Steganography, Steganalysis, & Cryptanalysis
Michael T. Raggo, CISSP Principal Security Consultant
VeriSign
Agenda
• Steganography
  – What is Steganography?
  – History
  – Steganography today
  – Steganography tools
• Steganalysis
  – What is Steganalysis?
  – Types of analysis
  – Identification of Steganographic files
• Steganalysis meets Cryptanalysis
  – Password Guessing
  – Cracking Steganography programs
• Forensics/Anti-Forensics
• Conclusions
  – What’s in the Future?
  – Other tools in the wild
  – References
Steganography
Steganography - Definition
• Steganography
  – from the Greek word steganos meaning “covered”
  – and the Greek word graphie meaning “writing”
• Steganography is the process of hiding a secret message within an ordinary message and extracting it at its destination
• Anyone else viewing the message will fail to know it contains hidden/encrypted data
Steganography - History
• Greek history – warning of invasion by scrawling it on the wood underneath a wax tablet. To casual observers, the tablet appeared blank.
• Both Axis and Allied spies during World War II used such measures as invisible inks -- using milk, fruit juice or urine which darken when heated.
• Invisible Ink is also a form of steganography
Steganography
• The U.S. government is concerned about the use of Steganography.
• Common uses include the disguising of corporate espionage.
• It’s possible that terrorist cells may use it to secretly communicate information.
  – This is rumored to be a common technique used by Al-Qaeda. By posting the image on a website for download by another terrorist cell. Using the same Steganography program, the terrorist cell could then reveal the message with plans for a new attack.
• It’s also a very good Anti-forensics mechanism to mitigate the effectiveness of a forensics investigation
  – Child pornography
Steganography
• Modern digital steganography
  – data is encrypted
  – then inserted and hidden, using a special algorithm which may add and/or modify the contents of the file
  – This technique may simply append the data to the file, or disperse it throughout
  – Carefully crafted programs apply the encrypted data such that patterns appear normal.
Steganography – Modern Day
[Images: Carrier File; Carrier File with Hidden Message]
Steganography – Carrier Files
Steganography Carrier Files
• bmp
• jpeg
• gif
• wav
• mp3
• Amongst others…
Steganography - Tools
Steganography Tools
• Steganos
• S-Tools (GIF, JPEG)
• StegHide (WAV, BMP)
• Invisible Secrets (JPEG)
• JPHide
• Camouflage
• Hiderman
• Many others…
Steganography
• Popular sites for Steganography information
  – http://www.ise.gmu.edu/~njohnson/Steganography
  – http://www.rhetoric.umn.edu/Rhetoric/misc/dfrank/stegsoft.html
  – http://www.topology.org/crypto.html
Steganalysis
Identification of hidden files
Steganalysis - Definition
• Definition
  – Identifying the existence of a message
  – Not extracting the message
  – Note: Technically, Steganography deals with the concealment of a message, not the encryption of it
• Steganalysis essentially deals with the detection of hidden content
• How is this meaningful???
Steganalysis
• By identifying the existence of a hidden message, perhaps we can identify the tools used to hide it.
• If we identify the tool, perhaps we can use that tool to extract the original message.
Steganalysis – Hiding Techniques
• Common hiding techniques
  – Appended to a file
  – Hidden in the unused header portion of the file near the beginning of the file contents
  – An algorithm is used to disperse the hidden message throughout the file
    ▪ Modification of LSB (Least Significant Bit)
    ▪ Other
Steganalysis – Methods of Detection
• Methods of detecting the use of Steganography
  – Visual Detection (JPEG, BMP, GIF, etc.)
  – Audible Detection (WAV, MPEG, etc.)
  – Statistical Detection (changes in patterns of the pixels or LSB – Least Significant Bit) or Histogram Analysis
  – Structural Detection - View file properties/contents
    ▪ size difference
    ▪ date/time difference
    ▪ contents – modifications
    ▪ checksum
Steganalysis – Methods of Detection
• Categories
  – Anomaly
    ▪ Histogram analysis
    ▪ Change in file properties
    ▪ Statistical Attack
    ▪ Visually
    ▪ Audible
  – Signature
    ▪ A pattern consistent with the program used
Steganalysis – Methods of Detection
• Goal
  – Accuracy
  – Consistency
  – Minimize false-positives
Anomaly – Visual Detection
• Detecting Steganography by viewing it
• Can you see a difference in these two pictures? (I can’t!)
Anomaly - Kurtosis
• Kurtosis
  – The degree of flatness or peakedness of a curve describing a frequency of distribution
  – Random House Dictionary
Anomaly - Histogram Analysis
• Histogram analysis can be used to possibly identify a file with a hidden message
Anomaly – Histogram Analysis
• By comparing histograms, we can see this histogram has a very noticeable repetitive trend.
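
One way to put a number on that histogram comparison, as an added example that is not from the talk: the pairs-of-values chi-square test, a standard statistic for LSB replacement (the slides do not name the statistic behind their histograms). The sample data, the seed and the 2.0 threshold are constructed assumptions.

```python
import random
from collections import Counter

SUSPICIOUS_BELOW = 2.0  # assumed threshold on chi-square per degree of freedom


def pov_chi_square(samples, min_pair_count=10):
    """Pairs-of-values statistic, normalised per degree of freedom.

    LSB replacement with random-looking (encrypted) bits evens out the counts
    of each value pair (2k, 2k+1). A result near 1 means the pairs are as
    balanced as coin flips would make them; natural data scores far higher.
    """
    hist = Counter(samples)
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total < min_pair_count:  # too few samples to judge this pair
            continue
        stat += (even - odd) ** 2 / total
        dof += 1
    return stat / dof if dof else float("inf")


def scan_prefixes(samples, steps=4):
    """Score growing prefixes. Sequential embedding shows up as a low-scoring
    prefix even when the whole file still looks natural."""
    results = []
    for i in range(1, steps + 1):
        n = len(samples) * i // steps
        results.append((i / steps, pov_chi_square(samples[:n])))
    return results


def make_cover(rng):
    """Constructed 8-bit samples: each even value is 3x as common as its odd partner."""
    samples = []
    for k in range(128):
        samples += [2 * k] * 300 + [2 * k + 1] * 100
    rng.shuffle(samples)
    return samples


def overwrite_lsbs(samples, count, rng):
    """Test-data helper: replace the LSB of the first `count` samples with
    random bits, standing in for an encrypted payload."""
    out = list(samples)
    for i in range(count):
        out[i] = (out[i] & ~1) | rng.getrandbits(1)
    return out


def demo():
    rng = random.Random(2004)  # fixed seed so the run is repeatable
    cover = make_cover(rng)
    full = overwrite_lsbs(cover, len(cover), rng)
    half = overwrite_lsbs(cover, len(cover) // 2, rng)
    return {
        "cover": pov_chi_square(cover),
        "full": pov_chi_square(full),
        "half_whole_file": pov_chi_square(half),
        "half_prefixes": scan_prefixes(half),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The half-filled carrier scores well above the threshold when tested as a whole, which is why the prefix scan matters: a single whole-file statistic produces false negatives for short messages.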
Anomaly Analysis - Compare file properties
• Compare the properties of the files
• Properties
  – 04/04/2003 05:25p 240,759 helmetprototype.jpg
  – 04/04/2003 05:26p 235,750 helmetprototype.jpg
• Checksum
  – C:\GNUTools>cksum a:\before\helmetprototype.jpg
    3241690497 240759 a:\before\helmetprototype.jpg
  – C:\GNUTools>cksum a:\after\helmetprototype.jpg
    3749290633 235750 a:\after\helmetprototype.jpg
File Signatures
HEX Signature                      File Extension                ASCII Signature
FF D8 FF E0 xx xx 4A 46 49 46 00   JPEG (JPEG, JFIF, JPE, JPG)   ÿØÿà..JFIF.
47 49 46 38 37 61                  GIF                           GIF87a
47 49 46 38 39 61                  GIF                           GIF89a
42 4D                              BMP                           BM
• For a full list see: www.garykessler.net/library/file_sigs.html
Steganalysis – Analyzing contents of file
• If you have a copy of the original (virgin) file, it can be compared to the modified suspect/carrier file
• Many tools can be used for viewing and comparing the contents of a hidden file.
• Everything from Notepad to a Hex Editor can be used to identify inconsistencies and patterns
• Reviewing multiple files may identify a signature pattern related to the Steganography program
Steganalysis – Analyzing contents of file
• Helpful analysis programs
  – WinHex – www.winhex.com
    ▪ Allows conversions between ASCII and Hex
    ▪ Allows comparison of files
      ▪ Save comparison as a report
      ▪ Search differences or equal bytes
    ▪ Contains file marker capabilities
    ▪ Allows string searches – both ASCII and Hex
    ▪ Many, many other features
Hiderman – Case Study
• Let’s examine a slightly sophisticated stego program – Hiderman
Hiderman – Case Study
• After hiding a message with Hiderman, we can review the file with our favorite Hex Tool.
• Viewing the Header information (beginning of the file) we see that it’s a Bitmap as indicated by the “BM” file signature
Hiderman – Case Study
• We then view the end of the file, comparing the virgin file to the carrier file
• Note the data appended to the file (on the next slide)
Hiderman – Case Study
Hiderman – Case Study
• In addition, note the last three characters “CDN” which is 43 44 4E in HEX.
Hiderman – Case Study
• Hiding different messages in different files with different passwords, we see that the same three characters (“CDN”) are appended to the end of the file.
• Signature found.
Steganalysis – Stegspy V2.0
• StegSpy V2.0
  – Signature identification program
  – Searches for stego signatures and determines the program used to hide the message
  – Identifies 13 different steganography programs
  – Identifies location of hidden message
Steganalysis - Stegspy
• StegSpy - Demo
Steganalysis – Stegspy V2.0
• StegSpy V2.0
  – Will be available for download from my site
    ▪ www.spy-hunter.com
Steganalysis – Identifying a signature
• Signature-based steganalysis was used to identify signatures in many programs including Invisible Secrets, JPHide, Hiderman, etc.
Steganalysis – Identifying a signature
• How is this handy?
• No original file to compare it to
• Search for the signature pattern to determine a presence of a hidden message
• Signature reveals program used to hide the message!
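
A sketch of signature-based triage with no original file, combining the File Signatures slide with the Hiderman case study (added example, not StegSpy's code). It takes the magic numbers and the "CDN" trailer from the slides; the BMP `bfSize` check for appended data, the sample files and the confidence labels are assumptions of this example.

```python
import struct

# File-type magic numbers from the File Signatures slide.
MAGIC = [
    (b"\xff\xd8\xff\xe0", "JPEG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"BM", "BMP"),
]

# Tool trailers. Only Hiderman's "CDN" (43 44 4E) is given in the talk.
TRAILERS = {b"CDN": "Hiderman"}


def identify(data):
    """Return the file type whose magic number starts the data, or None."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None


def bmp_overlay_len(data):
    """Bytes present beyond the size the BMP header declares (bfSize, offset 2)."""
    if len(data) < 14:  # shorter than a BMP file header
        return None
    declared = struct.unpack_from("<I", data, 2)[0]
    return max(0, len(data) - declared)


def analyze(data):
    """Combine a structural anomaly (appended data) with a trailer signature.

    A 3-byte trailer alone can occur by chance, so it only rates "high" when
    the header also shows data appended past the declared end of the image.
    """
    ftype = identify(data)
    overlay = bmp_overlay_len(data) if ftype == "BMP" else None
    tool = next((t for sig, t in TRAILERS.items() if data.endswith(sig)), None)
    if tool and overlay:
        confidence = "high"
    elif tool or overlay:
        confidence = "low"  # an anomaly worth a closer look, not proof
    else:
        confidence = "none"
    return {"type": ftype, "overlay_bytes": overlay, "tool": tool,
            "confidence": confidence}


def make_bmp():
    """Constructed 1x1 24-bit BMP: 14-byte file header, 40-byte info header, 4-byte row."""
    pixels = b"\x00\x00\xff\x00"
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels),
                       2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    header = struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(info))
    return header + info + pixels


# Constructed samples; the payload bytes are arbitrary filler.
CLEAN = make_bmp()
CARRIER = CLEAN + bytes(range(0x80, 0x98)) + b"CDN"
LOOKALIKE = b"GIF89a" + b"\x00" * 20 + b"CDN"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("carrier", CARRIER), ("lookalike", LOOKALIKE)):
        print(name, analyze(blob))
```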
Steganalysis meets Cryptanalysis
Revealing hidden files
Steganalysis meets Cryptanalysis
Cryptanalysis
• As stated previously, in Steganography the goal is to hide the message, NOT encrypt it
• Cryptography provides the means to encrypt the message.
• How do we reveal the hidden message?
Steganalysis meets Cryptanalysis
• Knowing the steganography program used to hide the message can be extremely handy when attempting to reveal the actual hidden message
• Identifying and cracking the algorithm
  – Unfortunately, some of these programs use strong encryption 128-bit or stronger – GOOD LUCK!
• Reveal or Crack the password, seed, or secret key
  – Practically all Steganography programs use a password to hide the message
Cryptanalysis
• Identify program used to hide message
• Identify the location of the program signature in the file
• Identify the location of the password in the file
• Identify location of the hidden message in the file
• Identify the algorithm used to encrypt the hidden message
Steganalysis – Password Guessing
Password Guessing/Dictionary Attacks
• A few password guessing programs have been created.
• Stegbreak by Niels Provos, www.outguess.org
  – J-Steg
• Can now be found on the Knoppix Penguin Sleuth forensics CD
  – www.linux-forensics.com
Cryptanalysis – Brute Force Method
Brute Force – Reverse Engineering
• Common encryption techniques
  – Modification of LSB (Least Significant Bit)
  – Password and/or contents masked using an algorithm
    ▪ Algorithm based on a secret key
    ▪ Algorithm based on the password
    ▪ Algorithm based on a random seed hidden somewhere else in the file
Cryptanalysis – Brute Force Method
• Common encryption algorithms used in steganography programs
  – XOR
  – DES
  – 3DES
  – IDEA
  – AES
Camouflage – Case Study
• Determining the password used with Camouflage
• The location of the password was determined by using MultiHex which allows searches for Hex strings
Camouflage
• The string was found to be “76 F0 09 56”
• The password is known to be “test” which is “74 65 73 74” in Hex
BDHTool
• Using BDHTool we can XOR the two to reveal the key
Camouflage
76 XOR 74 = 02
F0 XOR 65 = 95
09 XOR 73 = 7A
56 XOR 74 = 22
• The first 4 bytes of the key are “02 95 7A 22”
• So let’s test our theory…
Camouflage
• We store another message using a different password
• The file reveals a Hex code of “63 F4 1B 43”
• We XOR this with the known key “02 95 7A 22”
• The result is “61 61 61 61” which is a password of “aaaa” in ASCII
• We’ve revealed the hidden password used to hide the message!
• This exploit discovered by Guillermito at www.guillermito2.net
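
The Camouflage walk-through above as runnable code, beside a design that leaves nothing reversible in the file (added example, not Camouflage's code or the talk's). The hex values are the ones on the slides; the function names and the PBKDF2 verifier with its parameters are assumptions of this example.

```python
import hashlib
import hmac
import os


def xor_bytes(a, b):
    """XOR two byte strings, stopping at the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak design: password stored XORed with a key that never changes ---

def recover_keystream(stored, known_password):
    """One known password gives away the key bytes that masked it."""
    if len(stored) != len(known_password):
        raise ValueError("stored field and known password differ in length")
    return xor_bytes(stored, known_password)


def decode_stored(stored, keystream):
    """Unmask another file's password field with the recovered key bytes.

    Returns (recovered_prefix, bytes_not_covered): only as many bytes as the
    known keystream covers can be unmasked.
    """
    n = min(len(stored), len(keystream))
    return xor_bytes(stored[:n], keystream[:n]), len(stored) - n


# --- Hardened design: store a salted, slow, one-way verifier instead ---

def make_verifier(password, salt=None, iterations=200_000):
    """Derive a verifier; a fresh random salt makes every file's value differ."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def check_password(candidate, salt, digest, iterations=200_000):
    """Constant-time comparison of a candidate against the stored verifier."""
    trial = hashlib.pbkdf2_hmac("sha256", candidate, salt, iterations)
    return hmac.compare_digest(trial, digest)


# Values from the slides: field "76 F0 09 56" was written for password "test".
KEYSTREAM = recover_keystream(bytes.fromhex("76F00956"), b"test")

if __name__ == "__main__":
    print("key bytes:", KEYSTREAM.hex(" "))
    print("second file:", decode_stored(bytes.fromhex("63F41B43"), KEYSTREAM))
    salt, digest = make_verifier(b"aaaa")
    print("verifier accepts 'aaaa':", check_password(b"aaaa", salt, digest))
```

With the verifier, a known password in one file reveals nothing about another, so recovery falls back to guessing, which is the dictionary-attack case from the Password Guessing slide.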
Forensics/Anti-Forensics
Anti-Forensics
• Best Practices when using Steganography programs:
  – Use a password different than your O/S password
  – Delete original message once you have created a new image with the hidden message
  – Remove the Steganography program after hiding the message
  – OR run the Steganography program from a CD if possible.
  – Use Alternate Data Streams…
Anti-Forensics – Alternate Data Streams
• Alternate Data Streams
  – (NTFS) New Technology File System allows for Alternate Data Streams
  – One file can be a link to multiple Alternate Data Streams of files of any size.
  – Important Note! – These Alternate Data Streams are Hidden!
  – Allows for hiding of files and even directories!
  – Difficult to detect
    ▪ Doesn’t show up when you run c:\dir
Anti-Forensics – Alternate Data Streams
• Alternate Data Streams
  – C:\notepad mike.txt:mikehidden.txt
  – This allows mikehidden.txt to be a hidden ADS
  – C:\dir
  – 02/26/2004 02:29p 0 mike.txt
  – Notice – no indication of mikehidden.txt
  – Although a message was saved in the mikehidden.txt, the mike.txt shows 0 bytes!
Anti-Forensics – Alternate Data Streams
• Alternate Data Streams can be used to hide private files, viruses and trojans!
  – Anti-Virus/Anti-Trojan Test - Does your scanner pass the test?
  – There’s a small utility MakeStream, that can be used to move a virus or trojan to a hidden Alternate Data Stream attached to an “innocent” text file!
  – For example, if you ran makestrm.exe c:\test.exe, the file contents of c:\test.exe would be moved into c:\test.exe:StreamTest (an Alternate Data Stream), and the original file contents are then over-written with a simple message reminding you about the linked stream.
  – Get any trojan or virus that is detected by your virus/trojan scanner, and run makestrm.exe on it to move its file contents into a hidden stream. Then, re-scan the file - is it still detected?
  – Many commercial scanners do not identify viruses and trojans hidden in ADS’s!
  – http://www.diamondcs.com.au/web/streams/streams.htm
Forensics
• If, while performing forensics, you discover a potentially “stega-nized” file:
  – Look for evidence of steganography programs on the computer
  – Leverage other O/S and application passwords found on the machine; this may also be the password used to hide the message
  – Look for other hints such as a password written down on a note, letters, diaries, etc.
  – For more info – please see “Electronic Crime Scene Investigation – A Guide for First Responders, U.S. Dept of Justice”
Forensics – Alternate Data Streams
• Tools for Detecting Alternate Data Streams
  – LNS – www.ntsecurity.nu
  – LADS - www.heysoft.de
  – NTFS ADS Check - www.diamondcs.com.au
Conclusions
Steganalysis – Future?
• Where do we go from here?
• My program StegSpy currently identifies JPHide, Hiderman, and Invisible Secrets. More to come!
• Write a program to crack weak Stego programs
• Need a password grinder, may vary depending on the Stego program (stegbreak already available)
• Statistical analysis has been performed and is also capable of detecting Steganographic programs (histogram, LSB, etc)
Steganalysis – Other Tools
• Wetstone Technologies offers Stego Watch
• Identifies the presence of steganography through special statistical and analytical programs.
• Accurate and comprehensive tool ($$$)
• Does not attempt to crack or reveal the hidden message, merely identifies it
• Offers a Steganography Investigator Training Course
• See http://www.wetstonetech.com
Steganalysis – Other Tools
• Stegdetect by Niels Provos
• Available at http://www.outguess.org/detection.php
• Detects
  – jsteg
  – jphide (unix and windows)
  – invisible secrets
  – outguess 01.3b
  – F5 (header analysis)
  – appendX and camouflage
• Site down due to State of Michigan law!
References
• Steganographica, Gaspari Schotti, 1665
• Disappearing Cryptography, Peter Wayner, 2002
• Hiding in Plain Sight, Eric Cole, 2003
• Steganography – presentation, Chet Hosmer, Wetstone Technologies, TechnoSecurity 2003
Question and Answer