Unit 8: Steganography 8.1 Steganography Introduction to Steganography

mac2022-06-30  22

>> Steganography comes from the Greek words meaning covered writing. It is the art and the science of hiding communications. In many cases critical evidence is hidden inside images, audio or video files using widely-available steganography tools. We have seen that forensic analysis tools are capable of gathering all images from suspect media and displaying them in a graphics or gallery view. However, human eyes are not able to detect hidden messages from these images. Forensic investigators may detect new steganography through hash analysis if a hash is included in the hash set. But general forensic analysis tools are not very effective at detecting graphic steganographic files. As forensic investigators we must learn the techniques to detect images that contain steganographic content and to recover hidden evidence in a forensically-sound manner.

Steganography is different from encryption in that cryptography does not conceal that a message has been encrypted, but the message is unreadable without a specific key. Steganography, on the other hand, hides the existence of hidden data. Without using tools humans would not detect the presence of the image. However, most steganography encrypts the hidden message first and then hides it in digital or audio files. The combination of steganography and cryptography provides two levels of hidden data protection. Steganalysis is the process of detecting steganography and then recovering hidden evidence.

The concept of steganography and cryptography can be traced back to 2500 years ago. The early Greeks used various forms of covered writing to conceal secret communication. The ancient Greeks used a scytale as a cipher to communicate during military campaigns. The scytale used a rod with a strip of parchment wrapped around it, on which a message is written. The sender only carries this strip of parchment, and it contains a hidden message. The recipient has to use a rod of the same diameter, on which the parchment is wrapped, to read the message; therefore the rod is similar to our modern-day symmetric key. Without this particular rod, even if enemies got the piece of parchment they could not read the message. However, a scytale does not hide the fact that the adversary is sending a hidden message, so a scytale is considered one of the oldest cryptography tools.

Another interesting approach used in history for transposition cipher was to hide secret text inside a messenger's hair. They would first shave a messenger's hair, and then the secret text was tattooed onto his bald head. After his hair grew back to a normal length the messenger would then proceed to the destination, passing security inspections. This approach hides the existence of a secret message, so we consider it an ancient steganography method.

A Null Cipher or early encrypted text message is another example of steganography. It works by hiding a secret message within a large paragraph of non-cipher words. The recipient knows how to discard certain characters in order to extract the secret message. For example, given a normal-looking paragraph, taking the third letter or other positions in each word successively reveals the real hidden message. Germans used Null Cipher messages during World War I.

Perceptual masking is the concept of hiding a sound behind another loud sound of the same frequency. We have seen this technique used many times when someone is concerned that they will be overheard. They turn up the stereo or television sound to mask their conversation.

Modern-day steganography hides information in digital media such as digital audio, video or image files. Steganography can be beneficial to people in many ways, for example, for password protection and communication privacy. Steganography technique is also used in digital watermarks for copyright protection in digital format. Digital watermarking embeds owner and rights information in images to tell the internet world that these pictures belong to the owner. If someone downloads these watermarked images, the download includes not only the image itself but also the copyright information. Steganography technique is used to add a visual watermark to an existing product.

Unfortunately steganography has been employed for illegal purposes. Terrorists may use steganography to communicate via the internet by hiding instructions or commands in webpage pictures. It was reported that Bin Laden and his terrorists used steganography to plan for the 9/11 attacks. Corporate espionage commonly uses steganography to conceal intellectual property and trade secrets inside innocent-looking digital media to bypass expensive corporate detection systems. The malware Zeus hid the URLs of the target banks and the financial institutions in a set of sunset and cat images. This approach successfully bypassed signature-based intrusion detection systems and anti-virus software.

To perform steganographic analysis we will first look at steganography concepts and the technologies to understand how steganography hides information in various digital sources. If you choose to use steganography you must have a secret to hide. The secret message or information that you want to conceal is called the payload. The carrier or host is the data body that hides the payload. Carriers can be existing files or generated on-the-fly. The combination of the payload and the carrier is called a covert file.

Steganography works by exploiting limitations of human perception. Human eyes are only capable of perceiving light in a narrow range of wavelengths, so they are poor at distinguishing different colors. The human hearing range is limited, so humans have difficulty detecting slight amplitude and phase shifts. Even though the covert file contains a payload and is different from the carrier, when a human examines them through human eyes and ears the covert file appears identical to the carrier. The goal of forensic analysis is to detect steganography files and to recover the hidden content in a forensically-sound manner. There's no doubt this process is difficult. Even if you detect a steganographic file you may not be able to recover its payload.

There are many approaches to hide data using steganography. We will look at four methods: injection, substitution, generating covert files and the covert channels.

The injection method adds a payload to a carrier file without changing the carrier file's content. With this approach the quality of the carrier file will not be affected since its content is not modified, but the covert image's size will increase. Camouflage is a free steganography tool that uses the injection method. It directly injects the payload data by appending data after the carrier file's end-of-file marker. Although Camouflage does not modify the carrier file's appearance or function, it is easy to detect. If you know the footer for the carrier file you can detect the data inserted after the footer.

The substitution method replaces existing data in a carrier file with the payload content. Depending on the type and the size of a carrier file and the size of the payload, substitution could degrade the original file's quality. After the substitution the covert file's size should be the same as the carrier file. Some data-hiding processes involve data compression. In these cases the covert file's size will be even smaller than the original's file size. Substitution usually replaces the carrier's insignificant data. In binary notation the most significant bits are towards the left while the least significant bits are the right-most bits. Changing the most significant bits will certainly lead to a larger difference in value. The least significant bit or LSB is one of the main substitution techniques used in steganography. It embeds a payload into the least significant bits of certain bytes in a carrier file. For example, if you plan to use 2 least significant bits to hide Character A, in binary 01000001, then you would use a total of four bytes of a carrier file to hide Character A. The first byte's two least significant bits hide 01, and the second and the third bytes hide 00. The fourth byte hides 01 in its two least significant bits. Changing one or two LSBs creates minimum impact.

Both injection and substitution use existing carrier files to hide a payload. Given the payload we can also generate a covert file on-the-fly to embed the payload inside. SPAM MIMIC, a web-based steganography tool, allows you to insert your payload by clicking encode. It would then automatically create a SPAM-like message that contains the payload you provide. You simply send this message to the intended receiver via email or other methods. To decode this message the recipient will use SPAM MIMIC's decode feature by clicking on 'decode'. After copying and pasting the message to SPAM MIMIC this tool will decode the message and display the hidden message. If the sender uses the encode with a password option when generating the message, the recipient will have to provide the password to decode the message. Since SPAM MIMIC is web-based, malicious users may use publicly-available computers to generate a spam message to hide their own identities.

Covert channels use TCP packets as carrier files to send and receive payload between machines without alerting any firewalls and IDSs on the network. There are many different channels to exploit as hiding mechanisms. The payload data may be hidden in unused or reserved spaces in TCP/IP packet headers. The freeware Covert-TCP is an example of covert channels. It hides information in TCP's initial sequence numbers. An initial sequence number is a 32-bit number assigned to each new TCP connection on a TCP-based data communication. Here is how Covert-TCP hides information. If you want to hide a character 'a' you set the initial sequence number to be the product of multiplying the ASCII value of 'a' and a constant value 'k'. You then send a TCP packet using this specially crafted initial sequence number. The receiver divides this initial sequence number by the constant number 'k' and gets the ASCII value of 'a'. Now the receiver reveals the hidden character 'a'. The disadvantage of this method is that only a limited amount of payload can be sent through it.
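The two-bit LSB walk-through for the character A, carried through on four bytes. This is an added example, not code from the lecture; the carrier byte values are constructed and the function names are hypothetical. The extractor is the part an examiner uses once the bit width and payload length are known.

```python
def embed_lsb(carrier: bytes, payload: bytes, nbits: int = 2) -> bytes:
    """Replace the nbits least significant bits of successive carrier bytes."""
    if nbits not in (1, 2, 4):
        raise ValueError("nbits must divide 8 evenly")
    per_byte = 8 // nbits  # carrier bytes needed per payload byte
    if len(payload) * per_byte > len(carrier):
        raise ValueError("carrier too small for payload")
    mask = (1 << nbits) - 1
    out = bytearray(carrier)
    i = 0
    for value in payload:
        # Most significant bit group first: A = 01|00|00|01
        for shift in range(8 - nbits, -1, -nbits):
            out[i] = (out[i] & ~mask & 0xFF) | ((value >> shift) & mask)
            i += 1
    return bytes(out)


def extract_lsb(covert: bytes, length: int, nbits: int = 2) -> bytes:
    """Rebuild `length` payload bytes from the low bits of the covert bytes."""
    mask = (1 << nbits) - 1
    per_byte = 8 // nbits
    out = bytearray()
    for n in range(length):
        value = 0
        for b in covert[n * per_byte:(n + 1) * per_byte]:
            value = (value << nbits) | (b & mask)
        out.append(value)
    return bytes(out)


def max_change(carrier: bytes, covert: bytes) -> int:
    """Largest per-byte difference introduced by the substitution."""
    return max(abs(a - b) for a, b in zip(carrier, covert))


# Constructed carrier bytes (for example, four pixel color values).
CARRIER = bytes([0b10110110, 0b01101011, 0b11100101, 0b00011100])

if __name__ == "__main__":
    covert = embed_lsb(CARRIER, b"A")
    print([format(b, "08b") for b in covert])
    print(extract_lsb(covert, 1), max_change(CARRIER, covert))
```

The covert bytes have the same length as the carrier and no byte moves by more than 3 out of 255, which is why the change is not visible and why size comparison alone does not reveal substitution.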
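The multiply-by-k scheme leaves a detectable pattern: every initial sequence number from the sender shares the factor k, while ordinary ISNs almost never share a large common factor. This added example (not from the lecture and not Covert-TCP's own code) checks a list of captured ISNs for that pattern; the value of k, the ISN lists and the threshold are constructed assumptions.

```python
from functools import reduce
from math import gcd


def analyse_isns(isns, min_factor=256, min_samples=3):
    """Flag a series of ISNs that share a large common factor.

    Returns None when the series looks ordinary, otherwise a tuple
    (common_factor, decoded_text_or_None). The common factor equals
    k times any divisor shared by all character codes, so the decoded
    text is only a candidate for the examiner to confirm.
    """
    if len(isns) < min_samples:
        return None  # too few connections to draw a conclusion
    factor = reduce(gcd, isns)
    if factor < min_factor:
        return None
    quotients = [n // factor for n in isns]
    if all(32 <= q < 127 for q in quotients):  # printable ASCII range
        return factor, "".join(chr(q) for q in quotients)
    return factor, None


# Constructed assumption: the lecture does not state the constant k.
K = 65536

# Constructed sample: ISNs of six connections carrying one character each.
COVERT_ISNS = [ord(c) * K for c in "secret"]

# Constructed sample: unrelated 32-bit ISNs (one is the prime 2**31 - 1,
# so the common factor of the series is 1).
BENIGN_ISNS = [2918340211, 2147483647, 774120958]

if __name__ == "__main__":
    print(analyse_isns(COVERT_ISNS))
    print(analyse_isns(BENIGN_ISNS))
```

Because each connection carries a single character, a message of any length produces a run of new connections from one source, which is the limited capacity the lecture mentions and a second signal to look for in connection logs.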

Reposted from: https://www.cnblogs.com/sec875/articles/10040362.html
