Team Delta - Pennsylvania State University team project: Steganography Lab
Team Delta
Steganography Lab
IST 454, Section 1 Spring 2011
Team Delta: Allison Antis, Steven Dodge, David Lingelbach, Steven Lizzi, Adan Ortiz, Tammara Ross
Table of Contents
INTRODUCTION
HOW DOES STEGANOGRAPHY WORK?
THE SCENARIO
HOW FRED SENDS THE RECIPE
STEP 1: PREPARE AN IMAGE FOR USE WITH XIAO
STEP 2: PREPARE A DOCUMENT TO HIDE
STEP 3: SELECT THE FILES IN XIAO
STEP 4: SELECT THE ENCRYPTION TYPE
STEP 5: SAVE THE NEW FILE
STEP 6: SELECT THE FILE TO DECODE
STEP 7: EXTRACT THE MESSAGE
HOW POPEYE’S READS THE MESSAGE
THE FORENSIC INVESTIGATION
BACKGROUND
INITIAL EVIDENCE
MANAGER INTERVIEW
COMPUTER EXAMINATION
CONCLUSION
Introduction:
How do you hide a message in plain sight? The art or practice of hiding a message within other
information is called steganography. Steganography has been used since the 5th century when
Greek tyrants would shave the heads of their servants, tattoo a message on the servant's head, and
send the servant to his destination where his head would be promptly shaved. Unless a person knew
that a hidden message was inscribed on the servant’s head, the message would be transmitted
without any problems. Today, steganography is more commonly used to hide digital messages within
digital information. For example, a password can be embedded in a text file, music file, image file, or
any other kind of file. In the summer of 2010, the FBI discovered that a ring of alleged Russian spies
had been using steganography to hide information in images posted on public websites. For
example, the innocent-looking image of the Washington Monument below hid a map of the Burlington
Airport in Vermont.
Figure 1. Image of the Washington Monument
Figure 2. Image of the Burlington Airport Hidden in the Washington Monument
In this lab report, we explain how steganography is used to hide messages in image files, using a
steganalysis tool called Xiao.
How Does Steganography Work?
The concept behind Xiao is actually pretty simple. All Xiao does is slightly change color values
throughout a picture, but not by a noticeable amount. Let’s start by examining the structure of an
image file. Images are made up of a grid of dots or squares called pixels. Each pixel is a
sample of the original image. The closer the number of pixels in the grid gets to the number of pixels
used to display the image on the screen, the clearer the image becomes. The color shade of each
pixel is determined by some value.
Figure 3. A Picture of a Duck
When examining the image with HexEdit, we can see the hexadecimal values that make up the
image.
Figure 4. HexEdit
Computers that run in 32-bit color mode today are capable of displaying 16.7 million different color
shades. There are so many different shades that the difference between some of these shades can
be indistinguishable to the human eye. For example, the color on the left was taken from an
individual pixel within the duck picture. Two of the characters within its hex value were then changed,
which produced the color seen on the right. Upon first glance, the colors look exactly alike. Keep in
mind that this is just one pixel out of the 1,482,129 that make up the original picture of the duck. By
making slight changes to multiple pixels, the contents of another file can be hidden within the picture
without making the original image look any different.
Figure 5. 16.7 Million Different Color Shades
The hexadecimal value of a short text file containing a message like “Ducks go quack.” is made up of
only 30 characters. Let’s use this text file as an example and insert it into our duck picture.
Figure 6. Quack.txt
First, we need to establish a procedure. Let's insert the hex value from each character of the
message into a different pixel. The message hex characters will replace the characters in positions 2
and 4 of the pixels' hex values. We'll start 1 block in and one block down from the upper left-hand
corner of the picture. We'll modify every other pixel until we've changed 5 of them, then we'll skip a
row and start back 1 pixel in from the left edge. That should mean having to modify pixels in 3
separate rows of pixels on the picture. Remember: think of the image as a grid, table, or
two-dimensional array of squares.
Figure 7. Steganography Procedure
Using Adobe Fireworks CS5, we can simply type the hex value of the color we want into the color
picker. Then we use the paintbrush with a stroke width of one pixel and the hard line option selected,
which lets us re-color individual pixels.
Figure 8. Adobe Fireworks CS5
Once all the changes have been made, we can look at the original picture next to our version
containing the message. Do you see anything different between them?
Figure 9. The Original and Modified Picture
Xiao’s algorithms may be much more advanced than the one used in our example, but in the end, all
it does is change the hex values of pixels. If you know what method was used to hide a file within the
image, it is easy to know where to look to extract the hidden file. Luckily, Xiao does all
that tedious work for you.
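The manual procedure described above (one message character per pixel, its two hex digits written into positions 2 and 4 of the pixel's hex value), as an added Python example that is not part of the original lab report. It assumes those positions are the low hex digits of the red and green channels in an RRGGBB value, and it uses a constructed 12x8 gradient in place of the duck picture; all function names are illustrative.

```python
# Toy embedding from the text: one message byte per pixel, its two hex digits
# replacing hex positions 2 and 4 of RRGGBB (assumed: low nibbles of red and
# green). Carrier pixels: x = 1, 3, 5, 7, 9 on rows y = 1, 3, 5, ...
PER_ROW = 5  # pixels changed per row before skipping a row

def positions(count):
    """Yield (x, y) for the first `count` carrier pixels."""
    for i in range(count):
        yield 1 + 2 * (i % PER_ROW), 1 + 2 * (i // PER_ROW)

def embed(pixels, message):
    """Return a copy of `pixels` (rows of (r, g, b) tuples) carrying `message`."""
    out = [list(row) for row in pixels]
    need_w, need_h = 2 * PER_ROW, 2 * ((len(message) - 1) // PER_ROW) + 2
    if len(out) < need_h or any(len(row) < need_w for row in out):
        raise ValueError("cover image too small for this message")
    for (x, y), byte in zip(positions(len(message)), message):
        r, g, b = out[y][x]
        out[y][x] = ((r & 0xF0) | (byte >> 4), (g & 0xF0) | (byte & 0x0F), b)
    return out

def extract(pixels, length):
    """Read `length` bytes back; the reader must already know the length."""
    return bytes(((pixels[y][x][0] & 0x0F) << 4) | (pixels[y][x][1] & 0x0F)
                 for x, y in positions(length))

def changed_pixels(original, modified):
    """Coordinates where the two images differ (needs the original cover)."""
    return [(x, y) for y, row in enumerate(original)
            for x, px in enumerate(row) if px != modified[y][x]]

def max_channel_delta(original, modified):
    """Largest change to any single colour channel, on a 0-255 scale."""
    return max(abs(a - b) for ro, rm in zip(original, modified)
               for po, pm in zip(ro, rm) for a, b in zip(po, pm))

# Constructed 12x8 cover image (a smooth gradient), not the duck picture.
COVER = [[(200 + x, 180 + y, 40) for x in range(12)] for y in range(8)]
MESSAGE = b"Ducks go quack."  # 15 bytes = 30 hex characters

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print(extract(stego, len(MESSAGE)))
    print(changed_pixels(COVER, stego))
    print(max_channel_delta(COVER, stego))
```

With the original cover image in hand, `changed_pixels` exposes exactly the carrier positions, which is why comparing a suspect image against a known original is a useful forensic check.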
The Scenario
To demonstrate the Xiao tool, we will run through a fictional example. When conducting corporate
computer forensic investigations, a common type of investigation involves industrial espionage where
sensitive corporate data or intellectual property is sold to another company. In this example, Fred
works at Kentucky Fried Chicken. Fred is having problems at home and is in dire financial straits.
Fred needs money, and competitor Popeye’s wants the Colonel’s secret recipe. Fred and Popeye’s
come to a financial agreement, and both parties decide to exchange this data using steganography
and agree on using Xiao because the tool is free and has a graphical user interface.
How Fred Sends the Recipe
Note: To download Xiao for free, please visit the following link: http://download.cnet.com/Xiao-Steganography/3000-2092_4-10541494.html
Step 1: Prepare an Image for Use with Xiao
1. Xiao accepts only .BMP images. To convert a photo from another format, open the
photo in Microsoft Paint.
2. Go to “File” and select “Save As.”
3. Select the BMP file type.
4. Navigate to the appropriate directory and click “Save.”
Figure 10. Microsoft Paint
Step 2: Prepare a Document to Hide
1. Any type of file can be used. In this example we will create a text file in Notepad and
type a secret message into it. The message will be saved as “secret.txt.”
Figure 11. secret.txt
2. To avoid confusion, make sure the document is saved in the same directory where you
saved the picture in the previous step.
Step 3: Select the Files in Xiao
1. Open Xiao.
2. Select “Add Files.”
3. Select “Load Target File.”
4. Navigate to the directory where you saved your picture and document. The image and
information about it should appear within the window.
5. Select “Next.”
6. In the window that appears, click “Add Files.”
7. Select your document in the file browser and click “Open.” The file should appear in the
Xiao window.
Figure 12. Xiao File Browser
8. Click “Next.”
Step 4: Select the Encryption Type
1. You can select any encryption or hashing algorithm combination you like. We will use
the defaults of RC2 encryption and MD5 hashing in this example.
2. Type a password for the file into the text field. For this example, we'll use
“chickendunk3r.”
Figure 13. Xiao Encryption Type
3. Click “Next.”
Step 5: Save the New File
1. You should see a progress bar indicating that the files you selected are being merged.
A file browser will appear to save the resulting file.
2. Navigate to the directory containing the original files you used and save the file as “New
Picture.bmp.”
Figure 14. Saving “New Picture.bmp”
3. Click “Finish.”
Step 6: Select the File to Decode
1. If you closed out of Xiao, open Xiao back up.
2. Select “Extract Files.”
3. Select “Load Source File.”
4. Navigate to where you saved “New Picture.bmp,” select it, and click “Open.”
5. The picture should be shown in the window along with information about it.
Figure 15. Xiao File Browser
6. Click “Next.”
Step 7: Extract the Message
1. Xiao should now show you a list of files contained within “New Picture.bmp.”
2. Select “secret.txt” and type the password you used to encrypt the file into the password
text field.
3. Click “Extract File.”
Figure 16. Extract File
4. Browse to where you want to save the extracted file and save it as “Decoded
Message.txt.”
5. An alert should appear saying that the file was successfully extracted.
6. Click “Exit” to close out of Xiao.
How Popeye’s Reads the Message
1. Navigate to where you saved your decoded file in Xiao.
2. Click on it to open.
3. You should now see the secret message you created in the beginning of the lab.
4. Try encoding your own secret message and sending it to a friend to have him or her decode it.
**Disclaimer: Don't break any laws using this method!
The Forensic Investigation
Background
The IT department at KFC notices that Fred has been sending a lot of emails to an outside email
address: [email protected]. KFC has a written policy stating that a manager must approve
any email sent outside the company, and Fred has not been given approval. Because of the policy,
KFC's IT staff decides to investigate the case to see if any foul play is afoot.
Initial Evidence
The IT staff at KFC discovers that the vast majority of these emails contain image attachments, but the
image attachments are of trivial, harmless things.
Figure 17. Example Image Attachment
The staff also notices that the first email that Fred sent to the Gmail address only contained one word:
“chickendunk3r.”
Figure 18. “chickendunk3r” e-mail
Manager Interview
The IT staff decides to ask Fred's manager about the situation. The manager tells the staff that Fred
has been under a lot of pressure at home recently and has been running into financial troubles. The
IT staff decides to forensically analyze Fred's computer just in case.
Computer Examination
They discover the Xiao tool downloaded on Fred's PC. They run one of the image attachments
through the program and discover that there is a text file hidden in the image file. However, to read
the text file, a password is required. After trying Fred's email, system, and network passwords, the IT
staff tries the “chickendunk3r” password that they noticed in the first email and discovers the secret
message. Fred has been busted.
Conclusion
In this lab, we have learned the definition of steganography, how steganography works in theory, and
how steganography can be practiced through the use of the Xiao software tool. Remember to
practice responsibility and strong ethics when working with steganography and computer forensics in
general. Thanks and good luck!