Computer Forensics: Investigating Data and Image Files
Security|5
Security|5 is an entry level certification for anyone interested in learning computer networking and security basics. Security|5 means 5 components of IT security: firewalls, anti-virus, IDS, networking, and web security.
Wireless|5
Wireless|5 introduces learners to the basics of wireless technologies and their practical adaptation. Learners are exposed to various wireless technologies; current and emerging standards; and a variety of devices.
Network|5
Network|5 covers the ‘Alphabet Soup of Networking’ – the basic core knowledge to know how infrastructure enables a work environment, to help students and employees succeed in an integrated work environment.
E|DRP – EC-Council Disaster Recovery Professional
The Solution: EC-Council Press
The EC-Council | Press marks an innovation in academic textbooks and courses of study in information security, computer forensics, disaster recovery, and end-user security. By repurposing the essential content of EC-Council’s world class professional certification programs to fit academic programs, the EC-Council | Press was formed. With 8 Full Series, comprised of 27 different books, the EC-Council | Press is set to revolutionize global information security programs and ultimately create a new breed of practitioners capable of combating this growing epidemic of cybercrime and the rising threat of cyber war.
This Certification: C|HFI – Computer Hacking Forensic Investigator
Computer Hacking Forensic Investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. The C|HFI materials will give participants the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute.
The Experts: EC-Council
EC-Council’s mission is to address the need for well educated and certified information security and e-business practitioners. EC-Council is a global, member based organization comprised of hundreds of industry and subject matter experts all working together to set the standards and raise the bar in Information Security certification and education.
EC-Council certifications are viewed as the essential certifications needed where standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are securing networks around the world and beating the hackers at their own game.
E|DRP covers disaster recovery topics, including identifying vulnerabilities, establishing policies and roles to prevent and mitigate risks, and developing disaster recovery plans.
C|EH – Certified Ethical Hacker
Information assets have evolved into critical components of survival. The goal of the Ethical Hacker is to help the organization take preemptive measures against malicious attacks by attacking the system himself or herself; all the while staying within legal limits.
E|NSA – EC-Council Network Security Administrator
The E|NSA program is designed to provide fundamental skills needed to analyze the internal and external security threats against a network, and to develop security policies that will protect an organization’s information.
E|CSA – EC-Council Certified Security Analyst
The objective of E|CSA is to add value to experienced security professionals by helping them analyze the outcomes of their tests. It is the only in-depth Advanced Hacking and Penetration Testing certification available that covers testing in all modern infrastructures, operating systems, and application environments.
Additional Certifications Covered By EC-Council Press:
Investigating Data and Image Files
EC-Council | Press
Volume 3 of 5 mapping to C|HFI Computer Hacking Forensic Investigator Certification™
Australia • Brazil • Japan • Korea • Mexico • Singapore • Spain • United Kingdom • United States
Cengage Learning and EC-Council do not warrant or guarantee any of the products described herein or perform any independent analysis in connection with any of the product information contained herein. Cengage Learning and EC-Council do not assume, and expressly disclaim, any obligation to obtain and include information other than that provided to it by the manufacturer. The reader is expressly warned to consider and adopt all safety precautions that might be indicated by the activities described herein and to avoid all potential hazards. By following the instructions contained herein, the reader willingly assumes all risks in connection with such instructions. Cengage Learning and EC-Council make no representations or warranties of any kind, including but not limited to, the warranties of fitness for particular purpose or merchantability, nor are any such representations implied with respect to the material set forth herein, and Cengage Learning and EC-Council take no responsibility with respect to such material. Cengage Learning and EC-Council shall not be liable for any special, consequential, or exemplary damages resulting, in whole or part, from the readers’ use of, or reliance upon, this material.
Printed in the United States of America
1 2 3 4 5 6 7 12 11 10 09
Brief Table of Contents

TABLE OF CONTENTS . . . v
PREFACE . . . ix
ACKNOWLEDGEMENT . . . xv
CHAPTER 1  Steganography . . . 1-1
CHAPTER 2  Data Acquisition and Duplication . . . 2-1
CHAPTER 3  Forensic Investigations Using EnCase . . . 3-1
CHAPTER 4  Recovering Deleted Files and Deleted Partitions . . . 4-1
CHAPTER 5  Image File Forensics . . . 5-1
INDEX . . . I-1
Table of Contents

PREFACE . . . ix
ACKNOWLEDGEMENT . . . xv

CHAPTER 1
Steganography . . . 1-1
Objective . . . 1-1
Key Terms . . . 1-1
Introduction to Steganography . . . 1-2
Stegosystem Model . . . 1-2
Application of Steganography . . . 1-2
Classification of Steganography . . . 1-3
    Technical Steganography . . . 1-3
    Linguistic Steganography . . . 1-3
    Digital Steganography . . . 1-5
Digital File Types . . . 1-8
    Text Files . . . 1-8
    Image Files . . . 1-9
    Audio Files . . . 1-11
    Video Files . . . 1-11
Steganographic File System . . . 1-11
Cryptography . . . 1-12
    Model of a Cryptosystem . . . 1-13
    Steganography Versus Cryptography . . . 1-13
    Public Key Infrastructure (PKI) . . . 1-13
Watermarking . . . 1-14
    Application of Watermarking . . . 1-14
    Steganography Versus Watermarking . . . 1-14
    Categories of Watermarks . . . 1-14
    Watermarks and Compression . . . 1-14
    Digimarc’s Digital Watermarking . . . 1-15
    Attacks on Watermarking . . . 1-15
Issues in Information Hiding . . . 1-16
    Level of Visibility . . . 1-17
    Robustness Versus Payload . . . 1-17
    File Format Dependence . . . 1-17
Detecting Steganography . . . 1-17
    Detection Techniques . . . 1-17
    Detecting Text, Image, Audio, and Video Steganography . . . 1-18
    Steganalysis . . . 1-18
    Stego-Forensics . . . 1-19
Tools . . . 1-19
    2Mosaic . . . 1-19
    FortKnox . . . 1-20
    BlindSide . . . 1-20
    S-Tools . . . 1-21
    StegHide . . . 1-22
    Snow . . . 1-22
    Camera/Shy . . . 1-23
    Steganos . . . 1-24
    Pretty Good Envelope . . . 1-24
    Gifshuffle . . . 1-24
    JPHS . . . 1-25
    wbStego . . . 1-25
    OutGuess . . . 1-26
    Invisible Secrets 4 . . . 1-28
    Masker . . . 1-28
    Data Stash . . . 1-30
    Hydan . . . 1-30
    Cloak . . . 1-31
    StegaNote . . . 1-32
    Stegomagic . . . 1-32
    Hermetic Stego . . . 1-32
    StegParty . . . 1-34
    Stego Suite . . . 1-34
    StegSpy . . . 1-35
    Stego Hunter . . . 1-35
    WNSTORM . . . 1-35
    Xidie . . . 1-35
    CryptArkan . . . 1-35
    Info Stego . . . 1-36
    Stealth Files . . . 1-36
    InPlainView . . . 1-38
    EzStego . . . 1-38
    Jpegx . . . 1-38
    Camouflage . . . 1-38
    Scramdisk . . . 1-38
    CryptoBola JPEG . . . 1-39
    Steganosaurus . . . 1-39
    ByteShelter I . . . 1-39
    appendX . . . 1-40
    Z-File . . . 1-40
    MandelSteg and GIFExtract . . . 1-41
Chapter Summary . . . 1-41
Review Questions . . . 1-41
Hands-On Projects . . . 1-42
CHAPTER 2
Data Acquisition and Duplication . . . 2-1
Objectives . . . 2-1
Key Terms . . . 2-1
Case Example . . . 2-2
Introduction to Data Acquisition and Duplication . . . 2-2
Determining the Best Acquisition Methods . . . 2-2
    Disk-To-Image File . . . 2-2
    Disk-To-Disk Copy . . . 2-2
    Sparse Data Copy . . . 2-2
Data Recovery Contingencies . . . 2-3
The Need for Data Duplication . . . 2-3
Data Acquisition Software Tools . . . 2-3
    Windows Standard Tools . . . 2-3
    Linux Standard Tools . . . 2-3
    DriveSpy . . . 2-5
    FTK Imager . . . 2-6
    Mount Image Pro . . . 2-6
    Drive SnapShot . . . 2-7
    SnapBack DatArrest . . . 2-8
    SafeBack . . . 2-8
Data Acquisition Hardware Tools . . . 2-8
    Image MASSter Solo-3 . . . 2-8
    LinkMASSter-2 . . . 2-10
    RoadMASSter-2 . . . 2-11
Data Duplication Software Tools . . . 2-12
    R-Drive Image . . . 2-12
    DriveLook . . . 2-13
    DiskExplorer . . . 2-14
    Save-N-Sync . . . 2-14
    DFSMSdss . . . 2-15
    SCSIPAK . . . 2-16
Data Duplication Hardware Tools . . . 2-16
    ImageMASSter 6007SAS . . . 2-16
    Disk Jockey IT . . . 2-17
    QuickCopy . . . 2-18
Chapter Summary . . . 2-18
Review Questions . . . 2-18
Hands-On Projects . . . 2-19
CHAPTER 3
Forensic Investigations Using EnCase . . . 3-1
Objectives . . . 3-1
Key Terms . . . 3-1
Introduction to Forensic Investigation Using EnCase . . . 3-2
Evidence Files . . . 3-2
    Verifying Evidence Files . . . 3-2
    Evidence File Format . . . 3-2
    Verifying File Integrity . . . 3-3
    Hashing . . . 3-3
Acquiring an Image . . . 3-4
Configuring EnCase . . . 3-4
View Menu . . . 3-4
Device Tab . . . 3-6
Status Bar . . . 3-7
Searching . . . 3-8
    Keywords . . . 3-9
    Starting the Search . . . 3-10
    Search Hits Tab . . . 3-10
Bookmarks . . . 3-10
    Creating Bookmark Folders . . . 3-11
    Adding Bookmarks . . . 3-11
    Bookmarking a Selected Area . . . 3-12
Recovering Deleted Files/Folders in a FAT Partition . . . 3-12
    Viewing Recovered Files . . . 3-13
Recovering Files/Folders in an NTFS Partition . . . 3-13
Master Boo**t Record (MBR) . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . .3-14
NTFS Starting Point . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15Vi**ewing Disk Geometry . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-16 Recovering Deleted Partition**s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-16
HashValues. . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . .3-16Creating Hash Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16 MD5 Hash . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Creating Hashes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18Viewers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-18
Signature Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . .3-18**
Viewing the Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-18
Copying Files and Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
E-Mail Recovery . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-19 EnCase Boot Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . 3-20 Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21 Review Questions . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21**
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
CHAPTER 4
Recovering Deleted Files and Deleted Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 4-1
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 Key**Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1**
Case Example . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Introduction to Recovering Deleted Files and Deleted Partitions . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Table of Contents
Deleting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . 4-2**
What Happens When a File Is Deleted in Windows?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3The Recycle Bin in Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3Damaged Recycled Folder . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-6
How to Undelete a File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-7**
Data Recovery in Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8
Tools to Recover Deleted Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-8File Recovery Tools for Windows . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-9Tools for Use with UNIX-Based Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . 4-33**
Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-43
Rec**overing Deleted Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50Deletion of a Partition . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-50**What Happens When a Partition Is Deleted? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . 4-51 Recovery of Deleted Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53
Tools to RecoverDeleted and Damaged Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-53
Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-63 Review Questions . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-64**
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-65
CHAPTER 5
Image File Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . 5-1
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . .**. . . . . . . . 5-1 Key Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . .. . . . . . . 5-1
Case Example 1 . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . 5-2**
Case Example 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . 5-3
Introduction to Image File Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . . . . . 5-3
Introduction to Image Files . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . 5-3U**nderstanding Vector Images . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3
Understanding Raster Images . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 Understanding Image File Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . .**. . . . . . . . . . . . . . . . . . . . . . 5-4
Data Compression in Im**age Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-11 Understanding File Compression. . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 LosslessCompression Algorithms . . . . . . . . . . . . . . . . .. . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-13 Lossy Compression . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . .5-14**
L**ocating and Recovering Image Files . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-15
Stegan**ography in Image Files . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-22Steg**analysis . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23
Identi**fying C**opyright Issues with Graphics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . 5-26Chapter Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27 Review Questions . . . . .**. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-27**
Hands-On Projects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-28
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .I-1
The sophistication of hacking and electronic crimes has grown at an exponential rate in recent years. In fact, recent reports have indicated that cyber crime already surpasses the illegal drug trade! Unethical hackers, better known as _black hats,_ are preying on the information systems of government, corporate, public, and private networks and are constantly testing the security mechanisms of these organizations to the limit with the sole aim of exploiting them and profiting from the exercise. High-profile crimes have proven that the traditional approach to computer security is simply not sufficient, even with the strongest perimeter, properly configured defense mechanisms such as firewalls, intrusion detection and prevention systems, strong end-to-end encryption standards, and anti-virus software. Hackers have proven their dedication and ability to systematically penetrate networks all over the world. In some cases, black hats may be able to execute attacks so flawlessly that they can compromise a system, steal everything of value, and completely erase their tracks in less than 20 minutes!
The EC-Council Press is dedicated to stopping hackers in their tracks.
About EC-Council
The International Council of Electronic Commerce Consultants, better known as EC-Council, was founded in late 2001 to address the need for well-educated and certified information security and e-business practitioners. EC-Council is a global, member-based organization comprised of industry and subject matter experts all working together to set the standards and raise the bar in information security certification and education.
EC-Council first developed the Certified Ethical Hacker (C|EH) program. The goal of this program is to teach the methodologies, tools, and techniques used by hackers. Leveraging the collective knowledge from hundreds of subject matter experts, the C|EH program has rapidly gained popularity around the globe and is now delivered in more than 70 countries by more than 450 authorized training centers. More than 60,000 information security practitioners have been trained.
Preface
C|EH is the benchmark for many government entities and major corporations around the world. Shortly after C|EH was launched, EC-Council developed the Certified Security Analyst (E|CSA). The goal of the E|CSA program is to teach groundbreaking analysis methods that must be applied while conducting advanced penetration testing. The E|CSA program leads to the Licensed Penetration Tester (L|PT) status. The Computer Hacking Forensic Investigator (C|HFI) was formed with the same design methodologies and has become a global standard in certification for computer forensics. EC-Council, through its impervious network of professionals and huge industry following, has developed various other programs in information security and e-business. EC-Council certifications are viewed as the essential certifications needed when standard configuration and security policy courses fall short. Providing a true, hands-on, tactical approach to security, individuals armed with the knowledge disseminated by EC-Council programs are securing networks around the world and beating the hackers at their own game.
About the EC-Council | Press
The EC-Council | Press was formed in late 2008 as a result of a cutting-edge partnership between global information security certification leader EC-Council and leading global academic publisher Cengage Learning. This partnership marks a revolution in academic textbooks and courses of study in information security, computer forensics, disaster recovery, and end-user security. By identifying the essential topics and content of EC-Council professional certification programs, and repurposing this world-class content to fit academic programs, the EC-Council | Press was formed. The academic community is now able to incorporate this powerful cutting-edge content into new and existing information security programs. By closing the gap between academic study and professional certification, students and instructors are able to leverage the power of rigorous academic focus and high-demand industry certification. The EC-Council | Press is set to revolutionize global information security programs and ultimately create a new breed of practitioners capable of combating the growing epidemic of cybercrime and the rising threat of cyber-war.
Computer Forensics Series
The EC-Council | Press _Computer Forensics_ series, preparing learners for C|HFI certification, is intended for those studying to become police investigators and other law enforcement personnel, defense and military personnel, e-business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies, and IT managers. The content of this program is designed to expose the learner to the process of detecting attacks and collecting evidence in a forensically sound manner with the intent to report crime and prevent future attacks. Advanced techniques in computer investigation and analysis with interest in generating potential legal evidence are included. In full, this series prepares the learner to identify evidence in computer-related crime and abuse cases as well as track the intrusive hacker’s path through a client system.
Books in Series
Computer Forensics: Investigation Procedures and Response/1435483499
Computer Forensics: Investigating Hard Disks, File and Operating Systems/1435483502
Computer Forensics: Investigating Data and Image Files/1435483510
Computer Forensics: Investigating Network Intrusions and Cybercrime/1435483529
Computer Forensics: Investigating Wireless Networks and Devices/1435483537
Investigating Data and Image Files
_Investigating Data and Image Files_ provides a basic understanding of steganography, data acquisition and duplication, EnCase, how to recover deleted files and partitions, and image file forensics.
Chapter Contents
Chapter 1, _Steganography,_ provides the history and classifications of steganography, explains the difference between steganography and cryptography as well as the essentials of stego-forensics and watermarking. Chapter 2, _Data Acquisition and Duplication,_ focuses on how to determine the best data acquisition method, how to make sure crucial data is not lost, and the importance of data duplication. A description of the tools used for data acquisition and duplication is also included. Chapter 3, _Forensic Investigation Using EnCase,_ includes coverage of this forensic software suite and how investigators can use EnCase to perform different forensic tasks. Chapter 4, _Recovering Deleted Files and Deleted Partitions,_ covers deleting files and the Recycle Bin as well as file recovery and deleting and recovering partitions. Chapter 5, _Image File Forensics,_ covers the various methods that can be used to recover graphics files. It also highlights the various image recovery, steganalysis, and viewing tools that are used and the salient features of these tools.
Chapter Features
Many features are included in each chapter and all are designed to enhance the learner’s learning experience. Features include:
_Objectives_ begin each chapter and focus the learner on the most important concepts in the chapter.
_Key Terms_ are designed to familiarize the learner with terms that will be used within the chapter.
_Case Examples,_ found throughout the chapter, present short scenarios followed by questions that challenge the learner to arrive at an answer or solution to the problem presented.
_Chapter Summary,_ at the end of each chapter, serves as a review of the key concepts covered in the chapter.
_Review Questions_ allow learners to test their comprehension of the chapter content.
_Hands-On Projects_ encourage learners to apply the knowledge they have gained after finishing the chapter. Files for the Hands-On Projects can be found on the Student Resource Center. Note: You will need your access code provided in your book to enter the site. Visit [www.cengage.com/community/eccouncil](http://www.cengage.com/community/eccouncil) for a link to the Student Resource Center.
Student Resource Center
The Student Resource Center contains all the files you need to complete the Hands-On Projects found at the end of the chapters. Access the Student Resource Center with the access code provided in your book. Visit www.cengage.com/community/eccouncil for a link to the Student Resource Center.
Additional Instructor Resources
Free to all instructors who adopt the _Investigating Data and Image Files_ book for their courses is a complete package of instructor resources. These resources are available from the Course Technology Web site, www.cengage.com/coursetechnology, by going to the product page for this book in the online catalog and choosing “Instructor Downloads.”
Resources include:
Instructor Manual: This manual includes course objectives and additional information to help your instruction.
Examview Testbank: This Windows-based testing software helps instructors design and administer tests and pre-tests. In addition to generating tests that can be printed and administered, this full-featured program has an online testing component that allows students to take tests at the computer and have their exams automatically graded.
PowerPoint Presentations: This book comes with a set of Microsoft PowerPoint slides for each chapter. These slides are meant to be used as teaching aids for classroom presentations, to be made available to students for chapter reviews, or to be printed for classroom distribution. Instructors are also at liberty to add their own slides.
Labs: These are additional hands-on activities to provide more practice for your students.
Assessment Activities: These are additional assessment opportunities including discussion questions, writing assignments, Internet research activities, and homework assignments along with a final cumulative project.
Final Exam: This exam provides a comprehensive assessment of _Investigating Data and Image Files_ content.
Cengage Learning Information Security Community Site
The Cengage Learning Information Security Community Site was created for learners and instructors to find out about the latest in information security news and technology. Visit _community.cengage.com/infosec_ to:
- Learn what’s new in information security through live news feeds, videos, and podcasts;
- Connect with your peers and security experts through blogs and forums;
- Browse our online catalog.
How to Become C|HFI Certified
Today’s battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. The C|HFI certification focuses on the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute. The C|HFI certification is primarily targeted at police and other law enforcement personnel, defense and military personnel, e-business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies, and IT managers. This certification will ensure that you have the knowledge and skills to identify, track, and prosecute the cyber-criminal.
C|HFI certification exams are available through authorized Prometric testing centers. To finalize your certification after your training by taking the certification exam through a Prometric testing center, you must:
- Apply for and purchase an exam voucher by visiting the EC-Council Press community site: www.cengage.com/community/eccouncil, if one was not purchased with your book.
- Once you have your exam voucher, visit www.prometric.com and schedule your exam, using the information on your voucher.
- Take and pass the C|HFI certification examination with a score of 70% or better.
C|HFI certification exams are also available through Prometric Prime. To finalize your certification after your training by taking the certification exam through Prometric Prime, you must:
- Purchase an exam voucher by visiting the EC-Council Press community site: www.cengage.com/community/eccouncil, if one was not purchased with your book.
- Speak with your instructor about scheduling an exam session, or visit the EC-Council community site referenced above for more information.
- Take and pass the C|HFI certification examination with a score of 70% or better.
About Our Other EC-Council | Press Products
Ethical Hacking and Countermeasures Series
The EC-Council | Press _Ethical Hacking and Countermeasures_ series is intended for those studying to become security officers, auditors, security professionals, site administrators, and anyone who is concerned about or responsible for the integrity of the network infrastructure. The series includes a broad base of topics in offensive network security and ethical hacking, as well as network defense and countermeasures. The content of this series is designed to immerse learners in an interactive environment where they will be shown how to scan, test, hack, and secure information systems. A wide variety of tools, viruses, and malware is presented in these books, providing a complete understanding of the tactics and tools used by hackers. By gaining a thorough understanding of how hackers operate, ethical hackers are able to set up strong countermeasures and defensive systems to protect their organization’s critical infrastructure and information. The series, when used in its entirety, helps prepare readers to take and succeed on the C|EH certification exam from EC-Council.
Books in Series
Ethical Hacking and Countermeasures: Attack Phases/143548360X
Ethical Hacking and Countermeasures: Threats and Defense Mechanisms/1435483618
Ethical Hacking and Countermeasures: Web Applications and Data Servers/1435483626
Ethical Hacking and Countermeasures: Linux, Macintosh and Mobile Systems/1435483642
Ethical Hacking and Countermeasures: Secure Network Infrastructures/1435483650
Network Security Administrator Series
The EC-Council | Press _Network Administrator_ series, preparing learners for E|NSA certification, is intended for those studying to become system administrators, network administrators, and anyone who is interested in network security technologies. This series is designed to educate learners, from a vendor-neutral standpoint, how to defend the networks they manage. This series covers the fundamental skills in evaluating internal and external threats to network security and design, how to enforce network-level security policies, and ultimately how to protect an organization’s information. Covering a broad range of topics from secure network fundamentals, protocols and analysis, standards and policy, and hardening infrastructure, to configuring IPS, IDS and firewalls, bastion hosts and honeypots, among many other topics, learners completing this series will have a full understanding of the defensive measures taken to secure their organization’s information. The series, when used in its entirety, helps prepare readers to take and succeed on the E|NSA, Network Security Administrator certification exam from EC-Council.
Books in Series
Network Defense: Fundamentals and Protocols/1435483553
Network Defense: Security Policy and Threats/1435483561
Network Defense: Perimeter Defense Mechanisms/143548357X
Network Defense: Securing and Troubleshooting Network Operating Systems/1435483588
Network Defense: Security and Vulnerability Assessment/1435483596
Security Analyst Series
The EC-Council | Press _Security Analyst/Licensed Penetration Tester_ series, preparing learners for E|CSA/L|PT certification, is intended for those studying to become network server administrators, firewall administrators, security testers, system administrators, and risk assessment professionals. This series covers a broad base of topics in advanced penetration testing and security analysis. The content of this program is designed to expose the learner to groundbreaking methodologies in conducting thorough security analysis, as well as advanced penetration testing techniques. Armed with the knowledge from the _Security Analyst_ series, learners will be able to perform the intensive assessments required to effectively identify and mitigate risks to the security of the organization’s infrastructure. The series, when used in its entirety, helps prepare readers to take and succeed on the E|CSA, Certified Security Analyst, and L|PT, Licensed Penetration Tester certification exams from EC-Council.
Books in Series
Certified Security Analyst: Security Analysis and Advanced Tools/1435483669
Certified Security Analyst: Customer Agreements and Reporting Procedures in Security Analysis/1435483677
Certified Security Analyst: Penetration Testing Methodologies in Security Analysis/1435483685
Certified Security Analyst: Network and Communication Testing Procedures in Security Analysis/1435483693
Certified Security Analyst: Network Threat Testing Procedures in Security Analysis/1435483707
Cyber Safety/1435483715
_Cyber Safety_ is designed for anyone who is interested in learning computer networking and security basics. This product provides information on cyber crime; security procedures; how to recognize security threats and attacks; incident response; and how to secure Internet access. This book gives individuals the basic security literacy skills to begin high-end IT programs. The book also prepares readers to take and succeed on the Security|5 certification exam from EC-Council.
Wireless Safety/1435483766
Wireless Safety introduces the learner to the basics of wireless technologies and their practical adaptation. Wireless|5 is tailored to cater to any individual's desire to learn more about wireless technology. It requires no prerequisite knowledge and aims to educate the learner in simple applications of these technologies. Topics include wireless signal propagation, IEEE and ETSI wireless standards, WLANs and their operation, wireless protocols and communication languages, wireless devices, and wireless network security. The book also prepares readers to take and succeed on the Wireless|5 certification exam from EC-Council.
Network Safety/1435483774
Network Safety provides the basic core knowledge on how infrastructure enables a working environment. It is intended for those in office environments and for home users who want to optimize resource utilization, share infrastructure, and make the best of technology and the convenience it offers. Topics include foundations of networks, networking components, wireless networks, basic hardware components, the networking environment and connectivity, as well as troubleshooting. The book also prepares readers to take and succeed on the Network|5 certification exam from EC-Council.
Disaster Recovery Professional
The Disaster Recovery Professional series, preparing the reader for E|DRP certification, introduces the learner to the methods employed in identifying vulnerabilities and how to take the appropriate countermeasures to prevent and mitigate failure risks for an organization. It also provides a foundation in disaster recovery principles, including preparation of a disaster recovery plan, assessment of risks in the enterprise, development of policies and procedures, understanding of the roles and relationships of various members of an organization, implementation of the plan, and recovering from a disaster. Students will learn how to create a secure network by putting policies and procedures in place, and how to restore a network in the event of a disaster. The series, when used in its entirety, helps prepare readers to take and succeed on the E|DRP, Disaster Recovery Professional certification exam from EC-Council.
Books in Series
Disaster Recovery/1435488709
Business Continuity/1435488695
Acknowledgements
Michael H. Goldner is the Chair of the School of Information Technology for ITT Technical Institute in Norfolk, Virginia, and also teaches bachelor-level courses in computer network and information security systems. Michael has served on and chaired ITT Educational Services Inc.'s National Curriculum Committee on Information Security. He received his Juris Doctorate from Stetson University College of Law and his undergraduate degree from Miami University, and has been working for more than 15 years in the area of Information Technology. He is an active member of the American Bar Association, and has served on that organization's cyber law committee. He is a member of IEEE, ACM, and ISSA, and is the holder of a number of industrially recognized certifications including CISSP, CEH, CHFI, CEI, MCT, MCSE/Security, Security+, Network+, and A+. Michael recently completed the design and creation of a computer forensic program for ITT Technical Institute and has worked closely with both EC-Council and Delmar/Cengage Learning in the creation of this EC-Council Press series.
Objective
After completing this chapter, you should be able to:
Understand steganography
Recount the history of steganography
Explain the classifications of steganography
Identify image steganography
Detect steganography
Explain the differences between steganography and cryptography
Explain stego-forensics
Explain watermarking
Select appropriate steganography tools
Steganography
Chapter
1
Key Terms
Cover medium: the medium used to hide a message with steganography
Digital watermark: a digital stamp embedded into a digital signal
Least significant bit (LSB): a steganography technique in which the rightmost bit in the binary notation is substituted with a bit from the embedded message
Steganography: the practice of embedding hidden messages within a carrier medium
Stego-key: the secret key used to encrypt and decrypt messages hidden by steganography
Stego-medium: the combined cover medium and embedded message used in steganography
Stegosystem: the mechanism used in performing steganography
Introduction to Steganography
Steganography is the practice of embedding hidden messages within a carrier medium. Mathematicians, military personnel, and scientists have used it for centuries. The use of steganography dates back to ancient Egypt. Today steganography, in its digital form, is widely used on the Internet and in a variety of multimedia forms.
Modern steganography works by replacing bits of unused or perceptually redundant data in ordinary computer files with the bits of the hidden information. When a file cannot be sent in encrypted form without drawing attention, steganography is the next best option for transferring it covertly. Steganography can also be used to supplement encryption: the message is encrypted first, and the resulting ciphertext is then hidden. Used in this manner, steganography provides a double measure of protection, because an observer must first detect and extract the hidden data and then still break the encryption before the message can be read. The receiver of the file has to use the matching software (and the stego-key) to extract the hidden message.
Stegosystem Model
A stegosystem is the mechanism that is used in performing steganography (Figure 1-1). The following components make up a stegosystem:
Embedded message: The original secret message to be hidden within the cover medium
Cover medium: The medium used to hide the message
Stego-key: The secret key that controls embedding and extraction of the message (and, where used, its encryption and decryption)
Stego-medium: The combined cover medium and embedded message
Application of Steganography
Steganography can be used for a variety of legal and illegal uses. It can be used for the followingpurposes:
Medical records: Steganography is used in medical imaging to bind patient details to the image itself and so avoid any mix-up of patients' records. Every patient has an EPR (electronic patient record) in which examinations and other medical records are stored.
Workplace communication: Steganography can be used by employees who desire privacy in the workplace to bypass the normal, monitored communication channels. In this area, steganography is an obstacle to network security, since data can leave the organization hidden inside innocuous files.
Copyright © by
All rights reserved. Reproduction is strictly prohibited
Figure 1-1A stegosystem is the mechanism used to embed a hidden message within a cover medium.
Figure 1-2An embedded message is not typically visible to the naked eye.
Digital music: Steganography is also used to protect music from being copied by introducing subtle changes into a music file that act as a digital signature. BlueSpike Technology removes a few select tones in a narrow band. Verance adds signals that are outside the frequency range detectable by the human ear. Others adjust the sound by shifting the frequency slightly. Digital audio files can also be modified to carry a large amount of information. Some files simply indicate that the content is under copyright; more sophisticated versions can include information about the artist.
Terrorism: Certain extremist Web sites have been known to use pictures and text to secretly communicate messages to terrorist cells operating around the world. Servers and computers around the world provide a new twist on this covert activity. Figure 1-2 shows two photos: one has a message embedded, and the other does not.
The movie industry: Steganography can also be used as copyright protection for DVDs and VCDs. The DVD copy-protection program is designed to support a copy generation management system. Second-generation DVD players with digital video recording capabilities continue to appear on the black market, so to protect itself against piracy the movie industry needs to mark DVDs with copyright information.
Classification of Steganography
Steganography is classified into the following three major categories (Figure 1-3):
Technical steganography
Linguistic steganography
Digital steganography
Technical Steganography
In technical steganography, physical or chemical methods are used to hide the existence of a message. Technical steganography can include the following methods:
Invisible inks: These are colorless liquids that need heating and lighting in order to be read. For example, if onion juice and milk are used to write a message, the writing cannot be seen unless heat is applied, which makes the ink turn brown.
Microdots: This method shrinks a page-sized photograph to 1 mm in diameter. The photograph is reduced with the help of a reverse microscope.
Linguistic Steganography
Linguistic steganography hides messages in the carrier in several ways. The two main techniques of linguistic steganographyinvolve the use of semagrams and open codes.
Figure 1-3Steganography is classified into three main categories.
Semagrams
Semagrams hide information through the use of signs or symbols. Objects or symbols can be embedded in data to send messages. Semagrams can be classified into the following types:
Visual semagrams: In this technique a drawing, painting, letter, music, or any other symbol is used to hide the information. For example, the position of items on a desk or Web site may be used to hide some kind of message.
Text semagrams: In this technique, a message is hidden by changing the appearance of the carrier text. Text can be changed by modifying the font size, using extra spaces between words, or by using different flourishes in letters or handwritten text.
Open Codes
Open codes make use of openly readable text. The innocent-looking text contains the hidden words or sentences in selected positions, for example in reverse or vertical order, or at fixed letter positions, known only to the intended reader. Open codes can be either jargon codes or covered ciphers.
_Jargon_codes: In this type of open code, a certain language is used that can only be understood by a particular group of people while remaining meaningless to others. A jargon message is similar to a substitution cipher in many respects, but rather than replacing individual letters the words themselves are changed.
Covered ciphers: This technique hides the message in a carrier medium that is visible to everyone. Any person who knows how the message is hidden can extract it. Covered ciphers are either null ciphers or grille ciphers.
Null ciphers: Null ciphers hide the message within a large amount of irrelevant data. The message letters may be mixed with the filler in any pattern, e.g., diagonally, vertically, or in reverse order, so that only a person who knows the pattern can read it.
Grille ciphers: Plaintext can be hidden by writing it onto a sheet of paper through the holes of a separate pierced sheet of paper or cardboard (the grille) and then filling the remaining space with innocent text. When an identical pierced sheet is placed over the message, the original text can be read. The grille system is difficult to crack, as only the person holding the grille can locate the hidden message.
Figure 1-4The source file can reveal an injected message when compared to the altered file.
Digital Steganography
In digital steganography, the secret messages are hidden in a digital medium. The following techniques are used in digital steganography:
Injection
Least significant bit (LSB)
Transform-domain techniques
Spread-spectrum encoding
Perceptual masking
File generation
Statistical method
Distortion technique
Injection
With the injection technique, the secret information is placed inside a carrier or host file. The secret message is directly inserted into a host medium, which could be a picture, sound file, or video clip. The drawback to this technique is that the size of the host file increases, making it easy to detect. This can be overcome by deleting the original file once the file with the secret message is created. It is difficult to detect the presence of any secret message once the original file is deleted.
In the Web page shown in Figure 1-4, the message "This is a sample of Stego" is displayed. In the source code of the Web page, the secret message "This is the hidden message" can be viewed.
Least Significant Bit (LSB)
With the least-significant-bit (LSB) technique, the rightmost bit in the binary notation is substituted with a bit from the embedded message. The rightmost bit has the least impact on the value of the binary data. If an attacker knows that this technique is used, then the data are vulnerable.
Figure 1-5LSB substitutes the rightmost bit in the binary notation with a bit from the embedded message.
Figure 1-5 shows a basic LSB approach. Bit planes of a grayscale image are shown with the most significant bit (MSB) on top. The dark boxes represent binary value 0, and the light boxes represent binary value 1. The LSB plane of the cover image is replaced with the hidden data.
Transform-Domain Techniques
Transform-domain techniques embed the message not in the pixel or sample values themselves but in the coefficients of a mathematical transform of the cover, the same representation that lossy compression operates on. The three transforms used when embedding a message are the discrete cosine transform (DCT), the discrete Fourier transform (DFT), and the discrete wavelet transform (DWT). The transformation can be applied either to an entire carrier file or to its subparts (for example, to 8 by 8 pixel blocks). The embedding process modifies selected coefficients, chosen according to the robustness required. Because the hidden data is carried in the more significant parts of the signal's transformed representation, it survives common signal processing far better than data hidden in the least significant bits.
Example: Images sent over the Internet typically use the JPEG format, which compresses the image when it is saved. JPEG divides the image into blocks, applies the DCT, and quantizes the resulting coefficients, discarding detail the eye does not notice in order to reduce the file's size. The quantized DCT coefficients are the transform space that can be used to hide information.
Spread-Spectrum Encoding
Spread-spectrum encoding encodes a narrow-band message signal into a wide-band cover. The encoder modulates the narrow-band signal over a carrier so that its energy is spread across a wide range of frequencies at low power.
Spread-spectrum encoding can be used in the following ways:
Direct sequence: In direct-sequence spreading, the data signal is combined during transmission with a higher-rate pseudorandom bit sequence (the chip sequence), which spreads it over a bandwidth determined by the predetermined spreading ratio. The redundancy of the chip sequence makes the signal resistant to interference, and a receiver that knows the sequence can recover the original data.
Frequency hopping: This technique divides the available spectrum into many possible broadcast frequencies and hops the narrow-band signal among them in a sequence known to both sides. Frequency-hopping devices require less power and are cheaper, but are less reliable than direct-sequence spread-spectrum systems.
Figure 1-6Perceptual masking uses masking tones to hide messages within audio signals.
Figure 1-7The statistical method embeds one bit of information in a digital carrier.
Perceptual Masking
Perceptual masking is the interference of one perceptual stimulus with another, resulting in a decrease in perceptual effectiveness (Figure 1-6). This type of steganography makes one signal hard to identify due to the presence of another signal.
File Generation
Rather than selecting an existing cover to hide a message, this technique generates a new cover file solely for the purpose of carrying the data; for example, a picture is created that has the hidden message in it. In the modern form of file generation, a spam-mimic program is used. Spam mimic embeds the secret message into a plausible-looking spam message that can be e-mailed to any destination.
Statistical Method
This method uses a one-bit steganographic scheme. It embeds one bit of information in a digital carrier, creating a statistical change. A statistical change in the cover is read as a 1; a 0 indicates that the cover was left unchanged (Figure 1-7). The method depends on the receiver's ability to differentiate between modified and unmodified covers.
Figure 1-8 (panels: Original image, Distorted image) In the distortion technique, an encoder performs a sequence of modifications to the cover that correspond to a secret message.
Distortion Technique
This technique creates a change in the cover object in order to hide the information. An encoder performs a sequence of modifications to the cover that corresponds to a secret message. The secret message is recovered by comparing the distorted cover with the original (Figure 1-8). The decoder in this technique needs access to the original cover file.
Digital File Types
The various techniques used in steganography are applied differently depending on the type of file that is being used to encode the message. The three digital file types are text files, audio files, and video files.
Text Files
The following steganography methods are used in text files:
Open-space
Syntactic
Semantic
Open-Space Steganography
This method uses white space on the printed page. Open-space methods can be categorized in the following three ways:
Intersentence spacing: This method encodes a binary message by inserting one or two spaces after every sentence-terminating character. This method is inefficient, since it needs a long cover for a small message, and the extra white space can be easily spotted.
End-of-line spacing: Secret data is placed at the end of each line in the form of trailing spaces. This allows more room to insert a message, but the message is destroyed when an editor or mail program automatically removes trailing spaces or when the document is printed as hard copy.
Interword spacing: This method uses right justification, in which the justification spaces between words can be adjusted to allow binary encoding. A single space between words is 0, and two spaces is 1.
Syntactic Steganography
This method manipulates punctuation to hide messages. Look at the following example:
Laptop, iPod, USB
Laptop iPod USB
The punctuation marks are missing in the second phrase. The presence or absence of a punctuation mark at each such position can be used to carry one bit of the hidden message.
Semantic Steganography
This method of data hiding involves changing the words themselves. Semantic steganography assigns each pair of synonyms a primary and a secondary value. When decoded, the primary synonym is read as 1 and the secondary as 0.
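The three text methods above (open-space in its interword and end-of-line forms, and semantic synonym substitution) as an added Python example; this is not code from the original page. The cover sentences, the synonym table and the two-bits-per-line end-of-line scheme are constructed for the demonstration, and strip_trailing_whitespace stands in for what an editor, mail gateway or print step does to trailing spaces, which is the failure mode the end-of-line method is subject to.

```python
import re

# Synonym pairs: the first word is the primary value (bit 1), the second
# the secondary value (bit 0). Constructed table for this example.
SYNONYM_PAIRS = [("begin", "start"), ("big", "large"), ("buy", "purchase"),
                 ("quick", "fast"), ("help", "assist")]
PAIR_OF = {word: pair for pair in SYNONYM_PAIRS for word in pair}


def encode_interword(cover: str, bits: str) -> str:
    """Open-space, interword variant: one space between words = 0, two = 1."""
    words = cover.split()                      # normalise to single spacing first
    if len(words) - 1 < len(bits):
        raise ValueError(f"cover has {len(words) - 1} word gaps, message needs {len(bits)}")
    out = words[0]
    for i, word in enumerate(words[1:]):
        out += ("  " if i < len(bits) and bits[i] == "1" else " ") + word
    return out


def decode_interword(stego: str, nbits: int) -> str:
    gaps = re.findall(r" +", stego)
    return "".join("1" if len(gap) == 2 else "0" for gap in gaps[:nbits])


def encode_eol(lines, bits: str) -> str:
    """Open-space, end-of-line variant: two bits per line as 0..3 trailing spaces."""
    if len(bits) > 2 * len(lines):
        raise ValueError("not enough lines for the message")
    bits = bits.ljust(2 * len(lines), "0")
    return "\n".join(line.rstrip() + " " * int(bits[2 * i:2 * i + 2], 2)
                     for i, line in enumerate(lines))


def decode_eol(stego: str) -> str:
    # count trailing spaces on each line and emit them as a two-bit value
    return "".join(f"{len(line) - len(line.rstrip(' ')):02b}" for line in stego.split("\n"))


def strip_trailing_whitespace(text: str) -> str:
    """What an editor, mail gateway or print step commonly does to a document."""
    return "\n".join(line.rstrip() for line in text.split("\n"))


def encode_semantic(cover: str, bits: str) -> str:
    """Semantic variant: pick the primary synonym for 1, the secondary for 0."""
    remaining = list(bits)
    out = []
    for token in cover.split(" "):
        m = re.match(r"([A-Za-z]+)(.*)$", token)
        if m and m.group(1).lower() in PAIR_OF and remaining:
            primary, secondary = PAIR_OF[m.group(1).lower()]
            word = primary if remaining.pop(0) == "1" else secondary
            if m.group(1)[0].isupper():
                word = word.capitalize()
            token = word + m.group(2)           # keep punctuation attached to the word
        out.append(token)
    if remaining:
        raise ValueError(f"{len(remaining)} bits could not be placed: too few synonym slots")
    return " ".join(out)


def decode_semantic(stego: str) -> str:
    bits = ""
    for token in stego.split(" "):
        m = re.match(r"([A-Za-z]+)", token)
        if m and m.group(1).lower() in PAIR_OF:
            bits += "1" if m.group(1).lower() == PAIR_OF[m.group(1).lower()][0] else "0"
    return bits
```

The interword and semantic forms survive copy-and-paste and printing; the end-of-line form does not, and decode_eol applied to a stripped document returns all zeros rather than an error, so a receiver cannot tell a zero message from a destroyed one without a checksum.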
Image Files
Image files commonly use the following formats:
Graphics Interchange Format (GIF): GIF files are compressed image files that use the LZW compression algorithm; the format was developed by CompuServe. A GIF image is based on a palette of at most 256 colors. GIF files are mainly used for small icons and animated images, since they do not have the color range needed for high-quality photos.
Joint Photographic Experts Group (JPEG): JPEG is the usual format for photographic images that need to be small in size. JPEG compression is lossy; a typical JPEG is compressed by around 90%, to roughly one-tenth of the size of the uncompressed image data.
Tagged Image File Format (TIFF): The TIFF file format was designed to reduce the problems caused by the many incompatible image formats. Rather than evolving from a de facto standard, it was specified from the start as a standard image file format for image exchange.
The following steganography techniques are used to hide a message in an image file:
Least-significant-bit (LSB) insertion
Masking and filtering
Algorithms and transformation
Least-Significant-Bit (LSB) Insertion
Using the LSB insertion method, the binary representation of the hidden data overwrites the LSB of each byte (each color sample) inside the image. In a 24-bit color image each pixel has three bytes, so one pixel can carry three bits, and changing the low bit of a sample shifts its value by at most one out of 256, which is indiscernible to the human eye.
The following steps are involved in hiding the data in a palette-based image:
The steganography tool makes a working copy of the image palette using the red, green, and blue (RGB) model.
The LSB of each pixel's eight-bit value is substituted with one bit of the hidden message.
The resulting value selects a new RGB color in the copied palette.
The pixel is rewritten as the eight-bit number for that new color.
Look at the following example of eight adjacent eight-bit values:
01001101 00101110 10101110 10001010
10101111 10100010 00101011 10101011
Suppose the letter H, whose binary representation is 01001000, needs to be hidden in this data (in practice the payload would usually be compressed and encrypted before being hidden). After the bits of H replace the least significant bits, the values become:
01001100 00101111 10101110 10001010
10101111 10100010 00101010 10101010
All eight bits of H have been hidden, and only four of the eight bytes actually had their LSB changed; the other four already held the required bit. The example is a high-level overview. The same method applies to eight-bit color images, and grayscale images are also used for steganographic purposes. The drawback to these methods is that they can be detected by anyone who knows where to look: the LSB plane can simply be read back out, and lossy recompression (for example, saving the image as JPEG) destroys the hidden bits.
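The LSB substitution described in the last two sections (the bit-plane replacement of Figure 1-5 and the letter-H example above), worked through in Python as an added example that is not from the original page. It reproduces the page's eight sample bytes and its result, then hides a short message with a length header in a constructed 24-bit RGB raster (raw pixel bytes, no file header); the message text, the image size and the four-byte header layout are assumptions made for the demonstration.

```python
# The page's eight adjacent 8-bit samples, and its result after hiding the
# letter H (01001000) in their least significant bits.
PAGE_COVER = bytes([0b01001101, 0b00101110, 0b10101110, 0b10001010,
                    0b10101111, 0b10100010, 0b00101011, 0b10101011])
PAGE_STEGO = bytes([0b01001100, 0b00101111, 0b10101110, 0b10001010,
                    0b10101111, 0b10100010, 0b00101010, 0b10101010])


def to_bits(data: bytes):
    """Most significant bit first, as in the page's binary notation."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def from_bits(bits) -> bytes:
    whole = len(bits) - len(bits) % 8          # ignore a trailing partial byte
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, whole, 8))


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive carrier bytes with the payload bits."""
    bits = to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError(f"payload needs {len(bits)} carrier bytes, cover has {len(cover)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit         # clear the low bit, then set it to the message bit
    return bytes(out)


def lsb_extract(stego: bytes, nbytes: int) -> bytes:
    """Read the LSB plane back out: the check an examiner runs on a suspect file."""
    return from_bits([b & 1 for b in stego[:nbytes * 8]])


def changed_bytes(cover: bytes, stego: bytes) -> int:
    return sum(a != b for a, b in zip(cover, stego))


def embed_with_header(cover: bytes, payload: bytes) -> bytes:
    # 4-byte big-endian length prefix (assumed layout) so the extractor knows how much to read
    return lsb_embed(cover, len(payload).to_bytes(4, "big") + payload)


def extract_with_header(stego: bytes) -> bytes:
    n = int.from_bytes(lsb_extract(stego, 4), "big")
    if (4 + n) * 8 > len(stego):
        raise ValueError("no valid length header: probably not an LSB stego carrier")
    return lsb_extract(stego, 4 + n)[4:]


def make_image(width: int, height: int) -> bytes:
    """Constructed 24-bit RGB raster (no file header): a smooth gradient."""
    return bytes(v for y in range(height) for x in range(width)
                 for v in (x * 16 % 256, y * 64 % 256, (x + y) * 8 % 256))


if __name__ == "__main__":
    assert lsb_embed(PAGE_COVER, b"H") == PAGE_STEGO
    image = make_image(16, 4)
    stego = embed_with_header(image, b"attack at dawn")
    print(extract_with_header(stego), changed_bytes(image, stego), "bytes changed")
```

Extracting is exactly the step a forensic examiner performs: read the low bit of every byte and look for structure (the gradient image above has an all-zero LSB plane, so the embedded ASCII stands out immediately). Because only the low bit of the raw samples carries the payload, the hidden data survives lossless storage such as BMP or PNG but not lossy recompression such as saving as JPEG, which requantizes the samples.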
Masking and Filtering
Masking and filtering techniques are commonly used on 24-bit and grayscale images. Grayscale images that hide information are similar to watermarks on paper and are sometimes used as their digital equivalent. Masking an image entails changing the luminance of the masked area. The smaller the change in luminance, the less chance there is that it can be detected. Masked steganographic images keep a higher fidelity than LSB images through compression, cropping, and image processing. The reason that images encoded with masking degrade less under JPEG compression is that the message is hidden in the perceptually significant areas of the picture. The tool named Jpeg-Jsteg takes advantage of the compression of JPEG and keeps high message fidelity. This program takes a message and a lossless cover image as input and produces an output image in JPEG format.
Algorithms and Transformation
The mathematical functions used by compression algorithms can also be used to hide data. In this technique, the data are embedded in the cover image by changing the transform coefficients of the image (e.g., discrete cosine transform coefficients).
If information is embedded in the spatial domain (the pixel values themselves), it may be lost when the image undergoes processing such as compression. To overcome this problem, the information is embedded in the frequency domain instead: the image is transformed, the coefficients are modified to carry the message, and the image is transformed back. Data placed in the coefficients that compression preserves survives the processing that would have destroyed spatial-domain data.
Figure 1-9 depicts one of the algorithms used in this method.
Figure 1-9Mathematical functions can be used to hide data that are in compression algorithms.
Audio Files
Hiding information in an audio file can be done either by using LSB or frequencies that are inaudible to the human ear. Frequencies over 20,000 Hz cannot be detected by the human ear.
Information can also be hidden using musical tones with a substitution scheme. For example, tone F could represent 0, and tone C could represent 1. By using the substitution technique a simple musical piece can be composed with a secret message, or an existing piece can be used with an encoded scheme that represents a message.
Low-Bit Encoding in Audio Files
Digital steganography is based on the fact that artifacts such as bitmaps and audio files contain redundant information. Compression techniques such as JPEG and MP3 remove part of that redundancy, which is what allows the files to be compressed. A tool such as DigSteg replaces some of the remaining redundant information with other data, so a computer forensic investigator should expect hidden data in exactly those parts of a file.
Low-bit encoding replaces the LSB of information in each sampling point with a coded binary string. The low-bit method encodes large amounts of hiddendata into an audio signal at the expense of producing significant noise in the upper frequency range.
Phase Coding
Phase coding involves substituting an initial audio segment with a reference phase that represents the data. This method is carried out usingthe following steps:
The original sound sequence is divided into short segments.
Each segment creates a matrix of the phase and magnitude by using the discrete Fourier transform (DFT) algorithm.
The phase difference is calculated between each adjacent segment.
New phase frames are created for all other segments.
A new segment is created by combining the new phase and the original magnitude.
These new segments are combined together to create the encoded output.
Spread Spectrum
In most communication channels, audio data is limited to a narrow range of frequencies to protect the bandwidth of the channel. Unlike phase coding, direct-sequence spread spectrum (DSSS) introduces some random noise to the signal. The encoded data is spread across as much of the frequency spectrum as possible.
Spread spectrum is used in audio files both to embed data in the audio file and to send the audio file.
Echo Data Hiding
In this technique, an echo is introduced into the original signal. Three properties of this echo can then be varied to hide data:
Initial amplitude
Decay rate
Offset
Video Files
Discrete cosine transform (DCT) manipulation is used to add secret data at the time of the transformation process of the video. The techniques used in audioand image files can also be used in video files, as video consists of audio and images. A large number of secret messages can be hidden in video files because a video is a moving stream of images and sound. Due to this, an individual watching the video will not observe any distortion in the video caused by the hiding of data.
Steganographic File System
A steganographic file system stores files so that their data is both encrypted and hidden. The user's data is spread through other, seemingly random data, so that a user can disclose the names and passwords of some files while plausibly denying that other files exist at all.
A steganographic file system is used to overcome the drawback of using individual files for data hiding. The following methods are used to construct a steganographic file system:
Method 1:
The system operates on a set of cover files whose content is initially random.
The cover files are modified so that a data file can be recovered as a combination of cover files selected by the user's password.
The cover files must be large enough, and numerous enough, that recovering data without the password remains computationally infeasible.
Method 2:
The file system begins as a disk filled with random data.
Each block of a file is encrypted and written to a pseudorandom location derived from a key obtained from the file name and the directory password, so the file's blocks are indistinguishable from the random background. As the file system continues to be written to, locations collide and blocks are overwritten, so only a small portion of the disk space can be safely used.
Multiple copies of each block are written, so that a block survives a collision as long as one copy remains intact.
A method to identify which copies have been overwritten (for example, an integrity check stored with each block) is also required.
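Method 2 above, as an added Python simulation that is not code from the original page or from any real steganographic file system. It assumes a small disk of 1024 blocks of 32 bytes, three replicas per file block, a key derived from the file name and the directory password, and an HMAC tag stored inside each block so that overwritten copies can be recognised; the cipher is a keyed SHA-256 keystream chosen to keep the example dependency-free.

```python
import hashlib
import hmac

BLOCK_SIZE = 32                   # bytes per disk block
TAG_LEN = 8                       # authentication tag kept inside each block
PAYLOAD = BLOCK_SIZE - TAG_LEN    # 1 length byte + up to PAYLOAD-1 data bytes
DISK_BLOCKS = 1024                # constructed: a small disk for the demonstration
COPIES = 3                        # replicas written for every file block


def new_disk(seed: bytes = b"constructed-disk-seed") -> bytearray:
    """Method 2 starts from a disk full of random data; a seeded SHA-256
    stream stands in for the random fill so the example is reproducible."""
    out = bytearray()
    for ctr in range(DISK_BLOCKS * BLOCK_SIZE // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return out


def file_key(name: str, password: str) -> bytes:
    """Key derived from the file name and the directory password."""
    return hashlib.sha256(name.encode() + b"\x00" + password.encode()).digest()


def _prf(key: bytes, label: bytes, *parts: int) -> bytes:
    msg = label + b"".join(p.to_bytes(4, "big") for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, idx: int, copy: int) -> bytes:
    # Distinct keystream per replica, so the copies of one block never
    # appear as identical ciphertext on the disk.
    return _prf(key, b"ks", idx, copy)[:PAYLOAD]


def _tag(key: bytes, idx: int, copy: int, ct: bytes) -> bytes:
    return hmac.new(key, b"tag" + idx.to_bytes(4, "big") + copy.to_bytes(4, "big") + ct,
                    hashlib.sha256).digest()[:TAG_LEN]


def _next_slot(key: bytes, idx: int, copy: int, used: set) -> int:
    """Pseudorandom slot for (block, replica). Slots already taken by the same
    file are skipped deterministically, so writer and reader agree; slots
    belonging to other files are unknown and may simply be overwritten."""
    probe = 0
    while True:
        slot = int.from_bytes(_prf(key, b"loc", idx, copy, probe)[:4], "big") % DISK_BLOCKS
        if slot not in used:
            used.add(slot)
            return slot
        probe += 1


def write_file(disk: bytearray, name: str, password: str, data: bytes) -> list:
    """Encrypt and scatter `data`; returns the slots written so collisions can be observed."""
    key = file_key(name, password)
    chunks = [data[i:i + PAYLOAD - 1] for i in range(0, len(data), PAYLOAD - 1)]
    if not chunks or len(chunks[-1]) == PAYLOAD - 1:
        chunks.append(b"")                    # a short final block terminates the file
    used, slots = set(), []
    for idx, chunk in enumerate(chunks):
        block = bytes([len(chunk)]) + chunk.ljust(PAYLOAD - 1, b"\x00")
        for copy in range(COPIES):
            slot = _next_slot(key, idx, copy, used)
            ct = _xor(block, _keystream(key, idx, copy))
            off = slot * BLOCK_SIZE
            disk[off:off + BLOCK_SIZE] = ct + _tag(key, idx, copy, ct)
            slots.append(slot)
    return slots


def read_file(disk: bytearray, name: str, password: str):
    """Returns the content, or None if no valid replica of some block survives
    (file never existed, wrong password, or every copy was overwritten)."""
    key = file_key(name, password)
    used, out, idx = set(), b"", 0
    while True:
        block = None
        for copy in range(COPIES):            # visit every replica to keep `used` in step with the writer
            off = _next_slot(key, idx, copy, used) * BLOCK_SIZE
            ct, tag = bytes(disk[off:off + PAYLOAD]), bytes(disk[off + PAYLOAD:off + BLOCK_SIZE])
            if block is None and hmac.compare_digest(tag, _tag(key, idx, copy, ct)):
                block = _xor(ct, _keystream(key, idx, copy))
        if block is None:
            return None
        n = block[0]
        out += block[1:1 + n]
        if n < PAYLOAD - 1:
            return out
        idx += 1


def collisions(slots_a: list, slots_b: list) -> int:
    """Number of file A's slots that a later write of file B overwrote."""
    return len(set(slots_a) & set(slots_b))
```

Two design points are worth noticing: the replicas use different keystreams so that three identical ciphertext blocks never betray a file on the disk, and writer and reader derive the same slot sequence from the key alone, so no table of locations (which would itself prove the file exists) is ever stored. Collisions with other files behave as the page describes: after enough writes, read_file returns None for a file in which every replica of some block has been clobbered, and collisions() counts how many slots one write took from another.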
Cryptography
Cryptography is the art of writing text or data in a secret code. It involves encrypting plaintext data into an unreadable format called a ciphertext. This encryption process is based on mathematical algorithms. These algorithms use a secret key for secure encryption (Figure 1-10). The following are three types ofcryptographic schemes used:
Secret-key (or symmetric) cryptography
Public-key (or asymmetric) cryptography
Hash function
In each of these schemes the primary unencrypted data is plaintext which is encrypted into ciphertext.
Source: http://www.garykessler.net/library/crypto.html. Accessed 2/2007.
Figure 1-10Cryptography can be performed in three different ways.
Figure 1-11A cryptosystem uses a key to convert plaintext to ciphertext.
Model of a Cryptosystem
A cryptosystem is a pair of algorithms that use a key to convert plaintext to ciphertext and back again. Figure 1-11 illustrates the cryptography process. The following key explains the symbols:
Plaintext M: The original text to be encrypted to form the ciphertext
ke: The key used for encrypting the message
Ciphertext C: The text obtained after encrypting the original message: C = E_ke(M)
kd: The key used for decrypting the ciphertext: M = D_kd(C), where C = E_ke(M)
In a symmetric scheme kd is the same key as ke; in a public-key scheme the two keys differ.
Steganography Versus Cryptography
Steganography is defined as the art of hiding data within other data. It replaces bits of unused data in various media files with other bits that, when reassembled, reveal a hidden message. The hidden data can be plaintext, ciphertext, an audio clip, or an image.
In cryptography, an encrypted message that is communicated can be detected but cannot be read. In steganography, the existence of the message itself is hidden. Steganography is used when the mere presence of an encrypted message would draw unwanted attention. From a security point of view, the two should be layered: the file is encrypted first and the ciphertext is then hidden, so that even if the hidden message is detected and extracted, it is still only ciphertext and must be decrypted before it can be read.
Another contrast between steganography and cryptography is that the former requires caution when reusing cover pictures or sound files (an observer who has both versions of a cover can compare them), while the latter requires caution when reusing keys.
In steganography, a single stego-key is used to hide and extract the data. In cryptography, the same key (symmetric) or two different keys (asymmetric) can be used for encryption and decryption.
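The cryptosystem model above (C = E_ke(M), M = D_kd(C)), the hash function as the third scheme, and the warning about key reuse, as an added Python example that is not from the original page. The stream cipher is SHA-256 run in counter mode so that the example needs only the standard library; it illustrates the E/D model and is not a recommended cipher, and the keys, nonces and messages are constructed values.

```python
import hashlib
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode over (key, nonce, counter): an illustrative
    stream cipher chosen so the example needs only the standard library.
    Real systems should use a vetted authenticated cipher (AES-GCM, ChaCha20-Poly1305)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def new_key() -> bytes:
    """Keys come from a cryptographic RNG, never from a password or a constant."""
    return secrets.token_bytes(32)


def encrypt(ke: bytes, m: bytes, nonce: bytes) -> bytes:
    """C = E_ke(M)"""
    return xor_bytes(m, keystream(ke, nonce, len(m)))


def decrypt(kd: bytes, c: bytes, nonce: bytes) -> bytes:
    """M = D_kd(C); for this symmetric scheme kd must equal ke."""
    return xor_bytes(c, keystream(kd, nonce, len(c)))


def fingerprint(m: bytes) -> str:
    """Hash function: no key, fixed-size output, and M cannot be recovered from it."""
    return hashlib.sha256(m).hexdigest()


def reuse_leak(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Why reusing a key (and nonce) is dangerous: with the same keystream,
    C1 xor C2 = M1 xor M2, so anyone who knows M1 recovers M2 without the key."""
    return xor_bytes(xor_bytes(c1, c2), known_m1)


if __name__ == "__main__":
    ke = new_key()
    nonce = secrets.token_bytes(12)
    m = b"meet at the old bridge at midnight"
    c = encrypt(ke, m, nonce)
    print(c.hex(), decrypt(ke, c, nonce), fingerprint(m))
```

The symmetric case has kd equal to ke; the page's public-key case needs a library outside the standard one and is not shown. The reuse_leak function is the concrete form of the caution about reusing keys: the cipher is sound for one (key, nonce) pair and useless the second time that pair is used.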
Public Key Infrastructure (PKI)
Public Key Infrastructure (PKI) is used for secure and private data exchange over the Internet. It relies on a public and private cryptographic key pair, with the public key bound to its owner by a digital certificate. PKI issues digital certificates that identify an individual or organization, and provides directory services that store and, when necessary, revoke the certificates. It uses public-key cryptography, which is the most commonly used method on the Internet for authenticating a message sender or encrypting a message. PKI consists of the following components:
A certificate authority (CA) that issues and verifies the digital certificate
A registration authority (RA) that acts as the verifier for the certificate authority before a digital certifi-cate is issued to a request
One or more directories where the certificates (with their public keys) are held
Key management protocols
The primary goal of a key management scheme is to provide two communicating devices with a commonor shared cryptographic key. The term_session key_is used to identify a short-lived key. This key does not require a session-based communication model._Master key_is used to denote a key having a longer life period than a session key.
Watermarking
Traditionally, paper was manufactured from wet fiber which was then subjected to high pressure to extract any moisture present in it. If the press mold had a pattern in it, that pattern, or watermark, would be left on the paper. This term has been carried over into the term digital watermark in the technology field, but the meaning is essentially the same. Digital watermarks are, in essence, digital stamps embedded into digital signals. A digital stamp can contain many kinds of data, and can be either visible or invisible. Often, the digital data found hidden in a watermark is a digital multimedia object. While digital images are most often mentioned in reference to digital watermarking, it is important to remember that watermarks can be applied to other forms of digital data such as audio and video segments.
Application of Watermarking
Watermarking is used to facilitate the following processes:
Embedding copyright statements into images that provide authentication to the owner of the data
Monitoring and tracking copyright material automatically on the Web
Providing automatic audits of radio transmissions. These audits show any music or advertisement that is broadcasted
Supporting data augmentation. This enables users to add more informationto the existing data present on the Web
Supporting fingerprint applications
Steganography Versus Watermarking
The main purpose of steganography is to hide a message m in data d to form new data D, different from d, so that a third person cannot detect m in D. Conversely, the main purpose of watermarking is to hide the data m in data d to form new data D so that a third person cannot remove or replace m in D. Steganography hides the message in one-to-one communication, while watermarking hides the message in one-to-many communication. The main goal of steganography is to protect the data from detection, while that of watermarking is to protect the data from removal or distortion by others.
In steganography a message of any length (up to the capacity of the cover) can be hidden, whereas in watermarking only small messages can be hidden. Steganography is used for the purpose of secret communication, while watermarking is used for authentication and copyright protection.
Categories of Watermarks
Watermarks are split into two categories: visible and invisible.
Visible: A visible watermark is the most robust because it does not depend on the fine structure of the image; its presence is clearly noticeable and it is often difficult to remove. A good example of a visible watermark is a television identification logo that appears on the screen. The watermark can be either solid or semitransparent. Removing it requires a great deal of work.
Invisible: The main purpose of an invisible watermark is to identify and verify a particular piece of information in data. An invisible watermark is imperceptible but can be extracted through computational methods. An invisible watermark contains information about the watermark itself or about the information in the image that is hiding the data. The data hidden in the image can be accessed with a password, termed a watermark key. There is a big difference between a watermark key and an encryption key: a watermark key is used only for watermarks, whereas an encryption key is used for information that is to be encrypted.
Watermarks and Compression
The application of watermarks in the modern world mainly concerns images, audio, and video. Watermarks are used in the case of MP3s and DVDs as a tool to ensure copyrights are enforced.
Types of Watermarks
Semifragile: Semifragile watermarks are used for soft image authentication and integrity verification. They survive common image processing such as lossy compression, but break under malicious tampering that changes the image content.
Fragile: Fragile watermarks are destroyed by any modification. A small change in the content will destroy the embedded information and show that tampering has occurred; any tampering with the image therefore reveals a loss of integrity.
Robust: A robust watermark can be either visible or invisible. Robust watermarks are designed to survive common attacks and processing without degrading the quality of the data. They are difficult to remove or damage. Robust watermarks are used for copyright protection and access control. A familiar example is a television broadcast in which the channel places its logo in the corner of the screen to let viewers know what they are watching and to signify copyright.
Digimarc’s Digital Watermarking
Digimarc’s digital watermarking techniqueenables users to embed a digital code into an image, audio, video, or text file. This digital code is unnoticeable in normal use and can only be detected by computers and software.
Digimarc’s digital watermarking is used to embed copyright messages into the image, video, and audio files that provide authentication to the owner of the data.
The image gets split into a number of subimages. A Web browser puts all the pieces together at display time, rendering an image that is an exact replica of the original. The original and the reassembled image both carry the Digimarc watermark, but the watermark is not readable from any of the small, partitioned pieces. Because all marking techniques need a marked image of some minimal size, it is difficult to detect the mark from the pieces: copyright marking techniques generally cannot embed a readable watermark in an image smaller than about 100 × 100 pixels, and such small tiles also offer too little bandwidth for the embedding process.
Attacks on Watermarking
Robustness Attack
This attack attempts to remove watermarks from an image. It can be divided into the following categories:
Signal-processing attacks: These attacks apply techniques such as compression, filtering, resizing, printing, and scanning to remove the watermark.
Analytical and algorithmic attacks: These attacks use algorithmic techniques of watermark insertion and detection to remove the watermark from the image.
Presentation attacks: Presentation attacks change the watermarked data in such a way that a detector can no longer find the mark, although the watermark itself is still present and the data look as they did before the attack. It is not necessary to eliminate the watermark to carry out the attack. The following are examples of presentation attacks:
An automated detector fails on a watermarked image that has been slightly misaligned (shifted).
A detector fails on a watermark that has been rotated or enlarged.
Interpretation attacks: Interpretation attacks exploit weaknesses in how a watermark is interpreted, such as ambiguous or multiple interpretations. A second watermark can be created from the existing watermarked image with the same strength as the original watermark, so that ownership can no longer be established from the marks alone.
Legal attacks: Legal attacks mainly target digital information and copyright laws. Attackers can change the watermarked copyrights in order to create doubts about copyright in a court of law. These attacks depend upon the following conditions:
Existing and future legislation on copyright laws and digital information ownership
The credibility of the owner and the attacker
The financial strength of the owner and the attacker
The expert witnesses
The competence of the lawyers
The following techniques are commonly used to remove watermarks:
Collusion attack: A collusion attack is carried out by gathering a number of different objects carrying the same watermark; comparing the copies allows the attacker to estimate the watermark, isolate it, and remove it.
Jitter attack: A jitter attack disturbs the placement of the bits that identify a watermark by applying a jitter effect (small, random shifts of pixels or samples) to the image. By applying a jitter effect, the investigator can also gauge how fragile the watermark is.
StirMark: StirMark applies small geometric distortions designed to simulate the printing and scanning process. If a hard-copy photograph has been scanned, subtle distortions are inevitably introduced, no matter how careful the user is. StirMark also applies JPEG compression, scaling, and rotation. The attack is effective because some watermarks resist only one type of modification.
Anti-soft bot: A benefit of watermarking on the Internet is the ability to use software robots, sometimes called soft bots or spiders, to search Web pages for watermarked images. If the soft bot finds a watermarked image, it can use the embedded information to determine whether there is a copyright violation. Attacks in this class aim to keep the bot from recognizing the mark.
Attacks on echo hiding: Echo hiding is a signal-processing technique that places information into an audio data stream in the form of closely spaced echoes. These echoes place digital tags into the sound file with minimal sound degradation. Echo hiding is resistant to jitter attacks, so removing the echoes themselves (a removal attack) is the usual method for getting rid of the watermark. In echo hiding, most echo delays are between 0.5 and 3 milliseconds; above about 3 milliseconds the echo becomes noticeable.
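The echo-hiding scheme just described, worked through on a constructed carrier. This is an added example and not code from any tool on this page; the 8 kHz sample rate, the two echo delays, the segment length and the white-noise carrier are assumptions chosen so that the echoes land at 1 ms and 2 ms, inside the 0.5 to 3 ms band quoted above. The decoder compares each segment's autocorrelation at the two candidate lags; real decoders work in the cepstral domain because music is not white noise, but the principle is the same.

```python
# Added example (not any tool's code): echo hiding on a constructed carrier.
# One echo per segment; delay D0 carries a 0 bit, delay D1 a 1 bit.
import random
from typing import List

RATE = 8000            # assumed sample rate (Hz)
D0, D1 = 8, 16         # echo delays in samples: 1 ms and 2 ms at 8 kHz
SEG = 512              # samples per embedded bit
ALPHA = 0.5            # echo amplitude relative to the direct signal


def make_carrier(nseg: int, seed: int = 7) -> List[float]:
    """Constructed carrier: uniform white noise, seeded so the run is repeatable."""
    rng = random.Random(seed)
    return [rng.uniform(-1.0, 1.0) for _ in range(nseg * SEG)]


def to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def add_echo(segment: List[float], delay: int, alpha: float = ALPHA) -> List[float]:
    """Mix a delayed, attenuated copy of the segment back into itself."""
    return [s + (alpha * segment[i - delay] if i >= delay else 0.0)
            for i, s in enumerate(segment)]


def embed(carrier: List[float], payload: bytes) -> List[float]:
    bits = to_bits(payload)
    if len(bits) * SEG > len(carrier):
        raise ValueError("carrier too short for payload")
    out: List[float] = []
    for k, bit in enumerate(bits):
        out.extend(add_echo(carrier[k * SEG:(k + 1) * SEG], D1 if bit else D0))
    out.extend(carrier[len(bits) * SEG:])          # untouched remainder
    return out


def autocorr(segment: List[float], lag: int) -> float:
    """Un-normalised autocorrelation; an echo at 'lag' makes this large."""
    return sum(segment[i] * segment[i - lag] for i in range(lag, len(segment)))


def decode(stego: List[float], nbytes: int) -> bytes:
    bits = []
    for k in range(nbytes * 8):
        seg = stego[k * SEG:(k + 1) * SEG]
        bits.append(1 if autocorr(seg, D1) > autocorr(seg, D0) else 0)
    return from_bits(bits)


def delay_ms(samples: int, rate: int = RATE) -> float:
    return 1000.0 * samples / rate


if __name__ == "__main__":
    carrier = make_carrier(24)
    stego = embed(carrier, b"tag")
    print(delay_ms(D0), delay_ms(D1), decode(stego, 3))
```

A removal attack against this scheme would have to suppress the echoes (for example by inverse filtering each segment), not jitter the samples: a small timing jitter shifts both the direct signal and its echo together, so the lag, and therefore the bit, survives.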
Mosaic Attack
A mosaic attack works by splitting an image into multiple pieces and stitching them back together in a Web page (markup that can be generated by JavaScript code). In this attack the marked image is effectively unmarked, yet all the pixels are rendered in the same way as the original marked image.
This attack was prompted by automatic copyright detection systems which combine watermarking techniques with crawlers that download images from the Internet to determine whether or not they are watermarked.
Mosaic Attack – JavaScript Code
<IMG SRC="kings_chapel_wmk1.jpg" BORDER="0" ALT="1/6" width="116" height="140">
<IMG SRC="kings_chapel_wmk4.jpg" BORDER="0" ALT="4/6" width="116" height="140">
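The mosaic attack carried out in code on a constructed image. This is an added example, not 2Mosaic's or any other tool's code. The synthetic greyscale cover, the tile geometry (the page's 116 × 140 tiles halved again, to 58 × 70), the hypothetical tile file names and the 100-pixel detector minimum (the figure quoted in the Digimarc discussion above) are all assumptions; the markup it emits follows the IMG-per-tile pattern shown above.

```python
# Added example (not 2Mosaic's code): the mosaic attack on a constructed image.
# The "watermarked photo" is a synthetic 8-bit greyscale image built in memory,
# so nothing is read from disk; tile file names are hypothetical.
from typing import Dict, List

Image = List[List[int]]          # rows of 8-bit grey values
MIN_MARK_SIDE = 100              # detector needs roughly >= 100x100 px (figure from the text)


def make_cover(width: int, height: int) -> Image:
    """Constructed stand-in for a marked photo: a gradient plus a little texture."""
    return [[(3 * x + 5 * y + (x * y) % 7) % 256 for x in range(width)]
            for y in range(height)]


def split_into_tiles(img: Image, tile_w: int, tile_h: int) -> List[List[Image]]:
    """Chop the image into a grid of sub-images, row-major, ragged edges included."""
    h, w = len(img), len(img[0])
    grid = []
    for ty in range(0, h, tile_h):
        row = [[line[tx:tx + tile_w] for line in img[ty:ty + tile_h]]
               for tx in range(0, w, tile_w)]
        grid.append(row)
    return grid


def reassemble(grid: List[List[Image]]) -> Image:
    """What the browser does: juxtapose the tiles with no gaps."""
    out: Image = []
    for row in grid:
        for r in range(len(row[0])):
            line: List[int] = []
            for tile in row:
                line.extend(tile[r])
            out.append(line)
    return out


def below_detector_minimum(grid: List[List[Image]], min_side: int = MIN_MARK_SIDE) -> bool:
    """True when every tile is smaller than the mark detector's minimum in at least one dimension."""
    return all(len(t) < min_side or len(t[0]) < min_side for row in grid for t in row)


def mosaic_html(grid: List[List[Image]], prefix: str) -> str:
    """Emit the page markup: one IMG per tile, BORDER=0 and no cell padding so tiles abut."""
    total = sum(len(row) for row in grid)
    n = 0
    lines = ['<TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0">']
    for row in grid:
        cells = []
        for tile in row:
            n += 1
            cells.append(f'<TD><IMG SRC="{prefix}{n}.jpg" BORDER="0" ALT="{n}/{total}" '
                         f'width="{len(tile[0])}" height="{len(tile)}"></TD>')
        lines.append("<TR>" + "".join(cells) + "</TR>")
    lines.append("</TABLE>")
    return "\n".join(lines)


def demo(width: int = 348, height: int = 280, tile_w: int = 58, tile_h: int = 70) -> Dict[str, object]:
    """Split a 348x280 cover into 6x4 tiles of 58x70 and report what a reviewer would check."""
    img = make_cover(width, height)
    grid = split_into_tiles(img, tile_w, tile_h)
    return {
        "tiles": sum(len(r) for r in grid),
        "lossless": reassemble(grid) == img,          # pixels identical after reassembly
        "undetectable": below_detector_minimum(grid),  # every tile under the detector minimum
        "html": mosaic_html(grid, "tile_"),            # hypothetical file names tile_1.jpg ...
    }


if __name__ == "__main__":
    result = demo()
    print(result["tiles"], result["lossless"], result["undetectable"])
    print(result["html"])
```

The two checks in demo are the ones that matter for the attack: reassembly must be pixel-exact (otherwise the page looks different from the original) and every tile must fall under the detector's minimum size (otherwise the crawler still finds the mark in some tile).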
Issues in In**formation Hiding**
The following three sections discuss issues that must be considered when hiding information.
Level of Visibility
The way a message is embedded will determine whether the data is perceptible or not. To reduce the theft of data, the presence of a watermark is often publicized. However, publicizing the presence of a watermark also allows various methods to be implemented to attempt to alter or disable the watermark. When the visibility of the data is increased, the potential for manipulation of the data also increases.
Robustness Versus Payload
In order to have a robust method of embedding a message, redundancy should be maintained to resist changes made to the cover. However, increasing the robustness of the message means that less space is usable for the payload. Robustness must be weighed against the size of the payload.
File Format Dependence
Converting files that hold information losslessly into compressed files with lossy compression can destroy the secret information present in the cover. Some processes embed the data in a way that depends on the file format of the carrier, while others do not. The JPEG compression algorithm uses floating-point calculations to transform the picture into an array of integers. This conversion can produce rounding errors that discard portions of the image data. The process does not result in any noticeable difference in the image; nevertheless, embedded data could be damaged.
Some other popular formats, namely Windows Bitmap (BMP) and Graphics Interchange Format (GIF), are lossless: the stored image is an exact representation of the original.
Detecting Steganography
The following indicators are likely signs of steganography:
Software clues on the computer: The investigator should determine the file names and Web sites the suspect used by viewing the browser's cookies and history. An investigator should also look at registry key entries, the suspect's mailbox, chat or instant messaging logs, and communications or comments made by the suspect. These data are important for the investigation because they give the investigator clues for further procedures.
Other program files: It is also important to check other program files because it is possible that a nonprogram file may be a cover file that hides other files inside it. The investigator should also check software that is not normally used for steganography such as binary (hex) editors, disk-wiping software, or other software used for changing data from one code to another.
Multimedia files: The investigator should look for large files in the system, as they can be used as carrier files for steganography. If the investigator finds a number of large duplicate files, then it is possible that they are used as carrier files.
Detection Techniques
Detecting steganographic content is difficult, especially when low payloads are used. The following techniques are used for detecting steganography:
Statistical tests: These tests reveal that an image has been modified by comparing its statistical properties with those expected of an unmodified image. Some of the tests do not depend on the data format and measure the entropy of the redundant data: an image with hidden data will have more entropy than the original image.
Stegdetect: Stegdetect is an automated tool that detects the hidden content in images. It detects different steganographic methods for embedding steganographic messages in images.
Stegbreak: Stegbreak breaks the encoding password with the help of dictionary guessing. It can be used in launching dictionary attacks against JSteg-Shell, JPHS, and OutGuess.
Visible noise: Attacks on hidden information can aim at detection, extraction, or disabling or damaging the hidden information. Images carrying large payloads display distortions introduced by the hidden data, and these can be visible to the eye.
Appended spaces and invisible characters: Using invisible characters or appended spaces is a form of hiding data in the spaces of the text. The presence of many white spaces is an indication of steganography.
Color palettes: Some application characteristics are exclusive to steganography tools. The color palettes used in steganographic programs have unique characteristics. Modifications in the color palettes create a detectable steganographic signature.
Detecting Text, Image, Audio, and Video Steganography
Hidden information is detected in different ways depending on the type of file that is used. The following file types require specific methods to detect hidden messages.
Text Files
When a message is hidden in a text file such that it can be detected only with knowledge of the secret file, it was probably hidden by altering the cover source. For text files, the alterations are made to character positions. These alterations can be detected by looking for text patterns or disturbances, the language used, and an unusual number of blank spaces.
Image Files
The hidden data in an image can be detected by determining changes in size, file format, last modified timestamp, and color palette of the file.
Statistical analysis methods can be used when scanning an image. Assuming that the least significant bits are more or less random is incorrect: applying a filter that shows only the LSBs of a natural image can produce a recognizable picture. The LSBs are therefore not random; they carry information about the whole image.
When a secret message is inserted into an image, the LSBs lose this structure. Encrypted data has high entropy, so after embedding the LSB plane no longer contains information about the original image and is more or less random. Statistical analysis of the LSBs can then distinguish these random values from the real values of an untouched image.
Audio Files
Statistical analysis methods can be used for audio files since LSB modifications are also used on audio. The following techniques are also useful for detecting hidden data:
Scanning information for inaudible frequencies
Determining odd distortions and patterns that show the existence of secret data
Video Files
Detection of secret data in video files includes a combination of the methods used in image and audio files.
Steganalysis
Steganalysis is the reverse process of steganography. Steganography hides data, while steganalysis is used to detect hidden data. Steganalysis detectsthe encoded hidden message and, if possible, recovers that message. The messages are detected by verifying the differences between bit patterns and unusually large file sizes.
Steganalysis Methods/Attacks on Steganography
Steganography attacks are categorized by the following seven types:
Stego-only attack: The stego-only attack takes place when only the stego-medium is available for analysis. The attacker must detect and, if possible, extract the embedded message from that medium alone.
Known-cover attack: The known-cover attack is used with the presence of both a stego-medium and a cover medium. The attacker can compare both media and detect the format change.
Known-message attack: The known-message attack presumes that the message and the stego-medium are present and the technique by which the message was embedded can be determined.
Known-stego attack: In this attack the steganography algorithm is known, and the original object and the stego-objects are available.
Chosen-stego attack: The chosen-stego attack takes place when the forensic investigator has the steganography tool and uses it to generate a stego-medium from the message.
Chosen-message attack: The steganalyst obtains a stego-object from a steganography tool or algorithm of a chosen message. This attack is intended to find the patterns in the stego-object that point to the use of specific steganography tools or algorithms.
Disabling or active attacks: These attacks are categorized into the following six types:
Blurring: Blurring attacks can smooth transitions and reduce contrast by averaging the pixels next to the hard edges of defined lines and the areas where there are significant color transitions.
Noise reduction: Random noise in the stego-medium inserts random-colored pixels into the image. The uniform noise inserts pixels and colors that look similar to the original pixels. Noise reduction decreases the noise in the image by adjusting the colors and averaging the pixel values.
Sharpening: Sharpening is the opposite of the blurring effect. It increases the contrast between the adjacent pixels where there are significant color contrasts that are usually at the edge of objects.
Rotation: Rotation turns the stego-medium about its center by some angle.
Resampling: Resampling involves a process known as interpolation. This process is used to reduce the raggedness associated with the stego-medium. It is normally used to resize the image.
Softening: Softening of the stego-medium applies a uniform blur to an image in order to smooth edges and reduce contrasts. It causes less distortion than blurring.
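One script, added here and not taken from any tool on this page, that ties together three passages above: LSB embedding at passphrase-chosen positions (the scattering that S-Tools uses, described under Tools below), the statistical LSB analysis from Image Files, and the blur from the disabling attacks just listed. The 64 × 64 cover, the passphrase and the hash-derived payload are constructed; the chi-square test is the pairs-of-values test, and the blur is a plain 3 × 3 mean filter. It also shows the caveat raised under Detection Techniques: at a low, scattered payload the same test sees nothing.

```python
# Added example, not the code of any tool on this page. It does three things on
# one constructed 64x64 greyscale cover: embeds a payload in LSBs at
# passphrase-chosen positions, runs the pairs-of-values chi-square test used in
# LSB steganalysis, and applies a 3x3 blur as a disabling attack. The cover's
# values are mostly multiples of four, giving it the structured (non-random)
# LSB plane of a real image.
import hashlib
import random
from typing import Dict, List

W, H = 64, 64


def make_cover() -> List[int]:
    # Constructed cover: posterized gradient plus sparse low-bit texture, so the
    # value pairs (2k, 2k+1) are unbalanced the way they are in untouched images.
    return [4 * (((x + y) // 4) % 60) + ((x * y) % 3) for y in range(H) for x in range(W)]


def positions(passphrase: str, n: int, count: int) -> List[int]:
    """PRNG seeded from the passphrase picks which samples carry bits, so the
    message is scattered rather than sitting in samples 0..count-1."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest()[:8], "big")
    return random.Random(seed).sample(range(n), count)


def to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def embed(cover: List[int], payload: bytes, passphrase: str) -> List[int]:
    bits = to_bits(payload)
    if len(bits) > len(cover):
        raise ValueError("payload exceeds cover capacity")
    stego = list(cover)
    for bit, pos in zip(bits, positions(passphrase, len(cover), len(bits))):
        stego[pos] = (stego[pos] & ~1) | bit
    return stego


def extract(stego: List[int], nbytes: int, passphrase: str) -> bytes:
    return from_bits([stego[p] & 1 for p in positions(passphrase, len(stego), nbytes * 8)])


def chi_square_per_dof(samples: List[int]) -> float:
    """Pairs-of-values test (Westfeld/Pfitzmann): random LSBs make n(2k) ~ n(2k+1).
    Near 1.0 per degree of freedom means the LSB plane looks embedded; much larger
    means the pairs are still unbalanced, i.e. untouched."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    chi, dof = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b == 0:
            continue
        e = (a + b) / 2
        chi += (a - e) ** 2 / e + (b - e) ** 2 / e
        dof += 1
    return chi / dof


def box_blur(img: List[int]) -> List[int]:
    """Disabling attack: 3x3 mean filter. The picture looks the same; every LSB is rewritten."""
    out = []
    for y in range(H):
        for x in range(W):
            acc = cnt = 0
            for dy in (-1, 0, 1):
                for dx in (-1, 0, 1):
                    if 0 <= x + dx < W and 0 <= y + dy < H:
                        acc += img[(y + dy) * W + x + dx]
                        cnt += 1
            out.append(acc // cnt)
    return out


def bit_error_rate(a: bytes, b: bytes) -> float:
    ba, bb = to_bits(a), to_bits(b)
    return sum(x != y for x, y in zip(ba, bb)) / len(ba)


def demo(passphrase: str = "correct horse") -> Dict[str, float]:
    cover = make_cover()
    # Constructed payload: hash output stands in for encrypted (high-entropy) data.
    full = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))  # 512 B = 100% of capacity
    low = full[:51]                                                          # about 10% of capacity
    stego_full, stego_low = embed(cover, full, passphrase), embed(cover, low, passphrase)
    return {
        "roundtrip_ok": extract(stego_full, len(full), passphrase) == full,
        "chi_cover": chi_square_per_dof(cover),        # large: untouched LSB plane
        "chi_full": chi_square_per_dof(stego_full),    # about 1: full-capacity embedding detected
        "chi_low": chi_square_per_dof(stego_low),      # still large: low scattered payload missed
        "ber_after_blur": bit_error_rate(full, extract(box_blur(stego_full), len(full), passphrase)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Read the three chi-square figures together: the untouched cover and the 10% scattered payload both score far above 1, so this test only flags the full-capacity case, which is exactly why tools scatter bits and why low payloads are hard to detect. The bit error rate after the blur sits near 0.5, i.e. the payload is gone even though the image is visually unchanged.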
Stego-Forensics
Stego-forensics is an area of forensic science dealing with steganography techniques to investigate a source or cause of a crime. Different methods of steganalysis can be used to unearth secret communications between antisocial elements and criminals.
Tools
2Mosaic
2Mosaic (Figure 1-12) is a small, command-line utility for Windows that will break apart any JPEG file and generate the HTML code needed to reconstruct the picture.
2Mosaic is a presentation attack against digital watermarking systems. It is of general applicability and possesses the property that allows a marked image to be unmarked and still rendered by a standard browser in exactly the same way as the marked image.
The attack was motivated by an automatic system which was fielded for copyright piracy detection. It consists of a watermarking scheme plus a Web crawler that downloads pictures from the Internet and checks whether they contain a watermark.
Figure 1-12 2Mosaic can break a JPEG file apart and reconstruct it without a watermark.
Figure 1-13 FortKnox can be used to encrypt messages into image files.
It consists of chopping an image up into a number of smaller subimages that are embedded in a suitable sequence in a Web page. Common Web browsers render juxtaposed subimages stuck together, so they appear identical to the original image. This attack appears to be quite general: all marking schemes require the marked image to have some minimal size (one cannot hide a meaningful mark in just one pixel), so by splitting an image into sufficiently small pieces, the mark detector will be confused. The best a marking scheme can hope for is that its minimal size is small enough that splitting an image into so many pieces becomes impractical.
FortKnox
FortKnox is security software used to secure folders, encrypt files, and encrypt, split, and transmit data. It contains other useful security tools for the user (Figure 1-13). This tool is relevant to steganography because, alongside algorithms such as MD5, Blowfish, and CryptAPI, it includes steganography techniques for fulfilling user security and profile-building needs. Additional features of the program include a password protection lock, the ability to hide and secure files and folders, logon password masking, and the ability to instantly lock multiple gigabyte-sized folders on multiple drives.
The FortKnox application can also hide messages in image files, protecting them with encryption the vendor describes as military grade (CryptAPI and Blowfish). After hiding a message in an image, the application can send it as a stealth e-mail. The built-in steganography software is called Steganography 2.8.
BlindSide
The BlindSide tool can hide files of any type within a Windows bitmap image (Figure 1-14). The original and the encoded image look identical to the human eye. However, when the image is run through BlindSide, the concealed data can be extracted and retrieved. For added security, the data can be scrambled with a password so that no one without it can access the data. The BlindSide tool analyzes color differentials in an image so that it only alters pixels it judges will not be noticeable to the human eye. The main limitation of BlindSide is that each image has its own capacity, which depends on the color patterns within it.
The BlindSide tool can be used in many ways. Its main advantage is that it uses a steganographic technique supplemented with a cryptographic algorithm. This means that one can pass messages without arousing suspicion. BlindSide allows the user to encrypt messages with password-based encryption so that even if someone did examine these images, they would need the password to obtain the secret data. Digital publishers typically use BlindSide to embed a license file and copyright notice within the images that are to be published. A similar procedure could be applied to images on a company's Web pages.
Figure 1-14 BlindSide can extract embedded messages from a variety of files.
Figure 1-15 S-Tools can hide multiple files within a single object.
S-Tools
The S-Tools steganographic tool has the ability to hide multiple files within a single object (Figure 1-15). S-Tools first compresses the individual files, which are stored with their names, and then inserts random filler at the front of the data so that two identical sets of files do not encrypt to the same output. All files are then encrypted using the passphrase the user supplies. The encryption algorithms operate in cipher-feedback mode. S-Tools seeds a cryptographically strong pseudorandom number generator from the passphrase and uses its output to choose the position of the next bit of the cover data to be used.
For example, if a sound file had 100 bits available for hiding and the user wanted to use 10 of those bits to hold a message, S-Tools wouldnot choose bits zero through nine as they are easily detected by a potential enemy. Instead, it might choose bits 63, 32, 89, 2, 53, 21, 35, 44, 99, and 80.
Figure 1-16 StegHide enables users to embed messages into various types of files.
StegHide
StegHide (Figure 1-16) is a steganography tool that is able to hide information in images and audio files. The color and frequencies are not changed during the embedding process. Features of this tool include compression of the embedded data, encryption ofthe embedded information, and automatic integrity checking using a checksum. JPEG, BMP, and WAV file formats are supported for use as a cover file. No such restrictions are imposed on the format of the secret data.
StegHide also uses a graph-theoretic approach to steganography. The user does not need to know anything about graph theory to use the StegHide application. The embedding algorithm works as follows:
The secret information is compressed and encrypted.
A pseudorandom number generator seeded with the passphrase produces a sequence of pixel positions.
Using a graph-theoretic matching algorithm, the application finds pairs of positions such that exchanging their values has the effect of embedding the information.
The pixels at the remaining positions are also modified to contain the embedded information. The default encryption algorithm is Rijndael with a 128-bit key in cipher block chaining (CBC) mode.
Snow
Snow is a steganography tool that exploits the nature of white space. It conceals messages by appending white space to the end of lines in ASCII text. White-space steganography can be detected by applications such as Word, which can reveal or strip trailing spaces and tabs, and Snow is susceptible to this.
The basic assumption of Snow is that spaces and tabs are generally not visible in text viewers and therefore a message can be hidden without affecting the text's visual representation to the casual observer. Encryption is provided using the ICE encryption algorithm in one-bit cipher-feedback (CFB) mode. Because ICE accepts an arbitrary key size, passwords of any length up to 1,170 characters are supported. Snow takes advantage of the fact that trailing spaces and tabs occasionally occur naturally, so their existence alone will not immediately alert an observer who stumbles across them.
The Snow program runs in two modes: message concealment and message extraction (Figure 1-17). The data are concealed in the text file by appending sequences of up to seven spaces, interspersed with tabs. This usually allows three bits to be stored every eight columns. The start of the data is indicated by an appended tab character, which allows the insertion of e-mail and news headers without corrupting the data. Snow provides rudimentary compression, using Huffman tables optimized for English text. However, if the data are not text, or if there is a lot of data, the use of an external compression program such as compress or gzip is recommended. If a message string or message file is specified on the command line, Snow attempts to conceal the message in the input file, or standard input otherwise. The resulting file is written to the output file.
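A small implementation of the trailing-whitespace idea behind Snow, plus the check that exposes it. This is an added example and not Snow's code: it uses a simplified layout (one tab followed by 0 to 7 spaces per line, so three bits per line, where Snow packs several such groups into one line), has no compression or ICE encryption, and the cover text and message are constructed. The tab before the spaces plays the same role as in Snow: it marks where data begins on the line.

```python
# Added example (not snow's code): trailing-whitespace concealment in an ASCII
# cover, in a simplified form of snow's scheme, plus the detection check.
from typing import List, Tuple

GROUP_BITS = 3                    # 0..7 trailing spaces encode three bits


def _to_bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def conceal(cover: str, message: bytes) -> str:
    """Append a tab (marks the start of data, as in snow) and 0..7 spaces to each line."""
    bits = _to_bits(message)
    bits += [0] * (-len(bits) % GROUP_BITS)
    groups = [bits[i] << 2 | bits[i + 1] << 1 | bits[i + 2]
              for i in range(0, len(bits), GROUP_BITS)]
    lines = cover.split("\n")
    if len(groups) > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, message needs {len(groups)}")
    out = []
    for i, line in enumerate(lines):
        line = line.rstrip(" \t")              # natural trailing blanks would corrupt the decode
        if i < len(groups):
            line += "\t" + " " * groups[i]
        out.append(line)
    return "\n".join(out)


def extract(stego: str, nbytes: int) -> bytes:
    bits: List[int] = []
    for line in stego.split("\n"):
        if "\t" not in line:
            continue
        tail = line[line.rindex("\t") + 1:]
        if tail.strip(" ") or len(tail) > 7:   # text after the tab, or too many spaces: not ours
            continue
        n = len(tail)
        bits += [(n >> 2) & 1, (n >> 1) & 1, n & 1]
    return _from_bits(bits[:nbytes * 8])


def trailing_whitespace_report(text: str) -> Tuple[int, int]:
    """Detection: (lines ending in blanks, total lines). Natural text has few of
    the former; a high ratio, especially tab-then-spaces, is the tell."""
    lines = text.split("\n")
    return sum(1 for l in lines if l != l.rstrip(" \t")), len(lines)


if __name__ == "__main__":
    cover = "\n".join(f"line {i} of a harmless memo" for i in range(8))   # constructed cover
    stego = conceal(cover, b"hi")
    print(repr(stego))
    print(extract(stego, 2), trailing_whitespace_report(cover), trailing_whitespace_report(stego))
```

Stripping trailing white space from the stego text (what many editors and mail gateways do silently) gives back the cover byte for byte, which is the "susceptible" behaviour the text describes: the channel survives only as long as nothing between sender and receiver normalises line endings.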
Figure 1-17 Snow uses white space to hide messages.
Figure 1-18 Camera/Shy allows users to embed messages in GIF files.
Camera/Shy
Camera/Shy is a simple steganography tool that allows users to encrypt information and hide it in standard GIF images. What makes this program different from most steganography tools is its ease of use, making it a desirable component of a cracker’s arsenal.
While other steganography programs are command-line based, Camera/Shy is embedded in a Web browser (Figure 1-18). Other programs require users to know beforehand that an image contains embedded content. Camera/Shy however, allows users to check images for embedded messages, read them, and embed their own return messages with the click of a mouse.
The Camera/Shy program allows Internet users to conceal information, viruses, or exploitative software inside graphics files on Web pages. Camera/Shy bypasses most known monitoring methods. Using LSB steganographic techniques and AES 256-bit encryption, this application enables users to share censored information with their friends by hiding it in plain view in an ordinary GIF image. Moreover, it leaves no trace on the user's system. It allows a user to make a Web site C/S-enabled (Camera/Shy-enabled) and allows a reader to decrypt images from an HTML page on the fly.
Steganos
Steganos is a steganography tool that combines cryptography and steganography to hide information. It first encrypts the information and then hides it with steganographic techniques. With the help of Steganos the user can store a file with a copyright and prove ownership of a picture if someone tries to use it. Steganos can hide a file inside a BMP, VOC, WAV, or ASCII file.
Pretty Good Envelope
Pretty Good Envelope is a steganography tool that can hide messages in a larger binary file and also retrieve those messages. This tool uses an algorithm that hides one message behind the other. It can be used with any graphics, binary, or WAV files.
Gifshuffle
Gifshuffle hides messages inside GIF images by reordering the colors in the image's palette: the picture looks the same, but the permutation of the palette carries the message. It supports GIF images with transparency and animation. Gifshuffle compresses the message using Huffman tables; if there is a lot of data, or the data are not text, an external compression program such as gzip should be used instead. The message is also encrypted using the ICE encryption algorithm in one-bit cipher-feedback (CFB) mode. Because ICE accepts arbitrary key sizes, passwords of any length are supported.
For example, to hide the message "eccouncil is best" in the file ecc.gif with compression and encryption using the password "eccouncil," the following command should be used:
gifshuffle -C -m "eccouncil is best" -p "eccouncil" ecc.gif outfile.gif
To extract the message, the following command should be used:
gifshuffle -C -p "eccouncil" outfile.gif
See Figure 1-19 for an illustration of this process.
The following syntax is used in the commands:
-C: Compress the data if concealing, or uncompress it if extracting
-m: message string; the contents of this string will be concealed in the input GIF image.
-p: password; with this password, data will be encrypted during concealment and decrypted during extraction.
[Figure 1-19 screens: Hiding Message (Message, Password, Input file, Output File); Extracting Message (Password, Output file)]
Figure 1-19 Gifshuffle can embed and extract messages in GIF files.
Figure 1-20 JPHS uses JPEG files to hide and extract messages.
JPHS
JPHS (Figure 1-20) hides files in JPEG images. For a typical visual image and a low insertion rate of up to 5%, it is nearly impossible for someone to detect that a JPEG file processed with this tool contains hidden data.
wbStego
wbStego is a tool that hides any type of data behind the following types of files:
Windows bitmaps with 16, 256, or 16.7 million colors
ASCII or ANSI text files
HTML files
Adobe PDF files
wbStego allows the user to insert copyright information into a file to prove ownership. wbStego also provides cryptographic functions that encrypt the data before hiding it. It uses algorithms such as Blowfish, Twofish, CAST, and Rijndael (AES).
wbStego supports the following two user interfaces:
Wizard mode: This mode gives detailed information about step-by-step encoding and decoding. In each step, input data get checked and verified. Files can simply be dragged into the wbStego wizard window (Figure 1-21).
Flowchart mode: This mode uses a single flowchart to display the encoding and decoding process. Files can simply be dropped onto the relevant icon (Figure 1-22).
Figure 1-21 wbStego's wizard mode allows the user to verify input data.
Figure 1-22 wbStego's flowchart mode uses symbols to streamline the encoding and decoding process.
OutGuess
OutGuess is a steganography tool that inserts hidden information into the redundant bits of a data source. It extracts the redundant bits, modifies them to carry the message, and writes them back. OutGuess supports PNM and JPEG images. For JPEG, OutGuess keeps statistics of the DCT coefficient frequency counts (Figure 1-23). Before hiding the data, OutGuess determines the size of the hidden data and, after embedding, corrects other coefficients so that those frequency counts are preserved. Because of this, statistical tests based on frequency counts (such as the chi-square test) are unable to detect the presence of steganographic content.
Figure 1-23 OutGuess allows users to embed messages into JPEG files.
The following example is of the data embedding procedure (-k gives the key, -d the file to embed):
outguess -k "my secret key" -d hidden.txt demo.jpg out.jpg
Reading demo.jpg....
JPEG compression quality set to 75
Extracting usable bits: 40,059 bits
Correctable message size: 21,194 bits, 52.91%
Encoded 'snark.bz2': 14,712 bits, 1839 bytes
Finding best embedding...
0: 7467(50.6%)[50.8%], bias 8137(1.09), saved: -13, total: 18.64%
1: 7311(49.6%)[49.7%], bias 8079(1.11), saved: 5, total: 18.25%
4: 7250(49.2%)[49.3%], bias 7906(1.09), saved: 13, total: 18.10%
59: 7225(49.0%)[49.1%], bias 7889(1.09), saved: 16, total: 18.04%
59, 7225: Embedding data: 14,712 in 40,059
Bits embedded: 14,744, changed: 7225(49.0%)[49.1%], bias: 7889, tot: 40,032, skip: 25,288
Foiling statistics: corrections: 2590, failed: 1, offset: 122.585494 +- 239.664983
Total bits changed: 15,114 (change 7225 + bias 7889)
Storing bitmap into data...
Writing foil/out.jpg....
The following example is of the data extraction procedure (-r retrieves the hidden data):
outguess -k "my secret key" -r out.jpg hidden.txt
Reading out.jpg....
Extracting usable bits: 40,059 bits
Steg retrieve: seed: 7225, len: 1839
Source: http://www.neobytesolutions.com/invisiblesecrets/screen.php. Accessed 2/2007.
Figure 1-24 Invisible Secrets 4 allows the user to select a variety of files.
Invisible Secrets 4
Invisible Secrets 4 supports both cryptography and steganography. It first encrypts the message and then hides it behind a variety of files. The user can directly encrypt and hide files from Windows Explorer and transfer them over the Internet via e-mail. Invisible Secrets 4 can hide information behind JPEG, PNG, BMP, HTML, and WAV files.
Invisible Secrets 4 includes the following features:
Helps to hide files (Figure 1-24), encrypt files, destroy Internet traces, shred files, make secure IP-to-IP password transfers (Figure 1-25), and even lock any application on a computer
Allows data compression before the encrypt/hide process
Uses strong file-encryption algorithms, including Rijndael (AES)
Supports password management solutions that store all passwords
Supports a shredder that destroys files, folders, and Internet traces beyond recovery
Has a locker that allows password protection for certain applications
Creates self-decrypting packages that can be mailed over the Internet
Helps transfer passwords securely over the Internet
Masker
Masker provides strong security for data. It encrypts files and hides them behind image, video, program, or sound files. It provides up to 448-bit encryption and password protection. The cover file remains functional.
This means that if it is a sound or video file, it can be played without trouble. Masker includes the following features:
Hides files, folders, and subfolders within a carrier file (Figure 1-26)
Reveals and extracts hidden files and folders from a carrier file
Encryption (up to 448 bits) and compression
Seven strong encryption algorithms (Blowfish, Rijndael, etc.) are available
Supports multiple hideouts
Preview function (hidden files can be previewed and modified in hidden mode)
Search function
Lock/unlock function blocks unauthorized use
Source: http://www.neobytesolutions.com/invisiblesecrets/screen.php. Accessed 2/2007.
Figure 1-25 Invisible Secrets 4 allows the user to conduct an IP-to-IP password transfer.
Figure 1-26 Masker allows files and folders to be hidden within another file.
Source: http://www.skyjuicesoftware.com/software/ds_info.html. Accessed 2/2007.
Figure 1-27 Data Stash features a simple drag-and-drop user interface.
Data Stash
Data Stash (Figure 1-27) is a steganography tool that hides sensitive data files behind other files. With this tool the user can use any large bitmap or database file as the cover file and select the files to be hidden by using the drag-and-drop function. In this method the carrier file remains active. This tool supports password protection, with the help of Blowfish encryption.
Data Stash includes the following features:
Hides files within files
Receptacle file remains fully functional
Supports a wide variety of file formats (MPEG, JPEG, MP3, EXE, COM, etc.)
Password protection using Blowfish encryption
Fast operation
Hydan
Hydan is a steganography tool used to hide data files. It defines sets of functionally equivalent i386 machine-code instructions and uses the resulting redundancy to encode data. Hydan embeds data into binaries, forming a covert channel that can be used to transport secret messages. It supports watermarking to prevent copyright issues. Hydan includes the following features:
Application file size remains unchanged
Message is Blowfish-encrypted with a user-supplied passphrase, before being embedded
Encoding rate: 1/110
Figure 1-28 shows how Hydan embeds data using polymorphic coding techniques. Figure 1-29 shows Hydan encrypting and hiding a message inside a calculator program.
Figure 1-28 Hydan uses polymorphic coding techniques.
Figure 1-29 Hydan can embed messages in a variety of programs.
Cloak
Cloak is a steganography tool that provides security for personal data. This tool compresses, encrypts, and hides data behind images, and sends e-mail messages securely. It integrates with Microsoft Outlook, which lets users send secure files and e-mails in combination with Cloak. It uses 256-bit encryption algorithms, supports seven image formats, and creates custom security certificates. Cloak includes the following features:
Compresses and encrypts all important documents into a secure Cloak file
Encrypts and hides files within images; files hidden with Cloak are undetectable and cannot be decrypted without the correct password
Sends and receives encrypted e-mail messages without drawing attention
Securely shreds and permanently deletes documents from a system; documents cannot be reconstructed or recovered once they have been shredded with Cloak
Permanently erases Internet and system traces, including cookies, temporary Internet documents, Internet history files, recently typed URLs, and recently accessed documents
Figure 1-30 StegaNote uses cryptosecure steganography.
StegaNote
The StegaNote tool (Figure 1-30) uses cryptosecure steganography that mixes the compressed file and text from a text editor into the cover file, rendering it invisible to the human eye. This tool hides data in image files. It uses the RPP (random pixel positioning) technique, making it impossible to extract the original data. RPP uses a pseudorandom number generator (PRNG) in feedback mode, seeded with the key or password, which yields the series of coordinates of the pixels used to hold the data. This spreads the data over the cover image. The data bits are stored in the LSBs of the red, green, and blue color values. The main use of RPP is to protect the data against cryptanalysis. It has an easy and clear user interface.
Stegomagic
Stegomagic (Figure 1-31) is a steganography tool that uses text, WAV, 24-bit BMP, and 256-color BMP files to hide data. The size of the cover file remains the same, except in the case of text files. Data is encrypted and protected with a password using the DES algorithm before it is hidden behind the cover file. It supports all Microsoft Windows environments.
Hermetic Stego
The Hermetic Stego tool (Figure 1-32) hides data files in either a single image or a set of BMP images. The data file may be of any type and size. It hides the data with or without a key. Hermetic Stego has the following features:
It can hide data of any type and any size.
The bits of data are inserted into the bytes of image files, making it impossible to crack.
Data can be transported with or without the stego-key, which encrypts the data.
Figure 1-31 StegoMagic supports 24-bit and 256-color BMP files.
Source: http://www.hermetic.ch/hst/hst.htm. Accessed 2/2007.
Figure 1-32 Hermetic Stego allows the user to encrypt data and hide them in another file.
A user takes the following steps to hide data files:
Select the data file to be hidden.
Enter the stego-key.
Select the image files in which to hide the data and the input image file folder that contains the BMP images for hiding the data.
Specify the folder to receive the stego images; this is known as the Stego images folder.
StegParty
StegParty is a system for hiding information inside plaintext files. Unlike similar tools currently available, it does not use random gibberish to encode data. Instead, it relies on small alterations to the message, like changes in spelling and punctuation. StegParty also does not, by default, use white space to encode data, because whitespace-encoded messages are too easy to detect and too easy to alter in a way that would destroy the encoded message. But since StegParty is customizable, such features can be added.
Stego Suite
Stego Suite is a tool that identifies the presence of steganography without prior knowledge of the steganography algorithm that might have been used against the target file. This is known as blind steganography detection.
Stego Suite’s tools provide the ability to quickly examine and evaluate digital images and/or audio data for the presence of hidden information or communications. It comprises the following three tools:
StegoWatch
StegoAnalyst
StegoBreak
StegoWatch
StegoWatch allows users to detect digital steganography and can use a dictionary attack to extract information that has been embedded with some of the most popular steganography tools.
StegoAnalyst
StegoAnalyst is a full-featured imaging and analysis tool. It allows investigators to search for visual clues that steganography has, in fact, been used in both image and audio files. A file viewing panel displays the individual file image or audio wave and the file attributes, including image details, DCT coefficients, and color pairs (Figure 1-33). To allow investigators to look for further clues that steganography is in use, filter options transform the images into one of three different presentations: intensity, saturation, or hue. Other filter options display only selected least significant bits (LSBs) of specific colors. Since many steganographic techniques use LSBs for data hiding, viewing the LSBs of an image can sometimes reveal indicators of steganography.
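The random pixel positioning described for StegaNote and the LSB views described for StegoAnalyst can be shown together. The following is an added example, not code from either product: bits are written into the LSBs of red, green and blue values at positions drawn from a key-seeded PRNG (a simplified stand-in for RPP), and the LSB plane of one channel is then rendered and measured the way an analyst inspects it. The image, the key, the seeding method and all function names are constructed for this example.

```python
import hashlib
import random

W, H = 64, 16                      # constructed image size in pixels

def gradient_image():
    """Smooth RGB cover, stored flat as R,G,B per pixel (constructed)."""
    flat = []
    for y in range(H):
        for x in range(W):
            flat += [(x + y) & 0xFF, (2 * x) & 0xFF, (x + 2 * y) & 0xFF]
    return flat

def keyed_positions(key, count, total):
    """Indices into the flat R,G,B array drawn from a PRNG seeded by the key;
    a simplified stand-in for RPP, not StegaNote's actual algorithm."""
    seed = int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")
    return random.Random(seed).sample(range(total), count)

def embed(flat, bits, positions):
    """Store one message bit in the LSB of each selected color value."""
    out = list(flat)
    for bit, pos in zip(bits, positions):
        out[pos] = (out[pos] & ~1) | bit
    return out

def extract(flat, positions, nbits):
    """Read the LSBs back; only the right key yields the right positions."""
    return [flat[p] & 1 for p in positions[:nbits]]

def lsb_plane_rows(flat, channel):
    """Render one channel's LSB plane as text: '#' for 1, '.' for 0."""
    return ["".join("#" if flat[3 * (y * W + x) + channel] & 1 else "."
                    for x in range(W)) for y in range(H)]

def neighbour_agreement(rows):
    """Fraction of horizontally adjacent LSBs that are equal.  A smooth cover
    sits far from 0.5; a plane filled with random payload bits sits near it."""
    pairs = [(r[i], r[i + 1]) for r in rows for i in range(len(r) - 1)]
    return sum(a == b for a, b in pairs) / len(pairs)

def demo(key="constructed demo key", nbits=1536):
    cover = gradient_image()
    rng = random.Random(1)
    message = [rng.getrandbits(1) for _ in range(nbits)]
    positions = keyed_positions(key, nbits, len(cover))
    stego = embed(cover, message, positions)
    other = keyed_positions("wrong key", nbits, len(cover))
    return {"cover_red_agreement": neighbour_agreement(lsb_plane_rows(cover, 0)),
            "stego_red_agreement": neighbour_agreement(lsb_plane_rows(stego, 0)),
            "message_intact": extract(stego, positions, nbits) == message,
            "wrong_key_intact": extract(stego, other, nbits) == message}
```

Printing lsb_plane_rows(cover, 0) and lsb_plane_rows(stego, 0) side by side shows the regular stripe pattern of the gradient dissolving into noise where the payload landed, which is the visual cue the LSB filter view is meant to expose.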
StegoBreak
StegoBreak is a built-in utility designed to obtain the passphrase that has been used on a file found to contain steganography. Included with the purchase of the tool are popular password dictionaries used to execute a dictionary attack (Figure 1-34). Investigators also have the ability to bring in other dictionaries. Alternatively, if they have obtained the password through suspect questioning, they can run the password against the detected image or audio files.
Figure 1-33 StegoAnalyst provides a file viewing panel to compare altered files.
Source: http://www.infoassure.in/stego_suite.html. Accessed 2/2007.
Figure 1-34 StegoBreak allows the user to obtain a password used for steganography.
StegSpy
StegSpy detects steganography and the program used to hide the message. It also identifies the location of the hidden content. StegSpy currently identifies the following programs:
Hiderman
JPHS
Masker
JPegX
Invisible Secrets
Stego Hunter
Stego Hunter is designed to quickly, accurately, and easily detect steganography programs as a first step in the investigation process. Stego Hunter reports to the investigator any steganography applications that are installed or were previously installed. The suspected carrier types are flagged to further the investigation process. Forensic images created by other popular forensic tools, such as EnCase, FTK, dd, and SafeBack, can be scanned.
WNSTORM
WNSTORM is used to encrypt files to keep prying eyes from invading a user's privacy. It can hide files within PCX images. WNSTORM's method of hiding files in PCX images is very secure. A user can take the PCX image containing the hidden data and send it to any destination. Only the sender and the person with whom the password is shared can get at the hidden data file.
Xidie
Xidie (Figure 1-35) enables the user to hide and encrypt files within other files. It can encrypt sensitive information while simultaneously hiding it in a file that will not look suspicious. The carrier files remain fully functional and almost identical to the original files.
Options like encrypt and burn, hide and burn, encrypt and mail, hide and mail, etc., make the work easier. The program directly transfers archives through the use of an FTP module.
CryptArkan
CryptArkan (Figure 1-36) encrypts and hides data files and directories inside one or more container files. Hidden data can be directly read off an audio CD.
CryptArkan performs the following functions:
Encrypts data files to be hidden
Hides data files in multiple container files
Can hide whole directories, preserving subdirectory structure
Can use different hiding methods for separate container files
Uses different amounts of the original container file for data
Figure 1-35 Xidie performs steganographic functions with a user-friendly interface.
Source: http://www.kuskov.com/cryptarkan/manual/overview.html. Accessed 2/2007.
Figure 1-36 CryptArkan allows the user to hide entire directories.
Info Stego
Info Stego (Figure 1-37) is a tool that allows the user to protect private information, communication secrets, and legal copyright using information-watermark and data-encryption technology. It can hide important information within a file without noticeably changing the cover file.
Stealth Files
Stealth Files (Figure 1-38) is a tool that takes a PGP 2.x-encrypted message and strips off any standard headers to ensure that the result looks like random noise. If the PGP random number generators are secure, and if IDEA and RSA (RSA when normalized) produce good-quality random numbers, the result should look like white noise and stand up to analysis as being indistinguishable from white noise. Stealth Files can also be used to produce random numbers.
Source: http://www.antiy.net/infostego/. Accessed 2/2007.
Figure 1-37 Info Stego can hide data within image files without visibly changing the images.
Figure 1-38 Stealth Files can make encrypted messages look like white noise.
InPlainView
InPlainView allows the user to hide any type of information within a BMP file, as well as recover it. The program lets the user store any type of file within a 24-bit BMP image without altering its size or appearance. It supports filename drag-and-drop capability and includes password protection.
EzStego
EzStego is an easy-to-use tool for private communication. It hides an encrypted message in a GIF image file. It works like invisible ink for Internet communication. EzStego is a standalone Java application.
Jpegx
Jpegx (Figure 1-39) encrypts and hides messages in JPEG files to provide an ample medium for sending secure information. The images remain visually unchanged but the code inside is altered to hide the message. It can clean JPEG files of hidden messages.
Camouflage
Camouflage (Figure 1-40) allows the user to hide files by scrambling them and then attaching them to a carrier file. A camouflaged file behaves like a normal file and can be stored, used, or e-mailed without attracting attention. It can be password protected for additional security.
Scramdisk
Scramdisk (Figure 1-41) is a program that allows for the creation and use of virtual encrypted drives. A container file is created with a specific password on an existing hard drive. The container can then be mounted by Scramdisk software, which creates a new drive letter to represent the drive. Scramdisk allows virtual disks to be stored in the following ways:
In a container file on a FAT-formatted hard disk
On an empty partition
Stored in the low bits of a WAV audio file
Figure 1-39Jpegx encrypts and hides messages in JPEG files.
Figure 1-40Camouflage scrambles messages and attaches them to carrier files.
Figure 1-41Scramdisk creates virtual encrypted drives.
CryptoBola JPEG
CryptoBola JPEG (Figure 1-42) stores only the ciphertext without any additional information like filename, type, or length. It determines which parts (bits) of the JPEG-encoded data play the least significant role in the reproduction of the image and replaces those bits with the bits of the ciphertext. The plaintext can be any data file or it can be entered in edit mode directly before the actual embedding takes place.
Steganosaurus
Steganosaurus is a plaintext steganography utility that encodes a (usually encrypted) binary file as gibberish text. The encoding is based on either a spelling dictionary or words taken from a text document.
ByteShelter I
ByteShelter I (Figure 1-43) encrypts data and hides it in DOC files or e-mail messages. ByteShelter can be used to hide files and/or text in rich-text fragments.
Source: http://www.cryptobola.com/. Accessed 2/2007.
Figure 1-42 CryptoBola stores ciphertext in JPEG files.
Source: http://www.softpedia.com/get/Security/Encrypting/ByteShelter.shtml. Accessed 2/2007.
Figure 1-43 ByteShelter I encrypts data and hides it in DOC files or e-mail messages.
appendX
appendX is a steganography tool that simply appends data to other files (like JPEGs or PNGs) to hide it. It supports PGP header stripping and allows the user to remove any appendX data from a specified file.
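Because appendX simply appends its data after the end of the carrier, a forensic check can walk the container's structure to its final marker and report anything that follows. The code below is an added example, not appendX's own, and the JPEG and PNG byte strings it examines are constructed in-line (structurally valid containers rather than viewable pictures).

```python
import struct
import zlib
JPEG_SOI, PNG_SIG = b"\xff\xd8", b"\x89PNG\r\n\x1a\n"

def jpeg_end(data):
    """Offset just past the EOI marker (FF D9), or None if malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:   # header segments
        if data[pos + 1] == 0xDA:                        # SOS: scan follows
            break
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    else:
        return None
    pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
    while pos + 1 < len(data):                           # entropy-coded data
        marker = data[pos + 1] if data[pos] == 0xFF else None
        if marker is None or marker == 0xFF:             # data byte or fill
            pos += 1
        elif marker == 0x00 or 0xD0 <= marker <= 0xD7:   # stuffing / RSTn
            pos += 2
        elif marker == 0xD9:
            return pos + 2
        elif pos + 4 <= len(data):                       # DHT, later SOS, ...
            pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        else:
            return None
    return None

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk walk fails."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length                               # header + data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def trailing_data(data):
    """Bytes after the image's structural end (b"" if none); None if unparseable."""
    end = jpeg_end(data) if data.startswith(JPEG_SOI) else png_end(data)
    return None if end is None else data[end:]

# Constructed samples: structurally valid containers, not viewable pictures.
_png_chunk = lambda t, p: struct.pack(">I", len(p)) + t + p + struct.pack(">I", zlib.crc32(t + p))
SAMPLE_PNG = (PNG_SIG + _png_chunk(b"IHDR", b"\x00" * 13)
              + _png_chunk(b"IDAT", zlib.compress(b"\x00" * 4)) + _png_chunk(b"IEND", b""))
SAMPLE_JPEG = bytes.fromhex(
    "ffd8 ffe0 0010 4a46494600 000000000000000000"   # SOI, APP0 (length 16)
    "ffda 0008 010100003f00"                          # SOS (length 8)
    "12 ff00 34 ffd0 56 ffd9")                        # scan bytes, stuffing, RST0, EOI
APPENDED = b"constructed appended payload"
```

A non-empty result from trailing_data is the tell-tale left by appending tools; a zero-length result only says the container ends cleanly, not that the file is free of steganography hidden inside the image data itself.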
Z-File
Z-File's camouflage and encryption system integrates compression, encryption, and camouflage technology to protect personal privacy and core business data. Files are effectively compressed, strongly encrypted, and implanted into an ordinary image. This procedure leaves no indication that the file contains any meaningful information other than a simple image.
MandelSteg and GIFExtract
These two programs allow the user to hide confidential data in fractal GIF images, giving an increased level of security compared to sending PGP-encrypted e-mail over the Internet. MandelSteg will create a Mandelbrot image (though it could easily be modified to produce other fractals), storing the data in the specified bit of the image pixels, after which the recipient can use GIFExtract to extract that bit plane of the image.