Computer Forensics and Steganography

Xavier Prathap. WSt. Claret College, Jalahalli

Overview

What is Computer Forensics? Uses of Computer Forensics. Forensic Processes. What is Steganography? Examples of Steganography in history. Classification of Steganography Techniques. Application of Steganography in Computer

Forensics. Steganography Tools.

Introduction to Computer Forensics

Use of Scientific knowledge for collecting, analyzing and presenting evidence to the court.

Forensics means “to bring to the court”

Why is Computer Forensics necessary?

Helps to ensure overall integrity and survivability of network infrastructure.

Defence-in-depth. Bad practices of computer forensics

may result in destroying of vital evidences.

Uses of Computer Forensics as evidence

Computer forensics has been used sincemid 1980s as evidence in the court

BTK Killer Joseph E. Duncan III Sharon Lopatka

Forensic Processes

Cross-drive analysis Live analysis Deleted Files Steganography

What is Steganography?

Art of Covered or hidden writing.

Steganography (greek word)

στεγανός

covered

γραφία

writing

Examples in History

Invisible ink (1st century AD - WW II) Tatoo message on head Overwrite select characters in printed type in

pencil› look for the gloss

Pin punctures in type Microdots (WW II) Newspaper clippings, knitting instructions, XOXO

signatures, report cards, …

Stego in Digital world

Steganography received little attention in computing

Renewed interest because of industry desire to protect copyrighted digital work› audio› images› video› Text

Detect counterfeiter, unauthorized presentation, embed key, embed author ID

Steganography ≠ Copy protection

Steganography Techniques

Null Cipher Hide message among irrelevant data Confuse the cryptoanalyst

Null Cipher Hide message among irrelevant data Confuse the cryptoanalyst

Big rumble in New Guinea.The war oncelebrity acts should end soon.Over fourbig ecstatic elephants replicated.

Null Cipher

Hide message among irrelevant data Confuse the cryptoanalyst

Big rumble in New Guinea.The war oncelebrity acts should end soon.Over fourbig ecstatic elephants replicated.

Bring two cases of beer.

Chaffing & Winnowing

Separate good messages from the bad ones Stream of unencoded messages with signatures

› Some signatures are bogus› Need key to test

M0M3 M1M2 M0M3 M1M2

Alice Bob

M0M3 M1M2

Irene

? ? ? ?

× × ×OK

Image watermarking

Spatial domain watermarking› bit flipping› color separation

Frequency domain watermarking› embed signal in select frequency bands (e.g.

high frequency areas)› apply FFT/DCT transform first

› e.g. Digimarc› watermark should alter the least perceptible

bits these are the same bits targeted by lossy image

compression software

DIGITAL APPROACHES

Today, it often exists within digital formats It makes use of seemingly innocent cover files

such as text, audio, and image files The embedded message may be anything that can

be encoded in binary

AudioPerceptual coding

› inject signal into areas that will not be detected by humans

› may be obliterated by compression

Hardware with copy-protection› not true watermarking - metadata present on media› DAT› minidisc› presence of copy protection mechanisms often failed to

give the media wide-spread acceptance

Video

Coding still frames - spatial or frequency

data encoded during refresh› closed captioning

visible watermarking› used by most networks (logo at bottom-

right)

IMAGE ATTRIBUTES

Digital images are made up of pixels The arrangement of pixels make up the image’s

“raster data” 8-bit and 24-bit images are common The larger the image size, the more information

you can hide. However, larger images may require compression to avoid detection

IMAGE-BASED TECHNIQUES

Least Significant Bit Insertion Masking and Filtering

LSB INSERTION

Replaces least significant bits with the message to be encoded

Most popular technique when dealing with images

Simple, but susceptible to lossy compression and image manipulation

LSB - ExampleA sample raster data for 3 pixels (9 bytes) may be:

Inserting the binaryvalue for

A (10000001

)changes

4 bits

00100111 11101000 1100100000100110 11001000 1110100011001001 00100111 11101011

00100111 11101001 1100100000100111 11001000 1110100111001000 00100111 11101011

MASKING & FILTERING

Masks secret data over the original data by changing the luminance of particular areas

During masking, it embed the message within significant bits of the cover image

Not susceptible to lossy techniques because image manipulation does not affect the secret message

MASKING & FILTERING - Uses

Digital Watermarking – provides identification pertaining to the owner; i.e. license or copyright information

- Invisible vs Visible

Fingerprinting – provides identification of the user; used to identify and track illegal use of content

Steganography ToolsSoftware Supporting Files Notes

BMPSecrets BMP, JPG, TIFF, GIFAllows to replace upto 50-

60% of picture with information

DarkCryptTC

BMP, JPG, TIFF, PNG, PSD, TGA, MNG, WAV,

TXT, HTML, XML, EXE, DLL

RSD mode(RNG-based random data distribution)

MP3Stego MP3 Source code provided

OpenPuffBMP, JPEG, PNG,TGA, MP3, WAV, 3fp, MP4,

MPEG-2, FLV, VOB, Pdf

256-bit multi-encryption, carrier chains, Multi-layered

obfuscation

PHP-Class StreamSteganography PNG -

Steganography Studio BMP, PNG, GIFDifferent hiding methods

included (LSC, LSC matching, SLSB, ….)

Steganographic Laboratory (VSL) BMP, PNG, JPG, TIFF Open Source

REFERENCES Wikipedia Exploring Steganography: Seeing the Unseen –

N. Johnson & S. Jajodia www.jjtc.com/stegdoc/steg1995.html Information Hiding: Techniques for

Steganography and Digital Watermarking” – S. Katzenbeisser, F. Petitcolas

Digital Watermarking – H. Bergel, L. O’Gorman

Questions?

Thank you

Xavier Prathap. WSt. Claret College, Jalahalli