Embedding the evil within
By Sharon Goudy, OLETC Project Coordinator
Published: 01/24/2007
'A picture is worth a thousand words,' and in today's high-tech world those words have never been truer, especially for criminals. From terrorists to child pornographers, photos are providing the means by which they establish covert communication. Many of these criminals are experts at steganography. While it certainly sounds like something developed in the lab of a James Bond movie, the method involves using computer software to embed hidden text and images inside other images, called “carrier files” or “cover images,” and then transferring them via the Internet.

The Office of Law Enforcement Technology Commercialization (OLETC), a program of the National Institute of Justice, Office of Justice Programs, is working with a West Virginia-based company whose technology combats this practice. Backbone Security, a small, privately owned company incorporated in West Virginia in September 2000 and based in Fairmont, has developed the StegAlyzerAS and the StegAlyzerSS, an “artifact” scanner and a “signature” scanner, respectively, to detect the presence and use of steganography applications on suspect computers.

“Steganography can be used to conceal evidence of criminal activity. This includes terrorists using steganography to conceal their communications and child pornographers using it to distribute contraband images by hiding information in other files,” says Jim Wingate, Backbone Security's Vice President of West Virginia operations. He is also Director of the Steganography Analysis and Research Center (SARC), a center within Backbone Security dedicated to establishing a national repository of digital steganography application fingerprints and signatures. SARC also develops techniques and procedures for detecting and extracting information hidden inside other files by digital steganography applications.

To understand the technology, some basic background information is needed.
Derived from the Greek words “steganos,” meaning “covered,” and “graphie,” meaning “writing,” steganography literally translates to “covered writing.” Digital steganography applications can be used to hide digital files inside other digital files. Merely looking at a photo or listening to a sound bite would not reveal the additional, hidden information to the average person. Criminals with steganography software hide, embed or append information to a cover file and then post the file to a Web site for downloading, or send the file as an e-mail attachment. The intended recipient then uses the same steganography application to reverse the process and extract the information. Steganography software itself is not illegal; it is how the software is used that causes problems with the law.

So how does this technology work? “The StegAlyzerAS is actually an artifact scanner,” Wingate explains. “It does not detect the presence of hidden text; rather, it detects the presence of a steganography application on a suspect's hard drive by looking for the ‘fingerprints’ or ‘hash values’ of artifacts or files associated with the steganography application.” It also scans the Windows Registry for registry keys and/or values associated with steganography applications.

“The reason this is significant is because criminals will typically make some attempt to cover their tracks,” Wingate adds. “Cyber criminals are no different, so we suspect that some will download, install and use a steganography application then, to cover their tracks, they will uninstall the application and delete the residual files and folders associated with the application that the uninstaller didn't remove.
“Unless they are a very technically savvy user, they will likely not realize the application has left a fingerprint in the Windows Registry in the form of a key or value that was added or changed as a result of installing the application that the uninstaller didn't remove or change back to the original settings,” he adds. Law enforcement officials then logically conclude that if the application existed on the computer, it was probably used. “And if it was used, it was used to hide something that may be of evidentiary value in a criminal prosecution,” he says.

StegAlyzerAS can detect all the file and registry artifacts associated with 250 steganography applications. “As a result of our extensive research on steganography applications available as freeware/shareware on the Internet, we discovered that some leave a uniquely identifiable hexadecimal byte pattern or ‘signature’ as a by-product of embedding information in or appending information to a carrier file,” he said. StegAlyzerSS can detect 22 signatures associated with 30 steganography applications, some of which are later versions of the same application that leave the same signature, which is why there are fewer signatures than applications.

“We intend to discover as many more signatures as we can within resource constraints,” he said. “Signature discovery is an extraordinarily difficult process that involves the use of a hex editor to do a side-by-side analysis of a reference file with another file that has known information hidden with a steganography application. Our technical staff then searches through the files with the hex editor, searching for the known payload so we can figure out how the application embedded the known information. Sometimes that research results in the discovery of a signature, and, when we can discover a signature, a by-product of that is the technique and procedure to extract the hidden information,” Wingate said.
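The two detection approaches described above, artifact scanning (hash every file on disk against a fingerprint database of files a steganography application installs) and signature scanning (look for a byte pattern an application leaves in a carrier file, here combined with a generic check for data appended after a JPEG's end-of-image marker), sketched as an added example that is not Backbone Security's code. The application name "HideIt", its file hashes, its trailer signature and the sample JPEG bytes are all constructed placeholders; the registry-key check the article also mentions is omitted because it is Windows-only.

```python
import hashlib
import os
import tempfile

# Constructed placeholders for a hypothetical app "HideIt": the files its installer drops and the
# trailer it leaves after appending a payload. Real SAFDB hashes and StegAlyzerSS signatures are not reproduced.
HIDEIT_FILES = {"hideit.exe": b"MZ\x90\x00hypothetical stego app\n", "hideit.dll": b"MZ\x90\x00helper\n"}
FINGERPRINT_DB = {hashlib.sha256(b).hexdigest(): "HideIt (hypothetical)" for b in HIDEIT_FILES.values()}
SIGNATURE_DB = {b"HIDEIT\x01\x00": "HideIt (hypothetical)"}

def scan_artifacts(root):
    """Artifact scan: hash every file under root and report fingerprint-database matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            with open(os.path.join(dirpath, name), "rb") as f:
                app = FINGERPRINT_DB.get(hashlib.sha256(f.read()).hexdigest())
            if app:
                hits.append((name, app))
    return hits

def jpeg_end_offset(data):
    """Offset just past the real EOI marker; segments are walked so a thumbnail inside an APP segment
    is skipped, and after SOS the bytes FF D9 cannot occur inside entropy-coded data (FF is stuffed as FF 00)."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        if data[pos + 1] == 0xDA:  # Start of Scan: next FF D9 is the image's EOI
            eoi = data.find(b"\xff\xd9", pos)
            return None if eoi == -1 else eoi + 2
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")  # skip this segment
    return None

def scan_signatures(data):
    """Signature scan: known trailer bytes plus a generic data-after-EOI check; returns (label, offset) pairs."""
    findings = [(app, data.find(sig)) for sig, app in SIGNATURE_DB.items() if sig in data]
    end = jpeg_end_offset(data)
    if end is not None and end < len(data):
        findings.append(("appended data after JPEG EOI", end))
    return findings

# Constructed minimal JPEG (SOI, APP0, SOS, stuffed entropy bytes, EOI) and a copy with a payload appended.
CLEAN_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56\xff\xd9")
STEGO_JPEG = CLEAN_JPEG + b"secret note" + b"HIDEIT\x01\x00"

def demo_artifact_scan():
    """Drop the hypothetical app's files plus an unrelated file into a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for name, content in {**HIDEIT_FILES, "notes.txt": b"unrelated"}.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(content)
        return scan_artifacts(root)
```

A real deployment would load the fingerprint and signature tables from a maintained database rather than literals, and would treat an appended-data finding as a lead for manual steganalysis, not as proof of which application produced it.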
A feature unique to the StegAlyzerSS is AEAs, or Automated Extraction Algorithms, which provide computer forensic examiners with a ‘point-click-and-extract’ interface to relieve them of the burden of doing detailed steganalysis.

The Steganography Application Fingerprint Database (SAFDB) can be used by federal, state and local law enforcement digital forensic examiners and the intelligence community to determine whether files on a seized computer can be associated with a particular digital steganography or other data-hiding application. “First came the SAFDB, which contains the fingerprints, or hash values, of the file artifacts associated with steganography applications,” Wingate explains. “We make extracts of the database available for free to law enforcement, intelligence and government agencies in a format that can be imported into their forensic tool of choice.” The StegAlyzerAS includes SAFDB along with a registry artifact detection capability. “So essentially, they can use our fingerprint database with or without our artifact scanner. But to scan for registry artifacts, they must have StegAlyzerAS.” Then, for signature scanning and automated extraction, the StegAlyzerSS would be used.

Backbone Security and OLETC

OLETC contacted Wingate to learn more about his steganography research in the SARC and whether or not there was any commercial application in law enforcement for Backbone's technology. “As criminals become more sophisticated, so must the tools we use as law enforcement to help catch them,” said Steve Morrison, former career law enforcement professional and Vice President of the West Virginia High Technology Consortium Foundation's Public Safety and Homeland Security Group (PSHSG). He is also OLETC's Interim Director.

Wingate, who retired in 2000 after 25 years as a communications and information officer for the U.S. Air Force, explained that he was moved to action after he read a National Needs Assessment regarding tools and technology for investigating cyber attacks. “One of the needs identified in the document was a clearinghouse of digital steganographic programs and signatures that could be consulted during forensic analysis of a seized computer to flag the possible use of this data-hiding technique, as well as additional long-term research into breakthrough technologies for steganography detection,” he says. “This need resonated with me because of my familiarity with how steganography can be used to establish covert channels for communication.”

After the technology prototype was matured, Wingate attended OLETC's Commercialization Planning Workshop (CPW®), an intensive five-day course in developing a strategy for taking a project from infancy to innovation to the marketplace. “I was very fortunate to have made the cut,” Wingate says of the CPW. “I would liken the experience to boot camp for entrepreneurs because it was a very taxing, yet personally and professionally rewarding five days.” He says license sales recently have more than quadrupled and he believes there is still significant growth yet to come. He also says Backbone has developed a prototype for real-time detection of steganography application fingerprints and signatures that will be the first of its kind in the world.

Sharon Goudy has been with OLETC for three and a half years and is currently the organization's project coordinator. For more information about OLETC, call 888-306-5382. For more information about Backbone Security, call 304-366-9161.