Stegano Forensics
Steganography Forensics
Chiawei Wang
2015.10.20
Why Forensics ?
• In short, given a binary dump
WHAT’S INSIDE ?
2
Aspects of Forensics
• Steganography
• Network Traffic Analysis
• Disk
• Memory
• Etc.
3
Today we will go through …
• Steganography
• Network Traffic Analysis
• Ready to become the Shaman King ?
4
Steganography
• The art of data hiding to prevent the detection of the "Secret"
• V.S. Cryptography ?
  • Pro – the cloaked secret does not attract attention to itself as an object of scrutiny.
  • Con – the strength of the encoding schema cannot compete with that of crypto.
• According to the CNN report on the 911 event
  • It is possible that bin Laden also exploited steganography techniques to secretly deliver messages
  • http://edition.cnn.com/2001/US/09/20/inv.terrorist.search/
5
Common Types of Steganography
• Text-based
• Image-based
• Audio-based
• File-embedding
• Etc.
• In this course we try our best to cover those we have experienced in previous CTFs. Steganography is multifarious.
• EXPLORE IT & ENJOY BEING TROLLED~
6
Text-based Stegano
• Given a text message, the secret is covered by invisible characters
  • White space
  • Unicode non-printable
• More advanced, the secret is covered by mimicry characters
  • Unicode multilingual
7
Invisible Characters
• White space
  • Utilize space and tab to compose the secret messages.
• Unicode non-printable
  • The Unicode tags U+E0000 to U+E007F appear to be invisible after spaces or covered text.
• Practice – "Read" the word
8
Multilingual Characters
• Characters with different encodings may have a similar appearance.
• Take the alphabet "A" for example:
• An encryption scheme can be conducted …
  • if plaintext = 0b00 then 0x0041 0x0041
  • if plaintext = 0b01 then 0x0041 0x0391
  • if plaintext = 0b10 then 0x0041 0x0410
  • if plaintext = 0b11 then 0x0041 0x13aa
• AMS Rahma, WS Bhaya, and DA Al-Nasrawi, "Text Steganography Based On Unicode of Characters in Multilingual," International Journal of Engineering Research and Applications (IJERA), 2013

Multilingual          Encoding (hex)   Appearance
Basic Latin (ASCII)   0x0041           A
Greek and Coptic      0x0391           Α
Cyrillic              0x0410           А
Cherokee              0x13aa           Ꭺ
9
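The scheme above, as an added example that is not part of the slides or the cited paper: encoding and decoding the 2-bit-per-pair look-alike scheme with the slide's four code points, plus the forensic pass an analyst would run first, listing every non-ASCII code point by Unicode name so that Greek, Cyrillic or Cherokee stand-ins for "A" and the invisible tag characters from slide 8 stand out. The tag-character sample appended at the end is constructed.

```python
# Added example (not from the slides): the 2-bit-per-pair homoglyph scheme from
# the Rahma et al. table, plus a detector for look-alike and invisible characters.
import unicodedata

# Look-alikes of Latin "A" from the slide's table; list index = the 2-bit value.
HOMOGLYPHS = ["\u0041", "\u0391", "\u0410", "\u13aa"]  # Latin, Greek, Cyrillic, Cherokee

def encode_bits(bits):
    """Hide a bit string (even length): each 2-bit value becomes 'A' + a look-alike."""
    if len(bits) % 2 or set(bits) - {"0", "1"}:
        raise ValueError("need an even-length string of 0/1")
    return "".join("\u0041" + HOMOGLYPHS[int(bits[i:i + 2], 2)]
                   for i in range(0, len(bits), 2))

def decode_bits(cover):
    """Recover the bits: the second character of every pair selects the value."""
    return "".join(format(HOMOGLYPHS.index(cover[i + 1]), "02b")
                   for i in range(0, len(cover) - 1, 2))

def decode_text(cover):
    """Group the recovered bits into bytes (MSB first) and return them as text."""
    bits = decode_bits(cover)
    return bytes(int(bits[i:i + 8], 2)
                 for i in range(0, len(bits) - 7, 8)).decode("latin-1")

def suspicious_chars(text):
    """Forensic pass: list every non-ASCII code point with its Unicode name, so a
    Greek/Cyrillic/Cherokee 'A' or an invisible tag character is visible to the analyst."""
    findings = []
    for pos, ch in enumerate(text):
        cp = ord(ch)
        if 0xE0000 <= cp <= 0xE007F:                       # the U+E0000..U+E007F tag block
            findings.append((pos, "U+%05X" % cp, "TAG CHARACTER (invisible)"))
        elif cp > 0x7F:
            findings.append((pos, "U+%04X" % cp, unicodedata.name(ch, "UNKNOWN")))
    return findings

if __name__ == "__main__":
    cover = encode_bits("01000001")                        # ASCII 'A' hidden in four pairs
    print(repr(cover), "->", decode_text(cover))
    for finding in suspicious_chars(cover + "\U000E0041"):  # constructed: one tag char appended
        print(finding)
```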
Image-based Stegano
• The human eye can distinguish around 10,000,000 colors.
• BUT!
• For a digital image, each pixel contains three bytes of RGB information
  • 2^8 x 2^8 x 2^8 = 16,777,216
• Hmm…the human eye is not sensitive enough, is it ?
RGB(76,230,113) RGB(76,230,112)
10
Discover the Pixel Difference
• Use an image post-production tool to amplify the difference
  • GIMP
  • Picasa3
  • etc.
• Pixel-based comparison with the original image
  • compare of ImageMagick
• Other pixel analysis tools
  • There are too many of them. We are not able to enumerate the tools here.
• Practice – "See" the key
  • Hint: encode the key with base64 and submit in BAMBOOFOX{…}
11
LSB Data-hiding
• The Least Significant Bit (LSB) of each per-pixel RGB byte is used to store the secret, one secret bit per byte.
• For example
  • secret = 'A' = (01000001)2
  • original image pixels = { (11011010, 10010111, 10010100), (10111010, 10110101, 10010111), (00101010, 10000111, 00010000) }
  • covered image pixels = { (11011010, 10010111, 10010100), (10111010, 10110100, 10010110), (00101010, 10000111, 00010000) }
  • The eight bits of 'A' occupy the LSBs of the first eight bytes; the ninth byte is untouched.
12
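An added example (not from the slides) that reproduces the embedding above over the slide's own pixel values and generalises it to n low bits per channel byte, so the degradation discussed on the next three slides can be measured as the largest per-channel change:

```python
# Added example (not from the slides): LSB embed/extract over pixel tuples, generalised
# to n low bits per channel so the quality loss shown on slides 13-15 can be measured.
ORIGINAL = [(0b11011010, 0b10010111, 0b10010100),
            (0b10111010, 0b10110101, 0b10010111),
            (0b00101010, 0b10000111, 0b00010000)]   # the slide's cover pixels
COVERED = [(0b11011010, 0b10010111, 0b10010100),
           (0b10111010, 0b10110100, 0b10010110),
           (0b00101010, 0b10000111, 0b00010000)]    # the slide's result for secret 'A'

def embed_lsb(pixels, secret, nbits=1):
    """Write `secret` (bytes, MSB first) into the low `nbits` of successive channel bytes."""
    bits = "".join(format(b, "08b") for b in secret)
    bits += "0" * (-len(bits) % nbits)                 # pad to a whole number of chunks
    channels = [c for px in pixels for c in px]
    if len(bits) > len(channels) * nbits:
        raise ValueError("secret does not fit in the cover")
    keep = 0xFF & ~((1 << nbits) - 1)                  # mask that preserves the high bits
    for i, start in enumerate(range(0, len(bits), nbits)):
        channels[i] = (channels[i] & keep) | int(bits[start:start + nbits], 2)
    return [tuple(channels[i:i + 3]) for i in range(0, len(channels), 3)]

def extract_lsb(pixels, nbytes, nbits=1):
    """Read `nbytes` bytes back out of the low `nbits` of each channel byte."""
    low = (1 << nbits) - 1
    bits = "".join(format(c & low, "0%db" % nbits) for px in pixels for c in px)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, nbytes * 8, 8))

def max_channel_change(a, b):
    """Largest per-channel difference: bounded by 2**nbits - 1, which is why 4+ bits show."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))

if __name__ == "__main__":
    assert embed_lsb(ORIGINAL, b"A") == COVERED          # matches the slide
    print(extract_lsb(COVERED, 1))                       # b'A'
    print(max_channel_change(ORIGINAL, embed_lsb(ORIGINAL, b"A", nbits=4)))
```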
Can More than One LSB Be Used ?
• One bit used. Well, the difference is hard to tell
http://www.datagenetics.com/blog/march12012/index.html
13
Can More than One LSB Be Used ?
• Four bits used. Uh… did you degrade the image quality ?
http://www.datagenetics.com/blog/march12012/index.html
14
Can More than One LSB Be Used ?
• Hmm…busted…
http://www.datagenetics.com/blog/march12012/index.html
15
Audio-based Stegano
• The audio stream can be inverted, sped up, or slowed down to confuse human hearing.
  • Use Audacity to recover the audio stream
• Practice – "Hear" the key
  • Hint: Give me some tempo
16
File-embedding Stegano
• Embedding a file into another file is extremely common in CTF contests.
  • The two files can have different file types
• The covering file must still execute/open normally, as the distraction from the hidden file
17
Challenges of File-embedding Stegano
• Numerous combinations of the covering file and the hidden binary
• The embedding is mostly achieved by exploiting the file specifications.
  • You are inevitably required to understand various file formats in order to notice the truth of the embedding
18
The first step ?
• There exist certain tools which generally scan the given binary and report the recognized binary (file) formats
  • strings
  • binwalk
  • foremost
• Later we use JPEG and PDF as examples to demonstrate the discovery of the embedded file.
19
JPEG File Format
http://www.exif.org/Exif2-2.PDF
https://en.wikipedia.org/wiki/JPEG
20
The Key Understanding of JPEG
• Start with the SOI magic bytes 0xFF, 0xD8
• End with the EOI magic bytes 0xFF, 0xD9
• Anything after the EOI will be ignored
• Wow!!!!!!!!!
• Practice – Find the hidden key file
  • Hint: dd (usage: dd if=IN_FILE of=OUT_FILE skip=OFFSET), binwalk, foremost
21
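An added example, not from the slides, of the check behind the hint: walk the JPEG marker segments to locate the EOI of the top-level image (a naive search for the first 0xFF 0xD9 can stop at a thumbnail's EOI inside an APP1 segment) and carve what follows it. The sample bytes are constructed, not a real photo.

```python
# Added example (not from the slides): walk the JPEG marker segments to find the real EOI,
# then carve whatever was appended after it. SAMPLE is constructed, not a real file.
SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_end(data):
    """Return the offset just past the EOI that closes the top-level image."""
    if not data.startswith(SOI):
        raise ValueError("no SOI at offset 0")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # TEM, RSTn, SOI: no length field
            pos += 2
            continue
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")   # skip length-prefixed segment
        if marker == 0xDA:                              # SOS: entropy-coded data follows
            # inside scan data 0xFF is stuffed as FF 00 and FF D0..D7 are restart markers;
            # the first other FF xx pair is the next real marker
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] != 0x00
                    and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("no EOI found")

def carve_after_eoi(data):
    """Bytes appended after the image: ignored by viewers, found by dd/binwalk."""
    return data[jpeg_end(data):]

SAMPLE = (SOI
          + b"\xff\xe1\x00\x0a" + b"Exif" + SOI + EOI          # APP1 with a tiny "thumbnail" owning its own EOI
          + b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"  # SOS header for one component
          + b"\x12\xff\x00\x34\xff\xd0\x56"                    # scan data: stuffed FF00 and an RST0 marker
          + EOI
          + b"PK\x03\x04hidden-archive")                       # constructed payload after EOI

if __name__ == "__main__":
    naive = SAMPLE.find(EOI) + 2                               # first FFD9 is the thumbnail's: wrong
    print("naive EOI at", naive, "real EOI at", jpeg_end(SAMPLE))
    print(carve_after_eoi(SAMPLE))
```

When carving with the hinted dd command, pass bs=1 so that skip=OFFSET counts bytes rather than the default 512-byte blocks.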
PDF File Format
HEADER
BODY
XREF TABLE
TRAILER
22
PDF Body Object
• Each object is described by the following context:
  OBJECT_ID GENERATION obj
  <<
    KEY1 VALUE1
    KEY2 VALUE2
    …
  >>
• A key-value pair specifies an attribute of the object
  • Type, Encoding, Resources, etc.
  • The value can be a reference to another object
• The data stream held by an object is enclosed by stream … endstream
23
A Quick Walkthrough of PDF
• PDF Root. The information of the included pages is described in object 2
• Object describing the pages included in the PDF file
• A single PDF page, whose content refers to object 4
• Object 4 is a data stream representing the string "Hello, World!"
24
PDF Object-of-Interest
• Completely parsing the PDF file structure by hand is infeasible.
  • The PDF spec has around 800 pages…
• Focus on the interesting keywords within the objects
  • /JS, /JavaScript – Nothing to say
  • /EmbeddedFile – Extract the data stream
  • /Flate, /FlateDecode, /DCTDecode – The encoding scheme of the data stream
25
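An added example (not from the slides) of the keyword-focused approach above: a small walker over "N G obj … endobj" blocks that reports the keywords of interest and inflates /FlateDecode streams. The PDF is constructed inline, modelled on the walkthrough on slide 24; relying on regex boundaries instead of each stream's /Length is a simplification of this example, not how a real parser works.

```python
# Added example (not from the slides): a minimal object walker that reports the keywords
# of interest and decodes /FlateDecode streams. SAMPLE_PDF is constructed inline.
import re
import zlib

INTERESTING = (b"/JS", b"/JavaScript", b"/EmbeddedFile", b"/FlateDecode", b"/DCTDecode")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)

def scan_objects(pdf):
    """Return {obj_id: (keys_found, stream_bytes_or_None)} for every body object."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        obj_id, body = int(m.group(1)), m.group(3)
        dictionary = body.split(b"stream", 1)[0]             # the << ... >> part before any stream
        keys = [k for k in INTERESTING if k in dictionary]
        data = None
        s = STREAM_RE.search(body)
        if s:
            data = s.group(1)
            if b"/FlateDecode" in dictionary:                # the encoding scheme of the stream
                try:
                    data = zlib.decompress(data)
                except zlib.error:
                    data = b"<corrupt FlateDecode stream>"
        found[obj_id] = (keys, data)
    return found

# Constructed sample: catalog -> pages -> page -> content stream, plus an /OpenAction
# carrying JavaScript and an /EmbeddedFile object holding a fake key.
CONTENT = zlib.compress(b"BT /F1 12 Tf (Hello, World!) Tj ET")
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript /JS (sample) >> >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(CONTENT),
    CONTENT, b"\nendstream\nendobj\n",
    b"5 0 obj\n<< /Type /EmbeddedFile /Length 9 >>\nstream\nKEY{demo}\nendstream\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

if __name__ == "__main__":
    for obj_id, (keys, data) in sorted(scan_objects(SAMPLE_PDF).items()):
        if keys:                                              # only objects worth a closer look
            print(obj_id, keys, data)
```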
Try the Crafted PDF
• Practice – Find or See the hidden key
  • Hint: hex editor (e.g. 010, HxD), dd, pdf-parser, peepdf
• More than one way to resolve this one
26
Additional Obstacles of Steganography Challenges
• Now you should agree that knowledge of file formats is valuable in forensics tasks.
• Sometimes you need to repair the file format first and then proceed with further analysis
  • The repair is more like a general forensics operation than a stegano-oriented one
27
Finally
• We can leave the guessing hell constructed by the evil steganography.
• Feel like the Shaman King ?
  • Never gonna happen… Orz
28
Forensics on Network Traffic
• The network traffic is usually captured and kept as a .pcap file
• In this course, we focus on the commonly used Wireshark features to perform network traffic forensics.
29
Common Wireshark Features Used
• Packet filter
• Follow TCP stream
• Export HTTP object
• Decrypt SSL traffic
30
Packet Filter
• TCP
• FTP-DATA
• HTTP
• SSL
• ip.dst==xxx
• Etc.
31
Follow TCP Stream
32
Follow TCP Stream
33
Export HTTP Object
34
Export HTTP Object
35
Encrypted Traffic - HTTPS
36
Decrypt HTTPS
• Two requirements
  • Traffic record containing the handshake process
  • Private key of the server
  • Note: the server key only decrypts sessions negotiated with RSA key exchange; (EC)DHE cipher suites need the session keys instead
37
Configure SSL Setting
• Protocol: SSL
• Click (the RSA keys list edit button)
38
Import Private Key
• Server IP
• Server Port
• Underlying Protocol (e.g. http)
• Select your private key "XXX.pem"
• Password – needed if the .pem is password-protected
39
LOL ~ I See You
40
DIY Time
• Practice – Decrypt HTTPS
• Hint: Merge them
41
Thank You for Listening
42