Title: STEGANOGRAPHY
1. STEGANOGRAPHY
- GLENN WATT
- President / CEO
- Backbone Security.Com
2. Steganography
- Steganography is the art of hiding information in ways that prevent the detection of the hidden information.
- The word derives from Greek, and literally means "covered writing".
- While cryptography scrambles messages so that they cannot be understood, steganography hides messages so that they cannot be seen.
- It includes numerous secret communication methods that conceal the message's very existence.
3. Secret Messages
- "Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils."
- A message sent by a German spy in World War II.
- Hidden message: Pershing sails from NY June 1.
4. Encrypted Message
Plaintext: Pershing sails from NY June 1
ROT13
Ciphertext: Crefuvat fnvyf sebz AL Whar 1
5. A Steganography System
Hiding messages: Message File + Cover File -> Steganography Tool -> Steg File (with hidden data)
Extracting messages: Steg File (with hidden data) -> Steganography Tool -> Message File
6. Steganography Technique: Adding Bytes to End-of-Image
[Hex dump of baboon_stego.jpg: the JPEG header (FF D8 FF E0 ... JFIF ... Exif), the end-of-image marker FF D9, then appended ZIP data beginning with the PK signature and containing the entry "us constitution.txt".]
- baboon.jpg: JPEG file with end-of-image bytes FF D9.
- Application appends hidden data within a zip file, its signature, and a user-specified password.
- baboon_stego.jpg: the resulting steg file.
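The check an examiner would run for this technique, as an added example that is not from the original slides: walk the JPEG segment structure to find the real FF D9, then report whatever follows it. The sample JPEG and ZIP header below are constructed (the APP0 segment is copied from the dump; the rest is not a decodable image).

```python
# Added example (not from the original slides): walk a JPEG's segment structure
# to find the real end-of-image marker, then report what follows it, as in the
# baboon_stego.jpg dump (FF D9, then a ZIP "PK" header naming the hidden file).
import struct
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04 in the dump

def jpeg_end_offset(data: bytes) -> int:
    """Offset just past EOI; segments are walked because appended data may contain FF D9 too."""
    if not data.startswith(b"\xFF\xD8"):
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"marker expected at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # no length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length
        if marker == 0xDA:                                   # SOS: skip scan data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                    # a real marker follows
                pos += 1                                     # FF 00 / RSTn are data
    raise ValueError("no EOI marker found")

def zip_entry_name(tail: bytes):
    """Filename from a ZIP local file header: 30 fixed bytes, then the name."""
    if not tail.startswith(ZIP_LOCAL_HEADER) or len(tail) < 30:
        return None
    (name_len,) = struct.unpack("<H", tail[26:28])
    return tail[30:30 + name_len].decode("utf-8", errors="replace")

def trailing_data(data: bytes) -> dict:
    tail = data[jpeg_end_offset(data):]           # a clean JPEG has an empty tail
    return {"eoi_offset": len(data) - len(tail), "trailing_bytes": len(tail),
            "zip_signature": tail.startswith(ZIP_LOCAL_HEADER),
            "zip_entry_name": zip_entry_name(tail)}

# Constructed sample: SOI, APP0/JFIF from the dump, SOS header, scan bytes with an FF 00 stuffed byte, EOI.
CLEAN_JPEG = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
              b"\xFF\xDA\x00\x08\x01\x01\x00\x00\x3F\x00" b"\x12\x34\xFF\x00\x56\xFF\xD9")
_NAME = b"us constitution.txt"
APPENDED_ZIP = (ZIP_LOCAL_HEADER
                + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0, 0, 0, 0, len(_NAME), 0) + _NAME)
STEGO_JPEG = CLEAN_JPEG + APPENDED_ZIP
```

`trailing_data(STEGO_JPEG)` reports the EOI at offset 37, 49 trailing bytes, a ZIP signature and the entry name, while `trailing_data(CLEAN_JPEG)` reports nothing after EOI.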
7. Steganography Technique: Least Significant Bit
- Messages are encoded in the least significant bit of every byte in an image. By doing so, the value of each pixel is changed slightly, but not enough to make significant visual changes to the image, even when compared to the original.
- Example: inserting the word "bomb" using LSB techniques
  - b 01100010
  - o 01101111
  - m 01101101
  - b 01100010
Image bits (eight cover bytes per letter; first row before embedding, second row after, so the LSBs of the second row spell the letter):
b before: 01011010 00101011 10101011 10101010 11101011 11010100 01000111 11111001
b after:  01011010 00101011 10101011 10101010 11101010 11010100 01000111 11111000
o before: 01011010 10101101 10010111 10101111 10101011 10100111 01010110 01011011
o after:  01011010 10101101 10010111 10101110 10101011 10100111 01010111 01011011
m before: 10110111 11111011 00101011 10010101 10101000 01010100 10101010 11010101
m after:  10110110 11111011 00101011 10010100 10101001 01010101 10101010 11010101
b before: 10100100 01011000 11011010 01010101 01001001 10110000 01000010 01010100
b after:  10100100 01011001 11011011 01010100 01001000 10110000 01000011 01010100
8. Steganography Technique: Least Significant Bit
- Enhancing the least significant bits alerts investigators to possible embedding of hidden data.
bliss.bmp: No Steganography Detected
bliss_stego.bmp: Steganography Detected
9. Media Operations: LSB Steganography
- LSB steganography is easy to implement, but it is vulnerable to almost all media transformations.
- For example, cropping an image that has a hidden message can result in losing the entire message.
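The three LSB slides above worked through in code, as an added example that is not from the original deck: embedding and extraction over raw image bytes (checked against the slide's own "bomb" bytes), the enhanced LSB plane of slide 8, and the loss of alignment after a one-byte crop from slide 9. The 32 cover bytes are the slide's; everything else is added here.

```python
# Added example (not from the original slides): LSB embedding and extraction
# over raw image bytes, checked against the slide's "bomb" bytes, plus the two
# points of slides 8 and 9: the LSB plane exposes the payload, and dropping
# even one leading byte (a crop) misaligns every bit that follows.

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Replace the LSB of one cover byte per message bit, MSB of each char first."""
    bits = [(ch >> (7 - i)) & 1 for ch in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit      # upper 7 bits untouched
    return bytes(out)

def extract_lsb(stego: bytes, length: int) -> bytes:
    """Reassemble `length` characters from the LSBs of the first length*8 bytes."""
    bits = [b & 1 for b in stego[: length * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def lsb_plane(data: bytes) -> str:
    """The 'enhanced' view of slide 8: only the LSB of every byte, as a bit string."""
    return "".join(str(b & 1) for b in data)

def _from_bit_groups(text: str) -> bytes:
    """Parse the '01011010 00101011 ...' notation used on the slide."""
    return bytes(int(group, 2) for group in text.split())

# The slide's 32 cover bytes before embedding and after "bomb" was written.
SLIDE_BEFORE = _from_bit_groups(
    "01011010 00101011 10101011 10101010 11101011 11010100 01000111 11111001 "
    "01011010 10101101 10010111 10101111 10101011 10100111 01010110 01011011 "
    "10110111 11111011 00101011 10010101 10101000 01010100 10101010 11010101 "
    "10100100 01011000 11011010 01010101 01001001 10110000 01000010 01010100")
SLIDE_AFTER = _from_bit_groups(
    "01011010 00101011 10101011 10101010 11101010 11010100 01000111 11111000 "
    "01011010 10101101 10010111 10101110 10101011 10100111 01010111 01011011 "
    "10110110 11111011 00101011 10010100 10101001 01010101 10101010 11010101 "
    "10100100 01011001 11011011 01010100 01001000 10110000 01000011 01010100")

if __name__ == "__main__":
    stego = embed_lsb(SLIDE_BEFORE, b"bomb")
    print(stego == SLIDE_AFTER, extract_lsb(stego, 4))   # True b'bomb'
    print(lsb_plane(stego)[:8])                            # 01100010, the letter b
    print(extract_lsb(stego[1:], 4))                       # garbage after a 1-byte crop
```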
10. Steganography Technique: Palette Manipulation
renoir.gif
Before Embedding
After Embedding
airfield.gif
Palette of an 8-bit GIF, sorted by luminance. The repetition of similar colors indicates possible steganography.
11. Steganography Technique: Discrete Cosine Transform
peppers.bmp
8x8 DCT Block
The DC coefficient receives the data to be hidden.
12. Steganography: Embedding Within Audio
- Appending hidden information to end-of-file
- Pulse Code Modulation bit twiddling that produces sound indistinguishable from the original
Before Steganography Embedding
After Steganography Embedding
Source: Gary Kessler
13. Steganalysis
- Steganalysis is the science of detecting hidden information and making that information visible.
14. Two Models for Steganalysis
- Blind Detection Model
  - Detects the presence of hidden information without any prior knowledge of the steganography application or carrier file types that may have been used
- Analytical Model
  - Detects the presence of a file or other artifact associated with a particular steganography application
  - Then uses knowledge of the particular application to conduct a focused search for carrier file types associated with the application, and then extracts any information that may have been hidden
- Backbone's SARC (Steganography Analysis and Research Center) uses the analytical model
15. Current Activities
- Majority of current effort focused on populating the Steganography Application Signature Database (SASDB) with freeware, shareware and licensed versions
- To date over 250 steganography applications have been hashed and added to the SASDB
- Some files are used in more than one application, thus 10,147 are unique files
- Assistance from DCCI in acquiring steganography applications
- We are also currently hashing a collection from a CD by StegoArchive.com
- Archive all copies of steganography applications to CD format while validating application title / version
16. Populating the SASDB
- Search for steganography applications on the Internet, download them (typically in a compressed .zip archive format), and generate their hash values.
- If the application is distributed as an archive, recursively extract and hash all files contained within.
17. Populating the SASDB
- If the application utilizes an installer, track and hash all files that are installed on the system.
- Changes to the registry are also monitored and documented.
18. Structure of the SASDB
Hash Values
- SHA-1 Hash Value
- SHA-256 Hash Value
- MD5 Hash Value
- CRC32 Hash Value
- Filename
- Associated Application
19. Structure of the SASDB
Application Data Table
- Application Name
- Number of Associated Files
- Download date/time/location
20. Structure of the SASDB
Carrier Footprint
- Application Name
- Carrier File Types Affected
- Method of Embedding
- Comments (Path to application-specific TTP)
- Operating System
21. How Do Our Capabilities Compare With Other Tools?
- WetStone's Gargoyle can detect 167 steg applications (mostly versioning)
- WetStone's Stego Suite can crack 4 steg applications
- StegDetect/StegBreak can detect/crack 4 steg applications
- StegSpy can crack 5 steg applications
- Backbone can detect 254 steg applications and crack 19 steg applications
22. Current Activities
- Expanding the knowledge base by developing profiles for steganography applications
  - Embedding/encoding techniques used
  - Carrier file types
  - Fingerprints left in carrier files by particular applications
  - Etc.
- Enhancing the tool developed to capture all changes to the system when a steganography application is installed
23. Current Activities
- Developing detailed TTPs for steganalysis
  - Will be provided to law enforcement digital forensic investigators to aid in extending traditional digital forensic analysis to include steganalysis
- Developing proof-of-concept experiments to demonstrate
  - Validity and value of TTPs for the analytical model for steganalysis vs. the blind detection model
24. Current Activities
Real-Time Malware / Spyware / Virus / Hacking Steganography Detection
25. QUESTIONS
- WWW.BACKBONESECURITY.COM
- 888.805.4331
26. BACKUP SLIDES
27. Blind Detection Model
- Used to determine if information may have been hidden in one of several different carrier file formats
- May, or may not, detect hidden information
- Even if hidden information is detected, may still not be able to extract the information
- Various efforts underway to improve the success of the technique for detecting the presence of hidden information
28. Analytical Model
- Used to determine the specific steganography application(s) that may have been used to hide information
- Hash all files on the seized hard drive
- Reduce the set of files to be analyzed by removing files with hash values that exist in the NSRL RDS (National Software Reference Library Reference Data Set)
  - These are known good files
- Compare hash values of the remaining files to hash values in the SASDB
29. Analytical Model (Continued)
- A match would represent an artifact of a steganography application
  - One, or more, of possibly several files associated with a particular application
- Use the TTPs associated with the particular application to perform steganalysis
  - Conduct a focused search of the seized hard drive for carrier file types utilized by the particular application
  - Determine if information has been hidden in the carrier file
  - Extract the hidden information
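The triage steps of slides 28 and 29, with the per-file record of slide 18 and the carrier footprint of slide 20, as an added example that is not Backbone's code: the files, the NSRL stand-in, the SASDB stand-in and the "StegTool" application name are all constructed for the example.

```python
# Added example (not Backbone's code): the analytical-model triage of slides
# 28-29 over constructed in-memory files. NSRL_RDS, SASDB and FOOTPRINT are
# stand-ins built from the sample data; "StegTool" is a hypothetical application.
import hashlib
import zlib

def hash_record(name: str, data: bytes) -> dict:
    """The four hash values the SASDB keeps per file (slide 18)."""
    return {"filename": name,
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest(),
            "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"}

def triage(files: dict, known_good_sha1: set, sasdb: dict) -> dict:
    """Hash each file, drop NSRL known-good matches, look the rest up in the SASDB (SHA-1 -> app)."""
    hits, unknown = {}, []
    for name, data in files.items():
        sha1 = hash_record(name, data)["sha1"]
        if sha1 in known_good_sha1:
            continue                      # known good: removed from the analysis set
        app = sasdb.get(sha1)
        if app:
            hits.setdefault(app, []).append(name)
        else:
            unknown.append(name)          # matched nothing: not cleared, just unknown
    return {"hits": hits, "unknown": unknown}

def carrier_candidates(files: dict, hits: dict, footprint: dict) -> dict:
    """Focused search (slide 29): for each matched application, the files whose
    type appears in that application's carrier footprint (slide 20)."""
    return {app: sorted(n for n in files if n.lower().endswith(tuple(footprint.get(app, ()))))
            for app in hits}

# Constructed sample drive contents and reference sets.
SEIZED = {
    "C:/Windows/notepad.exe": b"constructed known-good binary",
    "C:/Tools/stegtool.exe": b"constructed steg application binary",
    "C:/Tools/stegtool.dll": b"constructed steg application helper",
    "C:/Users/x/report.docx": b"constructed user document",
    "C:/Users/x/baboon.jpg": b"constructed image file",
}
NSRL_RDS = {hashlib.sha1(SEIZED["C:/Windows/notepad.exe"]).hexdigest()}
SASDB = {hashlib.sha1(SEIZED[p]).hexdigest(): "StegTool"
         for p in ("C:/Tools/stegtool.exe", "C:/Tools/stegtool.dll")}
FOOTPRINT = {"StegTool": (".jpg", ".bmp")}

if __name__ == "__main__":
    result = triage(SEIZED, NSRL_RDS, SASDB)
    print(result)
    print(carrier_candidates(SEIZED, result["hits"], FOOTPRINT))
```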