Data Recovery and Data Hiding

Provided by: shar243



1
Data Recovery and Data Hiding
  • Acknowledgements to
  • Dr. David Dampier and the
  • Center for Computer Security Research (CCSR)

2
Data Recovery
  • Data is lost for some reason
  • Intentional
  • Data is deleted
  • Disgruntled employee
  • Hacker covering tracks
  • Data is destroyed
  • Unintentional
  • Disk crash
  • User error

3
Data Recovery Techniques
  • Disk Editor
  • Look at metadata and try to find location of
    deleted data
  • Use Forensic Software
  • FTK
  • Encase
  • Autopsy

4
Data Hiding
  • Obfuscating data
  • Existence of the data is easy to see, but
    difficult to determine what it is
  • Hiding Data
  • Existence of the data is hidden
  • Blinding the investigator
  • Data is not hidden, but normal tools cannot
    detect it because data has been modified

5
Obfuscating Data
  • Encryption
  • Hides through changing data according to an
    algorithm; must be decrypted to see it
  • Compression
  • Hides through removing extraneous information in
    the file, making it unreadable and unsearchable;
    look for decompression programs

6
How to beat it?
  • In plain sight
  • Find the code and determine type of file
  • Within a file system in a file
  • Steganography: locate method, then decipher
  • Invisible, misleading or obscure names: keyword
    search on file system
  • No names: unique to UNIX and zero-link files
  • Locate the files before shutting down the system
    or they will be lost

7
Blinding the Investigator
  • Data is not hidden, but tools are modified so
    that suspect data is not seen
  • Change system commands
  • Changing dir or ls to not see certain kinds of
    files
  • Modifying Windows applications like "My Computer"
  • Modify the Operating System
  • Changing the O.S. so that certain areas of the
    disk are not looked at

8
How to beat it?
  • Change behavior of the system commands
  • Reload system commands or move data to a new
    system
  • Compare hash values of known system files
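
Added example (not part of the original slides): one way to compare hash values of system files against a known-good baseline. The file names, contents and the `verify` and `demo` helpers are constructed for illustration; on a real case the baseline comes from trusted media and the hashing is run from tools that are not on the suspect system.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify(root, baseline):
    """Compare files under root with a known-good {relative path: sha256} map.
    Returns only the entries that are missing or whose hash differs."""
    findings = {}
    for rel, known in sorted(baseline.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings[rel] = "missing"
        elif sha256_file(path) != known:
            findings[rel] = "modified"
    return findings

def demo():
    """Constructed sample: three stand-in 'system commands' in a temp directory."""
    with tempfile.TemporaryDirectory() as root:
        originals = {"ls": b"original ls", "ps": b"original ps",
                     "netstat": b"original netstat"}
        for name, data in originals.items():
            with open(os.path.join(root, name), "wb") as handle:
                handle.write(data)
        # Baseline taken while the files are still known-good.
        baseline = {n: sha256_file(os.path.join(root, n)) for n in originals}
        # Constructed tampering: ls replaced with a different binary, netstat removed.
        with open(os.path.join(root, "ls"), "wb") as handle:
            handle.write(b"ls that skips certain files")
        os.remove(os.path.join(root, "netstat"))
        return verify(root, baseline)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```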

9
Computer Steganography
  • Changes are made to images or sounds
  • Changes represent the hidden image
  • Successful if not noticeable
  • Emphasis on detecting hidden communications since
    September 11

10
Steganography vs. Watermarking
  • Steganography
  • Message that we are hiding is a secret
  • Not generally related to what we hide in it
  • Watermarks
  • Message that we are hiding might not be a secret
  • Does relate to what we put it in
  • Example: $20 bill watermark shows authenticity,
    company logos show ownership

11
Playfair Cipher
  • Block cipher that uses a 5 by 5 table containing
    a keyword
  • The keyword is entered into the table from left
    to right, starting in row 1 and moving on to row
    2, etc.
  • Duplicate letters are not entered
  • When the keyword is complete, the remainder of
    the alphabet fills in
  • Q may be left out, or I and J combined

12
Playfair cipher rules
  • The message is broken into groups of two letters
    (digraphs)
  • The two letters form the corner of a rectangle
  • The original message digraph is replaced with the
    letters at the opposite end of the rectangle
  • If the letters are on the same row as each other,
    replace them with the letters to their immediate
    right (wrapping)
  • If the letters are on the same column as each
    other, replace them with the letters immediately
    below them
  • Insert an X after a repeated letter

13
Null Ciphers
  • A real message is camouflaged in an innocent
    sounding message
  • Examples
  • Fishing freshwater bends and saltwater coasts
    rewards anyone feeling stressed. Resourceful
    anglers usually find masterful leapers fun and
    admit swordfish rank overwhelming anyday. (third
    letter)
  • Apparently neutrals protest is thoroughly
    discounted and ignored. Isam hard hit. Blockade
    issue affects pretext for embargo on byproducts,
    ejecting suets and vegetable oils. (second
    letter, sent by German spy in WWII)
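
Added example (not part of the original slides): a small analyst helper that reads out the n-th letter of every word for each position the text can support, run on the two messages quoted above. The function name `candidates` and the rule of discarding positions longer than the shortest word are assumptions made for this sketch.

```python
import re

# The two cover messages exactly as quoted on the slide.
MSG_THIRD = ("Fishing freshwater bends and saltwater coasts rewards anyone "
             "feeling stressed. Resourceful anglers usually find masterful "
             "leapers fun and admit swordfish rank overwhelming anyday.")
MSG_SECOND = ("Apparently neutrals protest is thoroughly discounted and "
              "ignored. Isam hard hit. Blockade issue affects pretext for "
              "embargo on byproducts, ejecting suets and vegetable oils.")

def candidates(text, max_n=5):
    """Return {n: letters} where letters is the n-th letter (1-based) of each
    word. A position is only reported if every word is long enough to have
    one, since a fixed-position null cipher needs a letter from each word."""
    words = [re.sub(r"[^A-Za-z]", "", w) for w in text.split()]
    words = [w for w in words if w]
    if not words:
        return {}
    shortest = min(len(w) for w in words)
    return {
        n: "".join(w[n - 1] for w in words).upper()
        for n in range(1, min(max_n, shortest) + 1)
    }

if __name__ == "__main__":
    for label, msg in (("first", MSG_THIRD), ("second", MSG_SECOND)):
        for n, letters in candidates(msg).items():
            print(f"{label} message, letter {n}: {letters}")
```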

14
Others
  • Word shifting algorithms
  • Example: slight shifts up and down
  • Microdots
  • Image or text reduced as to not be noticeable
  • http://en.wikipedia.org/wiki/Microdot

15
Summary of Hidden Data
  • In plain sight
  • Shows up in a directory listing, but not as what
    we are looking for, e.g. change of file extension
  • Within a file system in a file
  • Steganography
  • Invisible names, misleading names, obscure names
  • No names
  • Within a file system, but not in a file
  • slack space
  • free space
  • swap space
  • Outside the computer
  • Floppy disks
  • CDs
  • zip disks
  • thumb drives

16
Common ways of hiding data
  • Embedded in files as noise
  • Properties of images like luminescence, contrast
    and color can be manipulated
  • Audio files can be manipulated by introducing
    small echoes or slight delays
  • Signals can be masked with sounds of higher
    amplitude
  • In documents by manipulating positions of the
    lines of the words
  • Ciphers (e.g. taking the second letter of each
    word)
  • Web browsers ignore spaces, tabs, certain
    characters and extra line breaks

17
More common ways of hiding data
  • Unused or reserved space on a disk
  • Unused space that is allocated by O.S. for a file
  • Unused space in file headers, TCP/IP packet
    headers
  • Spread spectrum techniques can be used by placing
    audio signal over a number of different
    frequencies

18
Digital Imaging
  • Most common type of carrier used
  • Produced by camera, scanner or other devices
  • Approximation of the original image
  • System producing image focuses a two-dimensional
    pattern of varying light intensity and color onto
    a sensor
  • http://en.wikipedia.org/wiki/Steganography

19
Image Structure and Image Processing
  • Pattern has a coordinate system
  • Origin is in upper left corner
  • Image can be described as an array of numbers
    which represents light intensities at various
    points
  • The light intensities are called pixels

20
Image Structure and Image Processing
  • Digital imaging
  • Size of the image is given in pixels
  • e.g. 640 by 480 (rows by columns) is 307,200
    pixels
  • Spatial resolution of an image is the physical
    size of the pixel in the image
  • Pixels are indexed by their x and y coordinates
  • Spatial frequency is the rate of change of f(x,y)
    value as we move across the image
  • Gradual changes in f(x,y) correspond to low
    spatial frequencies (coarsely sampled image)
  • Rapid changes correspond to high spatial
    frequencies (must be represented by densely
    sampled image)
  • Dense sampling produces high-resolution image
  • many pixels contribute a small part of the scene

21
RGB color
  • Color is represented by the relative intensity of
    the 3 colors red, green and blue
  • Absence of three colors yields black
  • Presence of full intensity of all 3 colors yields
    white
  • Cyan: 100% blue and 100% green
  • Magenta: 100% blue and 100% red
  • Yellow: 100% green and 100% red

22
RGB color
  • Each RGB component is specified by a single byte
    (8 bits)
  • Each color can have an intensity of 0 to 255
  • Each pixel uses 24 bits to represent a color
    (called 24-bit true-color: 8 bits for red, 8 bits
    for green and 8 bits for blue), 2^24 colors
  • A pixel could also be represented by 32 bits
  • Extra bits used for transparency: 0 = transparent,
    255 = opaque
  • Some use 8 bit true-color (2^8 different colors)

23
Image Formats
  • 8-bit color is used with Graphics Interchange
    Format (GIF) and Bitmap (BMP) image formats
  • The value of the pixel points to a color in the
    palette
  • When a GIF image is displayed, the software
    paints color from the palette to the screen
  • This method offers lossless compression because
    the image recovered after encoding and
    compression is bit-for-bit identical to the
    original image

24
Digital carrier methods
  • Image and audio files are the easiest and most
    common carriers
  • Least significant bit substitution or overwriting
  • Simple method of hiding
  • Given the following 8 bytes of a carrier file
  • 10010101 00001101 11001001 10010110
  • 00001111 11001011 10011111 00010000
  • We can insert the ASCII value of F (70 or
    01000110)
  • 10010100 00001101 11001000 10010110
  • 00001110 11001011 10011111 00010000
  • Not all of the bytes get changed from the
    original, so not likely to be detected by human
    eye
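
Added example (not part of the original slides): the least significant bit substitution above, carried out on the slide's own eight carrier bytes, together with the reverse read-out and a cover-versus-suspect comparison of the kind an examiner would run. The function names are chosen for this sketch.

```python
# The 8 carrier bytes and the expected result, copied from the slide.
CARRIER = bytes([0b10010101, 0b00001101, 0b11001001, 0b10010110,
                 0b00001111, 0b11001011, 0b10011111, 0b00010000])
SLIDE_RESULT = bytes([0b10010100, 0b00001101, 0b11001000, 0b10010110,
                      0b00001110, 0b11001011, 0b10011111, 0b00010000])

def embed(carrier, payload):
    """Overwrite the lowest bit of each carrier byte with one payload bit,
    most significant payload bit first (the order the slide uses)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: one carrier byte per payload bit")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract(stego, nbytes):
    """Rebuild nbytes of payload from the lowest bits of the first 8*nbytes bytes."""
    if len(stego) < 8 * nbytes:
        raise ValueError("not enough bytes to hold that much payload")
    out = bytearray()
    for k in range(nbytes):
        value = 0
        for byte in stego[8 * k:8 * k + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)

def changed_offsets(cover, suspect):
    """Offsets at which the suspect file differs from the known cover file."""
    return [i for i, (a, b) in enumerate(zip(cover, suspect)) if a != b]

if __name__ == "__main__":
    stego = embed(CARRIER, b"F")
    print([format(b, "08b") for b in stego])
    print("recovered:", extract(stego, 1))
    print("bytes changed:", changed_offsets(CARRIER, stego))
```

Only three of the eight bytes differ, and each by a single low bit, which is why the change is invisible to the eye yet obvious to a byte-level comparison when the original cover file is available.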

25
Detecting Steganography
  • Principles of Steganography
  • Digital files can be altered to a certain degree
    without losing functionality
  • Human senses are not acute enough to distinguish
    minor changes in altered files

26
Masking
  • In audio files, one sound could interfere with
    (mask) another sound
  • Humans may not be able to pick up on the
    subtleties

27
Detecting and Cracking Steganography
  • Compare the cover file to the suspicious file,
    looking for distortions
  • Work with people who have analyzed steganography
    tools

28
US Government steps to counter Stegano
  • US Patriot Act signed in 2001 allows the Federal
    Government and Corporations to scan and intrude
    into employees' networks to verify suspected
    images
  • Former NSA instructor had evidence that
    terrorists of 9/11 used images of paintings and
    posters to hide their message
  • But failed to show proof regarding the use of
    Steganography

29
Steganography used for
  • Hiding watermarks
  • Authenticating information
  • Proving ownership
  • Copy control (e.g. downloading free music from
    the Internet)
  • Terrorism?