Digital Forensics 2 (DFC721S)


Digital Forensics 2 (DFC721S)
Lecture 1: Steganography and Steganalysis
Presented by: J. Silaa, Lecturer, CS/FCI
Date: 17 July 2017
Based on Guide to Computer Forensics and Investigations, Fifth Edition

Objectives
- Early steganography
- Explain common data-hiding techniques: hiding entire partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using encryption, setting up password protection
- Steganalysis methods
- Chapter summary

Steganography and Steganalysis
- History: ancient Greek rulers hid messages by shaving a messenger's head and tattooing the message on the scalp (shave and tattoo)
- Steganography comes from the Greek for "hidden writing": hiding messages in such a way that only the intended recipient knows the message is there
- Steganalysis: the term for detecting and analyzing steganography files
- Digital watermarking: developed as a way to protect file ownership; usually not visible when used for steganography

Addressing Data-Hiding Techniques
- Data hiding: changing or manipulating a file to conceal information
- Techniques: hiding entire partitions, changing file extensions, setting file attributes to hidden, bit-shifting, using encryption, setting up password protection

Hiding Files by Using the OS
- One of the first techniques used to hide data: changing file extensions
- Advanced digital forensics tools check file headers (the signature bytes at the start of the file) and compare them with the file extension to verify that the extension is correct
- If there is a discrepancy, the tool flags the file as a possibly altered file
- Another hiding technique: selecting the Hidden attribute in a file's Properties dialog box
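The header-versus-extension check that the forensics tools above perform, as an added example (not code from the textbook or from any named tool). The signature table and the two sample files are constructed for the example; a real tool carries a far larger signature database.

```python
import os

# Constructed reference table: leading "magic" bytes for a few common types.
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".zip": [b"PK\x03\x04"],
    ".exe": [b"MZ"],
}

def identify_by_header(data: bytes) -> set:
    """Return every extension whose signature matches the start of the data."""
    return {ext for ext, sigs in SIGNATURES.items()
            if any(data.startswith(s) for s in sigs)}

def check_extension(name: str, data: bytes) -> str:
    """Compare the claimed extension with the header, as a forensic tool would."""
    ext = os.path.splitext(name)[1].lower()
    matches = identify_by_header(data)
    if not matches:
        return "unknown header"          # type not in the table: needs manual review
    if ext in matches:
        return "ok"
    return "mismatch: header looks like " + "/".join(sorted(matches))

# Constructed samples: a PNG stored under a .txt name, and an honest JPEG.
SAMPLES = {
    "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

def scan(samples: dict) -> dict:
    """Run the check over a name -> content mapping and collect the verdicts."""
    return {name: check_extension(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```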

Hiding Partitions
- With the Windows diskpart remove letter command you can unassign the partition's drive letter, which hides it from view in File Explorer
- To unhide it, use the diskpart assign letter command
- Other disk management tools: Partition Magic, Partition Master, and the Linux Grand Unified Bootloader (GRUB)

Hiding Partitions
- To detect whether a partition has been hidden, account for all disk space when examining an evidence drive
- Analyze any disk areas containing space you can't account for
- In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS
- Other forensics tools have their own methods of assigning drive letters to hidden partitions

Hiding Partitions: In-Class Activity
1. Start Disk Management (diskmgmt.msc) on your computer and take a closer look at your hard disk. Note the disk number and the partitions.
2. Start DiskPart and list the volumes: DISKPART> list volume
3. Select your disk: DISKPART> select volume 0
4. List all partitions: DISKPART> list partition
5. Select the hidden partition (see step 1): DISKPART> select partition 1
6. Show its details: DISKPART> detail partition
7. Assign a letter: DISKPART> assign
8. Remove the letter again: DISKPART> remove letter E
9. Check the result: DISKPART> list volume
Typing "assign" alone makes the system assign a drive letter automatically. Alternatively type assign letter E (if E is available).

Marking Bad Clusters
- A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters
- Involves using old utilities such as Norton DiskEdit, which can mark good clusters as bad clusters in the FAT table so the OS considers them unusable
- The only way they can then be accessed from the OS is by changing them back to good clusters with a disk editor
- DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media

Bit-Shifting
- Some users use a low-level encryption program that changes the order of binary data, making the altered data unreadable
- To secure a file, users run an assembler program (also called a "macro") to scramble the bits, then run another program to restore the scrambled bits to their original order (Practical Lab 1)
- Bit shifting changes data from readable text to data that looks like binary executable code
- WinHex includes a feature for shifting bits
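Bit-shifting as described above, carried out per byte, as an added example (not the textbook's or WinHex's own code). The scramble rotates every byte's bits by one position; the examiner-side check tries all eight rotation amounts and reports which ones turn the data back into readable text. The sample message is constructed.

```python
def rotate_left(data: bytes, n: int = 1) -> bytes:
    """Rotate the bits of every byte left by n positions (scramble)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def rotate_right(data: bytes, n: int = 1) -> bytes:
    """Inverse of rotate_left: rotate every byte right by n positions (restore)."""
    n %= 8
    return bytes(((b >> n) | (b << (8 - n))) & 0xFF for b in data)

def looks_like_text(data: bytes) -> bool:
    """Crude readability test: every byte is printable ASCII or common whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)

def try_unshift(data: bytes) -> list:
    """Examiner's check: which rotation amounts make the data readable again?"""
    return [n for n in range(8) if looks_like_text(rotate_right(data, n))]

# Constructed sample: a short readable message, scrambled by a 1-bit left rotation.
MESSAGE = b"Meet at the pier at 0900"
SCRAMBLED = rotate_left(MESSAGE, 1)

if __name__ == "__main__":
    print("scrambled:", SCRAMBLED.hex())
    print("readable as stored:", looks_like_text(SCRAMBLED))
    print("rotations that restore text:", try_unshift(SCRAMBLED))
    print("restored:", rotate_right(SCRAMBLED, 1))
```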

Understanding Steganalysis Methods
- One way to hide data is to use steganography tools; many are freeware or shareware and insert information into a variety of files
- If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file, cracking the encrypted message is extremely difficult
- Pretty Good Privacy (PGP): since encrypting an entire message with public-key cryptography can be time-consuming, PGP uses a faster symmetric algorithm to encrypt the message and then uses the recipient's public key to encrypt the shorter key that was used to encrypt the message

Understanding Steganalysis Methods
- Stego-only attack: used when only the suspected stego file is available; the most difficult case, since no comparative analysis is possible
- Known cover attack: used when both the cover media (the original file without stego content) and the stego media are available; comparing them to identify the pattern used to hide the message is possible
- Known message attack: used when a hidden message is revealed later; uses comparative analysis and takes less effort to decipher

Understanding Steganalysis Methods
- Chosen stego attack: used when the stego tool and the stego media are known; with the tool known, password/passphrase recovery techniques are possible
- Chosen message attack: used to identify the corresponding patterns a tool leaves in stego media; the analyst creates stego media, analyzes them to determine the data configurations the tool produces, and uses the configuration obtained to compare with the suspected stego media
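A known cover attack on simple least-significant-bit (LSB) embedding, as an added example (not code from the textbook or from any steganography tool). The cover "pixels" and the message are constructed; comparing cover and stego media byte by byte shows that only bit plane 0 changed, which is the pattern an analyst would look for before extracting the payload.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits (after a 16-bit length prefix) into the LSB of each cover byte."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)

def known_cover_attack(cover: bytes, stego: bytes) -> dict:
    """Compare cover and stego media: how many bytes changed and in which bit planes."""
    changed = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    planes = set()
    for i in changed:
        diff = cover[i] ^ stego[i]
        planes |= {b for b in range(8) if (diff >> b) & 1}
    return {"changed": len(changed), "bit_planes": sorted(planes),
            "lsb_only": planes <= {0}}

def extract_lsb(stego: bytes) -> bytes:
    """Recover the payload once the LSB pattern has been confirmed."""
    bits = [b & 1 for b in stego]
    length = int("".join(map(str, bits[:16])), 2)
    body = bits[16:16 + 8 * length]
    return bytes(int("".join(map(str, body[i:i + 8])), 2)
                 for i in range(0, len(body), 8))

# Constructed cover: 256 pseudo-random "pixel" bytes from a fixed seed.
_rng = random.Random(1)
COVER = bytes(_rng.randrange(256) for _ in range(256))
MESSAGE = b"meet at dawn"

if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    print(known_cover_attack(COVER, stego))   # expect bit_planes == [0]
    print(extract_lsb(stego))
```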

Examining Encrypted Files
- To decode an encrypted file, users supply a password or passphrase
- Many encryption programs use a technology called "key escrow", designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure
- Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology
- Key escrow (also known as a "fair" cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys

Recovering Passwords
- Password-cracking tools are available for handling password-protected data or systems; some are integrated into digital forensics tools
- Stand-alone tools: Last Bit, AccessData PRTK, ophcrack, John the Ripper, Passware

Recovering Passwords
- Brute-force attacks: use every possible letter, number, and character found on a keyboard; this method can require a lot of time and processing power
- Dictionary attack: uses common words found in the dictionary and tries them as passwords; most use a variety of languages

Recovering Passwords
- With many programs, you can build profiles of a suspect to help determine his or her password
- Many password-protected OSs and applications store passwords in the form of MD5 or SHA hash values
- A brute-force attack then requires converting each candidate password from plaintext to a hash value, which costs additional CPU cycle time
- SHA-256 cryptographic hash algorithm: a cryptographic hash (sometimes called a 'digest') is a kind of 'signature' for a text or a data file; SHA-256 generates an almost-unique 256-bit (32-byte) signature for a text
- A message digest is the output of a cryptographic hash function: a string of digits created by a one-way hashing formula. Message digests are designed to protect the integrity of a piece of data or media, detecting changes and alterations to any part of a message
- An MD5 hash is always 128 bits; encoded as a hexadecimal string (4 bits per character) it is 32 characters long
- MD5 is not encryption: you cannot in general "decrypt" an MD5 hash to get the original string

Recovering Passwords
- Rainbow table: a file containing the hash values for every possible password that can be generated from a computer's keyboard; no conversion is necessary at lookup time, so it is faster than a brute-force or dictionary attack (see http://project-rainbowcrack.com/table.htm)
- A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes; tables are usually used to recover a plaintext password up to a certain length consisting of a limited set of characters
- Salting passwords: altering the password by adding extra bits before hashing; this makes cracking passwords more difficult (especially with brute force), because precomputed tables no longer apply
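Why salting defeats a precomputed table, as an added example (not code from the textbook or from RainbowCrack). A real rainbow table compresses its precomputation into hash/reduce chains; this example uses a plain hash-to-plaintext lookup table, which shows the same cost model: an unsalted SHA-256 hash is found with one dictionary lookup, while a salted one forces the work to be redone per salt. The word list, stored hashes and salt are constructed.

```python
import hashlib
import os

# Constructed word list standing in for a dictionary file.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "summer2017"]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_lookup_table(words) -> dict:
    """Precompute hash -> plaintext once; reusable against any unsalted SHA-256 store."""
    return {sha256_hex(w.encode()): w for w in words}

def table_lookup(table: dict, digest_hex: str):
    """Constant-time dictionary probe: no hashing happens at lookup time."""
    return table.get(digest_hex)

def salted_hash(password: str, salt: bytes) -> str:
    """Defender's storage form: hash(salt || password), salt stored beside the digest."""
    return sha256_hex(salt + password.encode())

def salted_dictionary_check(words, salt: bytes, digest_hex: str):
    """With a salt, every candidate must be re-hashed for this salt.
    Returns (match_or_None, number_of_hashes_computed) to make the cost visible."""
    computed = 0
    for w in words:
        computed += 1
        if salted_hash(w, salt) == digest_hex:
            return w, computed
    return None, computed

# Constructed "stored" credentials for the same password, unsalted and salted.
UNSALTED_STORED = sha256_hex(b"dragon")
SALT = bytes.fromhex("a3f1c0d9e8b7665544332211ffeeddcc")   # constructed 16-byte salt
SALTED_STORED = salted_hash("dragon", SALT)

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", table_lookup(table, UNSALTED_STORED))   # dragon
    print("salted lookup:  ", table_lookup(table, SALTED_STORED))     # None
    print("salted recheck: ", salted_dictionary_check(WORDLIST, SALT, SALTED_STORED))
    print("fresh random salt example:", os.urandom(16).hex())
```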

Summary
- Many data-hiding techniques exist
- Three ways to recover passwords: dictionary attacks, brute-force attacks, rainbow tables
- Various steganalysis methods exist for detecting and analyzing steganography files