Data Hiding
- Tags
- security
An anti-forensics process which works by making evidence harder to find by [see page 12, obscuring] its storage. This can include scrambling the data (encryption) or moving its storage into slack-space to evade detection.
Can be subdivided into:
- Data in transit through a network such as using SSH, SSl/TLS, ToR
- Data at rest in your hard-disk
[see page 14, Basic] Techniques
- Modifying file extensions (store an executable as a png image file)
- Include random garbled text to evade hash based signature detection
- Store text such that it appears invisible when opened (example: word document with white foreground and background text).
- Make files hidden
- Place files in unexpected places (such as the system folder)
- Hidden partitions or unallocated spaces
see page 15, Codes
Typically substitute a word or sentence with another word/sentence based on some codebook. This approach could be potentially more difficult to analyse/break then ciphers.
[see page 16, Encryption]
An obfuscation approach that can be applied at the file, volume or device level.
It's relatively easy to detect encryption because the output looks much like compressed data.
Common tools used to detect that encryption has been employed:
- TrueCrypt (forked to VeraCrypt)
- Bitlocker (Windows)
- FileVault (Mac OS)
[see page 17, Passwords]
Locking files/resources behind a password/phrase/key. The strength of a password is dictated by the number of possible permutations a password can have, which is a function of the character set a password can take and the length of the password.
This can be easy to find if you're able to capture the system RAM when it was input.
[see page 18, Steganography]
Hiding information/files within other files. Such as hiding data in a certain color layer for an image.
Detection is very difficult because the hidden file may also be compressed before encryption.
Warn: Compression can destroy hidden messages in some type of steganography because it may discard certain, seemingly irrelevant, data.
Steganography is often used in conjunction with cryptography so that the information is doubly protected; first it is encrypted and then hidden so that an adversary has to first find the information and then decrypt it.
- Kessler, 2001
See a list of common steganography programs [see page 20, here].
Steganalysis
Is the discovery of the existence of information hidden using Steganography. The goal is to discover hidden information and break the security of its carriers.
Techniques are classified based on how much prior information is known:
- Steganography-only attack: Can only use the steganography medium for analysis.
- Known-carrier attack: The carrier and steganography medium are both known.
- Known-message attack: The hidden message is known.
- Chosen-steganography attack: The steganography medium and algorithm are both known.
- Chosen-message attack: A known message and steganography algorithm are used to create steganography media for future analysis and comparison.
- Known-steganography attack: The carrier steganography medium, and steganography algorithm are known.