Presentation is loading. Please wait.

Presentation is loading. Please wait.

Digital Forensics 2 (DFC721S)

Published byMaximillian Byrd Modified over 6 years ago

Similar presentations

Presentation on theme: "Digital Forensics 2 (DFC721S)"— Presentation transcript:

1 Digital Forensics 2 (DFC721S)
Lecture1: Steganography and Steganalysis Presented by : J.Silaa Lecturer: CS/ FCI Date:17 July 2017 Based on Guide to Computer Forensics and Investigations, Fifth Edition

2 Objectives Early steganography Explain common data-hiding techniques
Hiding entire partitions Changing file extensions Setting file attributes to hidden Bit-shifting Using encryption Setting up password protection Steganalysis Methods Chapter Summary Guide to Computer Forensics and Investigations, Fifth Edition

3 Steganography and Steganalysis
History: Ancient Greek rulers –shave & tattoo Steganography - comes from the Greek word for “hidden writing” Hiding messages in such a way that only the intended recipient knows the message is there Steganalysis - term for detecting and analyzing steganography files Digital watermarking - developed as a way to protect file ownership Usually not visible when used for steganography Guide to Computer Forensics and Investigations, Fifth Edition

4 Addressing Data-Hiding Techniques
Data hiding - changing or manipulating a file to conceal information Techniques: Hiding entire partitions Changing file extensions Setting file attributes to hidden Bit-shifting Using encryption Setting up password protection Guide to Computer Forensics and Investigations, Fifth Edition

5 Hiding Files by Using the OS
One of the first techniques to hide data: Changing file extensions Advanced digital forensics tools check file headers Compare the file extension to verify that it’s correct If there’s a discrepancy, the tool flags the file as a possible altered file Another hiding technique Selecting the Hidden attribute in a file’s Properties dialog box Guide to Computer Forensics and Investigations, Fifth Edition

6 Hiding Partitions By using the Windows diskpart remove letter command
You can unassign the partition’s letter, which hides it from view in File Explorer To unhide, use the diskpart assign letter command Other disk management tools: Partition Magic, Partition Master, and Linux Grand Unified Bootloader (GRUB) Guide to Computer Forensics and Investigations, Fifth Edition

7 Hiding Partitions To detect whether a partition has been hidden
Account for all disk space when examining an evidence drive Analyze any disk areas containing space you can’t account for In ProDiscover, a hidden partition appears as the highest available drive letter set in the BIOS Other forensics tools have their own methods of assigning drive letters to hidden partitions Guide to Computer Forensics and Investigations, Fifth Edition

8 Hiding Partitions Guide to Computer Forensics and Investigations, Fifth Edition

9 Hiding Partitions Guide to Computer Forensics and Investigations, Fifth Edition

10 Hiding Partitions:In-Class Activity
Start Disk Management (diskmgmt.msc) number and the partitions. on your computer and take a closer look at your hard disk. Note the disk Start DiskPart and select your disk: DISKPART> list volume Start DiskPart and select your disk: DISKPART> Select Volume 0 List all partitions: DISKPART> list partition Now, select the hidden partition (see step 1) DISKPART> select partition 1 DISKPART>detail partition DISKPART>assign DISKPART> Remove letter E DISKPART>list volume Type “assign”: the system will assign a drive letter automatically. Alternatively type assign letter E (If E is available)

11 Marking Bad Clusters A data-hiding technique used in FAT file systems is placing sensitive or incriminating data in free or slack space on disk partition clusters Involves using old utilities such as Norton DiskEdit Norton DiskEdit Can mark good clusters as bad clusters in the FAT table so the OS considers them unusable Only way they can be accessed from the OS is by changing them to good clusters with a disk editor DiskEdit runs only in MS-DOS and can access only FAT-formatted disk media Guide to Computer Forensics and Investigations, Fifth Edition

12 Bit-Shifting Some users use a low-level encryption program that changes the order of binary data Makes altered data unreadable To secure a file, users run an assembler program (also called a “macro”) to scramble bits Run another program to restore the scrambled bits to their original order ( Practical Lab1) Bit shifting changes data from readable code to data that looks like binary executable code WinHex includes a feature for shifting bits Guide to Computer Forensics and Investigations, Fifth Edition

13 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition

14 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition

15 Bit-Shifting Guide to Computer Forensics and Investigations, Fifth Edition

16 Understanding Steganalysis Methods
A way to hide data is to use steganography tools Many are freeware or shareware Insert information into a variety of files If you encrypt a plaintext file with PGP and insert the encrypted text into a steganography file Cracking the encrypted message is extremely difficult Pretty Good Privacy. (PGP) Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Guide to Computer Forensics and Investigations, Fifth Edition

17 Understanding Steganalysis Methods
Stego-only attack used when only the file containing possible steganography file is available Most difficult since no comparative analysis possible Known cover attack Used when cover-media(original file without stego content) and stego-media are available Comparison to identify common pattern to decipher the message is possible Known message attack Used when a hidden message is reveled later Uses comparative analysis. Less effort to decipher Guide to Computer Forensics and Investigations, Fifth Edition

18 Understanding Steganalysis Methods
Chosen stego attack Used When stego Tool and Stego media are known With known tool password/passphrase recovery tech is possible Chosen message attack Used to identify corresponding patterns used in stego-media Creates stego-media ,analyzes them to determine data configurations Use the obtained configuration to compare with suspected stego-media Guide to Computer Forensics and Investigations, Fifth Edition

19 Examining Encrypted Files
To decode an encrypted file Users supply a password or passphrase Many encryption programs use a technology called “key escrow” Designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system failure Key sizes of 128 bits to 4096 bits make breaking them nearly impossible with current technology Key escrow (also known as a “fair” cryptosystem) is an arrangement in which the keys needed to decrypt encrypted data are held in escrow so that, under certain circumstances, an authorized third party may gain access to those keys. Guide to Computer Forensics and Investigations, Fifth Edition

20 Recovering Passwords Password-cracking tools are available for handling password-protected data or systems Some are integrated into digital forensics tools Stand-alone tools: Last Bit AccessData PRTK ophcrack John the Ripper Passware Guide to Computer Forensics and Investigations, Fifth Edition

21 Recovering Passwords Brute-force attacks Dictionary attack
Use every possible letter, number, and character found on a keyboard This method can require a lot of time and processing power Dictionary attack Uses common words found in the dictionary and tries them as passwords Most use a variety of languages Guide to Computer Forensics and Investigations, Fifth Edition

22 Recovering Passwords With many programs, you can build profiles of a suspect to help determine his or her password Many password-protected OSs and application store passwords in the form of MD5 or SHA hash values A brute-force attack requires converting a dictionary password from plaintext to a hash value Requires additional CPU cycle time SHA-256 Cryptographic Hash Algorithm. A cryptographic hash (sometimes called 'digest') is a kind of 'signature' for a text or a data file. SHA-256 generates an almost-unique 256-bit (32-byte) signature for a text …………………………………………………………………… A message digest is a cryptographic hash function containing a string of digits created by a one-way hashing formula. Message digests are designed to protect the integrity of a piece of data or media to detect changes and alterations to any part of a message. The hash is always 128 bits. If you encode it as a hexdecimal string you can encode 4 bits per character, giving 32 characters. MD5 is not encryption. You cannot in general "decrypt" an MD5 hash to get the original string. Guide to Computer Forensics and Investigations, Fifth Edition

23 Recovering Passwords Rainbow table Salting passwords
A file containing the hash values for every possible password that can be generated from a computer’s keyboard No conversion necessary, so it is faster than a brute-force or dictionary attack See( Salting passwords Alteration by adds extra bits followed by hashing. makes cracking passwords more difficult (especially with brute force) A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a plaintext password up to a certain length consisting of a limited set of characters. Guide to Computer Forensics and Investigations, Fifth Edition

24 Summary Lots of data hiding techniques
Three ways to recover passwords: Dictionary attacks Brute-force attacks Rainbows tables Various Steganalysis Methods - for detecting and analyzing steganography files Guide to Computer Forensics and Investigations, Fifth Edition

Download ppt "Digital Forensics 2 (DFC721S)"

Similar presentations

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.

Operating Systems Security 1. The Boot Sequence The action of loading an operating system into memory from a powered-off state is known as booting or.
Guide to Computer Forensics and Investigations, Second Edition

Guide to Computer Forensics and Investigations, Second Edition
Section 3.2: Operating Systems Security

Section 3.2: Operating Systems Security
File System Analysis.

File System Analysis.
MD5 Summary and Computer Examination Process Introduction to Computer Forensics.

MD5 Summary and Computer Examination Process Introduction to Computer Forensics.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.

COS 413 Day 13. Agenda Questions? Assignment 4 Due Assignment 5 posted –Due Oct 21 Capstone proposal Due Oct 17 Lab 5 on Oct 15 in N105 –Hands-on Projects.
Cryptographic Technologies

Cryptographic Technologies
Guide to Computer Forensics and Investigations Third Edition

Guide to Computer Forensics and Investigations Third Edition
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.

Digital Forensics Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Computer Forensics Analysis/Validation and Recovering Graphic.
Hands-on: Capturing an Image with AccessData FTK Imager

Hands-on: Capturing an Image with AccessData FTK Imager
Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.

Nothing is Safe 1. Overview  Why Passwords?  Current Events  Password Security & Cracking  Tools  Demonstrations Linux GPU Windows  Conclusions.
Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.

Windows This presentation is an amalgam of presentations by Mark Michael, Randy Marchany and Ed Skoudis. I have edited and added material. Dr. Stephen.
Electronic Mail Security

Electronic Mail Security
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.

Chapter 9 Computer Forensics Analysis and Validation Guide to Computer Forensics and Investigations Fourth Edition.

Similar presentations

Ads by Google