IST 454: Computer and Cyber Forensics
There are numerous ways to hide files / messages. Some are easy, like changing file extensions, but others can be more complicated, like hiding files within other files. Detecting and retrieving messages hidden in a file, image, or sound wave, known as steganography, is an emerging field of study in Computer Forensics.
Steganography is the art and science of hiding information into covert channels so as to conceal the information and prevent the detection of the hidden message. Today, steganography refers to hiding information in digital picture files and audio files. This lab consists of three major tasks to be performed:
Explore data hiding by changing the file extension,
Detect files hidden in another file, and
Hide files by embedding the information inside an image.
Understand that files can be identified by their first byte signatures
Reestablish correct file extensions using a hex editor
Hide message inside an image file using steganography techniques.
Detect and retrieve information hidden using steganography
We will use the Windows XP virtual machine. The folder “My Documents\Labs\Lab 4\Tools” contains several steganography tools that are to be used in completing this lab exercise. Please preview and understand the purposes and limitations of each tool and learn how to use them. They are:
Jphs05 (jphswin, jphide, and jpseek)
XVI32
Stegdetect (xsteg, Stegdetect, and Stegbreak)
Camouflage
Located in the folder “My Documents\Labs\Data Hiding and Steganography\data” are several files that are not what they appear to be. Your team is to use the provided tools and instructions (in the folder “Manuals”) to identify the hidden files and find the message hidden inside one of the image files.
File Extensions
Create a working sub-directory and copy all the files to be investigated into it. Open each file to see whether it can be opened and viewed properly. Open several known file types (e.g., txt, doc, xls, jpg, gif, wav, etc.) with xvi32 and record their first two bytes, or look up the file extension on the Internet if needed (e.g., the FIL EXT web site). Attempt to identify all the files based on your investigations.
Steganography
After completing task 1, several image files should have been uncovered. Some of these files contain hidden data. The goal of task 2 is to uncover that data. Use the tools provided to examine these files for hidden data. Performing Steganalysis is an art and requires experience, judgment, and trial-and-error. Try the following possible approach to find the hidden message:
Use xsteg to detect whether any file is hiding inside another (Stegdetect is not for every file type. You need to judge whether it is the right tool to use or not.)
Use Stegbreak to identify the key (password) used to hide a message (Again, you may not find the key).
Select an appropriate steganography tool (jphs05 or Camouflage) and use it to detect and retrieve the hidden file.
Task 1: Explore Data Hiding via Changing File Extensions
One of the easier ways to hide a file is to change its file extension. Windows associates files with programs based on their file extension, so if you alter the extension the operating system will associate the file with a different program. This changes its icon and the program used to open it.
There is a way around this hiding technique: files can be identified by their first two bytes.
Included in the “Tools” folder is a program called “xvi32”. This is a hex editor; xvi32 allows files to be viewed at the byte level.
Step 1: Login to the Virtual Win Machine assigned to your team.
Select C:\Documents and Settings\Administrator\My Documents\Labs\Data Hiding and Steganography\Tools
Step 2: Double click on xvi32.exe to launch the program.
Step 3: Drag and drop the file to be examined into the xvi32 window, and it will be displayed.
Step 4: Examine the first two bytes and search Internet (FIL EXT) to find their original file format.
Step 5: Change each file to its original extension using Windows (Hint: Use Windows Explorer. Right click and try the “Rename” or “Properties” options).
Q1.1: Three types of files can contain graphics: bitmap, vector, and metafile (which combines bitmap and vector). Standard vector image file formats include Hewlett Packard Graphics Language (.hpgl) and AutoCAD (.dxf); non-standard image file formats include .tga, .rtl, .psd, etc. Please search the Web for standard bitmap formats, and record their first two bytes via xvi32.
Task 2: Detect Data Hiding Using Steganalysis Techniques
After changing all the files to their correct extensions, you will see some image files. Open these files. Can you tell any difference in them by just looking? One of these files contains another jpg inside it. Steganography is the art of hiding data within data. Stegdetect is a steganalysis program that deals with steganography in jpg files. Stegdetect is a command-line-based program that allows you to check for hidden data. You can find some PDF documents with instructions on stegdetect usage. xsteg is a gtk+ frontend to stegdetect. Below are instructions on how to use these tools. Read the instructions in the tools folder for more detailed information.
Step 1: Open the command prompt on the virtual machine and change the directory to “C:\Documents and Settings\My Documents\Administrator\Labs\Data Hiding and Steganography\Tools\stegdetect”.
Step 2: Use the following command to determine if a file possibly contains data:
stegdetect -t p filename
The output should indicate the presence or absence of hidden data and tell you what program was most likely used to hide the data. However, this program works on probability. If the data is small enough, it might not be detected. You might try adjusting the sensitivity level parameter.
Step 3: Use the following command to perform a brute force dictionary attack and crack the password on the file. (The dictionary is under the “Dictionary” folder, named “English.txt”.)
stegbreak -f english.txt -r rules.ini filename
TIPS:
1. When you run Stegdetect or Stegbreak, you have to run it from its own directory, e.g., "c:\Documents Setting......\Administrator\....\stegdetect>". Please switch to that directory using “CD directory”.
2. You need to copy the files that you want to detect or break into this folder.
3. When you run stegbreak, you also need to copy the dictionary file "english.txt" into this folder. Then run this command: "stegbreak -f english.txt -r rules.ini filename". After that, you will find the password in "<>".
Q 2.1: Please explain the weakness of stegbreak as a steganalysis tool according to your experience in task 2.
Task 3: Learn to Hide Files / Messages
Camouflage and jphs05 are two popular steganography freeware programs. Jphs05 can only be used to hide files in a file with JPEG format. Camouflage is more flexible and can be used to hide files with different formats (e.g., gif, JPEG, Wav, etc.).
Sub-task 1: Use the jphide and jpseek programs to hide and reveal stego data. (Note: Not all files can be revealed using jphs05.)
Step 1: Double click on “jphswin.exe” to start a shell that uses both the jphide and jpseek programs.
Step 2: Click on “Open jpeg” then “seek” to attempt to uncover the data. Use the password obtained from step 2 of task 1.
Q 3.1: What are the major differences between Stegdetect and jphswin?
Sub-task 2: Use Camouflage to reveal stego data.
Step 1: Select the file / message to be retrieved.
Step 2: Right click on the file, select “Uncamouflage.”
Step 3: Follow the screen instructions to complete the task. (Use “ist454” as the password.)
Sub-task 3: Use Camouflage and/or jphs05 to hide stego data.
Please select an appropriate tool to perform the following data hiding tasks:
Hide the “btv_map.gif” file inside the “hitchhiker.wav” file.
Hide the revealed “message.txt” file inside the “mall_at_night.gif” file.
Q 3.2: Can you find a quick way to tell the difference between the two files “mall_at_night_S.gif” and “mall_at_night.gif”? Please discuss “how”!
Q 3.3: Can you reveal the file inside “mall_at_night_S.gif” (using the password “tyui”)? If not, please discuss why it cannot be revealed.
Q 3.4: Can you use the provided software to detect whether any of the evidence files have files hidden inside them? If not, why? Please discuss!
Q 3.5: What are the strengths and weaknesses of Camouflage and jphs05? Please compare and discuss based on your experience of using the tools and the manuals.
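Q 3.2 asks for a quick way to tell two GIF files apart, and Q 3.4 asks whether the provided tools cover every evidence file (Stegdetect only examines JPEGs). One tool-independent check, written here as an added example that is not part of the lab or of Camouflage or jphs05, is to compare size and hash and then walk the file's own structure: a GIF ends at its 0x3B trailer and a WAV's RIFF header declares its length, so any bytes after that point are appended data the container does not account for. This catches payloads appended to a carrier; it does not detect changes made inside the compressed image data, which is what Stegdetect looks for. The sample GIF and WAV below are constructed in memory, not the lab's evidence files.

```python
import hashlib

def gif_end(data: bytes) -> int:
    """Offset just past the GIF trailer byte (0x3B), found by walking the block structure."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                        # global color table: 3 bytes x 2^(n+1) entries
        pos += 3 * (2 << (data[10] & 0x07))
    def skip_subblocks(p: int) -> int:         # length-prefixed sub-blocks end with a 0 byte
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1
    while True:
        tag = data[pos]
        if tag == 0x3B:                        # trailer: the real end of the image
            return pos + 1
        if tag == 0x21:                        # extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        elif tag == 0x2C:                      # image descriptor (10 bytes), optional local table,
            if data[pos + 9] & 0x80:           # then LZW minimum code size byte, then sub-blocks
                pos += 3 * (2 << (data[pos + 9] & 0x07))
            pos = skip_subblocks(pos + 11)
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (tag, pos))

def wav_end(data: bytes) -> int:
    """Offset just past the RIFF chunk: 8 header bytes + the little-endian size at bytes 4..8."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a WAV")
    return 8 + int.from_bytes(data[4:8], "little")

def trailing_bytes(data: bytes) -> int:
    """Bytes after the container's declared end; 0 for a clean file, negative if truncated."""
    end = gif_end(data) if data[:3] == b"GIF" else wav_end(data)
    return len(data) - end

def summarize(data: bytes) -> dict:
    """The quick comparison record for two files: size, SHA-256, and trailing-byte count."""
    return {"size": len(data), "sha256": hashlib.sha256(data).hexdigest(),
            "trailing": trailing_bytes(data)}

# Constructed samples: a 1x1 GIF and an empty WAV, each with a copy carrying appended bytes.
TINY_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
            + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
EMPTY_WAV = (b"RIFF" + (36).to_bytes(4, "little") + b"WAVEfmt " + (16).to_bytes(4, "little")
             + bytes(16) + b"data" + (0).to_bytes(4, "little"))
GIF_WITH_PAYLOAD = TINY_GIF + b"hidden message"
WAV_WITH_PAYLOAD = EMPTY_WAV + b"pretend payload"
```

Run `summarize()` on each pair: the hashes differ, the sizes differ by the payload length, and only the stego copies report a non-zero trailing count.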
1. What are two ways Stego is used to protect data? Explain!
2. During your search, you probably found some file extensions that did not match even though the file types were the same. What are some possible reasons for this mismatch?
The team report is to show what you did in the project. Clearly state your results of this project.
You are expected to hand in a report in the following format:
A cover page (including project title) with team name and team members
A table of contents with page numbers
Use double-spaced typing for convenient grading
Number pages. Font size 12, Single column
Save the Microsoft Word document with the team name in the title. Upload the document into the appropriate ANGEL dropbox.
The team report should have the following sections. Each section should cover all the topics described below. Take screenshots if it is necessary.
Section I: Answer the 9 questions
1. Q1.1: (page 3)
2. Q 2.1, Q 3.1, Q 3.2, Q 3.3: (page 4)
3. Q 3.4, Q 3.5: (page 5)
4. Two Analysis Questions: (page 5)
Section II: Original Extensions, Byte Code results, Correct Extensions
1. List of files with original extensions
2. Byte code research results
3. List of files with correct extensions
Section III: Correct Extensions, Stegdetect, Stegbreak, Hidden data
1. File name and correct extension
2. Stegdetect results
3. Stegbreak results
4. Data found, if any was found (not all files may contain hidden data)
Grading Rubric:
This project has a number of specific requirements. The requirement for each section is documented in the project instructions above (“Team Report”). Whether you will get credit depends on the following situations:
You will get full credit on one item, if it is correctly reported as required and well written.
You will get half credit on one item, if it is reported as required but there is something definitely wrong.
You will not get any credit for one item, if it is not reported.
The credit for each section is as follows.
1. Section I: Answer the 9 questions (56.25%):
   a. Questions are worth 6.25% each
2. Section II: Original Extensions, Byte Code results, Correct Extensions (18.75%):
   a. Each of the 3 items is worth 6.25%
3. Section III: Correct Extensions, Stegdetect, Stegbreak, Hidden data (25%):
   a. Each of the 4 items is worth 6.25%
Note
This is a team project. Be sure to include the names of all the teammates and all their email addresses in the report. The report should be turned in before class on the specified due date.
Late submissions will be issued a grade deduction, especially if permission is not obtained from the instructor. The instructor reserves the right to grant or reject extra time for report completion.
1. “Introduction to Steganography.” http://io.acad.athabascau.ca/~grizzlie/Comp607/menu.htm
2. Johnson, N. F., Jajodia, S., “Steganalysis of Images Created Using Current Steganography Software,” 1998. http://www.jjtc.com/ihws98/jjgmu.html
3. Johnson, N. F. and Jajodia, S., “Steganalysis: The Investigation of Hidden Information,” September 1998. http://www.jjtc.com/pub/it98a.htm
4. FILExt - The File Extension Source. http://filext.com/alphalist.php?extstart=%5EJ
5. Kessler, G., “An Overview of Steganography for the Computer Forensics Examiner,” February 2004. http://www.garykessler.net/library/fsc_stego.html