Hidden Data
Week 5
Steganography
The “art” of hiding data
The word “steganography” comes from Greek words: steganos “covered” and graphie “writing”
This is quite different from a stegosaurus “covered lizard”
And different from stenography “narrow writing”
7/28/2018 Sacramento State - Cook - CSc 116 - Summer 2018 3
What is Steganography?
Steganography is a science (and art) of hiding a message within another message
• the secret message is referred to as the payload (or carrier medium)
• the normal message, that contains the secret message, is the carrier
Both parties know how the message was hidden and can secretly transfer messages
What is Steganography
Cryptography
• does not hide the communication
• encodes the data to prevent eavesdroppers from understanding the content
• presence of encrypted data may cause suspicions
Steganography
• hides the communication
• the data may or may not be encrypted
• if they don’t know about it, how can they be suspicious?
Cryptography vs. Steganography
Steganography is not a new technology – the idea of secret messages is as old as humanity
It has been used since ancient times
• invisible ink (1st century AD to WW II)
• tattoos or drawings
• some characters reflect under special light
• pin punctures in type
• microdots
History
New techniques have been invented following technological advances
Steganography can be traced back to 440 BC, from the Histories of Herodotus
History
Histiaeus wanted to start a revolt to free his people from the Persians
To send a message, he shaved his most trusted slave’s head
The slave’s head was then tattooed with the message
The hair was allowed to regrow – hiding it
Histories of Herodotus: Tattoo
At the time, wax tablets were used to write text – similar to today's white-boards
Demaratus needed to warn Greece about an upcoming attack by the Persians
He etched the message into the wooden backing of the wax tablet
The wax front of the tablet covered the message
By melting all the wax, the message was revealed
Histories of Herodotus: Wax
A null cipher is a technique that embeds a secret message into seemingly innocent (or meaningless) sentences
For instance, the first letter of each word can be meaningful – when these letters are combined, they form another sentence
Null Ciphers
World War II Example
During World War II, a German spy sent a secret message using a null cipher
The message was hidden in the second letter of each word
Apparently neutral's protest is thoroughly
discounted and ignored. Isman hard hit.
Blockade issue affects pretext for embargo
on by-products, ejecting suets and
vegetable oils.
World War II Example
Apparently neutral's protest is thoroughly
discounted and ignored. Isman hard hit.
Blockade issue affects pretext for embargo
on by-products, ejecting suets and
vegetable oils.
pershingsailsfromnyjunei
Pershing sails from NY June 1
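The extraction on this slide, as an added example that is not part of the original slides: take the second letter of every word. The function names are illustrative, and the scan over several letter positions generalizes the slide's single case to what an examiner without the key would try.

```python
import re

# Text of the World War II message quoted on the slide above.
MESSAGE = (
    "Apparently neutral's protest is thoroughly "
    "discounted and ignored. Isman hard hit. "
    "Blockade issue affects pretext for embargo "
    "on by-products, ejecting suets and "
    "vegetable oils."
)


def nth_letters(text, n):
    """Collect the n-th letter (1-based) of each word; shorter words are skipped."""
    picked = []
    # A word is a run of letters; apostrophes and hyphens stay inside the word,
    # so "by-products" counts as one word, as it must for the slide's decode.
    for word in re.findall(r"[A-Za-z][A-Za-z'-]*", text):
        letters = [ch for ch in word if ch.isalpha()]
        if len(letters) >= n:
            picked.append(letters[n - 1].lower())
    return "".join(picked)


def candidate_readings(text, positions=(1, 2, 3)):
    """Try several letter positions, as an examiner who lacks the key would."""
    return {n: nth_letters(text, n) for n in positions}


if __name__ == "__main__":
    for n, reading in candidate_readings(MESSAGE).items():
        print(n, reading)
```

Only position 2 yields readable text; the final "i" is read as the digit 1.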
April 2006: London's High Court ruled on whether author Dan Brown had plagiarized The Da Vinci Code
The suit was brought by another author
Ultimately, Judge Peter Smith ruled in favor of Brown
… but his 71-page written judgment raised eyebrows
Judge gets Cheeky…
In the document…
• seemingly random letters were in italics
• the first few pages of his ruling spell out "Smithy Code"
• also contains “Mr Justice Smith said he would confirm the code if someone broke it”
Judge gets Cheeky…
Smith: "I can't discuss the judgment, but I don't see why a judgment should not be a matter of fun"
Judge gets Cheeky…
Microdot Technology is a technique of hiding a message inside a single letter or symbol
Basically, the message is shrunk down in size to about 1 millimeter or less
Just look how much information is stored on a piece of microfilm or microfiche!
The message can be placed in a period or the “tittle” above a j or an i
It was used in World War I, II and even today
Microdot
Secret messages can also be hidden in what appears to be innocuous data
For instance: data can be hidden in text formatting in subtle ways
• line spacing
• word or character spacing
• minor changes to shapes of characters
For humans, we might not be able to see the difference… but computers can!
Text Position
Are These the Same?
Nope….
So, let’s act like spies
What neat trick can we use to hide a message inside something?
Let’s create a new one
Cloak and Dagger
A 00001
B 00010
C 00011
D 00100
E 00101
F 00110
G 00111
H 01000
I 01001
J 01010
K 01011
L 01100
M 01101
N 01110
O 01111
P 10000
Q 10001
R 10010
S 10011
T 10100
U 10101
V 10110
W 10111
X 11000
Y 11001
Z 11010
Here are Some Binary Numbers
Steganography Today
So much data, so, so much data
Nowadays, practically everything is stored in digital format
People seldom realize how much data is there!
Digital data is used everywhere
• online images – websites, etc…
• video
• real-time games
Steganography Today
Since everything is binary…
• any binary data can be stored in any binary data
• there are limits depending on the size of the carrier and the payload
• …and some file format issues
• but, for the most part, it is possible
Steganography Today
Examples:
• text stored in an image
• image stored in text
• music file stored in an image
• image stored in a music file
• etc….
Steganography Today
There are a wide variety of techniques
When analyzing a technique, there are several attributes of importance
• perceptibility indicates how much the data payload distorts the carrier
• capacity is how much data can be hidden
• robustness refers to how well the data can survive if the carrier is modified or manipulated
Issues in Hiding Data
Often, there is a give-and-take…
• increasing one attribute may weaken another
• affects perceptibility, robustness and capacity
• e.g. the higher the capacity, the more compact the data, and the more perceivable it is
The person hiding the data must make a decision on the technique depending on the weaknesses / strengths
Issues in Hiding Data
Importance of Steganography
Information hiding in the Information Age
As the world becomes more based on information, the transmission of hidden data becomes easier
Think of the sheer volume of data out there – and how little one message, file, etc… constitutes
Importance of Steganography
Like all technologies, steganography can be used for both good and evil
Importance of Steganography
Watermarks to detect forgeries
• holding a $20 bill up to the light and seeing a watermark
• ultraviolet marking on credit cards
Fighting against government intrusion
• some states are oppressive (e.g. Iran)
• resistance groups can use it to talk
Hiding confidential / valuable data
Good Uses of Steganography
Concealing a plan for terroristic threats
• al-Qaeda may have used steganographic software to communicate before the 9-11 attacks; this has not yet been confirmed
• this is a huge threat to the government
Hiding contraband
• can allow perpetrators (such as child pornographers) to exchange information
• stolen data – spying, etc…
Evil Uses of Steganography
April 2012
German officials detained a man in Berlin who appeared on a terrorist watchlist
On him, they found routine documents and travel items
However, the suspect had a memory card sewn into his underwear
al-Qaeda Master Plans
The card contained pornographic videos called "kick ass" and "Sexy Tanja"
Why sew it into your underwear?
Cryptologists and steganographists spent weeks on the memory card
al-Qaeda Master Plans
Hidden, encrypted, within the video there were over 100 hidden files
Some of the content:
• "Lessons learned"
• "Future plans"
• and more documents detailing strategy
al-Qaeda Master Plans
On "future plan"
• take control of a cruise ship (low security, tons of victims)
• dress victims in orange jump suits (like those in Guantanamo Bay)
• behead them live (and slowly) and upload videos to terrorist websites
al-Qaeda Master Plans
Text & Steganography
Very basic, and very hard to detect
Even simple text files are often used to store secret messages
However, it is not efficient and little data can be put in the carrier
Classic null cipher
• every first letter of each word (or second, third, etc….) holds the message
• this restricts the text of the message
• awkward prose may be a red flag
Text
Whitespace can also be used to store a message
What is whitespace?
• this is space between words, the blank space after a sentence, etc….
• …looks simply "white" on paper
• it is seen as “empty” by people, and thus a great place to hide data
Text: Whitespace
The number of spaces between words can contain the message
e.g. single space 0, two spaces 1
The text will be visually altered, although few may notice
The file size will also increase
Whitespace: Word Spacing
Spaces can be added to the end of each line (after the text)
e.g. no space 0, single 1
Visual appearance of the text...
• will not be altered
• but the capacity is far smaller
The file size will still increase from the original
Whitespace: End Line
The following example shows data stored at the end of each line
A space is added for a 1, or left blank for a 0
The gray boxes are columns that contain no characters
In a society under
the forms of which
the stronger faction
can readily unite
and oppress the
weaker, anarchy may
as truly be said to
reign...
James Madison
Federalist Paper 51
End Line Example
End Line Example - Original
In a society under
the forms of which
the stronger faction
can readily unite
and oppress the
weaker, anarchy may
as truly be said to
reign...
James Madison – Federalist Paper 51
End Line Example - Modified
In a society under → 1
the forms of which → 0
the stronger faction → 0
can readily unite → 1
and oppress the → 1
weaker, anarchy may → 0
as truly be said to → 1
reign... → 0
James Madison – Federalist Paper 51
In a society under
the forms of which
the stronger faction
can readily unite
and oppress the
weaker, anarchy may
as truly be said to
reign...
It is Invisible to the Reader
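The two whitespace schemes from the preceding slides (end-of-line spaces and word spacing), as an added example that is not part of the original slides: it rebuilds the marked text, reads the bits back, and shows what a reviewer can measure and strip. The function names are illustrative, and the pairing of the eight bits with the eight lines in order is an assumption taken from the "Modified" slide.

```python
import re

# Cover text from the slide; SLIDE_BITS are the eight bits shown beside the
# lines on the "Modified" slide, read top to bottom (assumed order).
COVER_LINES = [
    "In a society under",
    "the forms of which",
    "the stronger faction",
    "can readily unite",
    "and oppress the",
    "weaker, anarchy may",
    "as truly be said to",
    "reign...",
]
SLIDE_BITS = "10011010"


def mark_line_ends(lines, bits):
    """Build the constructed sample: one trailing space for a 1, none for a 0."""
    return "\n".join(line + (" " if bit == "1" else "")
                     for line, bit in zip(lines, bits))


def end_line_bits(text):
    """End-line scheme: a line ending in a space reads as 1, otherwise 0."""
    return "".join("1" if line.endswith(" ") else "0"
                   for line in text.split("\n"))


def word_gap_bits(text):
    """Word-spacing scheme: single space -> 0, two spaces -> 1, other -> ?."""
    bits = []
    for line in text.split("\n"):
        for gap in re.findall(r"\S( +)(?=\S)", line):
            bits.append({1: "0", 2: "1"}.get(len(gap), "?"))
    return "".join(bits)


def normalize(text):
    """Strip trailing whitespace and collapse runs of spaces between words."""
    return "\n".join(re.sub(r"(?<=\S) {2,}(?=\S)", " ", line.rstrip())
                     for line in text.split("\n"))


def whitespace_report(text):
    """What a reviewer can measure without knowing the encoding."""
    lines = text.split("\n")
    return {
        "lines": len(lines),
        "trailing": sum(1 for line in lines if line != line.rstrip()),
        "wide_gaps": sum(len(re.findall(r"\S {2,}(?=\S)", line))
                         for line in lines),
        "extra_bytes": len(text) - len(normalize(text)),
    }


if __name__ == "__main__":
    marked = mark_line_ends(COVER_LINES, SLIDE_BITS)
    print(end_line_bits(marked), whitespace_report(marked))
```

Normalizing whitespace before a document leaves a controlled environment removes both channels, and the `extra_bytes` figure is the file-size increase the slides mention.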
Images & Steganography
Pictures look good for secrets!
Images are one of the most widely used mediums
As computers get more and more powerful, the size and complexity of graphics will increase
Images are a Popular Choice
What we think of as “small” images can contain millions of bytes
Inside that space…
• there is readily available space to hide data
• the larger the image size, the more information you can hide
Images are a Popular Choice
Digital images are made up of pixels
Each pixel uses 3 (or more) bytes to represent the red-green-blue color
This means:
• each pixel can have 16,777,216 unique values
• changing a red-green-blue value slightly cannot be picked up by the human eye
• … but computers can tell the difference
Images are a Popular Choice
Completely Under the RADAR
[Figure: rows of binary digits]
The most popular technique for images
Hide the data in the least-significant-bits
• these are the bits (of each byte) which contain the smallest values (the rightmost bits)
• usually only the least-significant-bit (bit with a group value of 1) is used
• but more can be used to increase the capacity
Least-Significant-Bit Encoding
Advantages
• simple
• high capacity – 3 or more bits per pixel
• low perceptibility – data hides in color “noise”
Disadvantages
• not very robust – lossy compression will easily destroy the data
• … as a result, this technique is used on lossless images such as BMP and PNG
Least-Significant-Bit Encoding
Least Significant Bit Example
[Figure: one pixel's Red, Green and Blue bytes in binary, with the data byte 11010011 to be hidden]
Byte Can Be Stored in 3 Pixels
[Figure: the data byte 11010011 written one bit at a time into the least-significant bits of the color bytes of three pixels]
The two least-significant-bits can also be used
This basically doubles the capacity of the carrier
… but
• more of the color data is altered
• it might be visually noticeable (still not likely)
• easier to detect by steganalysis tools
Increasing Payload Capacity
Using 2 Bits Per Byte 2 Pixels
[Figure: the data byte 11010011 written two bits at a time into the color bytes of two pixels]
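The least-significant-bit scheme from these slides, as an added example that is not part of the original slides: the data byte 11010011 is written into constructed color bytes with one and then two bits per byte, and read back. The carrier values and function names are assumptions; the pixel counts match the slide titles (three pixels at 1 bit per byte, two pixels at 2 bits).

```python
def channels_needed(n_bytes, bits_per_byte=1):
    """Color bytes required to hold n_bytes of payload (rounded up)."""
    return -(-(n_bytes * 8) // bits_per_byte)


def capacity_bytes(n_pixels, bits_per_byte=1, channels_per_pixel=3):
    """Whole payload bytes that fit in an image of n_pixels."""
    return n_pixels * channels_per_pixel * bits_per_byte // 8


def embed_lsb(channels, payload, bits_per_byte=1):
    """Return a copy of the carrier bytes with payload in the low bits.

    channels: flat color bytes (R, G, B, R, G, B, ...) of a lossless image.
    """
    k = bits_per_byte
    if not 1 <= k <= 8:
        raise ValueError("bits_per_byte must be between 1 and 8")
    mask = (1 << k) - 1
    bits = "".join(f"{byte:08b}" for byte in payload)
    bits += "0" * (-len(bits) % k)          # pad the last group with zeros
    groups = [int(bits[i:i + k], 2) for i in range(0, len(bits), k)]
    if len(groups) > len(channels):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(channels)
    for i, group in enumerate(groups):
        out[i] = (out[i] & ~mask & 0xFF) | group   # keep high bits, set low
    return bytes(out)


def extract_lsb(channels, n_bytes, bits_per_byte=1):
    """Read n_bytes back out of the low bits of the color bytes."""
    k = bits_per_byte
    mask = (1 << k) - 1
    used = channels[:channels_needed(n_bytes, k)]
    bits = "".join(f"{c & mask:0{k}b}" for c in used)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, n_bytes * 8, 8))


def max_channel_change(original, modified):
    """Largest change to any single color byte (perceptibility measure)."""
    return max(abs(a - b) for a, b in zip(original, modified))


# Constructed carrier: three pixels of nearly the same color (R, G, B each).
CARRIER = bytes([166, 82, 210, 166, 82, 210, 166, 82, 211])
DATA = bytes([0b11010011])                  # the data byte from the slides

if __name__ == "__main__":
    for k in (1, 2):
        stego = embed_lsb(CARRIER, DATA, k)
        print(k, list(stego), max_channel_change(CARRIER, stego),
              extract_lsb(stego, 1, k) == DATA)
```

With one bit per byte no color value moves by more than 1; with two bits the change can reach 3, which is the extra distortion the "Increasing Payload Capacity" slide warns about.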
Demonstration….
Let’s Look at Some Secret Messages
Other Image Techniques
There is more than pixels!
Not all images store full color information in each pixel
Palette images…
• do not store red-green-blue values separately for each pixel
• instead, they store an index into a table that contains the RGB color
Encoding: Palettes
Images Contain Indexes into the Palette Table
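[Figure: the image as a 4×4 grid of palette indexes (3 2 1 1 / 0 6 4 0 / 5 0 2 1 / 2 1 2 4) beside a palette table with entries 0–5; one entry's color bytes are 10011001 11111000 11011011]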
To make it work, the software needs to modify the palette
Palette contains seemingly duplicate colors
• the two “duplicates” actually differ slightly
• one color is selected to store the 0 – usually in the least-significant-bit of one of the values
• the other color stores the 1 in its bit
When the image is redrawn, the steganography software can select the palette entry that hides the 0 or 1 – as it is needed
Palette Steganography
Two Redundant Colors… Almost
[Figure: the same 4×4 grid of palette indexes beside a palette table with entries 0–5; two entries are near-duplicates, 10011001 11111000 11011011 and 10011001 01111000 11011011]
Drawbacks…
• basically, there are two ‘duplicate’ palette entries for every real color
• 256 color palette can only have 128 “real” colors
• if the image has more than 128 unique colors, some will have to be remapped to their closest matches
If colors are remapped…
• it can cause radical color shifts for color images
• this can alert investigators
Palettes: How It Works…
As a result, grayscale images are often used
• they only have a maximum of 256 colors!
• shift between two grays is subtle (and hard to detect)
Images that can use palettes:
• PNG – either true color or palette
• BMP – either true color or palette
• GIF – only palette
Palettes: How It Works…
Metadata
Hiding data in data about data! (yes, quite confusing!)
Many file types store information about the main data in the file
This is called meta-data
• it's "data about data"
• varies greatly between different file types
• e.g. created date, author, software used, etc...
Metadata and Steganography
Often the meta-data is stored in text format
But sometimes it can be binary data, an image, etc…
Metadata is often used to store hidden data
Metadata and Steganography
Remember how attachments are stored in e-mail?
Base64 (and related systems) can store any binary data in simple ASCII text
So, any text metadata can store any data
However, this can be detected by steganalysis software
Metadata and Steganography
Base64 Encoding Example
Bytes 2B C8 F1
Bits 0 0 1 0 1 0 1 1 1 1 0 0 1 0 0 0 1 1 1 1 0 0 0 1
6 Bit value 10 60 35 49
Base64 K 8 j 7
JPEG Files
Computer photographs
JPEGs are stored using the JPEG File Interchange Format (JFIF)
Designed specifically for photographs
JPEGs
They use lossy compression
• compression changes the original red-green-blue values
• so least significant bits cannot be used
JPEGs
The JPEG file header contains information about the image:
This includes
• density of the picture (pixels per inch/cm)
• location data (extension)
• thumbnail graphic (created by the software that saves the JPEG)
JPEG: File header
Thumbnail is an independent image
• …so, all JPEGs can contain two images
• it is stored as a true color uncompressed image
• maximum of 256x256 pixels
So, the least-significant bit approach can be used on the thumbnail
JPEGs: Thumbnail
GIF Files
A legend of the Internet
GIFs were created by CompuServe in 1987 to use with its online software
The format is popular today to create simple images and basic animation
GIF Files
There are actually two versions of the file
They are basically compatible, but differ in a key feature
• GIF 87 – Original format, no animations
• GIF 89 – Animation!
GIF Files
The file format allows a number of features:
• multiple images (each can have its own palette)
• timing and placement control
• looping – simple iteration, nothing fancy
• transparency
It can also store "comments"
• these are hidden – never displayed
• often used to save the name of the generating software
• can be used to hide a secret message
GIF Files
A Secret Message….. Here?
We be spies!
PNG Files
The bling-bling of pngs!
PNG (pronounced “Ping”) is a relatively new file format
It was designed to replace other bitmap file formats and work with the Internet
PNG Files
It is also backwards and forwards compatible and easily extendable
As a result, this format is designed to work forever…
PNG Files
PNGs contain a number of “chunks”
Each chunk…
• can contain up to 4,294,967,296 bytes
• contains a 4 byte ASCII identifier
• is backwards and forwards compatible. If a PNG reader does not understand a “chunk” identifier, it skips the section
• it also contains a CRC error check
PNG Chunks
Critical Chunks are necessary to identify the image, set bounds and other items that must be included
Ancillary Chunks
• help the image, but are not required
• they can be safely ignored – though the image might not look correct
• if a “chunk type” is not recognized, it is ignored
PNG Chunks
Type Contents
IHDR The “true” header is contained in this chunk. This is required and is the first chunk
PLTE If the image uses a palette, this chunk contains the table
IDAT The image data
IEND This chunk marks the end of the file
Critical Chunks
Type Contents
bKGD Default background color
cHRM Chromaticity settings (for color correction)
gAMA Gamma information
sBIT Color accuracy
tIME Time stamp for the image
tRNS Transparency information
Ancillary Chunks – Just a few
PNGs also allow chunks that store text data
• these are used to store comments, information about the image, or anything the user needs
• hidden data may be stored here
Using Base-64 (or a similar approach), these text fields can contain any data
Text Ancillary Chunks
Type Contents
iTXt Unicode text. This can be compressed
tEXt Stores text in a key = value type format. This allows image attributes to be stored similarly to INI values. The format uses a 00 byte rather than an equals sign
zTXt Compressed version of tEXt
Ancillary Text Chunks
Since unrecognized “chunks” are ignored
• fake “chunks” can be snuck into a file and used to store hidden data
• although, these are easy to find
So, in addition to the least-significant bit method, there are many ways to hide data in PNGs
Fake Ancillary Chunks
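A chunk-level audit of a PNG, as an added example that is not part of the original slides: it walks the chunk list described above, checks each CRC, and reports text chunks, unrecognized chunk types and bytes left after the last chunk. The sample file is built inline, and the chunk type "zzAa", the sample contents and the function names are all constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"iTXt", b"tEXt", b"zTXt"}
# Chunk types listed on the slides, using the PNG specification's spelling.
KNOWN_CHUNKS = TEXT_CHUNKS | {
    b"IHDR", b"PLTE", b"IDAT", b"IEND",
    b"bKGD", b"cHRM", b"gAMA", b"sBIT", b"tIME", b"tRNS",
}


def make_chunk(ctype, data):
    """Length (4 bytes) + type (4 ASCII bytes) + data + CRC over type and data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))


def constructed_png(with_hidden=True):
    """A 1x1 true-color PNG built inline; the extras are constructed samples."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")      # filter byte + one red pixel
    parts = [PNG_SIGNATURE, make_chunk(b"IHDR", ihdr)]
    if with_hidden:
        # Base64 of the word "hidden" in a comment field
        parts.append(make_chunk(b"tEXt", b"Comment\x00aGlkZGVu"))
        parts.append(make_chunk(b"zzAa", b"secret"))   # made-up chunk type
    parts += [make_chunk(b"IDAT", idat), make_chunk(b"IEND", b"")]
    if with_hidden:
        parts.append(b"appended")                      # bytes after IEND
    return b"".join(parts)


def audit_png(blob):
    """Walk the chunk list; return (chunk type, finding, size) tuples."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    findings = []
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        name = ctype.decode("latin-1")
        end = pos + 12 + length
        if end > len(blob):
            findings.append((name, "truncated", length))
            return findings
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[end - 4:end])
        if stored_crc != zlib.crc32(ctype + data):
            findings.append((name, "bad-crc", length))
        if ctype in TEXT_CHUNKS:
            findings.append((name, "text", length))
        elif ctype not in KNOWN_CHUNKS:
            # Bit 5 of the first type byte (a lowercase letter) marks ancillary.
            kind = "unknown-ancillary" if ctype[0] & 0x20 else "unknown-critical"
            findings.append((name, kind, length))
        pos = end
        if ctype == b"IEND":
            break
    if pos < len(blob):
        findings.append(("(after last chunk)", "trailing-data", len(blob) - pos))
    return findings


if __name__ == "__main__":
    for finding in audit_png(constructed_png()):
        print(finding)
```

A text chunk is not suspicious by itself; the report gives an examiner the list of places to look, in line with the slide's remark that fake chunks are easy to find.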
Other Techniques
This “art” is only limited by human imagination
Data can be hidden in audio files using perceptual coding
Inject signal into areas that will not be detected by humans
Human ears are poor – certain “white noise” and frequencies are beyond our abilities
Audio
Some common techniques:
• Least-Significant-Bit
• Phase Coding
• Echo Data Hiding
Don’t worry, we will not go any further – this stuff is complex!
Audio
Data may be destroyed by lossy compression algorithms
• MP3s, WMAs and MP4s use lossy compression
• Wave files are lossless
However, data might be inserted during compression – great for catching pirates!
Audio
Video files are huge in comparison to other file formats
As a result, they are great targets for hiding data
Movies typically show 24 frames a second
• enough to fool the human eye
• e.g. 1.5 hour movie has 129,600 still pictures
Video
Video is really a combination of images and sound
• so all techniques used for images and sound also apply
• there are a few more still
Video Watermarking
It is commonly used by movie companies to catch pirates
What companies do
• on a single frame, they hide a special number/symbol that is unique for that copy of the movie
• when a pirated movie appears on the Internet (or black market), they find that symbol
Video Watermarking
Besides hiding data into the least-significant-bit, data can be hidden in file-specific locations
Common techniques:
• Hide the message in unused areas of a file
• Add the message to the end of the file
Other Techniques
Steganalysis
Looking for a needle in a haystack
Steganalysis is concerned only with identifying the existence of a payload
It does not deal with extracting or reading the contents
Steganalysis
In the process of locating the existence of a payload it might be possible to identify the software that added it
Steganalysis looks for anomalies in the file
• these can concern the file’s format or contents
• it might also be able to identify the signature of the software that encoded the payload
• then the same software can be used to read it
Steganalysis
Often the generating software is needed – along with passwords, etc….
Where can you find this information?
Investigate…
• hard drives
• written notes
• personal information (pet names, etc…)
• etc…
Recovering The Data
Data anomalies
• visual – Does the data “look” abnormal?
• statistical – pattern changes in pixels or bits
• histogram – occurrence of colors, bits, etc… does not match a “normal” view
Structural anomalies
• file size – is the file larger than it should be?
• date/time – internal timestamp doesn’t match files
• checksum – hash value is abnormal
• comparison – differences from a copy
Some Possible Anomalies
It is incredibly useful if you have a copy of the original file – free from any hidden data
Comparing the two on a bit-level can reveal differences that will be of interest to investigators
There are a number of tools such as WinHex, TextPad, etc….
Anomalies: File Comparison
Comparing numerous files can reveal information on how data is hidden
Using the same software….
• encode with the same message
• examining these and the original can reveal where the data is hidden and how
Anomalies: Research
Anomalies in the red-green-blue values can be examined
For each color… the value of each level will turn bits on or off depending on their value
For instance, the most significant bit will be 1 if the value is 128 or greater
Anomalies: Bit Planes
So, often, it is useful to look at an image by only looking at one bit at a time
These are called bit-planes since an image can be viewed, conceptually, as overlaid grids of single bits
Bit Planes
By looking at a single plane
• images will create patterns
• this is especially true for increasing/decreasing levels – in particular, gradients
• steganography can cause obvious breaks in this pattern
Bit Planes
Bit Planes
Single red, green or blue value viewed in 8 different bit-planes
Bit Plane #7 (128)
Bit Plane #6 (64)
Bit Plane #5 (32)
Bit Plane #4 (16)
Bit Plane #3 (8)
Bit Plane #2 (4)
Bit Plane #1 (2)
Bit Plane #0 (1)
The least-significant-bit is the most chaotic, but some patterns are still visible
Even least-significant-bit encoding may be detected
Bit Planes
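Bit-plane analysis and the file comparison from the "Anomalies" slides, as an added example that is not part of the original slides: a smooth gradient is split into its eight planes, and a copy with altered least-significant bits is compared against the original. The gradient, the payload bits (a SHA-256 chain standing in for encrypted data) and the function names are constructed for illustration.

```python
import hashlib


def bit_plane(values, k):
    """Bit k of every sample: plane 7 is worth 128, plane 0 is the LSB."""
    return [(v >> k) & 1 for v in values]


def transitions(bits):
    """How often neighbouring samples differ within one plane."""
    return sum(a != b for a, b in zip(bits, bits[1:]))


def plane_profile(values):
    """Transition count for planes 0..7 (list index = plane number)."""
    return [transitions(bit_plane(values, k)) for k in range(8)]


def changed_bits_per_plane(original, suspect):
    """Bit-level comparison of two copies: differing bits in each plane."""
    counts = [0] * 8
    for a, b in zip(original, suspect):
        diff = a ^ b
        for k in range(8):
            counts[k] += (diff >> k) & 1
    return counts


def constructed_payload_bits(n):
    """Deterministic stand-in for an encrypted payload (SHA-256 chain)."""
    bits, block = [], b"constructed sample"
    while len(bits) < n:
        block = hashlib.sha256(block).digest()
        bits.extend((byte >> s) & 1 for byte in block for s in range(7, -1, -1))
    return bits[:n]


# Constructed carrier: one color channel of a smooth gradient, 1024 samples.
GRADIENT = [i // 4 for i in range(1024)]
# Constructed suspect copy: the same samples with every LSB replaced.
SUSPECT = [(v & 0xFE) | b
           for v, b in zip(GRADIENT, constructed_payload_bits(len(GRADIENT)))]

if __name__ == "__main__":
    print("clean   profile:", plane_profile(GRADIENT))
    print("suspect profile:", plane_profile(SUSPECT))
    print("changed bits per plane:", changed_bits_per_plane(GRADIENT, SUSPECT))
```

In the clean gradient each plane halves the transition count of the plane below it; in the suspect copy plane 0 breaks that pattern while planes 1 to 7 are untouched, and the comparison with the original shows every changed bit sits in plane 0.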
Watermarking
Security, the sneaky way
Watermarking is a technique that puts an unremovable message on a target
Target is often marked…
• in such a way that its identity or source is known
• this mark is designed to be unremovable and attempts to alter it will destroy the item
• it might be obvious or more subtle
Watermarking
Used for both security and, in the case of software, to indicate the identity of the software used to create it
Examples:
• message displayed on shareware software (buying the full version removes it)
• verification codes on currency
• barcodes
Watermarking
Steganography:
• designed to avoid detection
• the largest message is desired – the more secret data
Watermarking:
• designed to avoid distortion or removal
• usually small hidden or visible message
Steganography vs. Watermarking
UV Watermarking
Some laser printers secretly embed hidden messages on printouts
Laser barely touches the paper – making little yellow dots
Dots contain the manufacturer and possibly more information
Hidden Codes in Laser Printers
Example: Laser Printer Hidden Code
w2.eff.org/Privacy/printers/docucolor
Example: Laser Printer Hidden Code
w2.eff.org/Privacy/printers/docucolor
Example: Laser Printer Hidden Code
w2.eff.org/Privacy/printers/docucolor
Do you agree with these hidden messages on laser printers?
Are there Constitutional issues involved?
What are the benefits and abuses?
What Do You Think of This?