Forensics Journal - Stevenson University 2011 | Page 46
STEVENSON UNIVERSITY
Digital Forensics Techniques versus Data
Obfuscation and Transformation Artifacts
Tobias Voegele
Cyber forensic examiners, network security experts, and intrusion analysts are challenged by cyber criminals and network hackers on a daily basis. As a result, companies focus on reducing vulnerabilities by enlisting the services of cyber forensic experts, who search for malicious activity occurring on a computer system. The cyber criminal conceals that activity by data hiding, obfuscation, and steganography. With the availability of virtually unlimited tools, including freeware and open-source applications that enable just about anyone to embed chunks of data into various file types, examining for and discovering indicators of possible malicious activity becomes a complex undertaking.

This paper provides a brief overview of common data obfuscation and steganography methods, how those methods thwart the digital examination process, and how cyber forensic examiners mitigate the data obfuscation effect. It explains an objectives-based approach for cyber forensic investigators. The best available techniques for detecting and subsequently removing obfuscated data are discussed, and vulnerabilities of existing digital forensic tools are identified.

DATA HIDING
Data are stored in a digital format represented by binary digits called bits. Each bit can have only one value, either 1 or 0, which indicates the bit’s state as on or off respectively. By modifying the series of 1’s and 0’s through “mathematical manipulation” (Sheetz 48) of the digital data stream, hiding data within the stream becomes possible. This is known as steganography.

STEGANOGRAPHY
Steganography is the “art of hiding sensitive information within innocuous communications” (Frith 4). It affords cyber criminals and system users a mechanism to disguise information, avoid disclosure, and prevent compromise by unauthorized individuals.

encoding” (Dunbar 5) hides data by changing the attributes and traits of the text in a given file, “such as the vertical or horizontal length” (Dunbar 5) of the characters themselves, to create the value necessary for embedding additional data.

Encoding secret data into image files is more complicated than its text-based counterpart; however, it provides the ability to store larger amounts of data with minimal change to the host file. Image file bits form pixels, the basic building blocks of image file formats. In a 24-bit image each pixel is comprised of three separate 8-bit values representing red, green, and blue (RGB) respectively; the larger the number of pixels, the higher the image’s resolution and, consequently, the larger the storage capacity available for hidden data.

The Least Significant Bit (LSB) technique is the most common method of hiding data in image files. As the name denotes, using the LSB of each 8-bit byte of pixel data allows for the storage of “3 bits of data in each pixel for 24-bit images” (Dunbar 6). For example, a 24-bit image with a resolution of 640 x 480 contains 307,200 pixels and therefore allows 921,600 bits of data to be embedded in a single image. This is a significant amount of data: it corresponds to approximately 115,200 eight-bit characters.

Data may also be hidden by “appending the secret text to the end of file (EOF) tag” (Cheddad 733). A simple command to perform this process could be:
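The following Python is an added example for this edition; it is not code from the article, and the command the author had in mind for the EOF append is not reproduced here. It works through both of the hiding techniques discussed above, LSB substitution in a 24-bit RGB raster (including the 640 x 480 capacity arithmetic) and appending a secret after the end-of-file marker, and pairs each with the check an examiner would run. Everything it operates on is constructed inline and labelled as such: the 64 x 48 gradient raster, the 40-byte JPEG skeleton, the secret string, and the 4-byte length prefix used to frame the LSB payload (one simple convention, not the framing of any particular tool).

```python
# Added example, not from the Voegele article: LSB embedding in a 24-bit RGB
# raster with the capacity arithmetic from the text, end-of-file (EOF)
# appending, and the checks an examiner runs against each. The raster and the
# tiny JPEG are constructed inline; no image library is required.

JPEG_SOI, JPEG_EOI = b"\xff\xd8", b"\xff\xd9"


def lsb_capacity_bits(width, height):
    """3 LSBs per 24-bit pixel: 640 x 480 -> 307,200 pixels -> 921,600 bits."""
    return width * height * 3


def embed_lsb(pixels, payload):
    """Write payload bytes into the LSB of successive R, G, B values; a 4-byte
    big-endian length prefix goes first so the extractor knows where to stop."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels) * 3:
        raise ValueError("payload exceeds the LSB capacity of this raster")
    bit_iter, out = iter(bits), []
    for px in pixels:
        new = []
        for channel in px:
            b = next(bit_iter, None)
            # Clear the low bit and substitute the payload bit; once the
            # payload is exhausted the remaining channels are left untouched.
            new.append(channel if b is None else (channel & 0xFE) | b)
        out.append(tuple(new))
    return out


def extract_lsb(pixels):
    """Recover the payload written by embed_lsb from the channel LSBs."""
    lsbs = [c & 1 for px in pixels for c in px]

    def read(offset_bits, nbytes):
        out = bytearray()
        for k in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | lsbs[offset_bits + k * 8 + i]
            out.append(byte)
        return bytes(out)

    return read(32, int.from_bytes(read(0, 4), "big"))


def max_channel_delta(cover, stego):
    """Known-cover check: LSB substitution never moves a channel by more than 1."""
    return max(abs(x - y) for a, b in zip(cover, stego) for x, y in zip(a, b))


def jpeg_end_offset(data):
    """Walk the JPEG marker structure and return the offset just past EOI, or
    None if the stream is malformed. Walking segments rather than searching for
    the first 0xFFD9 is not fooled by an EXIF thumbnail's own SOI/EOI pair."""
    if data[:2] != JPEG_SOI:
        return None
    i, n = 2, len(data)
    while i + 1 < n:
        if data[i] != 0xFF:
            return None
        marker = data[i + 1]
        if marker == 0xD9:                              # EOI
            return i + 2
        if marker == 0xFF:                              # fill byte
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:    # standalone markers
            i += 2
            continue
        if i + 3 >= n:
            return None
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")   # skip the segment
        if marker == 0xDA:                              # SOS: entropy-coded data
            while i + 1 < n:
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                               # a real marker follows
                i += 1
    return None


def trailing_data(data):
    """Examiner check for EOF appending: bytes after EOI, None if not a JPEG."""
    end = jpeg_end_offset(data)
    return None if end is None else data[end:]


# Constructed 40-byte JPEG skeleton (SOI, APP0, SOS, entropy bytes with a stuffed
# 0xFF00 and an RST0 marker, EOI); it is not a viewable picture.
COVER_JPEG = (JPEG_SOI
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56\xff\xd0\x78" + JPEG_EOI)
SECRET = b"meet at the usual place"                    # constructed payload
COVER_PIXELS = [((x * 4) & 0xFF, (y * 5) & 0xFF, ((x + y) * 3) & 0xFF)
                for y in range(48) for x in range(64)]    # constructed 64 x 48 raster
```

`embed_lsb(COVER_PIXELS, SECRET)` followed by `extract_lsb` round-trips the secret, and `max_channel_delta` against the cover comes back as 1, which is the concrete meaning of “minimal change to the host file.” The EOF case is simply `COVER_JPEG + SECRET` (the byte-level effect of a binary copy-and-concatenate); `trailing_data` walks the marker segments to the true EOI and returns whatever follows it, so an appended secret is exposed even when it contains the 0xFFD9 byte pair itself, and a truncated or non-JPEG input yields None rather than a guess.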