).
Carrier bytes:
1001010 1   0000110 1   1100100 1   1001011 0   0000111 1   1100101 1   1001111 1   0001000 0
ASCII value of G is 71 (01000111). After writing those eight bits into the LSBs:
1001010 0   0000110 1   1100100 0   1001011 0   0000111 0   1100101 1   1001111 1   0001000 1
-
Digital Carrier methods
Simple method of hiding:
  The eight bits can be written to the LSB of each of the 8 carrier bytes. Only half of the bytes changed (in this case).
  LSB substitution can be used to overwrite RGB color encoding in GIF and BMP, or pulse code modulation in audio files.
  Changing the LSB changes the numeric value very little: least likely to be detected by the human eye.
-
Detecting Steganography
Detection and analysis should not result in destruction of the embedded message.
Types of analysis:
  Stego-only attack: only the stego-image is available for analysis.
  Known-cover attack: the original image is also available for analysis; color composition, luminance and pixel relationships are compared.
  Known-message attack: the hidden message is known; the goal is to locate the stego-image.
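The LSB example from the earlier slide (hiding G in eight carrier bytes) together with a known-cover attack and a stego-only attack from this slide, worked as added Python that is not part of the slides. The function names are mine, COVER/STEGO are constructed data, and the pair chi-square test goes beyond the slide: it is the classic stego-only check for sequential LSB substitution, which makes the value pairs (2k, 2k+1) equally frequent.

```python
"""LSB substitution plus two steganalysis checks (added example, not from the slides)."""
from collections import Counter

# The slide's eight carrier bytes (upper seven bits followed by the LSB).
CARRIER = bytes([0b10010101, 0b00001101, 0b11001001, 0b10010110,
                 0b00001111, 0b11001011, 0b10011111, 0b00010000])

def lsb_embed(carrier: bytes, message: bytes) -> bytes:
    """Write each message bit (MSB first) into the LSB of successive carrier bytes."""
    bits = [(b >> (7 - i)) & 1 for b in message for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small for message")
    out = bytearray(carrier)
    for j, bit in enumerate(bits):
        out[j] = (out[j] & 0xFE) | bit  # clear bit 0, then set it to the message bit
    return bytes(out)

def lsb_extract(stego: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the LSBs, MSB first."""
    bits = [b & 1 for b in stego[:length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

def known_cover_attack(cover: bytes, stego: bytes) -> dict:
    """Known-cover attack: diff the original carrier against the suspect file.
    LSB substitution touches only bit 0 and never moves a value by more than 1."""
    if len(cover) != len(stego):
        raise ValueError("cover and stego differ in length")
    changed = [(c, s) for c, s in zip(cover, stego) if c != s]
    bits = {i for c, s in changed for i in range(8) if (c ^ s) >> i & 1}
    return {"changed_bytes": len(changed),
            "max_delta": max((abs(c - s) for c, s in changed), default=0),
            "changed_bit_positions": bits}

def pair_chi_square(data: bytes) -> float:
    """Stego-only attack: a message in the LSBs makes the values 2k and 2k+1
    equally frequent, so this chi-square statistic falls toward 0."""
    counts, stat = Counter(data), 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected:
            stat += ((even - expected) ** 2 + (odd - expected) ** 2) / expected
    return stat

# Constructed cover with only even values, so every pair starts maximally unbalanced.
COVER = bytes(2 * k for k in range(8)) * 16
STEGO = lsb_embed(COVER, bytes(range(16)))
```

On the slide's bytes, known_cover_attack reports 4 changed bytes, a maximum delta of 1 and only bit position 0 touched; on the constructed COVER the statistic drops from 128 to 64 after embedding.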
-
Basic Principles of Steganography
Two principles:
  Digital files can be altered to a certain degree without losing functionality.
  Human senses are not acute enough to distinguish minor changes in altered files.
-
Masking
  Masking is another way used to conceal data.
  Definition: sound A interferes with (masks) sound B, with regard to audio files.
  Human perception is the key, as we are not able to pick up on the subtleties.
-
Forensics and Steganography
  The use of steganography toolkits can thwart the completion of a successful forensic analysis.
  The odds of finding every piece of potential evidence hidden within cover images are slim.
  Even if a stego file is found and the secret data is extracted successfully, what about encryption?
-
Forensics and Steganography
  As of today, few stego programs have been analyzed such that searching for file headers can be performed.
  Part of the problem is that some stego programs allow us to encrypt the header.
  Which stego program was used, and if encrypted, what is the stego key?
-
Detecting and cracking Steganography
  Reading and detecting covert files is a challenging task for forensic investigators.
  Steganalysts can join with cryptanalysts.
  Steganalysis is a time-consuming process.
  The forensic investigator should also track the original carrier file (host file).
-
Examples of Hiding data in various carriers
Hiding Burlington International Airport Map (figure)
-
Examples of Hiding data in various carriers (contd.)
A GIF carrier file containing the airport map (figure)
-
Examples of Hiding data in various carriers (contd.)
  Example employs Gif-it-Up, a Nelsonsoft program.
  Hides information using LSB substitution. Includes an encryption option.
  Original carrier (mall GIF): 632,778 bytes. Steganography file: 677,733 bytes.
-
Examples of Hiding data in various carriers (contd.)
A JPEG carrier file containing the airport map (figure)
-
Examples of Hiding data in various carriers (contd.)
  Method: JP Hide & Seek (JPHS) by Allan Latham.
  Hides information using LSB substitution. Blowfish crypto algorithm used for randomization and encryption.
  Original carrier: 207,244 bytes. Steganography file: 227,870 bytes.
-
Signal level comparisons between a WAV carrier file before (above) and after (below) insertion. (figure)
-
What Can Be Done?
  Use steganographic toolkits so that you become knowledgeable.
  Know what files are installed when a stego program is installed.
  Know what files (or registry keys) are left behind when a stego program is removed.
  You may get lucky and find that no encryption was applied.
-
(Cont.)
  Compare the cover file to the suspicious file, looking for distortions.
  Work with people who have analyzed stego tools, as these tools have unique characteristics.
-
Steganography: Good / Bad?
  Good: to hide watermarks.
    Authenticate information.
    Proves ownership ("my watermark, so mine").
    Copy control (bad for those who like free music from the internet).
  Bad: mostly used by terrorists.
-
Questions?