CSIS 3700
Anti-Forensics Techniques
Southern Utah University
Dr. Glen Sagers
Overview
HPA & DCO hiding
Steganography
Cryptography and cryptanalysis
HPA and DCO (Ch 4)
Host Protected Area (HPA) and Device Configuration Overlays (DCO) are hidden areas created by device mfg
Usually inaccessible to user
Can be accessed by various utilities, user could hide data there
Various forensic tools will show these, be sure to investigate them
Talon imager devices gave option to copy these areas
SleuthKit (embedded in Autopsy) can detect
Victoria (Download)
ATATool – no longer freeware
HDAT2 – DOS mode
Hdparm – built into Linux
Steganography
Hidden messages (Steganós-hidden – graphia-writing)
Not encrypted – although ciphertext can be used
Security through obscurity
Stego messages don’t attract attention unlike encrypted – but, is this changing after LetsEncrypt?
Usually hide text or small media files in larger media files
Steganography – uses images
Steganophony – uses sound files
Video steganography – amazingly, this uses videos!
Steganalysis – analyzing files for hidden information
Terminology and History
Payload – the information to be covertly communicated
Carrier – the file, signal or stream in which payload is hidden
Channel – medium type, like static files, streams, VoIP call
Historical
Shaving slave’s heads – ancient Greece
Swallowing wax capsules with paper inside – ancient China
Some substitution ciphers – middle ages, Germany
Invisible inks on back of couriers – French Resistance WWII
Currently not widely used, but sometimes in complex cases – Osama bin Laden was using messages in pornographic videos to communicate with Al-Qaeda members
Methods
LSB (least significant bit)
8 bit byte = 1111 1111 = 255
If you change first 1 to 0 = 0111 1111 = 127 – large difference
Change last 1 to 0 = 1111 1110 = 254 – small difference
24-bit color, change one bit, not visible to eye (0,0,255 top; 0,0,254 bottom)
Payload about 1/8 size of carrier file
Methods
Discrete cosine transform for video steganography
DCT is a lossy compression method used to compress all video files
In steganography, values are simply altered (usually rounding up)
Extra sounds in echoes in a sound file or VoIP stream
Also inter-frame info in MP3
Bit-Plane Complexity Segmentation Steganography – BPCS
Bit planes are the set of bits that correspond to given bit position
24-bit files have 24 bit-planes, certain “complex areas” are replaced
Payload can be nearly 50% of size of carrier
Steganography Tools
QuickStego – Very easy to use, but very limited
Invisible Secrets – Much more robust, free trial and commercial version
MP3Stego – Specifically for hiding payload in MP3 files.
Stealth Files 4 – Works with sound, video, and image files – discontinued
Snow – Hides data in whitespace
DeepSound – Embeds in many kinds of sound files
WavSteg – hides data in WAV audio & LSBSteg – for images, same page
StegHide – JPG, BMP, WAV, AU files
Qtech Hide & View – BPCS implementation
https://en.wikipedia.org/wiki/Steganography_tools#Tools_comparison
Steganalysis
Simple checks
Metadata – created vs last-modified dates (created on this computer), usually created is later for music, movies, pix
Bloat – 100 vacation pix @ 2 MB, one at 3-4 MB, may be suspicious
Analyzing file or stream for hidden content
Usually gives a statistical chance that the file contains hidden info
For LSB, check close-color pairs of pixels, too many ~= stego
Chi-square – calc avg LSB, comp w/ table of real values – theory vs actual
Noise or video distortion analysis
Lots depends on the ratio of payload to carrier
Steganalysis Tools
FTK, Encase both have detection tools
Linux “strings” command displays printable strings
StegDetect – part of WAVSteg and LSBSteg
Steghide can detect its own steganography w/ “info” switch
Stegsolve – manages color filters to visually find info
Zsteg – ruby tool to test different methods
StegCracker – bruteforce steghide passwords
StegSecret – Detects various methods
StegSpy – 5 specific methods detected
McAfee steganography analysis site
Cryptography
Strength of cryptography depends on which two factors?
A
B
Detecting encrypted files – should be random, Autopsy flags high-entropy files
Cryptanalysis
Total Break – find the key
Global deduction – functionally equivalent method for encrypt/decrypt, but no key
Information deduction – gain some info about previously unknown plain or cipher texts
Instance deduction – additional plaintext/ciphertext found
Distinguishing algorithm – algorithm leaks patterns that can make ciphertext distinguishable from random
Cryptanalysis Methods
Frequency analysis – some letters more common in each language – not useful for modern crypto
Kasiski’s test – looking for repeated strings – may be useful for some modern algorithms
Known-plaintext – have sample plaintext and corresponding ciphertexts – may be able to find keys
Chosen-plaintext – attacker can get target to encrypt chosen messages – difficult but not impossible
Cipher-text only – most likely, also most difficult
Related-key – like chosen plaintext, but with two different keys
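Added example (not from the slides) of Kasiski's test against a Vigenère ciphertext: repeated trigrams in the ciphertext sit at distances that are multiples of the key length, so the length that divides the most distances is the best candidate. The plaintext, key and the small Vigenère helper are constructed for the demo.

```python
from collections import Counter
from itertools import combinations

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Classical Vigenère on A-Z text; only here to build the test ciphertext."""
    out = []
    for i, ch in enumerate(text):
        k = ord(key[i % len(key)]) - 65
        shift = -k if decrypt else k
        out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
    return "".join(out)

def kasiski_distances(ct: str, n: int = 3) -> list:
    """Distances between every pair of occurrences of each repeated n-gram."""
    positions = {}
    for i in range(len(ct) - n + 1):
        positions.setdefault(ct[i:i + n], []).append(i)
    return [b - a for occ in positions.values() if len(occ) > 1
            for a, b in combinations(occ, 2)]

def kasiski_key_lengths(ct: str, max_len: int = 20) -> list:
    """Candidate key lengths, ranked by how many repeat distances they divide."""
    votes = Counter()
    for d in kasiski_distances(ct):
        for length in range(2, max_len + 1):
            if d % length == 0:
                votes[length] += 1
    # most votes first; shorter key wins a tie
    return sorted(votes.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed plaintext: a phrase repeated at offsets 0, 24 and 51 (distances 24, 27, 51, gcd 3).
PLAINTEXT = ("ATTACKATDAWN" + "ALLUNITSMOVE" + "ATTACKATDAWN"
             + "SENDMOREHELPNOW" + "ATTACKATDAWN")
KEY = "KEY"
CIPHERTEXT = vigenere(PLAINTEXT, KEY)
```

Once the length is known, each column of the ciphertext is a plain Caesar shift and falls to frequency analysis, which is why the slide calls Kasiski useful where frequency analysis alone is not.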
Other Anti-Forensics Tools
Log tampering
Deletion – very obvious, but don’t have the logs! (unless central logging)
Auditpol – turns off logging, turn back on later – leaves a gap – Win tool
VPNs
Tor
Wiping drives – dd, dban – wipe free space or file (“shred”)
BleachBit
Hidden VMs and Tails
Summary
HPA and DCO can sometimes be used to hide little or lots of data, fairly easy to detect
Steganography hides text or small files inside larger files
Usually media files; audio, video, photo
May be detectable, depends on size/ratio
Crypto good for hiding data
Strength based on algorithm and passphrase/key
Realistic decryption of good crypto unlikely
Various other data hiding/deletion methods may protect