STEGANOGRAPHY

1
STEGANOGRAPHY
  • GLENN WATT
  • President CEO
  • Backbone Security.Com

2
Steganography
  • Steganography is the art of hiding information in
    ways that prevent the detection of the hidden
    information.
  • The word derives from Greek, and literally means
    "covered writing".
  • While cryptography scrambles messages so that
    they cannot be understood, steganography hides
    messages so that they cannot be seen.
  • It includes numerous secret communication methods
    that conceal the message's very existence.

3
Secret Messages
  • Apparently neutral's protest is thoroughly
    discounted and ignored. Isman hard hit. Blockade
    issue affects pretext for embargo on by-products,
    ejecting suets and vegetable oils.
  • A message sent by a German spy in World War II.
  • Hidden message: Pershing sails from NY June 1.

4
Encrypted Message
Pershing sails from NY June 1
ROT 13
Crefuvat fnvyf sebz AL Whar 1
5
A Steganography System
  • Hiding messages: Message File + Cover File →
    Steganography Tool → Steg File (with hidden data)
  • Extracting messages: Steg File (with hidden data) →
    Steganography Tool → Message File

6
Steganography Technique: Adding Bytes to End-of-Image
  • baboon.jpg
  • JPEG file with end-of-image bytes FF D9.
  • Application appends hidden data within a zip
    file, its signature, and user-specified password.

baboon_stego.jpg (hex dump)
  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 60  ......JFIF.....`
  00 60 00 00 FF E1 00 94 45 78 69 66 00 00 49 49  .`......Exif..II
  2A 00 08 00 00 00 0A 00 FE 00 04 00 01 00 00 00  *...............
  00 00 00 00 00 01 03 00 01 00 00 00 00 02 1A 01  ................
  01 01 03 00 01 00 00 00 00 02 00 00 02 01 03 00  ................
  ...
  73 4E 85 03 7D B6 D4 60 FF 00 CF 45 CF F3 AB BF  sN..}..`...E....
  72 D4 7A 9B 2F 13 3E D4 57 C0 E3 9E 4F BE 2A B5  r.z./.>.W...O.*.
  CD B7 92 57 3C F1 D8 7B FB 7F 9F C2 A8 CF AF D9  ...W<..{........
  96 DF 1E A1 68 0F 27 1E 6A F2 7F 3A 9E 5D 73 4C  ....h.'.j..:.]sL
  96 DD 44 97 F6 AC 79 CF EF 17 F2 A4 3D 51 FF D9  ..D...y.....=Q..
  50 4B 03 04 14 00 02 00 08 00 72 76 D6 30 1B A9  PK........rv.0..
  83 F2 F8 3F 00 00 27 D9 00 00 13 00 11 00 75 73  ...?..'.......us
  20 63 6F 6E 73 74 69 74 75 74 69 6F 6E 2E 74 78   constitution.tx
  74 55 54 0D 00 07 C7 8D D8 40 63 D7 F2 40 C6 E0  tUT......@c..@..
  ED 40 D5 7D 5B 73 DC 46 B2 E6 3B 23 F8 1F 10 7E  .@.}[s.F..;#...~
  ...
  21 00 00 81 00 00 00 00 75 73 20 63 6F 6E 73 74  !.......us const
  69 74 75 74 69 6F 6E 2E 74 78 74 55 54 05 00 07  itution.txtUT...
  C7 8D D8 40 50 4B 05 06 00 00 00 00 01 00 01 00  ...@PK..........
  4A 00 00 00 3A 40 00 00 00 00 48 49 12 00 9A 40  J...:@....HI...@
  00 00 64 34 31 64 38 63 64 39 38 66 30 30 62 32  ..d41d8cd98f00b2
  30 34 00 27 DD 73                                04.'.s
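
A check an examiner can run for the append-after-EOI technique on this slide, added here as an example and not code from the presentation or from Backbone's tools. It walks the JPEG segment structure to find the real end-of-image marker, because a plain search for FF D9 can hit a thumbnail inside a metadata segment or bytes inside the appended payload; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Signatures of container formats commonly found as appended data.
MAGICS = {b"PK\x03\x04": "zip", b"Rar!": "rar", b"7z\xbc\xaf": "7z", b"\x1f\x8b": "gzip"}

def find_eoi(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking JPEG segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI (FF D8)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI
            return pos + 2
        if pos + 4 > len(data):
            break
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen                     # skip a length-prefixed segment
        if marker != 0xDA:
            continue
        while pos + 1 < len(data):            # entropy-coded data after SOS
            if data[pos] != 0xFF:
                pos += 1
            elif data[pos + 1] == 0x00 or 0xD0 <= data[pos + 1] <= 0xD7:
                pos += 2                      # stuffed FF 00 or restart marker
            elif data[pos + 1] == 0xFF:
                pos += 1                      # fill byte
            else:
                break                         # real marker: EOI or next segment
    raise ValueError("truncated JPEG: no EOI (FF D9) found")

def trailing_data(data: bytes):
    """Return (eoi_offset, trailing_length, container_kind or None)."""
    end = find_eoi(data)
    tail = data[end:]
    kind = None
    if tail:
        kind = next((n for m, n in MAGICS.items() if tail.startswith(m)), "unknown")
    return end, len(tail), kind

# Constructed sample (not a decodable image): JFIF header as in the dump, an APP1
# payload that itself contains FF D9, a short scan, EOI, then an appended ZIP header.
SAMPLE = (b"\xff\xd8" b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x60\x00\x60\x00\x00"
          b"\xff\xe1\x00\x06\xff\xd9\xaa\xbb" b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
          b"\x12\xff\x00\x34\xff\xd0\x56" b"\xff\xd9"
          b"PK\x03\x04" b"constructed payload \xff\xd9")
```

Any non-zero trailing length on a JPEG is worth a look; a recognised container signature directly after EOI, as in the dump, is a strong indicator.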
7
Steganography Technique: Least Significant Bit
  • Messages are encoded in the least significant bit
    of every byte in an image. By doing so, the value
    of each pixel is changed slightly, but not enough
    to make significant visual changes to the image,
    even when compared to the original.
  • Example: Inserting the word "bomb" using LSB
    techniques
  • b 01100010
  • o 01101111
  • m 01101101
  • b 01100010

Image bits (original bytes, then the same bytes after embedding)
  b  before: 01011010 00101011 10101011 10101010 11101011 11010100 01000111 11111001
     after:  01011010 00101011 10101011 10101010 11101010 11010100 01000111 11111000
  o  before: 01011010 10101101 10010111 10101111 10101011 10100111 01010110 01011011
     after:  01011010 10101101 10010111 10101110 10101011 10100111 01010111 01011011
  m  before: 10110111 11111011 00101011 10010101 10101000 01010100 10101010 11010101
     after:  10110110 11111011 00101011 10010100 10101001 01010101 10101010 11010101
  b  before: 10100100 01011000 11011010 01010101 01001001 10110000 01000010 01010100
     after:  10100100 01011001 11011011 01010100 01001000 10110000 01000011 01010100
8
Steganography Technique: Least Significant Bit
  • Enhancing the least significant bits alerts
    investigators to possible embedding of hidden
    data.
  • bliss.bmp: No Steganography Detected
  • bliss_stego.bmp: Steganography Detected

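
The "bomb" example from the previous slide and the LSB enhancement from this one, worked through in code. This is an added example, not code from the presentation; the function names are chosen here, and the byte values are the 32 image bytes shown on the LSB slide.

```python
def parse_bits(text: str) -> bytes:
    """Turn whitespace-separated 8-bit binary strings into bytes."""
    return bytes(int(b, 2) for b in text.split())

# The 32 image bytes from the slide, before and after embedding "bomb".
COVER = parse_bits("""
    01011010 00101011 10101011 10101010 11101011 11010100 01000111 11111001
    01011010 10101101 10010111 10101111 10101011 10100111 01010110 01011011
    10110111 11111011 00101011 10010101 10101000 01010100 10101010 11010101
    10100100 01011000 11011010 01010101 01001001 10110000 01000010 01010100""")
STEGO = parse_bits("""
    01011010 00101011 10101011 10101010 11101010 11010100 01000111 11111000
    01011010 10101101 10010111 10101110 10101011 10100111 01010111 01011011
    10110110 11111011 00101011 10010100 10101001 01010101 10101010 11010101
    10100100 01011001 11011011 01010100 01001000 10110000 01000011 01010100""")

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits, MSB first, into the low bit of successive cover bytes."""
    bits = [(byte >> shift) & 1 for byte in message for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit        # clear the low bit, then set it
    return bytes(out)

def extract_lsb(data: bytes, nbytes: int) -> bytes:
    """Rebuild nbytes of message from the low bits of the first 8*nbytes bytes."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for b in data[8 * i:8 * i + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)

def enhance_lsb(data: bytes) -> bytes:
    """Stretch each low bit to 0 or 255 so the LSB plane becomes visible."""
    return bytes(255 if b & 1 else 0 for b in data)

def changed_bytes(a: bytes, b: bytes) -> int:
    """Count positions where two equal-length byte strings differ."""
    return sum(x != y for x, y in zip(a, b))
```

Only 13 of the 32 bytes change, each by one, which is why the image looks the same to the eye while the enhanced LSB plane does not.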
9
Media Operations LSB Steganography
  • LSB Steganography is easy to implement, but it is
    vulnerable to almost all media transformations
  • For example, cropping an image that has a hidden
    message can result in losing the entire message

10
Steganography Technique: Palette Manipulation
renoir.gif

Before Embedding
After Embedding
airfield.gif
Palette of an 8-bit GIF, sorted by luminance.
The repetition of similar colors indicates
possible steganography.
11
Steganography Technique: Discrete Cosine Transform
peppers.bmp
8x8 DCT Block
The DC coefficient receives the data to be hidden.
12
Steganography: Embedding Within Audio
  • Appending hidden information to end-of-file
  • Pulse Code Modulation bit twiddling that
    produces sound indistinguishable from the
    original

Before Steganography Embedding
After Steganography Embedding
Source: Gary Kessler
13
Steganalysis
  • Steganalysis is the science of detecting hidden
    information and making that information visible

14
Two Models for Steganalysis
  • Blind Detection Model
  • Detects presence of hidden information without
    any prior knowledge of the steganography
    application or carrier file types that may have
    been used
  • Analytical Model
  • Detects presence of file or other artifact
    associated with a particular steganography
    application
  • Then uses knowledge of particular application to
    conduct focused search for carrier file types
    associated with the application and then extract
    any information that may have been hidden
  • Backbone's SARC uses the analytical model

15
Current Activities
  • Majority of current effort focused on populating
    Steganography Application Signature Database
    (SASDB) with freeware, shareware and licensed
    versions
  • To date over 250 steganography applications have
    been hashed and added to SASDB
  • Some files are used in more than one application;
    thus 10,147 are unique files
  • Assistance from DCCI in acquiring steganography
    applications
  • We are also currently hashing a collection from a
    CD by StegoArchive.com
  • Archive all copies of steganography applications
    to CD format while validating application title /
    version

16
Populating the SASDB
  • Search for steganography applications on the
    Internet, download them (typically in a
    compressed .zip archive format), and generate
    their hash values.
  • If the application is distributed as an archive,
    recursively extract and hash all files contained
    within.

17
Populating the SASDB
  • If the application utilizes an installer, track
    and hash all files that are installed on the
    system.
  • Changes to the registry are also monitored and
    documented.

18
Structure of the SASDB
Hash Values
  • SHA-1 Hash Value
  • SHA-256 Hash Value
  • MD5 Hash Value
  • CRC32 Hash Value
  • Filename
  • Associated Application

19
Structure of the SASDB
  • Application Data Table
  • Application Name
  • Number of Associated Files
  • Download date/time/location

20
Structure of the SASDB
Carrier Footprint
  • Application Name
  • Carrier File Types Affected
  • Method of Embedding
  • Comments (Path to application specific TTP)
  • Operating System

21
How Do Our Capabilities Compare With Other Tools?
  • WetStone's Gargoyle can detect 167 steg
    applications (mostly versioning)
  • WetStone's Stego Suite can crack 4 steg
    applications
  • Steg Detect/Steg Break can detect/crack 4 steg
    applications
  • Steg Spy can crack 5 steg applications
  • Backbone can detect 254 steg applications and
    crack 19 steg applications

22
Current Activities
  • Expanding knowledge base by developing profiles
    for steganography applications
  • Embedding/encoding techniques used
  • Carrier file types
  • Fingerprints left in carrier files by
    particular applications
  • Etc.
  • Enhancing the tool developed to capture all
    changes to system when a steganography
    application is installed

23
Current Activities
  • Developing detailed TTPs for steganalysis
  • Will provide to law enforcement digital forensic
    investigators to aid in extending traditional
    digital forensic analysis to include
    steganalysis
  • Developing proof-of-concept experiments to
    demonstrate
  • Validity and value of TTPs for analytical model
    for steganalysis vs blind detection model

24
Current Activities
Real-Time Malware / Spyware / Virus /
Hacking Steganography Detection
25
QUESTIONS
  • WWW.BACKBONESECURITY.COM
  • 888.805.4331

26
BACKUP SLIDES
27
Blind Detection Model
  • Used to determine if information may have been
    hidden in one of several different carrier file
    formats
  • May, or may not, detect hidden information
  • Even if hidden information is detected, may still
    not be able to extract the information
  • Various efforts underway to improve success of
    technique for detecting presence of hidden
    information

28
Analytical Model
  • Used to determine specific steganography
    application(s) that may have been used to hide
    information
  • Hash all files on seized hard drive
  • Reduce set of files to be analyzed by removing
    files with hash values that exist in NSRL RDS
  • These are known good files
  • Compare hash values of remaining files to hash
    values in SASDB

29
Analytical Model (Continued)
  • A match would represent an artifact of a
    steganography application
  • One, or more, of possibly several files
    associated with a particular application
  • Use TTPs associated with the particular
    application to perform steganalysis
  • Conduct focused search of seized hard drive for
    carrier file types utilized by the particular
    application
  • Determine if information has been hidden in the
    carrier file
  • Extract the hidden information
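
The triage steps of the analytical model (hash everything, drop known-good files, match the rest against application hashes, then narrow the search to that application's carrier types) as an added example that is not Backbone's tooling. The known-good set stands in for NSRL RDS and the two dictionaries for the SASDB hash and carrier-footprint tables; the file names, the application name and the table layout are hypothetical, and hashes are computed from constructed content at run time.

```python
import hashlib, os, tempfile

def sha1_file(path: str) -> str:
    """SHA-1 of a file, read in chunks so large evidence files fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, known_good, sasdb, footprints):
    """Apply the analytical model to a directory tree.

    known_good: set of SHA-1 values (stand-in for NSRL RDS)
    sasdb:      {sha1: application name} (stand-in for the SASDB hash table)
    footprints: {application name: [carrier extensions]} (carrier footprint)
    Returns (artifacts {path: application}, carrier candidates [path]).
    """
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            hashes[path] = sha1_file(path)
    remaining = {p: h for p, h in hashes.items() if h not in known_good}
    artifacts = {p: sasdb[h] for p, h in remaining.items() if h in sasdb}
    exts = {e for app in set(artifacts.values()) for e in footprints.get(app, ())}
    carriers = sorted(p for p in remaining
                      if p not in artifacts and os.path.splitext(p)[1].lower() in exts)
    return artifacts, carriers

def demo():
    """Run triage over constructed files; every name and hash set here is made up."""
    files = {"notepad.exe": b"constructed known-good file",
             "hidetool.dll": b"constructed steg application component",
             "holiday.bmp": b"constructed image bytes",
             "notes.txt": b"constructed text"}
    app = "ExampleStegApp 1.0 (hypothetical)"
    with tempfile.TemporaryDirectory() as root:
        for name, content in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        known_good = {hashlib.sha1(files["notepad.exe"]).hexdigest()}
        sasdb = {hashlib.sha1(files["hidetool.dll"]).hexdigest(): app}
        artifacts, carriers = triage(root, known_good, sasdb, {app: [".bmp", ".wav"]})
        return ({os.path.basename(p): a for p, a in artifacts.items()},
                [os.path.basename(p) for p in carriers])
```

The carrier list is only a set of candidates; deciding whether data is actually hidden in each one is the application-specific step the slides assign to the TTPs.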