
Intro to Cyber Crime and Computer Forensics CSE 4273/6273 March 19, 2012



Presentation Transcript


  1. Intro to Cyber Crime and Computer Forensics CSE 4273/6273 March 19, 2012 MISSISSIPPI STATE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

  2. Data Recovery
     • Forensics without the legal junk!
     • Data is lost for some reason
        • Intentional
           • Data deleted
           • Disgruntled employee
           • Hacker trying to cover tracks
           • Device “destroyed”
        • Unintentional
           • Heads “crash”
           • “Oops, my bad!”

  3. Data Recovery Techniques
     • Disk editor
        • Look at the metadata and try to discover the location of the deleted data
     • Forensics software
        • FTK
        • FTK Imager
        • EnCase
        • Autopsy

  4. Data Hiding
     • Obfuscating data
        • The existence of the data is easy to see, but it is difficult to determine what it is.
     • Hiding data
        • The existence of the data is hidden.
     • Blinding the investigator
        • The data is not hidden, but the normal tools cannot detect it because they have been modified.

  5. Obfuscating Data
     • Encryption
        • Hides by changing the data according to some algorithm. To see it, you must decrypt it.
     • Compression
        • Hides by removing extraneous information from the file, making it unreadable and unsearchable.
        • There are very good decompression programs.

  6. Hiding Data
     • In plain sight
        • Shows up in a directory listing, but not as what you are looking for.
        • Change the file extension
     • Within the file system, in a file
        • Steganography
        • Invisible names
        • Misleading names
        • Obscure names
        • No names

  7. Continued…
     • Within the file system, but not in a file
        • Slack space
        • Free space
        • Swap space
     • Outside the computer
        • Floppy disks
        • CDs
        • Zip disks
        • Thumb drives

  8. How to beat it?
     • In plain sight
        • Find the two-byte file signature (magic number) and determine the true type of the file.
     • Within the file system, in a file
        • Steganography
           • Locate, then crack
        • Invisible, misleading, or obscure names
           • A keyword search on the file system will find the file.
        • No names
           • Peculiar to Unix: zero-link files
           • You must locate these files before shutting down the system, or they will be lost.
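The “in plain sight” check from slide 8, as an added example that is not part of the deck: it reads the leading bytes of each file and flags any whose extension disagrees with the signature. The signature table, the extension aliases and the sample files are constructed for this example.

```python
import os
import tempfile

# Leading byte signatures ("magic numbers"). Constructed table for this example: the image
# formats the slides discuss plus a few types commonly disguised behind another extension.
SIGNATURES = {
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"BM": "bmp",
    b"PK\x03\x04": "zip",
    b"MZ": "exe",
    b"%PDF": "pdf",
}
# Extensions that legitimately map onto one of the signature types above.
EXT_ALIASES = {"jpg": "jpeg", "jpe": "jpeg", "dll": "exe", "docx": "zip", "xlsx": "zip", "jar": "zip"}

def sniff_type(head: bytes) -> str:
    """Identify a file by its leading bytes; the longest matching signature wins."""
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if head.startswith(magic):
            return SIGNATURES[magic]
    return "unknown"

def extension_matches(path: str, head: bytes) -> bool:
    """True if the extension agrees with the signature, or if the signature is not recognised."""
    kind = sniff_type(head)
    if kind == "unknown":
        return True          # cannot prove a mismatch, so do not raise a false alarm
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    return EXT_ALIASES.get(ext, ext) == kind

def find_mismatches(root: str) -> list:
    """Walk a tree and report (relative path, real type) for each extension/signature mismatch."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                head = fh.read(16)   # the longest signature above is 8 bytes
            if not extension_matches(full, head):
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), sniff_type(head)))
    return sorted(hits)

def demo_mismatches() -> list:
    """Constructed sample tree: two files hide behind the wrong extension, one has no known type."""
    samples = {
        "holiday.txt": b"GIF89a\x10\x00\x10\x00" + b"\x00" * 8,   # a GIF renamed as text
        "photo.jpg":   b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",        # honest JPEG
        "report.pdf":  b"%PDF-1.4\n%constructed",                  # honest PDF
        "readme.doc":  b"MZ\x90\x00\x03\x00\x00\x00",              # an executable renamed as a document
        "data.bin":    bytes(range(16)),                          # no known signature: not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return find_mismatches(root)
```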

  9. Blinding the Investigator
     • The data is not hidden, but the tools used to view the system are modified so that they do not show the suspect data.
     • Changing system commands
        • Changing DIR or ls so that they do not show certain kinds of files
        • Modifying Windows apps like “My Computer”
     • Modifying the operating system
        • Changing the operating system so that it does not look at certain areas of the disk, except under certain circumstances.

  10. How to beat it?
     • Changed behavior of the system commands
        • Reload the system commands, or move the data to a new system.
        • Compare hash values of the known system files.
     • Changed behavior of the operating system
        • Ditto.
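The hash comparison from slide 10, as an added example that is not part of the deck: a baseline of SHA-256 digests is taken from a trusted copy of the system commands, and a later comparison classifies each file as modified, missing or unexpected. The directory layout and the tampering scenario are constructed for this example.

```python
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: str) -> dict:
    """Map each file under root (relative, '/'-separated) to its digest. Take this on a trusted system."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            baseline[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return baseline

def compare_to_baseline(root: str, baseline: dict) -> dict:
    """Classify paths as modified (digest differs), missing (gone) or unexpected (not in the baseline)."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo_trojaned_ls() -> dict:
    """Constructed scenario: baseline three commands, then alter 'ls', delete 'dir' and add 'sneaky'."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        for name in ("ls", "dir", "cat"):
            with open(os.path.join(root, "bin", name), "wb") as fh:
                fh.write(b"original " + name.encode())
        baseline = build_baseline(root)
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:
            fh.write(b"\n# simulated tampering: hide certain files")
        os.remove(os.path.join(root, "bin", "dir"))
        with open(os.path.join(root, "bin", "sneaky"), "wb") as fh:
            fh.write(b"new binary")
        return compare_to_baseline(root, baseline)
```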

  11. Steganography
     • Steganography
        • Means “covered or hidden writing”
        • The process of hiding a message in an appropriate carrier (image, audio, or video)
        • Prevents anyone else from knowing that a message is being sent.
        • Used by civil rights organizations and terrorists.

  12. History of Steganography
     • First used by the Greek historian Herodotus
        • Text was written on tablets covered with wax
        • Upon delivery the wax would be melted.
     • Also, slaves could be shaved and tattooed
        • After the hair grew out, the message could not be seen.

  13. Computer Steganography
     • Computer steganography
        • Changes are made to digital carriers (images or sounds)
        • The changes represent the hidden message.
        • Successful if not noticeable.
        • Emphasis on detecting hidden communications has become an important area since 9/11.

  14. Steganography vs. Watermarking
     • Steganography
        • The message we are hiding is a secret
        • Not generally related to what we hide it in
     • Watermarks
        • The message we are hiding might not be a secret (it might not even be hidden)
        • Does relate to what we put it in
        • Ex.: hold a $20 bill up to the light to see the watermark (authenticity); company logos (ownership)

  15. Various Techniques in Steganography
     • Many approaches to hiding data in a file
     • Embedded bits can be inserted in any place or in any order
     • Areas that are less detectable, or dispersed throughout the cover file, are suitable
     • Careful selection of the cover medium improves the steganography.

  16. Various Techniques in Steganography
     • Substitution is the naïve approach to this problem
     • It replaces cover-file bits with embedded-file bits
     • Replacing certain cover-file bits is detectable
     • Careful selection of the bits in the cover file is important

  17. Types of Digital Carriers
     • Common ways of hiding data:
        • Data may be embedded in files as noise.
        • Properties of images (luminance, contrast and color) can be manipulated.
        • Audio files can be manipulated by introducing small echoes or slight delays.
        • Signals can be masked with sounds of higher amplitude.

  18. Types of Digital Carriers
     • Common ways of hiding data (contd.):
        • Hidden in documents by manipulating the positions of lines and words.
        • Messages can be retrieved, e.g., by taking the second letter of each word (null cipher).
        • Web browsers ignore spaces, tabs, certain characters and extra line breaks.

  19. Types of Digital Carriers
     • Common ways of hiding data (contd.):
        • Unused/reserved space on a disk can be used.
        • The OS allocates a minimum amount of space for a file, and some of it goes unused.
        • Unused space in file headers and TCP/IP packet headers.
        • Spread-spectrum techniques can be used, spreading an audio signal over a number of different frequencies.

  20. Image Structure and Image Processing
     • Digital imaging
        • Most common type of carrier used
        • Produced by a camera, scanner or other device.
        • An approximation of the original image.
        • The system producing the image focuses a two-dimensional pattern of varying light intensity and color onto a sensor.

  21. Image Structure and Image Processing
     • Digital imaging
        • The pattern has a coordinate system.
        • Origin → upper left-hand corner
        • The pattern is described by a function f(x, y)
        • The image can be described as an array of numbers representing light intensities at various points.
        • The light intensities are called pixels.

  22. Image Structure and Image Processing
     • Digital imaging
        • The size of the image is given in pixels, e.g. 640 x 480 (contains 307,200 pixels).
        • The spatial resolution of an image is the physical size of a pixel in the image.
        • Pixels are indexed by X and Y coordinates.
        • Spatial frequency → rate of change of the f(x, y) value as we move across the image.

  23. Image Structure and Image Processing
     • Digital imaging
        • Gradual changes in f(x, y) correspond to low spatial frequencies (coarsely sampled image)
        • Rapid changes correspond to high spatial frequencies (must be represented by a densely sampled image)
        • Dense sampling produces a high-resolution image (many pixels, each contributing a small part of the scene)

  24. Image Structure and Image processing • RGB Color Cube

  25. Image Structure and Image Processing
     • RGB color cube
        • Represents color by the relative intensity of the three colors red, green and blue.
        • Absence of all three yields black (intersection of the 3 axes)
        • Presence of all three colors yields white
        • Cyan → 100% blue and 100% green
        • Magenta → 100% blue and 100% red
        • Yellow → 100% green and 100% red

  26. Image Structure and Image Processing
     • RGB color cube
        • Each RGB component is specified by a single byte (8 bits).
        • Color intensity (0-255)
        • This 24-bit encoding supports 16,777,216 (2^24) colors
        • Each picture element (pixel) is encoded in 24 bits, called 24-bit true color.
        • Can be represented by 32 bits (extra bits → transparency: 0 transparent, 255 opaque)
        • Some use 8-bit color.

  27. Image Structure and Image Processing
     • RGB color cube
        • Color palettes and 8-bit color are used with the Graphics Interchange Format (GIF) and Bitmap (BMP) image formats.
        • The value of a pixel points to a color in the palette.
        • When a GIF image is displayed, the software paints the color from the palette to the screen.
        • Offers lossless compression because the image recovered after encoding and compression is bit-for-bit identical to the original image.

  28. Digital Carrier Methods
     • Common methods for digital carriers
        • Image and audio files are the easiest and most common carriers.
        • Least significant bit (LSB) substitution or overwriting
           • Most common method
           • The LSB term comes from the numeric significance of the bit
           • MSB → 2^8, LSB → 2^0

  29. Digital Carrier Methods
     • A simple method of hiding.
     • Hiding the character ‘G’ across the following eight bytes of a carrier file:
        10010101 00001101 11001001 10010110 00001111 11001011 10011111 00010000
     • ASCII value of G (71 → 01000111)
     • The carrier after embedding:
        10010100 00001101 11001000 10010110 00001110 11001011 10011111 00010001

  30. Digital Carrier Methods
     • A simple method of hiding.
        • The eight bits are written to the LSB of each of the 8 carrier bytes.
        • Only half of the bytes changed (in this case)
     • LSB substitution can be used to overwrite
        • RGB color encoding in GIF, BMP
        • Pulse-code modulation in audio files.
     • Changing the LSB changes the numeric value very little
        • Least likely to be detected by the human eye.

  31. Detecting Steganography
     • Detection and analysis should not result in destruction of the embedded message.
     • Types of analysis
        • Stego-only attack
           • Only the stego-image is available for analysis
        • Known-cover attack
           • The original image is also available for analysis
           • Color composition, luminance and pixel relationships are compared.
        • Known-message attack
           • The hidden message is known
           • The goal is to locate the stego-image
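The LSB substitution of slides 29-30 and the known-cover comparison of slide 31, as an added example that is not part of the deck: the eight carrier bytes and the expected result are the ones printed on slide 29; the embed/extract routines and the byte-for-byte comparison are written here for illustration.

```python
# Eight carrier bytes and the expected result, copied from slide 29 of the deck.
CARRIER = bytes([0b10010101, 0b00001101, 0b11001001, 0b10010110,
                 0b00001111, 0b11001011, 0b10011111, 0b00010000])
SLIDE_RESULT = bytes([0b10010100, 0b00001101, 0b11001000, 0b10010110,
                      0b00001110, 0b11001011, 0b10011111, 0b00010001])

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write each payload bit, MSB first, into the LSB of successive cover bytes (slide 30)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload needs %d cover bytes, only %d available" % (len(bits), len(cover)))
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return bytes(out)

def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes of payload by collecting the LSB of each carrier byte, eight at a time."""
    if n_bytes * 8 > len(stego):
        raise ValueError("not enough carrier bytes")
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for byte in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)

def known_cover_diff(cover: bytes, stego: bytes) -> dict:
    """Known-cover attack (slide 31): compare the original and the suspect carrier byte for byte.
    Reports how many bytes changed, where, whether only bit 0 ever changed, and the largest
    numeric change per byte (slide 30 claims it is tiny; for pure LSB substitution it is 1)."""
    if len(cover) != len(stego):
        return {"changed_bytes": None, "lsb_only": False, "positions": [], "max_delta": None}
    positions = [i for i, (c, s) in enumerate(zip(cover, stego)) if c != s]
    return {
        "changed_bytes": len(positions),
        "lsb_only": all((cover[i] ^ stego[i]) == 1 for i in positions),
        "positions": positions,
        "max_delta": max((abs(cover[i] - stego[i]) for i in positions), default=0),
    }
```

Run against the slide's bytes, embedding b"G" changes bytes 0, 2, 4 and 7 only, which is the "half of the bytes" slide 30 describes.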

  32. Basic Principles of Steganography
     Two principles:
        • Digital files can be altered to a certain degree without losing functionality
        • Human senses are not acute enough to distinguish minor changes in altered files

  33. Masking
     • Masking is another way used to conceal data
     • Definition: with regard to audio files, sound A interferes with (masks) sound B
     • Human perception is the key, as we are not able to pick up on the subtleties

  34. Forensics and Steganography
     • The use of steganography toolkits can thwart the completion of a successful forensic analysis
     • The odds of finding every piece of potential evidence hidden within cover images are slim
     • Even if a stego file is found and the secret data is extracted successfully, what about encryption?

  35. Forensics and Steganography…
     • As of today, few stego programs have been analyzed in enough depth that searching for their file headers can be performed
     • Part of the problem is that some stego programs allow the user to encrypt the header
     • Which stego program was used, and if encrypted, what is the stego key?

  36. Detecting and Cracking Steganography
     • Reading and detecting covert files is a challenging task for forensic investigators
     • Steganalysts can join forces with cryptanalysts
     • Steganalysis is a time-consuming process
     • The forensic investigator should also track the original carrier file (host file)

  37. Examples of Hiding Data in Various Carriers
     • Hiding the Burlington International Airport map

  38. Examples of Hiding Data in Various Carriers (Contd.)
     • A GIF carrier file containing the airport map

  39. Examples of Hiding Data in Various Carriers (Contd.)
     • The example employs Gif-it-Up, a Nelsonsoft program
     • Hides information using LSB substitution
     • Includes an encryption option
     • Original carrier (mall GIF) → 632,778 bytes
     • Steganography file → 677,733 bytes

  40. Examples of Hiding Data in Various Carriers (Contd.)
     • A JPEG carrier file containing the airport map

  41. Examples of Hiding Data in Various Carriers (Contd.)
     • Method: JP Hide & Seek (JPHS) by Allan Latham
     • Hides information using LSB substitution
     • The Blowfish crypto algorithm is used for randomization and encryption.
     • Original carrier → 207,244 bytes
     • Steganography file → 227,870 bytes

  42. Signal level comparisons between a WAV carrier file before (above) and after (below) insertion.

  43. What Can Be Done?
     • Use steganographic toolkits so that you become knowledgeable
     • Know what files are installed when a stego program is installed
     • Know what files (or registry keys) are left behind when a stego program is removed
     • You may get lucky and find that no encryption was applied

  44. (Cont.)
     • Compare the cover file to the suspicious file, looking for distortions
     • Work with people who have analyzed stego tools, as these tools have unique characteristics

  45. Steganography: Good or Bad?
     • Good for hiding watermarks
        • Authenticates information
        • Proves ownership (“my watermark, so mine”)
        • Copy control
           • Bad for those who like free music from the internet.
     • Bad → mostly used by terrorists

  46. Questions?
