Detecting Steganography in this article how to detect Steganography explained with it types as well as Steganography detecting files explained with the help of tools using in stegenography and data hiding in file system structures technique.
Software Clues on the Computer
During investigation, the investigators should first look at files, documents, software applications, and other suspicious files for clues hidden through steganography. Steganography investigators should also know about common steganographic techniques, software, tools, terminologies, and websites. This knowledge will help the investigators to find the process, software, and techniques used in steganography.
The investigators should find out the file names and web sites that the suspect used, by looking in the browser’s cookies, history, registry key entries, mailbox, chat or instant messaging logs, and communication from or comments made. Because this data is important for investigation, it gives clues to the investigator for further procedures.
Other Program Files
It is necessary to check other program files, because the non-steganographic programs may contain clues about the covering file and hidden file. The investigators should check other softwares such as the binary (hex) editor, disk-wiping software, chat software used for changing the data from one code to another, and to keep the data secret from others.
Related Product : Computer Hacking Forensic Investigator | CHFI
Detecting Steganography (Cont’d)
1. Multimedia Files
Investigators should look for large files in the system, because large files can act as carrier files for steganography. Though a Windows computer consists of a number of graphic and audio files, they all are small in size, If the system consists of large files in abundance, the investigators can suspect these files to be carrier files with large sizes. This can be true if the computer system has many duplicate files.
Type of Crime
Already investigated crimes may also make an investigator to think about steganography. Child pornographers use steganography to hide pornographic material when they are posting it on a web site or sending it via email. Crimes related to business records also use steganography. Though a perpetrator can hide important record files by using steganographic techniques, others can obtain access to those files. Such crimes include identity theft, gambling, smuggling, and terrorism.
2. Text Files
For text files, the attackers alter the character position for hiding the data. One can detect these alterations by looking for text patterns or disturbances, the language used, line height, and unusual number of blank spaces.
A simple word processor can sometimes reveal the text steganography as it displays the spaces, tabs, and other characters that distort the text’s presentation during text steganography. By having a closer look at following things, you can detect text steganography:
- Unusual patterns used in stego-object
- Appended extra spaces
- Invisible Characters
3. Image Files
To detect the information hidden in the image, investigators should determine the changes in size, file format, last modified, last modified time stamp, and color palette of the file. The following points can help to detect image steganography:
- Too many display distortions in images
- Sometimes images may become grossly degraded
- Detection of anomalies through evaluating too many original images and stego-images with respect to color composition, luminance, pixel relationships, etc.
- Exaggerated “noise”
Statistical analysis methods help to scan an image for steganography. Whenever a secret message is inserted into an image, least significant bits (LSBs) will no longer be random. With encrypted data that has high entropy, the LSB of the cover will not contain the information about the original and is more or less random. By using statistical analysis on the LSB, the difference between random and real values can be identified.
4. Audio File
Audio steganography is a process of embedding confidential information such as private documents and files in digital sound. The following are the main categories of audio steganography: LB coding, echo coding, phase coding, and spread spectrum coding. These methods have different implementation techniques, bandwidths, and hiding standard.
Investigators can use the LB modification technique to detect the audio steganographic files. Investigators scan for high and inaudible frequencies for information and distortions or patterns that help in detecting a secret message and try to find the differences in pitch, echo, or background noises.
5. Video File
Detection of the secret data in video files includes a combination of methods used in image and audio files. Special code signs and gestures help in detecting secret data. Most methods used to detect steganography in videos require human involvement as the machines cannot effectively detect the differences.
Also Read : Understand Steganalysis
Steganography Detection Tool: Gargoyle Investigator ™Forensic Pro
Gargoyle Investigator Forensic Pro is a tool that conducts quick searches on a given computer or machine for known contraband and malicious programs. This tool finds remnants in a removed program as it conducts the search for the individual files associated with a particular program. Its signature contains botnets, Trojans, steganography, encryption, and keyloggers. It helps in detecting stego files created by using BlindSide, WeavWay, and 5-Tools. It has the ability to perform a scan on a stand-alone computer or network resources for known malicious programs and the ability to scan within archived files.
Features:
- it scans on a stand-alone system or network resource for known contraband and hostile programs
- It comprises 20 datasets containing over 20,000 types of malicious software
- It is interoperable with popular forensic tools such as EnCase™
- It provides detailed forensic evidence reports with secure source time stamping, XML based and customizable
Steganography Detection Tools
1. Xstegsecret
Source: http://stegsecret.sourceforge.net
Xstegsecret is a steganalysis software that detects hidden information from various digital media sources. It is a Java-based multiplatform steganalysis tool used to detect FOF, LSB, DCTs, etc.
2. StegSecret
Source: http://stegsecret.sourceforge.net
Stegsecret is an open source (GNU/GPO steganalysis tool that detects hidden information in different digital media. It is a Lava-based multipiatform steganalysis tool that detects hidden information using EOF,LSB , DCTs, etc.
3. StegAlyzerAS
StegAlyzerAS is a digital forensic tool. It identifies files and registry keys associated with steganography applications. StegAlyzerAS allows for identification of files by using CRC-321 MD5, SHA-1, SHA-2247 SHA-256, SHA-384, and SHA-512 hash values stored in the Steganography Application Fingerprint Database (SAFDB).
4. StegAiyzerRTS
StegAlyzerRTS is a network security application to detect digital steganographic applications and the use of those applications in real time.
StegAlyzerRTS detects insiders downloading steganographic applications by comparing the file fingerprints, or hash values, to a database of known file or artifact hash values associated with over 960 steganography applications.
5. StegEx pose
Source: https://github.com
StegExpose is a steganalysis tool specialized in detecting LB steganography in lossless images such as PNG and BMP. It has a command line interface and is designed to analyze images in bulk while providing reporting capabilities and customization, which is comprehensible for non-forensic experts.
6. StegAiyzerS5
StegAlyzerSS is a steganalysis tool designed to extend the scope of traditional computerized forensic examinations by allowing the examiner to scan suspect media or forensic images of suspect media for over 55 uniquely identifiable byte patterns, known as signatures, left inside files when particular steganographic applications are used to embed hidden information within them.
7. Steganography Studio
Source: http://stegstudio.sourceforge.net
Steganography Studio software can be used to learn, use, and analyze key steganographic algorithms. It implements several algorithms highly configurable with a variety of filters. It also implements the best image analysis algorithms for the detection of hidden information.
8. Virtual Steganographic Laboratory (VSL)
source: http://vsl.sourceforge.net
Virtual Steganographic Laboratory (VSL) application helps in hiding data in digital images, detect its presence, and test its robustness using any number of different adjustable techniques. It provides a framework to use multiple methods at the same time. It can perform complex processing in both batch and parallel form.
9. Stegdetect
Stegcletect is an automated tool to detect steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in PEG images. Given a set of normal images and a set of images that contain hidden content by a new steganographic application, Stegdetect can automatically determine a linear detection function that is applicable to yet unclassified images.
10. ImgStegano
Source: http://www1.chapman.edu
ImgStegano helps in the detection of steganography on .bmp or .png image. It uses an enhanced LSB technique to detect image steganography.
Anti-Forensics Techniques: Data Hiding in File System Structures
Data hiding is one of the anti-forensic techniques employed by attackers to make data inaccessible. Nil–FS-based hard disks contain bad clusters in a metadata file as $BadClus and the NTT entry 8 represents these bad clusters. $BadClus is a sparse file, which allows attackers to hide unlimited data as well as allocate more clusters to $BadClus to hide more data.
Some hard disks have the host protected area (HPA), in which the developers can store data they want to protect (and hidden) from normal use. In addition to the above technique, the attackers use DPAs, DCOs, and slack spaces to hide the data, which will not visible to by either BIOS or OS and requires few special tools to view.
Questions related to this topic
- What are the three best forensic tools?
- What are the forensic tools?
- Which tool is needed for a computer forensics job?
- What is ProDiscover tool?
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com