Professional Documents
Culture Documents
Steganography R0ck$ PDF
Steganography R0ck$ PDF
Cryptanalysis
Michael T. Raggo, CISSP
Principal Security Consultant
VeriSign
1
Agenda
X Steganography
– What is Steganography?
– History
– Steganography today
– Steganography tools
X Steganalysis
– What is Steganalysis?
– Types of analysis
– Identification of Steganographic files
X Steganalysis meets Cryptanalysis
– Password Guessing
– Cracking Steganography programs
X Forensics/Anti-Forensics
X Conclusions
– What’s in the Future?
– Other tools in the wild
– References
2
Steganography
3
Steganography - Definition
X Steganography
– from the Greek word steganos meaning
“covered”
– and the Greek word graphie meaning “writing”
X Steganography is the process of hiding of a
secret message within an ordinary message
and extracting it at its destination
X Anyone else viewing the message will fail to
know it contains hidden/encrypted data
4
Steganography - History
5
Steganography
6
Steganography
7
Steganography – Modern Day
8
Steganography – Carrier Files
9
Steganography - Tools
Steganography Tools
X Steganos
X S-Tools (GIF, JPEG)
X StegHide (WAV, BMP)
X Invisible Secrets (JPEG)
X JPHide
X Camouflage
X Hiderman
X Many others…
10
Steganography
– http://www.rhetoric.umn.edu/Rhetoric/misc/dfrank/steg
soft.html - No longer available site…
UPDATED URL:
http://www.topology.org/soft/crypto.html
11
Steganalysis
Identification of hidden files
12
Steganalysis - Definition
X Definition
– Identifying the existence of a message
– Not extracting the message
– Note: Technically, Steganography deals with the
concealment of a message, not the encryption of it
13
Steganalysis
14
Steganalysis – Hiding Techniques
15
Steganalysis – Methods of Detection
16
Steganalysis – Methods of Detection
X Categories
– Anomaly
f Histogram analysis
f Change in file properties
f Statistical Attack
f Visually
f Audible
– Signature
fA pattern consistent with the program used
17
Steganalysis – Methods of Detection
X Goal
– Accuracy
– Consistency
– Minimize false-positives
18
Anomaly – Visual Detection
19
Anomaly - Kurtosis
X Kurtosis
– The degree of flatness or peakedness of a curve describing
a frequency of distribution
– Random House Dictionary
20
Anomaly - Histogram Analysis
21
Anomaly – Histogram Analysis
22
Anomaly Analysis - Compare file
properties
X Properties
– 04/04/2003 05:25p 240,759 helmetprototype.jpg
– 04/04/2003 05:26p 235,750 helmetprototype.jpg
X Checksum
– C:\GNUTools>cksum a:\before\helmetprototype.jpg
3241690497 240759 a:\before\helmetprototype.jpg
– C:\GNUTools>cksum a:\after\helmetprototype.jpg
3749290633 235750 a:\after\helmetprototype.jpg
23
File Signatures
HEX Signature File Extension ASCII Signature
FF D8 FF E0 xx xx JPEG (JPEG, JFIF, ÿØÿà..JFIF.
4A 46 49 46 00 JPE, JPG)
47 49 46 38 37 61 GIF GIF87a
47 49 46 38 39 61 GIF89a
42 4D BMP BM
24
Steganalysis – Analyzing contents of file
25
Steganalysis – Analyzing contents of file
26
Hiderman – Case Study
27
Hiderman – Case Study
28
Hiderman – Case Study
29
Hiderman – Case Study
30
Hiderman – Case Study
31
Hiderman – Case Study
32
Steganalysis – Stegspy V2.1
X StegSpy V2.1
– Signature identification
program
– Searches for stego
signatures and
determines the program
used to hide the
message
– Identifies 13 different
steganography
programs
– Identifies location of
hidden message
33
Steganalysis - Stegspy
X StegSpy - Demo
34
Steganalysis – Stegspy V2.1
X StegSpy V2.1
– Available for download
from my site
f www.spy-hunter.com
– Features currently under
development:
f New signatures
f Scanning entire directories
or drive
f A *NIX-friendly version of
the program
35
Steganalysis – Identifying a signature
36
Steganalysis – Identifying a signature
37
Steganalysis meets Cryptanalysis
Revealing hidden files
38
Steganalysis meets Cryptanalysis
Cryptanalysis
X As stated previously, in Steganography the
goal is to hide the message, NOT encrypt it
X Cryptography provides the means to encrypt
the message.
X How do we reveal the hidden message?
39
Steganalysis meets Cryptanalysis
40
Cryptanalysis
41
Steganalysis – Password Guessing
42
Cryptanalysis – Brute Force Method
43
Cryptanalysis – Brute Force Method
44
Camouflage – Case Study
X Determining the password used with
Camouflage
X The location of the password was determined
by using MultiHex which allows searches for
Hex strings
45
Camouflage
46
BDHTool
X BDHTool we can XOR the two to reveal the key
47
Camouflage
76 XOR 74 = 02
F0 XOR 65= 95
09 XOR 73 = 7A
56 XOR 74 = 22
X The 1st 4 digits of the key are “02 95 7A 22”
X So let’s test our theory…
48
Camouflage
49
Forensics/Anti-Forensics
50
Anti-Forensics
51
Anti-Forensics – Alternate Data Streams
52
Anti-Forensics – Alternate Data Streams
53
Windows – Alternate Data Streams
54
Anti-Forensics – Alternate Data Streams
55
Forensics
56
Forensics – Alternate Data Streams
57
Conclusions
58
Steganalysis – Future?
59
Steganalysis – Other Tools
60
Steganalysis – Other Tools
61
References
62
Question and Answer
63