STEGANOGRAPHY STEGANALYSIS & CRYPTANALYSIS
STEGANOGRAPHY
A Picture Speaks A Thousand Words!
�What Is Steganography ?
Greek Words:
q
STEGANOS Covered GRAPHIEWriting
Since Everyone Can Read, Encoding Text In Neutral Sentences Is Doubtfully Effective Since Everyone Can Read, Encoding Text In Neutral Sentences Is Doubtfully Effective
Steganography is the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.
This can be achieve by concealing the existence of information within seemingly harmless carriers or cover
Carrier: text, image, video, audio, etc.
Secret inside
�History of S T E G A N O G R A P H Y
Steganography ancient origins can be traced back to 440 BC, from the Histories of Herodotus Histiaeus, who shaved the head of his most trusted slave and tattooed a message on it. After his hair had grown the message was hidden. The purpose was to instigate a revolt against the Persians. Use of Invisible inks -- using milk, fruit juice or urine which darken when heated. Null ciphers (unencrypted messages): Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by products, ejecting suet and vegetable oils. Microdot Technology Shrinking messages down to the size of a dot became a popular method. Since the microdot could be placed at the end of a sentence or above a j or an i.
�STEGANOGRAPHY
Modern Digital Steganography
Data is encrypted Then inserted and hidden, using a special algorithm which may add and/or modify the contents of the file This technique may simply append the data to the file, or disperse it throughout Carefully crafted programs apply the encrypted data such that patterns appear normal.
�MODERN STEGANOGRAPHY TECHNIQUES
Masking and Filtering is where information is hidden inside of a image using digital watermarks that include information such as copyright, ownership, or licenses. The purpose is different from traditional Steganography since it is adding an attribute to the cover image thus extending the amount of information presented. Algorithms and Transformations: This technique hides data in mathematical functions that are often used in compression algorithms. The idea of this method is to hide the secret message in the data bits in the least significant coefficients. Least Significant Bit Insertion: The most common and popular method of modern day Steganography is to make use of the LSB of a pictures pixel information. Thus the overall image distortion is kept to a minimum while the message is spaced out over the pixels in the images. This technique works best when the image file is larger then the message file and if the image is grayscale.
�Basics of Modern S T E G A N O G R A P H Y
fE: Steganography function "embedding" fE-1: Steganography function "extracting" cover: cover data in which emb will be hidden emb: message to be hidden key: parameter of fE stego: cover data with the hidden message
�STEGANOGRAPHY
Carrier Files:
Text Files
Image Files(.jpeg, .jpg, .gif, .jiff, .bmp, .png etc.)
Audio Files (.mp3, .wma, .flac, .aac, .amr, .wav, .ogg, .mp2 etc.)
Video Files (.mp4, .avi, .3gp, .divX, .wmv, .mkv, .vob, .mov, .mpg etc.)
�STEGANOGRAPHY
ADVANTAGES IT CAN BE USED FOR SAFEGUARDING DATA, SUCH AS IN THE FIELD OF MEDIA WHERE COPYWRITING ENSURES AUTHENTICITY.
IT CAN BE USED BY INTELLIGENCE AGENCIES FOR SENDING THEIR SECRET DATA.
DISADVANTAGES MANY A TERRORIST AND ANTI HUMANIST ACTIVITIES HAVE BEEN CARRIED OUT CLOAKED UNDER THIS TECHNIQUE.
�STEGANALYSIS
The detection of Steganographically encoded packages is called Steganalysis. Visual/Audible Analysis tries to reveal the presence of secret communication through inspection, either with the naked eye or with the assistance of a computer.
Statistical (Algorithmic) Analysis changes in patterns of the pixels or LSB or Histogram Analysis.
Structural Detection - View file properties/contents, size difference, date/time difference, contents modifications, checksum
�STEGANALYSIS
v
Steganalysis essentially deals with the detection of hidden content. How is this meaningful???
By identifying the existence of a hidden message, perhaps we can identify the tools used to hide it. If we identify the tool, perhaps we can use that tool to extract the original message.
�STEGANALYSIS-Methods of Detection
Categories
Anomaly Histogram analysis Change in file properties Statistical Attack Visually Audible Signature A pattern consistent with the program used
�Anomaly Visual Detection
Detecting Steganography by viewing it
Can you see a difference in these two pictures? (I cant!)
�Anomaly - Histogram Analysis
Histogram analysis can be used to possibly identify a file with a hidden message
�Anomaly - Histogram Analysis
By comparing histograms, we can see this histogram has a very noticeable repetitive trend.
�Anomaly Analysis - Compare file properties
Compare the properties of the files Properties 04/04/2003 05:25p 240,759 helmetprototype.jpg 04/04/2003 05:26p 235,750 helmetprototype.jpg Checksum C:\GNUTools>cksum a:\before\helmetprototype.jpg 3241690497 240759 a:\before\helmetprototype.jpg
�File Signatures
HEX Signature
FF D8 FF E0 xx xx 4A 46 49 46 00 47 49 46 38 37 61 47 49 46 38 39 61 42 4D BMP
File Extension
JPEG (JPEG, JFIF, JPE, JPG) GIF
ASCII Signature
..JFIF. GIF87a GIF89a BM
For a full list see:
www.garykessler.net/library/file_sigs.html
�Steganalysis Analyzing contents of file
If you have a copy of the original (virgin) file, it can be compared to the modified suspect/carrier file Many tools can be used for viewing and comparing the contents of a hidden file. Everything from Notepad to a Hex Editor can be used to identify inconsistencies and patterns Reviewing multiple files may identify a signature pattern related to the Steganography program
�Steganalysis Analyzing contents of file
Helpful analysis programs WinHex www.winhex.com
Allows conversions between ASCII and Hex Allows comparison of files
Save comparison as a report Search differences or equal bytes
Contains file marker capabilities Allows string searches both ASCII and Hex Many, many other features
�Hiderman Case Study
Lets examine a slightly sophisticated stego program Hiderman
�Hiderman Case Study
After hiding a message with Hiderman, we can review the file with our
favorite Hex Tool.
Viewing the Header information (beginning of the file) we see that its a
Bitmap as indicated by the BM file signature
Click to edit Master text styles Second level Third level Fourth level Fifth level
�Hiderman Case Study
We then view the end of the file, comparing the virgin file to the carrier file Note the data appended to the file (on the next slide)
�Hiderman Case Study
Click to edit Master text styles Second level Third level Fourth level Fifth level Click to edit Master text styles Second level Third level Fourth level Fifth level
�Hiderman Case Study
Hiding different messages in different files with different
passwords, we see that the same three characters (CDN) are appended to the end of the file.
Signature found.
Click to edit Master text styles Second level Third level Fourth level Fifth level
�Steganalysis Stegspy V2.0
Stegspy V2.0 Signature identification program Searches for stego signatures and determines the program used to hide the message Identifies 13 different Steganography programs Identifies location of hidden message
�Steganalysis meets Cryptanalysis
Revealing hidden files
�Steganalysis meets Cryptanalysis
Cryptanalysis As stated previously, in Steganography the goal is to hide the message, NOT encrypt it Cryptography provides the means to encrypt the message. How do we reveal the hidden message?
�Steganalysis meets Cryptanalysis
Knowing the Steganography program used to hide the message can be extremely handy when attempting to reveal the actual hidden message
Identifying and cracking the algorithm Unfortunately, some of these programs use strong encryption 128-bit or stronger GOOD LUCK!
Reveal or Crack the password, seed, or secret key Practically all Steganography programs use a password to hide the message
�Cryptanalysis
Identify program used to hide message Identify the location of the program signature in the file Identify the location of the password in the file Identify location of the hidden message in the file Identify the algorithm used to encrypt the hidden message
�Cryptanalysis Password Guessing
Password Guessing/Dictionary Attacks A few password guessing programs have been created. Stegbreak by Niels Provos, www.outguess.org J-Steg Can now be found on the Knoppix Penguin Sleuth forensics CD www.linux-forensics.com
�Anti-Forensics
Best Practices when using Steganography programs: Use a password different than your O/S password Delete original message once you have created a new image with the hidden message Remove the Steganography program after hiding the message OR run the Steganography program from a CD if possible. Use Alternate Data Streams
�Anti-Forensics Alternate Data Streams
Alternate Data Streams (NTFS) New Technology File System allows for Alternate Data Streams One file can be a link to multiple Alternate Data Streams of files of any size. Important Note! These Alternate Data Streams are Hidden! Allows for hiding of files and even directories! Difficult to detect
Doesnt show up when you run c:\dir
�Anti-Forensics Alternate Data Streams
Alternate Data Streams C:\notepad mike.txt:mikehidden.txt This allows mikehidden.txt to be a hidden ADS C:\dir 12/09/2011 PM 06:47 0 mike.txt
Notice no indication of mikehidden.txt Although a message was saved in the mikehidden.txt, the mike.txt shows 0 bytes!
�Anti-Forensics Alternate Data Streams
Alternate Data Streams can be used to hide private files, viruses and Trojans!
Anti-Virus/Anti-Trojan Test - Does your scanner pass the test? Theres a small utility MakeStream, that can be used to move a virus or Trojan to a hidden Alternate Data Stream attached to an innocent text file! For example, if you ran makestrm.exe c:\test.exe, the file contents of c:\test.exe would be moved into c:\test.exe:StreamTest (an Alternate Data Stream), and the original file contents are then over-written with a simple message reminding you about the linked stream. Many commercials scanners do not identify viruses and trojans hidden in ADSs!
http://www.diamondcs.com.au/web/streams/streams.htm
�Forensics
If performing Forensics and discover a potentially stega-nized file: Look for evidence of Steganography programs on the computer Leverage other O/S and application passwords found on the machine, this may also be the password used to hide the message Look for other hints such as a password written down on a note, letters, diaries, etc. For more info please see Electronic Crime Scene Investigation A Guide for First Responders, U.S. Dept of Justice
�Forensics Alternate Data Streams
Tools for Detecting Alternate Data Streams
LNS www.ntsecurity.nu LADS - www.heysoft.de NTFS ADS Check - www.diamondcs.com.au
Click to edit Master text styles Second level Third level Fourth level Fifth level
�Question and Answer
