Hiding data from EnCase

(@clownboy)
Eminent Member
Joined: 20 years ago
Posts: 46
 

I think determining what you are hiding from is important here. If I was hiding something from a determined forensic investigator then I would probably choose encryption and the stronger the better.

If I was hiding from a larger scale electronic discovery issue I would probably choose a combination of encryption and/or an alternative data source. By that I mean most EDD vendors and tools are focused on Windows related file types. Hide your data in an encrypted (or not) Mac, Linux or Unix file and you are very likely to be missed in the Windows EDD world.



   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

We looked at them through Norton and could see the bad sector flags in the FAT and change them at will. This was all done on floppies BTW.

Thanks.

Again, on a live system, how would those blocks have been accessed by a user? Using a technique similar to what you used?



   
ReplyQuote
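The floppy-era trick quoted in this exchange (flipping a cluster's FAT entry to the "bad" marker so the file system never hands it out again) is something an examiner can check for directly rather than wait to stumble over. The script below is an added example, not code from this thread or from any tool mentioned in it. It decodes a FAT12 table, lists clusters flagged bad, reports the ones whose data region is not blank, and compares the two FAT copies, since a hand edit of one table often leaves the other untouched. The FAT tables and data region are constructed in memory (labelled as such in the code), and the 512-byte cluster size is an assumption for the sample.

```python
"""Audit a FAT12 table for 'bad cluster' markers that may be parking data.

Added example for the thread above, not code from the forum or from any
forensic product. The FAT copies and data region are constructed in memory
so the script runs offline.
"""

FAT12_BAD = 0xFF7          # reserved marker: cluster is unusable
CLUSTER_SIZE = 512         # assumed: one 512-byte sector per cluster in the sample


def fat12_entry(fat: bytes, cluster: int) -> int:
    """Decode the 12-bit FAT entry for `cluster` (entries are 1.5 bytes each)."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if cluster & 1 else word & 0x0FFF


def fat12_set(fat: bytearray, cluster: int, value: int) -> None:
    """Write a 12-bit value for `cluster`, preserving the neighbour's nibble."""
    off = cluster + cluster // 2
    word = fat[off] | (fat[off + 1] << 8)
    if cluster & 1:
        word = (word & 0x000F) | ((value & 0x0FFF) << 4)
    else:
        word = (word & 0xF000) | (value & 0x0FFF)
    fat[off] = word & 0xFF
    fat[off + 1] = word >> 8


def bad_clusters(fat: bytes, total_clusters: int) -> list:
    """Clusters flagged bad. Data clusters are numbered from 2."""
    return [c for c in range(2, total_clusters + 2)
            if fat12_entry(fat, c) == FAT12_BAD]


def fat_mismatches(fat1: bytes, fat2: bytes, total_clusters: int) -> list:
    """Clusters where the two FAT copies disagree (a sign of a manual edit)."""
    return [c for c in range(2, total_clusters + 2)
            if fat12_entry(fat1, c) != fat12_entry(fat2, c)]


def nonblank_bad_clusters(fat: bytes, data: bytes, total_clusters: int) -> list:
    """Bad-flagged clusters whose on-disk content is not all zeros.

    A genuinely unreadable cluster rarely yields clean, structured bytes; one
    that does is worth carving and explaining.
    """
    out = []
    for c in bad_clusters(fat, total_clusters):
        start = (c - 2) * CLUSTER_SIZE
        if any(data[start:start + CLUSTER_SIZE]):
            out.append(c)
    return out


def build_sample(total_clusters: int = 16):
    """Constructed sample: FAT1, FAT2 and a data region (not a real disk)."""
    n_entries = total_clusters + 2
    fat1 = bytearray((n_entries * 3 + 1) // 2)
    fat12_set(fat1, 0, 0xFF0)          # media descriptor entry
    fat12_set(fat1, 1, 0xFFF)          # reserved entry
    fat12_set(fat1, 2, 3)              # a three-cluster file: 2 -> 3 -> 4 -> EOC
    fat12_set(fat1, 3, 4)
    fat12_set(fat1, 4, 0xFFF)
    fat12_set(fat1, 9, FAT12_BAD)      # flagged bad but holds data (suspicious)
    fat12_set(fat1, 12, FAT12_BAD)     # flagged bad and blank (plausibly genuine)
    fat2 = bytearray(fat1)
    fat12_set(fat2, 9, 0)              # second copy never updated: copies disagree
    data = bytearray(total_clusters * CLUSTER_SIZE)
    data[0:CLUSTER_SIZE * 3] = b"normal file content".ljust(CLUSTER_SIZE * 3, b"\x00")
    hidden = b"constructed: bytes parked in a cluster marked bad"
    start = (9 - 2) * CLUSTER_SIZE
    data[start:start + len(hidden)] = hidden
    return bytes(fat1), bytes(fat2), bytes(data)


def audit(total_clusters: int = 16) -> dict:
    """Run the three checks over the constructed sample."""
    fat1, fat2, data = build_sample(total_clusters)
    return {
        "bad": bad_clusters(fat1, total_clusters),
        "nonblank_bad": nonblank_bad_clusters(fat1, data, total_clusters),
        "fat_mismatch": fat_mismatches(fat1, fat2, total_clusters),
    }


if __name__ == "__main__":
    for check, clusters in audit().items():
        print(f"{check}: {clusters}")
```

On a real image the same three functions would be pointed at the FAT copies and data region read out of the volume; the decode handles the odd/even nibble split that makes FAT12 entries easy to get wrong by hand.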
keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

I think determining what you are hiding from is important here. If I was hiding something from a determined forensic investigator then I would probably choose encryption and the stronger the better.

IMHO, using encryption is a way of telling a 'determined' forensic investigator, 'look, here I am'. By using encryption, you're letting the examiner know that you're there…you're just hiding the actual data from view…but someone's going to know that something was up.

If I was hiding from a larger scale electronic discovery issue I would probably choose a combination of encryption and/or an alternative data source. By that I mean most EDD vendors and tools are focused on Windows related file types. Hide your data in an encrypted (or not) Mac, Linux or Unix file and you are very likely to be missed in the Windows EDD world.

Well, EDD usually, like you said, looks for specific file types…PSTs, Word docs, Excel spreadsheets. You're not hiding, because no one is looking.

I agree that what you are hiding, and whom you are hiding from, is important when figuring out how you're going to hide. For example, are you 'hiding' just long enough to get data and get off the system, or are you planning to stay on the system for the long haul? Are you looking to grab as much data as you can in as short amount of time as you can, or are you looking to return to the system over a long period of time?

Using encryption, stego, and rootkits will end up getting you in trouble. Using Linux or Mac file formats on a Windows system is also likely to get you found out…if someone mounts an image of a Windows system and uses Rob Lee's SIFT workstation to run 'file' across the file system, you'll stand out like a sore thumb. Also, some rootkits have a way of BSoD'ing the box after an update.

If you're looking to get some data off of a system, do this…get a normal Windows PE file and write your data into the sections of the PE file where code is kept. Make it a 'normal' EXE or DLL, but not one that would be used or run on the system. Be sure to put it some place where someone would normally expect it to be…you're leaving not only the PE header, but the .rsrc section in place, so if it says "Adobe", be sure that you don't write it to the C:\Temp dir.

You can also encode data and place it into the Registry. I assisted with a case once where the customer had shut the system down prior to our arrival, and we had no idea that the malware (no AV detected it) was writing data to the Registry until we ran it in a monitored sandbox.

The point is, the best way to hide is like a sniper…in plain sight. Most hiding techniques will either highlight the presence of the intruder by crashing an application or the box, or will stand out to a reasonably competent examiner. If you *really* want to hide on a box for a long period of time, you have to blend in in every way possible, including how you get data off of the box.



   
ReplyQuote
Beetle
(@beetle)
Reputable Member
Joined: 18 years ago
Posts: 318
 

Snip>>

Again, on a live system, how would those blocks have been accessed by a user? Using a technique similar to what you used?

That was what the instructors were assuming when they put the exercise together. To a large extent the point they were trying to make was that if it was possible to do something you needed to be on the lookout for such methods. In those days everything was very experimental, we were encouraged if we got an idea to try it to see if it was possible. The logic was that if we could do it, someone else could as well. I used to look around during search warrants to see what kind of reading materials the target had to see if they would be sophisticated enough to come up with something fancy or unusual.



   
ReplyQuote
(@seanmcl)
Honorable Member
Joined: 20 years ago
Posts: 700
 

Hmmm. I thought that I posted a response, but it never showed up. Oh well…

IMHO, using encryption is a way of telling a 'determined' forensic investigator, 'look, here I am'. By using encryption, you're letting the examiner know that you're there…you're just hiding the actual data from view…but someone's going to know that something was up.

That statement may be true, today, but I doubt that it will be as true looking into the future. Personal privacy tools are not only commonplace, they are increasingly simple to use. With cellphones and USB devices which either encrypt themselves on the fly, or when someone fails to give the appropriate password, encrypted files/folders/volumes will, at some point, be routine fodder for us investigators.

To paraphrase Phil Zimmermann, just because I put my message into an envelope instead of on a postcard doesn't make me a subversive or drug dealer. Finding encryption may be enough to raise your level of suspicion, but would it be sufficient to result in legal action or sanctions?

Using encryption, stego, and rootkits will end up getting you in trouble.

Assuming that you don't get too "greedy" (sacrifice randomness for increased density), it is fairly straightforward to create stego which would avoid detection by all of the methods currently in use, today. The ubiquity of digital cameras means that there exists a huge database of original images which could be used as carriers. Without the originals with which to compare, you'd be looking for a needle in a haystack. You also have the problem of false positives; your software says that it is stego and the owner says "Bollocks to that!" and what are you left with?

If you're looking to get some data off of a system, do this…

…The point is, the best way to hide is like a sniper…in plain sight.

Devil's Advocate here, Harlan. Isn't this a pretty good description of steganography? wink



   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

That statement may be true, today, but I doubt that it will be as true looking into the future.

I think you're right…as more and more devices become commonplace (I know of teenagers and even adults with multiple cell phones and other devices) at some point, data encryption will become the default. But what you're referring to is personal data.

For right now, given that intrusions and malware are the least frequent occurrences on systems, encryption and obfuscation stand out on a system. Packed PEs in the system32 dir are a way of saying, "hey, here I am!"

To paraphrase Phil Zimmermann, just because I put my message into an envelope instead of on a postcard doesn't make me a subversive or drug dealer. Finding encryption may be enough to raise your level of suspicion, but would it be sufficient to result in legal action or sanctions?

Depends on the situation. If it's a corporate environment and PGP is the standard, and there's a corporate policy stating the users shall not install unauthorized software, and some other tool is on the system (openssl, etc) for encrypting data in a non-PGP format…

…it is fairly straightforward to create stego which would avoid detection by all of the methods currently in use, today.

Of course it is. Niels Provos illustrated that years ago.

The ubiquity of digital cameras means that there exists a huge database of original images which could be used as carriers. Without the originals with which to compare, you'd be looking for a needle in a haystack. You also have the problem of false positives; your software says that it is stego and the owner says "Bollocks to that!" and what are you left with?

Well, all this means is that there needs to be more research into artifacts regarding the use of such tools, that's all.

I agree that tools like STools4 can be a challenge, in that regardless of the image you open, that tool would prompt you for a password. However, talking to LE, there isn't much of a concern of stego if there were no indications that a stego tool had been run on the system.

Devil's Advocate here, Harlan. Isn't this a pretty good description of steganography? wink

It depends on the definition you choose to use. If you're referring to something like what's on Wikipedia, then perhaps. However, this technique isn't using an LSB algorithm to 'hide' the data in an audio or graphic image.



   
ReplyQuote
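Two of Harlan's points above pull in the same direction for an examiner: data written into the code section of an otherwise ordinary-looking PE, and packed PEs in system32 that "stand out". What makes both visible is the section table, because a code section filled with compressed or encrypted bytes has an entropy that compiled code never reaches, and bytes trailing the last section have no header that accounts for them. The script below is an added example, not code from this thread or from EnCase or SIFT. It walks the DOS header, PE signature, COFF header and section table, computes per-section entropy, and reports code sections above a threshold, writable-and-executable sections, raw data running past the end of file, and an unaccounted overlay. The PE image it inspects is built in memory and is not loadable (constructed, labelled in the code); the 7.0-bit threshold is an assumed cut-off, and the `sample_*` builders, `audit_sections` and `parse_sections` are names of this example only.

```python
"""Flag PE sections whose content or flags do not fit their declared role.

Added example for the thread above, not code from the forum or from any
forensic product. The PE images are constructed in memory (zeroed optional
header, two sections) and cannot be executed; they exist only as input.
"""
import math
import random
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0   # assumed threshold: compiled x86 code sits well below it
FILE_ALIGN = 0x200


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly spread bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> PE signature -> COFF header -> 40-byte section headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(n_sections):
        off = table + 40 * i
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]   # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size, "raw_ptr": raw_ptr, "chars": chars,
            "data": image[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def audit_sections(image: bytes) -> list:
    """Return (section, reason) findings that a reviewer should explain away."""
    findings, end = [], 0
    for s in parse_sections(image):
        end = max(end, s["raw_ptr"] + s["raw_size"])
        if s["raw_ptr"] + s["raw_size"] > len(image):
            findings.append((s["name"], "raw data runs past end of file"))
        if (s["chars"] & IMAGE_SCN_MEM_EXECUTE) and (s["chars"] & IMAGE_SCN_MEM_WRITE):
            findings.append((s["name"], "section is writable and executable"))
        ent = shannon_entropy(s["data"])
        if (s["chars"] & IMAGE_SCN_CNT_CODE) and ent > HIGH_ENTROPY:
            findings.append((s["name"], f"code section entropy {ent:.2f} looks packed or encrypted"))
    if len(image) > end:
        findings.append(("<overlay>", f"{len(image) - end} bytes appended after last section"))
    return findings


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_image(text: bytes, rsrc: bytes, overlay: bytes = b"") -> bytes:
    """Constructed minimal PE32 with .text and .rsrc; headers only, not loadable."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    text_ptr = _align(len(dos) + 4 + len(coff) + opt_size + 40 * 2)
    text_raw, rsrc_raw = _align(len(text)), _align(len(rsrc))
    rsrc_ptr = text_ptr + text_raw

    def hdr(name, vaddr, raw_size, raw_ptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, chars)

    table = (hdr(b".text", 0x1000, text_raw, text_ptr,
                 IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
             + hdr(b".rsrc", 0x1000 + _align(text_raw, 0x1000), rsrc_raw, rsrc_ptr,
                   IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ))
    headers = dos + b"PE\0\0" + coff + opt + table
    headers += b"\0" * (text_ptr - len(headers))
    return headers + text.ljust(text_raw, b"\0") + rsrc.ljust(rsrc_raw, b"\0") + overlay


def sample_benign() -> bytes:
    # constructed stand-in for compiled code: a repeating prologue/epilogue pattern
    code = (b"\x55\x8b\xec\x83\xec\x10\x8b\x45\x08\x5d\xc3" * 200)[:2048]
    return build_image(code, b"Sample Resource String\0" * 20)


def sample_stuffed() -> bytes:
    # constructed stand-in for data parked in the code section: seeded random bytes
    # share the entropy profile of compressed or encrypted content
    rng = random.Random(1)
    blob = bytes(rng.getrandbits(8) for _ in range(2048))
    return build_image(blob, b"Sample Resource String\0" * 20,
                       overlay=b"\0" * 64 + b"constructed trailing blob")


if __name__ == "__main__":
    for label, img in (("benign", sample_benign()), ("stuffed", sample_stuffed())):
        print(label, audit_sections(img) or "no findings")
```

The entropy check is intentionally scoped to sections flagged as code: a .rsrc section holding a compressed icon or a .data section holding a certificate will legitimately score high, and flagging every high-entropy section would bury the finding the thread is about.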
(@seanmcl)
Honorable Member
Joined: 20 years ago
Posts: 700
 

For right now, given that intrusions and malware are the least frequent occurrences on systems, encryption and obfuscation stand out on a system. Packed PEs in the system32 dir are a way of saying, "hey, here I am!"

Agreed. I was thinking more in terms of the original context of hiding something from EnCase, which I interpreted to be hiding the information on a part of the media which would escape imaging since anything which is imaged could be detected, even if you couldn't tell what it was. The conversation moved more or less in a different direction, i.e., not hiding from Encase, but hiding it in such a way as to make it difficult to automatically identify.

…talking to LE, there isn't much of a concern of stego if there were no indications that a stego tool had been run on the system.

Sure. But the purpose of steganography is not simply to hide information, but to communicate it in such a way that anyone intercepting it would have difficulty detecting the hidden message. In that context, you might be the recipient rather than the sender, and there may be no such artefacts.

Devil's Advocate here, Harlan. Isn't this a pretty good description of steganography? wink

It depends on the definition you choose to use. If you're referring to something like what's on Wikipedia, then perhaps. However, this technique isn't using an LSB algorithm to 'hide' the data in an audio or graphic image.

Well, I think of LSB as being simply one technique and, at this point, one of the first places to look. There are others, more sophisticated, which do not rely on the use of a predictable location for the data to be hidden (I rarely, strike that, "never" use Wikipedia as an authority).



   
ReplyQuote
Page 3 / 3
Share: