Going to trial where the defense will bring up something called "Shadow Porn." Apparently someone downloads a file such as music in a P2P environment, i.e. LimeWire, and contained within the file or attached to the file is a contraband image or video file, usually CP. So the defendant intends to get music and possibly gets music and contraband. Anyone heard of this? What is the best method to determine whether or not it really happened, outside of setting up a clean machine, downloading the music files found on the suspect machine and seeing if we can get some image/video files to show up after the downloading? Any advice is much appreciated.
PM to you
Well, it's a form of steganography.
It is perfectly possible to "hide" images within images (or video).
The difficult part is "extracting" the hidden content from the viewable one, so I don't see at first sight how this would apply in the case depicted.
As well, nothing prevents you from taking a porn movie, renaming the file to (say)
Whitney_Houston_in_concert_Live_from_LA.avi
and put it on a P2P or on Rapidshare or whatever.
And it would be possible that someone unknowingly downloads it thinking to get some music, and finds something different. 😉
I guess that it would depend on the "amount" of such images/porn and on the circumstances.
jaclaz
Shadow porn?
I have seen it where the files are named differently and then when downloaded they turn out to be porn, although many of the P2P programs also show a description which tends to show the true contents. The only other thing is 'wrapping' the CP in with another file but the vast majority of the wrappers are detected by AV software.
Have you analysed the AV logs around the MAC times of the file the CP was 'supposed' to be attached to? Are the MAC times for the CP different from those of the host file? How much CP have you found?
Personally I would be interested to see the defence 'prove' the shadow porn theory.
Personally I would be interested to see the defence 'prove' the shadow porn theory.
Unfortunately all the defense needs to do is create "reasonable doubt" in the minds of the jury. If the defense paints "Shadow Porn" in a similar light to the Trojan Defense they just need to show the possibility of it happening.
Ok - let's think about this.
I download a file using a P2P client - I have asked for a file which I believe is a music track. Embedded within that file is some other file, be it IIoC or anything else, but I haven't asked for the included content, I don't want the included content and I don't expect there to be any included content.
The music track I have downloaded plays fine, so I keep it.
or
The music track I have downloaded doesn't play, I delete it.
My computer gets seized by Plod and examined and, lo and behold, there is the collection of IIoC.
How did those pictures get extracted from the music file??
I knew they were there so I did it?? Case proven!
Some form of automated process?? Hmm, kind of like the old fashioned discredited trojan defence. If the music file contains a suspect image and some form of executable file, both of which are capable of avoiding detection by AV, then it is a very sophisticated combination; I personally have never seen one, been told about one or read about one.
If the suspect didn't know about the picture then the music file should still be there - why would he delete it?? So it should be possible to carry out the same kind of examination that you would for a cheap-shot, last-ditch trojan defence.
Run two or three decent AV tools across the drive.
Check all of the autorun locations - something triggered the .exe, if not human intervention.
Check prefetch.
Do some basic time/date analysis.
It is a PITA, and ultimately a waste of time but it is achievable.
Sorry about the 'stream of consciousness' post but it is gone 10 and time for bed!!
Good luck,
Nigel
Nigel, can you point me to where I can find "old fashioned discredited trojan defence" related court cases or research?
Personally I would be interested to see the defence 'prove' the shadow porn theory.
Unfortunately all the defense needs to do is create "reasonable doubt" in the minds of the jury. If the defense paints "Shadow Porn" in a similar light to the Trojan Defense they just need to show the possibility of it happening.
Agreed, but it all depends on the volume of CP. As we all know, the majority of these people like to keep huge numbers of images and videos - I don't think even the most 'understanding' jury member would let that wash for a large amount of images across the full scale.
Have the movies been played? How many times? Have the pictures been viewed? Have they been moved from their download location? What do the user's searches via his p2p client show? What has he searched for on the internet? What interests do his email and instant messaging show? What does the computer tell you about his IT know-how?
Answers to the above could prove helpful in showing the extent of intention to download such material.
As mentioned above, it is steganography. It's quite possible to embed large volumes of material into MP3 and MP4 files.
You will need to scan the computer for any stego programs (if known). Scanning the suspect music files for known steganographic program signatures may also help.
(EDIT) - I got interrupted.
Some MP3 stego programs just stick the payload on the end of the file. Using any old-fashioned file-cutting program, you can cut it off the end of the file. No special tools required. Looking for evidence of use of a file-cutting program may shed some light.
If they are in fact embedded within the audio stream, I'd be most interested in the process involved. (Research purposes).
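As an added example (not part of the original thread, and not a tool any poster mentions), here is a short Python check for the "payload stuck on the end of the file" case described above. It walks the MP3 container in order (ID3v2 tag, MPEG-1 Layer III frames, ID3v1 tag) and reports any bytes left over after the last recognised structure, plus the offset of any JPEG start marker found in that leftover region, which can then be carved out. The sample file is constructed inline (a fake album-art JPEG inside an APIC frame, five silent frames, an ID3v1 tag and a JPEG appended after it) so the script runs offline; the frame walker only understands MPEG-1 Layer III, which is an assumption made here to keep it short. The caveat it encodes: a JPEG inside the ID3v2 tag is ordinary cover art and is expected, so only data after the audio and ID3v1 tag is worth a second look, and even that still needs manual review rather than being treated as proof of anything.

```python
"""Check whether an MP3 carries data appended after its audio stream.

Added example for this thread; not a tool mentioned by any poster.
The sample file below is constructed inline and is not a real recording.
"""
from typing import Optional

BITRATES_KBPS = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320]
SAMPLE_RATES = [44100, 48000, 32000]
JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker, followed by an APPn marker
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def id3v2_length(data: bytes) -> int:
    """Length of a leading ID3v2 tag (10-byte header + syncsafe size + optional footer), or 0."""
    if len(data) < 10 or data[:3] != b"ID3":
        return 0
    size = 0
    for b in data[6:10]:                 # 28-bit syncsafe integer, 7 bits per byte
        size = (size << 7) | (b & 0x7F)
    return 10 + size + (10 if data[5] & 0x10 else 0)


def frame_length(hdr: bytes) -> Optional[int]:
    """Byte length of an MPEG-1 Layer III frame from its 4-byte header, or None."""
    # 11 sync bits, version bits 11 (MPEG-1), layer bits 01 (Layer III); ignore the CRC bit
    if len(hdr) < 4 or hdr[0] != 0xFF or (hdr[1] & 0xFE) != 0xFA:
        return None
    bitrate_idx, rate_idx, padding = hdr[2] >> 4, (hdr[2] >> 2) & 3, (hdr[2] >> 1) & 1
    if bitrate_idx in (0, 15) or rate_idx == 3:
        return None                      # "free format" / reserved values, not handled here
    return 144 * BITRATES_KBPS[bitrate_idx] * 1000 // SAMPLE_RATES[rate_idx] + padding


def analyze(data: bytes) -> dict:
    """Walk ID3v2 -> audio frames -> ID3v1 and report what, if anything, follows."""
    tag_len = id3v2_length(data)
    pos = tag_len
    while True:                          # advance frame by frame until a header stops parsing
        fl = frame_length(data[pos:pos + 4])
        if fl is None or pos + fl > len(data):
            break
        pos += fl
    audio_end = pos
    id3v1 = data[pos:pos + 3] == b"TAG"
    if id3v1:
        pos += 128                       # fixed-size ID3v1 tag at the end of the stream
    trailing = data[pos:]
    offsets, i = [], trailing.find(JPEG_SOI)
    while i != -1:                       # every JPEG start marker in the trailing bytes
        offsets.append(pos + i)
        i = trailing.find(JPEG_SOI, i + 1)
    return {
        "id3v2_length": tag_len,
        "audio_end": audio_end,
        "id3v1_present": id3v1,
        "trailing_length": len(trailing),
        "trailing_jpeg_offsets": offsets,
        # a JPEG inside the ID3v2 tag is normal album art (APIC frame), not a hidden payload
        "cover_art_in_id3v2": b"APIC" in data[:tag_len] and JPEG_SOI in data[:tag_len],
    }


def carve_jpeg(data: bytes, offset: int) -> bytes:
    """Return the bytes from a JPEG SOI at `offset` through the next EOI marker."""
    end = data.find(JPEG_EOI, offset)
    return data[offset:end + 2] if end != -1 else data[offset:]


def build_sample() -> bytes:
    """Constructed MP3: album art in ID3v2, five silent frames, ID3v1, then an appended JPEG."""
    art = JPEG_SOI + b"\xe0" + b"\x00" * 20 + JPEG_EOI
    apic_body = b"\x00image/jpeg\x00\x03\x00" + art   # encoding, MIME, picture type, description
    apic = b"APIC" + len(apic_body).to_bytes(4, "big") + b"\x00\x00" + apic_body  # ID3v2.3 frame
    n = len(apic)
    syncsafe = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    id3v2 = b"ID3\x03\x00\x00" + syncsafe + apic
    frame = b"\xff\xfb\x90\x00" + b"\x00" * 413       # 128 kbps, 44.1 kHz, no padding: 417 bytes
    id3v1 = b"TAG" + b"Some Track".ljust(125, b"\x00")
    appended = JPEG_SOI + b"\xe0" + b"\x00" * 100 + JPEG_EOI   # stands in for a hidden payload
    return id3v2 + frame * 5 + id3v1 + appended


if __name__ == "__main__":
    sample = build_sample()
    report = analyze(sample)
    print(report)
    for off in report["trailing_jpeg_offsets"]:
        print(f"JPEG at offset {off}: {len(carve_jpeg(sample, off))} bytes carved")
```

On a real exhibit you would replace `build_sample()` with the file bytes and compare the reported `audio_end` against the file size; a trailing region that is not a stray ID3v1 tag or a few bytes of padding is what a "stuck on the end" stego tool leaves behind. Anything embedded in the audio stream itself (the case the poster above says he would be interested in) would show nothing here and needs a different approach.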