Unit 8: Steganography
8.1 Steganography Steganalysis

>> Steganalysis is the process of detecting steganography and the recovery of hidden evidence.
If both the carrier and the covert files exist on the suspect machine, visual analysis can
be used to compare both files to reveal the presence of
secret data through inspection with the help of a computer system.
In this case, detecting a steganographic file is easy, since both images
or audio files look or sound the same,
but their hash values are different.
In most scenarios a suspect only leaves covert files;
the carrier files are deleted and unrecoverable.
Statistical analysis will then be used to search for changes in patterns of pixels, amplitudes
or frequency coefficients to detect whether statistical properties deviate from the norm.
Is steganography detection possible?
Yes.
Digital images, audio files and video files are created by computer software
that applies standard algorithms to produce normalized digital outputs.
Once steganography is detected, investigators attempt to recover the hidden content.
The first step is to identify known steganography tools stored
on the suspect machine or recovered from unallocated spaces.
The next step is identifying artifacts of the steganography programs.
The artifacts include the types of carrier files each steganography tool uses
and the special characteristics these tools leave on carrier files.
For example, Gif-It-Up uses pairs of similar colors.
JP Hide and Seek strips the covert image's headers.
After identifying the steganographic files and the particular stego tools, we finally
try to break the password to recover the hidden message.
If embedded steganographic content is unrecoverable, an active attack may be used
to destroy the hidden content.
OutGuess, stegdetect and stegbreak were written by Niels Provos in 2001.
These free steganography detection tools can possibly detect steganography files
that have hidden content embedded using JP Hide and Seek, OutGuess and Camouflage.
Stegbreak is a utility that uses a brute-force attack in an attempt to break passwords, if possible.
Unfortunately, stegdetect and stegbreak are no longer supported by the author.
There are both Windows and Linux versions, and the Linux version is still available
at GitHub, at your own risk.
Make sure to check its MD5 and its SHA1 if you attempt to download it.
WetStone Technologies supports several commercial products for malware detection
and steganography detection and analysis.
StegoHunter is a utility to search for known stego tools based on hash analysis.
Stego Suite includes three software tools: StegoWatch, StegoAnalyst and StegoBreak.
This set allows investigators to detect, analyze and, in certain circumstances, recover
hidden information.
StegoWatch compares the mathematical and statistical models
of normal files with each supported type.
It supports palette images like GIF files, true-color images like 24-bit BMP files,
lossy images such as JPEG, and audio WAV files.
It then produces output with flags for different levels of alert, such as OK,
high, medium or low risk, etc.
After detecting stego files from the suspect image, investigators will move on to analyze
and possibly recover stego contents.
As described on the WetStone website, StegoAnalyst allows you to examine image or audio files
for artifacts that are typically caused by the insertion of information
into digital images or audio files.
Once you determine that there is a high degree of suspicion that steganography exists, breaking
or cracking the steganography may be possible.
StegoBreak attempts to break the steganography password and therefore recover the stego contents.
While using StegoHunter and Stego Suite for steganography analysis, you will first
use StegoHunter to detect known stego tools.
After that, you should know which files can be carrier files.
Then you use StegoWatch to detect suspicious files.
You will use StegoAnalyst to examine the suspicious files identified by StegoWatch.
Finally, you can hope StegoBreak will break passwords to recover the hidden contents.
Once the passwords are recovered, they can be added
to the StegoBreak library to assist further breaking.
In this lecture, we learned about steganography technologies and their power
to conceal evidence for malicious purposes.
As a forensic investigator, you should always check
for steganography usage during your investigation.
Next, I will show you a video of using Stego Suite to detect and analyze stego files.
Steganalysis Demo

>> Steganalysis is the process of detecting steganography and the recovery of hidden evidence.
However, this is a very difficult task.
WetStone, as shown here, is one of the leading companies
for malware detection and steganography detection.
They have a suite of tools for steganography analysis, including StegoHunter,
which is a utility to search for any stego tools stored on a suspect's machine.
If such a tool is identified, it indicates that the suspect has the capability,
has the ability, to use steganography to hide data.
For example, if JP Hide and Seek is detected,
the investigator should pay special attention to JPEG images,
because those images may contain hidden data.
Stego Suite includes three software tools: StegoWatch, StegoAnalyst, and StegoBreak.
Certainly, StegoWatch is used for detection,
StegoAnalyst is for analysis,
and then StegoBreak is for breaking the password to recover hidden evidence.
Stego Suite is a commercial product.
I have one license, but this license is many years old.
So, their new products may have a different look and different features.
But I just want to show you some basic ideas of what this detection
and analysis tool looks like.
All right, so I have here StegoWatch,
and you open that.
Now, the first thing you need to do is to set up the directory, the starting place
for StegoWatch to search through.
So, what I specify here is the stego demo data I will show you later.
So, that is the starting directory.
Then, StegoWatch will go through this directory, including its subdirectories,
to identify all images and then compare those images against the normal mathematical
and statistical models
to try to detect whether there is any information hidden inside those images.
So, once I choose that, then you have a location to search,
and then you just simply say start new session.
All right, it will go through it very quickly.
So, that's very impressive.
And then very quickly it gives you its guess based on their model, their algorithm.
So, the directory here, this is the directory I wanted to search through, all right.
So, here are the covert files, images, in the directory.
And you probably still remember this invisible one;
this is from the Invisible Secrets video, using Invisible Secrets.
And then the hidden mum and this hidden one, those two I created using S-Tools.
And I used JP Hide and Seek to hide information into this lily, the water lily picture.
Now, I also have a clean folder; those images are clean, supposed to be clean.
One is a penguin, one is the mum.
And I got those basically from Windows,
just from the Windows samples.
And then the JPEGs, I have a couple of JPEG files.
Those two are also from the Windows sample files, and this is from my own picture.
I took a picture.
I live in the beautiful northeast, in Rochester, New York, and that's the picture I have.
So, this is the directory I search through, okay.
So, now it says this hidden.gif file, this one is highly,
has a high risk of having hidden data.
And then, A means it identifies artifacts.
And then M means medium risk of having hidden data, and then low means a low risk.
And OK, that means it's clean.
All right.
So, let's launch another tool.
You can launch it separately, like StegoAnalyst, or you can launch it
from here to really look through it,
because detection is difficult.
So, there are false positives and false negatives.
We go through the analytic tools to look through those high-risk,
medium-risk, or low-risk files
to try to find something.
Now, first let me go through the covert ones here.
And again, this water lily picture has hidden data.
I used JP Hide and Seek to hide information into it.
And what information did I hide in it?
Actually, I hid a very, very small text.
So, this is what I hid.
It's a tiny bit, so it modified only a little bit.
Now, we want to see what it modified, that little bit, and let me compare this with the original one.
So, the original one is in the JPEG clean version,
water lily.
Okay, so those are the two.
Okay, this one is from the original, and then this one is JP Hide and Seek.
So, the name, you can see the names here, and here is the path.
Now, the hash is different.
This is the first alert.
If you see two images that are almost identical, but the hash is different, that means something changed.
And file size.
The file size of the hidden ones is normally smaller because of compression, okay.
Sometimes it can be the same, okay, especially using S-Tools.
If we use S-Tools, then sometimes it is the same size.
But for JP Hide and Seek, in most cases the hidden one is smaller, because it's going
through encryption and compression.
Now, there are certain artifacts we can look into,
because JP Hide and Seek hides information in the DCT coefficients.
So, we can look at the DCT coefficients.
Now, for this case, because I only hid a tiny,
tiny bit of information, it shouldn't change that much.
But if you look at that, the sharp one is usually the normal one.
They look pretty much the same, right, similar.
But if you look at the scale, this is 500, it's down a little bit,
and this one is a little bit sharper.
Okay, so you cannot absolutely say that, but with experience,
this might be malicious, this might be okay.
So, this is one way: you look at the DCT coefficients and use the color, and normally the one
with the artifacts, that one uses more colors.
That's normally the case, okay.
And then what other information?
Now, the header, the JPEG header, this is the special artifact for JP Hide and Seek.
Using JP Hide and Seek, it will scratch the header.
So, the header information is gone, and this information is still here.
So, this is the normal one, the original one.
And this is the one after using JP Hide and Seek,
hiding information into it; this title is gone.
So, this is specific to the JP Hide and Seek software.
So, that's the case.
If the suspect did not modify anything, just used it, then that one looks like it is malicious.
The other thing you can look into is the transforms:
intensity, saturation and hue.
Now, in this case, it may not be able to show much, because we only modified a tiny bit, and I use my,
actually my eyes cannot detect much of anything, but let's just look through it,
the saturation, and we see whether this has any difference or not.
Hue: hue is basically here for the resolution change and then the snowy color.
Now, again, because we only added, inserted a tiny bit of information, you don't see it.
For the other ones, this is a great feature.
If you look at hue, the image with snow most likely has data hidden in it.
Okay, so those are the two images we are looking at.
Now, if you look at the StegoWatch detection result,
okay, one is the water lily and one is JP Hide and Seek.
So, here it says JP Hide and Seek is a medium risk,
and then the water lily has a low risk.
Okay, it doesn't say clean; I don't know, some kind of noise is in there.
So, this is pretty good at this point.
And then let's look at, can we look at one more, look at the .gif file.
So, first let's open up one from the covert folder.
So, this is the penguins with the covert message,
and then here you pick up the clean one.
Now, those are the GIF files.
So, for GIF files especially you need to look into, okay, let's first look at the details.
Again, it looks like a very similar image, and then the hash is different.
The size is different.
All right, again the size is smaller.
So, this is the one that actually has hidden information inside.
Now, because those are palette images, those GIF files,
those are the palette,
and the total has 256 colors.
Now, how many colors does this one use?
This one uses 252 colors, and this one uses 256; yeah, this is 256 and 252.
And we talked about similar colors, close colors.
That's an indication, okay.
So the close colors, because they are using pairs, okay, the close colors,
if you use a lot more close colors, very likely that may have hidden information.
But those are all basically just guesses.
All right.
And then now if you look at those two images, again you can use the intensity,
saturation and hue to identify that.
Okay, look back at our image results,
the StegoWatch result, and this penguin, it's called the penguin.gif,
and so one is called penguin.gif, and another one is called hidden.
So, the penguin.gif and then the hidden.gif.
Now, in this case, certainly the hidden.gif, it says it's a high risk with artifacts.
But this penguin.gif, it also says it's a high risk; at this point I really don't know,
because this is the Windows image, right?
I'm not sure whether this really has other hidden data or not,
because I'm just using the sample image and then I hid additional data
into it to get the hidden.gif file.
All right, so now, how about the invisible one.
Okay, the Invisible Secrets one we did in the last video, that one unfortunately
it is not able to detect; it's just a question mark.
It's some version match and it is not able to do it.
So, nevertheless, this detection does give us some picture of
which files we should pay attention to or not.
And then I also showed you some of the artifacts we can use when we do an analysis.
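The manual checks that the lecture lists and the demo walks through (hash and file-size comparison of a carrier and its covert copy, the number of colors a GIF palette uses and how many near-identical color pairs it contains, and whether a JPEG still carries its header segments) can be scripted so an investigator can run them over a whole directory. The Python below is an added example, not WetStone's code and not the lecturer's: the sample GIF and JPEG byte strings are constructed inline (they hold only the header parts the checks need, no image data), the close-color threshold of 4 is an assumption, and it reads the JFIF `APP0` and `COM` segments as the "header" that the lecture says JP Hide and Seek strips.

```python
import hashlib
import struct
from itertools import combinations

CLOSE_THRESHOLD = 4  # assumption: max per-channel difference for a "close" color pair

JPEG_MARKERS = {0xE0: "APP0", 0xFE: "COM", 0xDB: "DQT", 0xC0: "SOF0",
                0xC4: "DHT", 0xDA: "SOS", 0xD9: "EOI"}


def fingerprint(data):
    """Size plus MD5/SHA-1: the first things the demo compares between two files."""
    return {"size": len(data), "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def compare_pair(carrier, covert):
    """Visually identical files whose hashes differ are the first alert."""
    a, b = fingerprint(carrier), fingerprint(covert)
    return {"hash_differs": a["sha1"] != b["sha1"], "size_delta": b["size"] - a["size"]}


def parse_gif_palette(data):
    """Return the GIF global color table as a list of (r, g, b) tuples."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, packed, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    if not packed & 0x80:                    # no global color table present
        return []
    entries = 2 ** ((packed & 0x07) + 1)     # table holds 2^(n+1) entries
    raw = data[13:13 + 3 * entries]
    return [tuple(raw[i:i + 3]) for i in range(0, len(raw), 3)]


def close_color_pairs(palette, threshold=CLOSE_THRESHOLD):
    """Count palette pairs whose channels all differ by at most `threshold`."""
    return sum(1 for p, q in combinations(palette, 2)
               if max(abs(p[i] - q[i]) for i in range(3)) <= threshold)


def gif_palette_report(data, threshold=CLOSE_THRESHOLD):
    """Colors used out of the table, and how many near-identical pairs it has."""
    pal = parse_gif_palette(data)
    return {"entries": len(pal), "colors_used": len(set(pal)),
            "close_pairs": close_color_pairs(pal, threshold)}


def jpeg_segments(data):
    """List marker segments up to the entropy-coded data (SOS) or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI)")
    segs, pos = ["SOI"], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        segs.append(JPEG_MARKERS.get(marker, "0x%02X" % marker))
        if marker in (0xD9, 0xDA):           # EOI or SOS: header section is over
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length                    # length field counts itself
    return segs


def jpeg_header_report(data):
    """A JFIF file that lost its APP0/COM segments is the artifact to flag."""
    segs = jpeg_segments(data)
    return {"segments": segs, "has_jfif_app0": "APP0" in segs, "has_comment": "COM" in segs}


# --- constructed sample files (assumptions, not evidence from any case) ------

def make_gif(palette, width=4, height=4):
    """GIF header + global color table + trailer; enough for the palette checks."""
    n = 0
    while 2 ** (n + 1) < len(palette):
        n += 1
    table = list(palette) + [(0, 0, 0)] * (2 ** (n + 1) - len(palette))
    packed = 0x80 | (0x07 << 4) | n          # GCT flag, 8-bit color resolution, size n
    header = b"GIF89a" + struct.pack("<HHBBB", width, height, packed, 0, 0)
    return header + b"".join(bytes(c) for c in table) + b";"


def make_jpeg(jfif=True, comment=None):
    """SOI, optional JFIF APP0 and COM segments, EOI (no image data)."""
    out = b"\xff\xd8"
    if jfif:
        payload = b"JFIF\x00\x01\x01\x00" + struct.pack(">HHBB", 1, 1, 0, 0)
        out += b"\xff\xe0" + struct.pack(">H", len(payload) + 2) + payload
    if comment is not None:
        out += b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return out + b"\xff\xd9"


CLEAN_GIF = make_gif([(0, 0, 0), (255, 255, 255), (255, 0, 0), (0, 255, 0),
                      (0, 0, 255), (255, 255, 0), (0, 255, 255), (255, 0, 255)])
# palette made of near-identical pairs, the pattern the lecture describes
PAIRED_GIF = make_gif([(10, 20, 30), (11, 20, 30), (200, 100, 50), (200, 101, 50),
                       (0, 255, 0), (1, 255, 0), (90, 90, 90), (90, 90, 91)])
CLEAN_JPEG = make_jpeg(jfif=True, comment=b"camera sample")
STRIPPED_JPEG = make_jpeg(jfif=False)        # header segments removed

if __name__ == "__main__":
    print(compare_pair(CLEAN_GIF, PAIRED_GIF))
    print(gif_palette_report(CLEAN_GIF), gif_palette_report(PAIRED_GIF))
    print(jpeg_header_report(CLEAN_JPEG), jpeg_header_report(STRIPPED_JPEG))
```

As the demo stresses, each of these is a pointer rather than proof: a differing hash only says something changed, a small covert file leaves the palette and DCT statistics almost untouched, and a Windows sample image scored "high" in StegoWatch, so the reports are meant to rank which files deserve a closer look in the analysis tool.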

Reprinted from: https://www.cnblogs.com/sec875/articles/10040373.html