Steganography 4.2.2019.

• exchanging messages
• through open channels
• even if someone can
  ▪ intercept messages and change them
• "The Prisoners Problem" by Simmons, 1983

– everybody can see that communication is going on
  ● even capture the message
– but cannot understand the message

– is hiding the fact that there is a communication
  ● nobody can see the message
  ● it is hidden

steganos = protected, gráfo = to write

http://docsdrive.com/images/academicjournals/rjit/2013/fig3-2k13-53-66.jpg

2015-2017 (c) P.Pale: Computer forensics: Steganography 4.2.2019.

• 1499: „Steganographia” by Johannes Trithemius
  ▪ first recorded use of the term „steganography”
  ▪ a book on cryptography and steganography
  ▪ disguised as a book on magic!
• 440 BC: Herodotus records use
  ▪ shaving slaves' heads
  ▪ using wooden surface of wax tablets
• Cardan Grille
  ▪ positions in text

• invisible (secret) ink
  ▪ needs chemicals or heat to become visible
    ◦ lemon juice–heat
• knitting in clothes
• microdots
• typefaces in printed text
  ▪ „Is every car electrical?”

• digital messages
• digital text
• network steganography
• Cyber-physical Systems (Internet of Things)
• printed content
• media files


• hiding content in office files
• using color to disguise text
  ▪ text and background of same color
• overlapping elements
  ▪ picture overlapping text
• …
• coding
  ▪ mixing ASCII and Unicode characters
  ▪ nonprinting Unicode characters
• deliberate errors
  ▪ spelling
  ▪ formatting
• using control elements in HTML
  ▪ embedding in JavaScript

• also „Social steganography”
• all sorts of messages
  ▪ web pages, blogs, comments, shares, likes
• methods
  ▪ timing, order, mistakes, …
  ▪ types of media files, size, metadata …
  ▪ using jargon
    ◦ professional, slang, emoticons, pictograms, …

• using space in last block after the end-of-file
• hidden partitions

People can’t see messages but programs can detect them
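A detection-side check for the text coding tricks listed above (nonprinting Unicode characters, mixing ASCII and Unicode characters), as an added example that is not part of the original slides. The function names and the sample string are constructed for illustration.

```python
import unicodedata

def invisible_chars(text):
    """Return [(index, 'U+XXXX', name)] for nonprinting format characters.

    Unicode category "Cf" covers zero-width spaces and joiners, bidi
    controls, the word joiner, the BOM and the tag block.
    """
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def script_of(ch):
    """Rough script label: the first word of the character's Unicode name."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def mixed_script_words(text):
    """Return [(word, [scripts])] for words whose letters span several scripts."""
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            flagged.append((word, sorted(scripts)))
    return flagged

# Constructed sample: a Cyrillic "a" (U+0430) inside a Latin word, followed
# by three zero-width characters that could carry hidden bits.
SAMPLE = "Meet at the c\u0430fe\u200b\u200c\u200b at noon"

if __name__ == "__main__":
    for index, codepoint, name in invisible_chars(SAMPLE):
        print(f"offset {index}: {codepoint} {name}")
    for word, scripts in mixed_script_words(SAMPLE):
        print(f"mixed scripts {scripts} in {word!r}")
```
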


• uses communication protocols' control elements
  ▪ typically in headers
  ▪ or special packets
  ▪ or pattern of packet exchange
• single protocol
  ▪ within packets
  ▪ timing of packets
• multiple protocols
  ▪ inter protocol steganography
• steganophony
  ▪ Voice-over-IP
    ◦ LACK (Lost Audio Packets Steganography)
      ▫ delayed or corrupted packets
  ▪ WLAN Steganography
    ◦ HICCUPS (Hidden Communication System for Corrupted Networks)
      ▫ intentionally wrong checksums

• Some countries (e.g. China, Iran…)
  ▪ block access to VPNs, Tor network etc.
  ▪ on a network level
• To circumvent this
  ▪ citizens use (network) steganography

• They use technology
  ▪ that makes “illegal” traffic (e.g. Tor traffic)
  ▪ look like “legal” traffic (e.g. Skype video call traffic)
• Doing this
  ▪ makes it hard to block “illegal” traffic
  ▪ without also blocking “legal” traffic
  ▪ because it is hard to distinguish between them


• The programs for hiding Tor network traffic
  ▪ are called Pluggable Transports (PT)
• There are many ingenious PT designs
  ▪ more info: https://www.torproject.org/docs/pluggable-transports.html.en
• From a steganography point of view,
  ▪ some interesting PTs are:
    ◦ Format-Transforming Encryption (FTE)
    ◦ SkypeMorph / Code-Talker-Tunnel
    ◦ meek

• Format-Transforming Encryption (FTE)
  ▪ makes data (e.g. “illegal” Tor/VPN traffic)
  ▪ look like arbitrary application-layer traffic (e.g. HTTP)

https://fteproxy.org/about.html

• SkypeMorph/CTT
  ▪ disguises Tor traffic
  ▪ as Skype video call traffic

http://cacr.uwaterloo.ca/techreports/2012/cacr2012-08.pdf


• meek uses domain fronting:
  ▪ it uses different domain names
  ▪ at different layers of communication
• one domain
  ▪ appears on the “outside” of an HTTPS request
    ◦ in the DNS request
    ◦ and TLS Server Name Indication
• while another domain
  ▪ appears on the “inside”
    ◦ in the HTTP Host header

• This works with some CDN services e.g.:
  ▪ Amazon CloudFront
  ▪ Microsoft Azure
• …
• more info: https://www.bamsoftware.com/papers/fronting/

• Physical systems controlled by computers
• the state of multiple devices
• the timing/order of their operation: on/off
• the manipulation of their measurements and reports

https://fteproxy.org/about.html


• Machine Identification Code (MIC)
  ▪ „yellow dots, tracking dots, secret dots”
  ▪ laser printers and photo-copiers
  ▪ watermarking every page
  ▪ serial number, timestamp
• countermeasures
  ▪ to enhance privacy

• the letter size, spacing, typeface, …
  ▪ FontCode
    ◦ http://www.cs.columbia.edu/cg/fontcode/
    ◦ modifying specific parameters of letters
      ▫ to carry information
    ◦ undetectable to humans
    ◦ machine readable to computers
    ◦ message is preserved
      ▫ in copying/scanning/resizing/rotating

• audio, video, photos, drawings
• techniques
  ▪ insertion
  ▪ modifying least significant bits
  ▪ distortions
  ▪ creating carrier


by Andy Brown
• hiding image or audio (and decoding)
  ▪ any format
• in image or audio
  ▪ WAV, BMP, GIF
• also offers encryption
  ▪ IDEA, DES, MDC

by Michal Wegrzyn
• free coding and decoding of any file type
• uses LSB (Least significant bits algorithm)
• simple GUI for various techniques

by Cosimo Oliboni, Windows only
• hiding and decoding images, audio, video
  ▪ JPG, PNG, MP3, MP4, WAV,...
• can use multiple carriers (carrier chain)
• 3 layers of hidden data obfuscation
  ▪ cryptography, whitening and encoding
• deniable steganography


by Kent Briggs
• creating carrier
• also editing image
  ▪ resizing, cropping, rotating …
• can also encrypt
  ▪ 256-bit AES

• hiding any type of file in audio or image
  ▪ JPG, GIF, BMP or MP3, WAV
• encrypting
  ▪ Blowfish, AES, T-DES

| Software | Carrier | RAM usage | Encryption algorithm | Steganography |
|---|---|---|---|---|
| S-Tools | BMP, GIF | 1.6 MB | IDEA, DES, T-DES, MDC | LSB |
| VSL | Any | 43.8 MB | - | LSB, Karhunen-Loeve, F5 algorithm |
| OpenPuff | BMP, JPG, PCX, PNG, TGA | 36.0 MB | AES, Anubis, Camellia, proprietary | LSB |
| CryptaPix | BAY, BMP, CRW, CR2, CUR, DCR, DCX, DIB, EMF, FAX, GIF, G3F, G3N, ICB, ICO, JIF, JPC, JPE, JPG, JP2, J2C, J2K, MRW, NEF… | 6.3 MB | AES | 3 bit segments |
| Quick Crypto | JPG, GIF, BMP | 4.7 MB | Blowfish, AES, T-DES | LSB |


• Measures
  ▪ PSNR – Peak Signal to Noise Ratio
    ◦ better measure
    ◦ the greater the value the better image
  ▪ SSIM – Structural Similarity Index
    ◦ similar to human perception
    ◦ values 0 to 1; 1 = totally equal
• Message
• Carriers

PSNR values

| Image | S-Tools | VSL | OpenPuff | CryptaPix | Quick Crypto |
|---|---|---|---|---|---|
| 3 | 66.32 | 57.09 | 56.76 | 56.34 | 65.02 |
| 4 | 67.02 | 58.76 | 57.26 | 57.26 | 66.01 |
| 5 | 67.1 | 57.95 | 57.03 | 57.03 | 66.25 |

SSIM values

| Image | S-Tools | VSL | OpenPuff | CryptaPix | Quick Crypto |
|---|---|---|---|---|---|
| 3 | 0.9999 | 0.9988 | 0.9989 | 0.9988 | 0.9998 |
| 4 | 0.9998 | 0.9987 | 0.9981 | 0.9981 | 0.9998 |
| 5 | 1.0 | 0.9997 | 0.9997 | 0.9997 | 1.0 |

Images:
  ▪ 467.6 KB, 399x399, 24 bit BMP
  ▪ 500.2 KB, 413x413, 24 bit BMP
  ▪ 557.0 KB, 436x436, 24 bit BMP
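An added example (not from the slides and not the algorithm of any listed tool) that computes PSNR for plain LSB replacement and goes slightly beyond the slide by showing how the value depends on how much of the carrier is used. The carrier is constructed random data with the sample count of a 399x399 24 bit image; `embed_lsb`, `extract_lsb` and `lsb_psnr_at_fill` are hypothetical helper names.

```python
import math
import random

def psnr(original, modified, peak=255):
    """Peak signal-to-noise ratio in dB between two equal-length sample lists."""
    if len(original) != len(modified):
        raise ValueError("sample lists must have the same length")
    mse = sum((a - b) ** 2 for a, b in zip(original, modified)) / len(original)
    return math.inf if mse == 0 else 10 * math.log10(peak ** 2 / mse)

def embed_lsb(samples, bits):
    """Replace the least significant bit of the first len(bits) samples."""
    if len(bits) > len(samples):
        raise ValueError("payload exceeds carrier capacity (1 bit per sample)")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out

def extract_lsb(samples, n_bits):
    """Read back the first n_bits least significant bits."""
    return [s & 1 for s in samples[:n_bits]]

def lsb_psnr_at_fill(carrier, fill, seed=1):
    """PSNR after filling the given fraction of LSB capacity with random bits
    (random bits stand in for an encrypted payload)."""
    rng = random.Random(seed)
    bits = [rng.getrandbits(1) for _ in range(int(len(carrier) * fill))]
    return psnr(carrier, embed_lsb(carrier, bits))

# Constructed carrier: random 8-bit samples, 399 x 399 pixels x 3 channels.
_rng = random.Random(7)
CARRIER = [_rng.randrange(256) for _ in range(399 * 399 * 3)]

if __name__ == "__main__":
    for fill in (1.0, 0.5, 0.1, 0.01):
        print(f"fill {fill:>4}: {lsb_psnr_at_fill(CARRIER, fill):.2f} dB")
    # Worst case: every sample changes by 1, so MSE = 1.
    print(f"lower bound: {psnr([0] * 8, [1] * 8):.2f} dB")
```

Under this model, using the whole LSB plane gives about 51 dB and a tenth of it about 61 dB, so PSNR mostly reflects payload size relative to the carrier.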


• the science of discovering messages
  ▪ hidden by steganographic methods
• analytical „attacks” attempt to
  ▪ detect the presence of a hidden message
  ▪ or even its meaning/content

• According to known information
• Visual inspection method
• Audio playback method
• Software method
