Chapin Bryce, one of our interns has gone to the GMU GMU 2013 Computer Crime & Digital Forensics Training conference for the week. While he is there, he will be blogging about the different presentations he has the pleasure of sitting in on. For more information about the conference, visit their site: http://www.rcfg.org/gmu/
The Scary Side of Steg
Steganography is a known evil that haunts computer forensic examiners. It is the one evidence type that is hidden from plain view and escapes analysts’ scrutiny. The ability to store data in a covert manner is a valuable asset, though when locating and identifying this information for evidentiary use, it becomes a nightmare. This data is so obfuscated that almost every investigation ignores the possibility of its existence. The excuse “it is only used by advanced users” is used, and believed. That is where the issue lies. Steganography tools are more available than ever before and anyone can use them.
“Any sufficiently advanced technology is indistinguishable from magic” is a famous quote from Sir Arthur Clarke, and speaks to the very idea that identifying this veiled data is such a hurdle for investigators. The first major issue is identifying that steganography exists on the exhibit, generally the most crucial step. This can be done by searching for known steganography applications in the file structure or registry, or by analyzing file header and footers for abnormal data. If these signs are found, the files then must be vetted, either reversed with the original application or brute forced. Either method takes a lot of expensive labor from the examiner and can be put to a screeching halt if the data inside the carrier file is encrypted.
With the combination of advanced techniques for hiding data, and the ease of hiding it for end users, makes it a very frightening threat for computer forensic examiners who traverse exhibits in the dark. The methods and tools used to identify this data and assist examiners are not proven to work in every case, similar to how an antivirus scanner cannot easily detect viruses it hasn’t seen before. This challenge will always exist when attempting to file a needle in a haystack.