Introduction to Computer Crime and Forensics

IST 454: Computer and Cyber Forensics

Lab 5 - Data Hiding and Steganography

There are numerous ways to hide files / messages. Some are easy, like changing file extensions,
but others can be more complicated, like hiding files within other files. Detecting and retrieving
messages hidden in a file, image, or sound wave, known as steganography, is an emerging field
of study in Computer Forensics.

Steganography is the art and science of hiding information in covert channels so as to conceal
the information and prevent the detection of the hidden message. In practice today, steganography
usually refers to hiding information in digital picture files and audio files. This lab consists of
three major tasks to be performed:

- Explore data hiding by changing the file extension,
- Detect files hidden in another file, and
- Hide files by embedding the information inside an image.

After completing this lab you should be able to:

- Understand that files can be identified by their first-byte signatures
- Reestablish correct file extensions using a hex editor
- Hide a message inside an image file using steganography techniques
- Detect and retrieve information hidden using steganography

We will use the Windows XP virtual machine. The folder “My Documents\Labs\Lab 4\Tools”
contains several steganography tools that are to be used in completing this lab exercise.
Please preview and understand the purposes and limitations of each tool and learn how to use
them. They are:

- Jphs05 (jphswin, jphide, and jpseek)
- XVI32
- Stegdetect (xsteg, Stegdetect, and Stegbreak)
- Camouflage

The folder “My Documents\Labs\Data Hiding and Steganography\data” contains several
files that are not what they appear to be. Your team is to use the provided tools and
instructions (in the folder “Manuals”) to identify the hidden files and find the message hidden
inside one of the image files.

File Extensions

Create a working sub-directory and copy all the files to be investigated into it. Open each file to
see whether it can be opened and viewed properly or not. Open several known file types (e.g.,
txt, doc, xls, jpg, gif, wav, etc.) with xvi32 and record what their first two bytes are, or look the
extension up on the Internet if needed (e.g., the FILExt web site). Attempt to identify all the files
based on your investigations.


After completing task 1, several image files should have been uncovered. Some of these files
contain hidden data. The goal of task 2 is to uncover that data. Use the tools provided to examine
these files for hidden data. Performing steganalysis is an art and requires experience, judgment,
and trial-and-error. Try the following possible approach to find the hidden message:

- Use xsteg to detect whether any file is hiding inside another (Stegdetect is not for every
  file type. You need to judge whether it is the right tool to use or not.)
- Use Stegbreak to identify the key (password) used to hide a message (Again, you may
  not find the key).
- Select an appropriate steganography tool (jphs05 or Camouflage) and use it to detect
  and retrieve the hidden file.


Task 1: Explore Data Hiding via Changing File Extensions

One of the easier ways to hide a file is to change its file extension. Windows associates files with
programs based on their file extension, so if you alter the extension the operating system will
associate the file with a different program. This changes its icon and the program used to open it.
There is a way around this hiding technique. Files can be identified by their first two bytes.
Included in the “Tools” folder is a program called “xvi32”. This is a hex editor. xvi32 allows for
the viewing of files at the byte level.

Step 1: Login to the Virtual Win Machine assigned to your team.
        Select C:\Documents and Settings\Administrator\My Documents\Labs\Data Hiding
        and Steganography\Tools

Step 2: Double click on xvi32.exe to launch the program

Step 3: Drag and drop the file to be examined into the xvi32 window, and it will be displayed.

Step 4: Examine the first two bytes and search the Internet (FILExt) to find the original file type

Step 5: Rename each file to its original extension using Windows (Hint: Use Windows Explorer.
        Right click and play with the “Rename” or “Properties” options).

Q1.1: Three types of file can contain graphics: bitmap, vector, and metafile (which combines
      bitmap and vector). Standard vector image file formats include Hewlett Packard Graphics
      Language (.hpgl) and AutoCAD (.dxf); non-standard image file formats include .tga, .rtl,
      .psd, etc. Please search the Web for standard bitmap formats, and record their first two
      bytes via xvi32.
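The five steps above are what a hex editor lets you do by hand; the same signature check can be scripted so the whole evidence folder is triaged at once. The script below is an added example (not part of the lab materials or of xvi32) that keeps a small table of known leading bytes, compares them with the extension each file claims, and shows two caveats a plain two-byte lookup misses: RIFF containers (WAV and AVI share their first four bytes) and ZIP-based formats (a .docx really is a ZIP archive, so that pairing is not a mismatch). The files in SAMPLES are constructed in-line; point scan_directory at your working sub-directory to run it on real files.

```python
import os
from typing import Optional

# Signature table for common formats: (offset, magic bytes, canonical extension).
# More specific signatures are listed before shorter ones that could shadow them.
SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"BM", "bmp"),
    (0, b"II*\x00", "tif"),                            # TIFF, little-endian
    (0, b"MM\x00*", "tif"),                            # TIFF, big-endian
    (0, b"%PDF", "pdf"),
    (0, b"PK\x03\x04", "zip"),                         # ZIP container (also docx/xlsx/jar)
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 compound file (doc/xls/ppt)
]

# Extensions that legitimately share one signature. A .docx is a ZIP archive,
# so "zip" versus "docx" is not a mismatch worth flagging.
FAMILIES = {
    "jpg": {"jpg", "jpeg"},
    "tif": {"tif", "tiff"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "odt"},
    "doc": {"doc", "xls", "ppt"},
}

def identify(data: bytes) -> Optional[str]:
    """Return the extension implied by the file's leading bytes, or None if unknown."""
    # RIFF containers (WAV, AVI, WebP) share their first four bytes; the form
    # type at offset 8 tells them apart, so two bytes are not enough here.
    if data[:4] == b"RIFF" and len(data) >= 12:
        return {b"WAVE": "wav", b"AVI ": "avi", b"WEBP": "webp"}.get(data[8:12])
    for offset, magic, ext in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ext
    return None

def check_extension(filename: str, data: bytes) -> dict:
    """Compare the extension a file claims with what its signature says."""
    claimed = os.path.splitext(filename)[1].lstrip(".").lower()
    detected = identify(data)
    if detected is None:
        consistent = None                      # unknown signature: cannot judge
    else:
        consistent = claimed in FAMILIES.get(detected, {detected})
    return {"file": filename, "claimed": claimed, "detected": detected,
            "head": data[:4].hex(" "), "consistent": consistent}

def scan_directory(path: str) -> list:
    """Run check_extension over every regular file in a directory (e.g. the working copy)."""
    results = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results.append(check_extension(name, fh.read(16)))
    return results

# Constructed sample files standing in for the lab's evidence set: only the
# leading bytes matter for this check, so the bodies are placeholders.
SAMPLES = {
    "holiday.txt": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",    # really a JPEG
    "notes.doc":   b"GIF89a\x10\x00\x10\x00\x80\x00\x00",   # really a GIF
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",           # ZIP container: fine
    "sound.jpg":   b"RIFF\x24\x08\x00\x00WAVEfmt ",         # really a WAV
    "readme.txt":  b"Just some plain text.\n",              # no signature
}

def demo() -> list:
    """Check the constructed samples; returns one result dict per file."""
    return [check_extension(name, data) for name, data in SAMPLES.items()]

if __name__ == "__main__":
    for r in demo():
        flag = {True: "ok", False: "MISMATCH", None: "unknown"}[r["consistent"]]
        print(f"{r['file']:12} {r['head']:12} claims .{r['claimed']:5} "
              f"looks like {r['detected']}: {flag}")
```

The "unknown" verdict is deliberate: a file with no recognised signature (plain text, or a format missing from the table) should be recorded as undetermined rather than reported as a mismatch, which is also the honest answer to write in the report for such files.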

Task 2: Detect Data Hiding Using Steganalysis Techniques

After changing all the files to their correct extensions, you will see some image files. Open these
files. Can you tell any difference in them by just looking? One of these files contains another jpg
inside it. Steganography is the art of hiding data within data. Stegdetect is a steganalysis program
that deals with steganography in jpg files. Stegdetect is a command-line-based program that
allows you to check for hidden data. You can find some PDF documents with instructions on
stegdetect usage. xsteg is a gtk+ frontend to stegdetect. Below are instructions on how to use
these tools. Read the instructions in the tools folder for more detailed information.

Step 1: Open the command prompt on virtual machine and change the directory to
        “C:\Documents and Setting\My Documents\Administrator\Labs\Data Hiding and

Step 2: Use the following command to determine if a file possibly contains hidden data.

         stegdetect -t p filename

         The output should indicate the presence or absence of hidden data and tell you what
         program was most likely used to hide the data. However, this program works on
         probability. If the data is small enough, it might not be detected. You might try adjusting
         the sensitivity level parameter.

Step 3: Use the following command to perform a brute force dictionary attack and crack the
        password on the file. (Dictionary is under the “Dictionary” folder, named “English.txt”.)

         stegbreak -f english.txt -r rules.ini filename


1. When you run Stegdetect or Stegbreak, you have to run it from its own directory, e.g.,
   "c:\Documents Setting......\Administrator\....\stegdetect>". Switch to that
   directory using “CD directory”.
2. You need to copy the files that you want to detect or break to this folder.

3. When you run stegbreak, you also need to copy the dictionary file "english.txt" to this folder.
   Then, run this command: "stegbreak -f english.txt -r rules.ini filename".
   After that, you will find the password in "<>".
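Stegdetect's verdict is statistical, which is why the sensitivity parameter and the small-payload caveat in Step 2 matter. To make that concrete, here is an added example (not Stegdetect's code, and working on raw 8-bit samples with LSB replacement rather than on JPEG coefficients) that implements the pairs-of-values chi-square test of Westfeld and Pfitzmann over constructed cover data: a clean cover gives p near 0, a fully embedded one a high p, and a payload filling only 10% of the file is missed by a whole-file test but found by re-testing growing prefixes. The cover, the payload and the 30% LSB bias are all constructed assumptions made for this example.

```python
import math
import random
from typing import List, Tuple

def make_cover(n: int, seed: int = 1) -> List[int]:
    """Constructed 8-bit cover samples (stand-in for pixel or audio values).

    Real covers do not have equal counts for the value pairs (2k, 2k+1); the
    chi-square attack relies on that. We build the property in directly: every
    pair index is equally likely, but the LSB is 1 only 30% of the time.
    """
    rng = random.Random(seed)
    return [2 * rng.randrange(128) + (1 if rng.random() < 0.3 else 0) for _ in range(n)]

def make_payload(n: int, seed: int = 2) -> List[int]:
    """Constructed random message bits (an encrypted payload looks like this)."""
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(n)]

def embed_lsb(samples: List[int], bits: List[int]) -> List[int]:
    """Sequential LSB replacement: overwrite the low bit of the first len(bits) samples."""
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | (bit & 1)
    return out

def chi2_upper_tail(x: float, k: int) -> float:
    """P(chi-square with k dof >= x) via the Wilson-Hilferty normal approximation."""
    c = 2.0 / (9.0 * k)
    z = ((x / k) ** (1.0 / 3.0) - (1.0 - c)) / math.sqrt(c)
    return 0.5 * math.erfc(z / math.sqrt(2.0))

def chi_square_test(samples: List[int]) -> Tuple[float, int, float]:
    """Pairs-of-values chi-square test.

    Under LSB embedding of a random payload the counts of 2k and 2k+1 converge.
    Returns (statistic, degrees of freedom, p) where p is the probability that
    the pairs are equal, i.e. a high p means "looks embedded".
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, dof = 0.0, -1
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue                       # pair absent: contributes nothing
        stat += (even - expected) ** 2 / expected
        dof += 1
    if dof < 1:
        return 0.0, 0, 1.0                 # too little data to say anything
    return stat, dof, chi2_upper_tail(stat, dof)

def detect(samples: List[int], threshold: float = 0.001) -> bool:
    """Flag as stego when p exceeds the threshold: this is the tunable sensitivity."""
    return chi_square_test(samples)[2] > threshold

def scan_prefixes(samples: List[int], step: int) -> List[Tuple[int, float]]:
    """Re-run the test on growing prefixes, as sequential-embedding detectors do,
    so a payload that only fills the start of the file is not averaged away."""
    return [(n, chi_square_test(samples[:n])[2])
            for n in range(step, len(samples) + 1, step)]

if __name__ == "__main__":
    cover = make_cover(20000)
    full = embed_lsb(cover, make_payload(20000))
    small = embed_lsb(cover, make_payload(2000))      # payload covers 10% of the file
    for name, s in (("clean", cover), ("full payload", full), ("10% payload", small)):
        stat, dof, p = chi_square_test(s)
        print(f"{name:12} chi2={stat:8.1f} dof={dof} p={p:.3g} flagged={detect(s)}")
    best = max(scan_prefixes(small, 1000), key=lambda t: t[1])
    print(f"prefix scan of 10% payload: best p={best[1]:.3g} at {best[0]} samples")
```

Raising the threshold trades missed small payloads for fewer false alarms, and lowering it does the reverse; there is no setting that makes the test certain, which is the behaviour the lab notes describe for Stegdetect.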

Q 2.1: Please explain the weakness of stegbreak as a steganalysis tool according to your
       experience in task 2.

Task 3: Learn to Hide Files / Messages

Camouflage and jphs05 are two popular steganography freeware programs. Jphs05 can only be
used to hide files in a file with JPEG format. Camouflage is more flexible and can be used to
hide files with different formats (e.g., gif, JPEG, Wav, etc.).

Sub-task 1: Use Jphide and jpseek programs to hide and reveal stego data. (Note: Not all
files can be revealed using jphs05)

Step 1: Double click on “jphswin.exe” to start a shell that uses both Jphide and jpseek programs.

Step 2: Click on “Open jpeg” then “seek” to attempt to uncover the data. Use the password
        obtained from step 2 of task 1.

Q 3.1: What are the major differences between Stegdetect and jphswin?

Sub-task 2: Use Camouflage to reveal stego data.

Step 1: Select the file / message to be retrieved.

Step 2: Right click on the file, select “Uncamouflage.”

Step 3: Follow the screen instructions to complete the task. (Use “ist454” as the password)

Sub-task 3: Use Camouflage and/or jphs05 to hide stego data.

Please select an appropriate tool to perform the following data hiding tasks:

- Hide the “btv_map.gif” file inside the “hitchhiker.wav” file.

- Hide the revealed “message.txt” file inside the “mall_at_night.gif” file.

Q 3.2: Can you find a quick way to tell the difference between the two files
       “mall_at_night_S.gif” and “mall_at_night.gif”? Please discuss “how”!

Q 3.3: Can you reveal the file inside “mall_at_night_S.gif” (Using the password “tyui”)? If not,
       please discuss why it cannot be revealed.

Q 3.4: Can the provided software detect, for all of the evidence files, whether they have files
       hidden inside or not? If not, please discuss why!

Q 3.5: What are the strengths and weaknesses of Camouflage and jphs05? Please compare and
       discuss based on your experience of using the tools and the manuals.
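Q 3.2 and Q 3.4 ask how to spot a carrier that has something attached to it and whether the lab's detectors cover every evidence file. One check that needs none of the lab's tools is to walk the carrier's own structure and see whether any bytes follow its end marker, which is where append-style hiding tools leave their payload (the assumption made here is that Camouflage works this way; jphide does not, since it embeds in the JPEG's DCT coefficients, so this check complements Stegdetect rather than replacing it). The script below is an added example, not part of the lab or of either tool; its GIF and WAV carriers and the appended blob are constructed in-line and do not reproduce any tool's real output format.

```python
from typing import Optional

def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip a GIF data sub-block chain (length-prefixed blocks ending in a 0 byte)."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n

def gif_logical_end(data: bytes) -> int:
    """Offset just past the GIF trailer (0x3B), walking the block structure so a
    stray 0x3B inside pixel data is not mistaken for the end of the image."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        packed = data[10]              # logical screen descriptor flags
        pos = 13
        if packed & 0x80:              # global colour table present
            pos += 3 * (2 << (packed & 7))
        while True:
            block = data[pos]
            if block == 0x3B:          # trailer: the format's own end marker
                return pos + 1
            if block == 0x2C:          # image descriptor
                packed = data[pos + 9]
                pos += 10
                if packed & 0x80:      # local colour table
                    pos += 3 * (2 << (packed & 7))
                pos += 1               # LZW minimum code size
                pos = _skip_subblocks(data, pos)
            elif block == 0x21:        # extension: introducer, label, sub-blocks
                pos = _skip_subblocks(data, pos + 2)
            else:
                raise ValueError(f"unexpected GIF block 0x{block:02x} at {pos}")
    except IndexError:
        raise ValueError("truncated GIF") from None

def riff_logical_end(data: bytes) -> int:
    """RIFF (WAV) files declare their own length at offset 4; anything beyond it is extra."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a WAV")
    return 8 + int.from_bytes(data[4:8], "little")

def appended_payload(data: bytes) -> Optional[bytes]:
    """Bytes after the carrier's own end marker, or None when the format is not handled."""
    if data[:3] == b"GIF":
        end = gif_logical_end(data)
    elif data[:4] == b"RIFF":
        end = riff_logical_end(data)
    else:
        return None                    # e.g. JPEG: use Stegdetect for those instead
    return data[end:]

# Constructed carriers (not the lab's evidence files): a 1x1 two-colour GIF and
# an 8 kHz, 8-bit mono WAV holding four samples.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
_FMT = (b"fmt " + (16).to_bytes(4, "little") + (1).to_bytes(2, "little")
        + (1).to_bytes(2, "little") + (8000).to_bytes(4, "little")
        + (8000).to_bytes(4, "little") + (1).to_bytes(2, "little") + (8).to_bytes(2, "little"))
_DATA = b"data" + (4).to_bytes(4, "little") + b"\x80\x7f\x81\x7e"
CLEAN_WAV = b"RIFF" + (4 + len(_FMT) + len(_DATA)).to_bytes(4, "little") + b"WAVE" + _FMT + _DATA
# Stand-in for an append-style tool's output: the untouched carrier followed by a blob.
FAKE_PAYLOAD = b"<constructed appended blob, not any tool's real format>"
STEGO_GIF = CLEAN_GIF + FAKE_PAYLOAD
STEGO_WAV = CLEAN_WAV + FAKE_PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean.gif", CLEAN_GIF), ("stego.gif", STEGO_GIF),
                       ("clean.wav", CLEAN_WAV), ("stego.wav", STEGO_WAV)):
        extra = appended_payload(blob)
        print(f"{name}: {len(blob)} bytes, {len(extra)} after the format's end marker")
```

Comparing file sizes, as Q 3.2 hints, gives the same signal faster when you have the original carrier to compare against; walking the structure is what you need when you do not.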

Analysis Questions (Challenge yourself!)
1. What are two ways Stego is used to protect data? Explain!

2. During your search, you probably found some file extensions that did not match even though
   the file types were the same. What are some possible reasons for this mismatch?

Team Report:
The team report is to show what you did in the project. Clearly state your results of this project.
You are expected to hand in a report in the following format:
- A cover page (including project title) with team name and team members
- A table of contents with page numbers
- Use double-spaced typing for convenient grading
- Number pages. Font size 12, single column
- Save the Microsoft Word document with the team name in the title. Upload the document
  into the appropriate ANGEL dropbox.

The team report should have the following sections. Each section should cover all the topics
described below. Take screenshots if it is necessary.

Section I: Answer the 9 questions
   1. Q1.1
   2. Q 2.1, Q 3.1, Q 3.2, Q 3.3
   3. Q 3.4, Q 3.5
   4. Two Analysis Questions

Section II: Original Extensions, Byte Code results, Correct Extensions
   1. List of files with original extensions
   2. Byte code research results
   3. List of files with correct extensions

Section III: Correct Extensions, Stegdetect, Stegbreak, Hidden data
   1. File name and correct extension
   2. Stegdetect results
   3. Stegbreak results
   4. Data found if any was found (all files may not contain hidden data)

Grading Rubric:

This project has a number of specific requirements. The requirement for each section is
documented in the above project instruction “Team Report.” Whether you will get credit depends
on the following situations:
- You will get full credit on one item if it is correctly reported as required and well written.
- You will get half credit on one item if it is reported as required but there is something
  definitely wrong.
- You will not get any credit for one item if it is not reported.

The credit for each section is as follows.
   1. Section I: Answer the 9 questions (56.25%):
            a. Questions are worth 6.25% each
   2. Section II: Original Extensions, Byte Code results, Correct Extensions (18.75%):
            a. Each of the 3 items is worth 6.25%
   3. Section III: Correct Extensions, Stegdetect, Stegbreak, Hidden data (25%):
            a. Each of the 4 items is worth 6.25%

This is a team project. Be sure to include the names of all the teammates and all their email
addresses in the report. The report should be turned in before class on the specified due date.
Late submissions will be issued a grade deduction especially if permission is not obtained from
the instructor. The instructor reserves the right to grant or reject extra time for report completion.

1. “Introduction to Steganography.”
2. Johnson, N. F. and Jajodia, S., “Steganalysis of Images Created Using Current Steganography
   Software,” 1998.
3. Johnson, N. F. and Jajodia, S., “Steganalysis: The Investigation of Hidden Information,”
   September 1998.
4. FILExt - The File Extension Source.
5. Kessler, G., “An Overview of Steganography for the Computer Forensics Examiner,” 2004.
