Forensics Journal - Stevenson University 2013 | Page 35
this trend in cyber crime by employing digital forensic examiners to perform these types of investigations. Forensic examiners are specially trained to recover digital information from various types of electronic media, even if it has been deleted. Current best practice in the field is to hire one examiner for every five hundred thousand residents in a given jurisdiction. However, as stated above, knowledge of forensics alone is not enough to detect steganography. A steganalyst needs a thorough knowledge of both the techniques used to hide data and how to crack the steganographic algorithm codes.
the carrier file. Therefore, performing signature analysis on a carrier file will only show the signature of the carrier and not the payload. Masking the file signature by embedding it within the carrier file is an easy way to avoid detection by a forensic investigator.
Forensic tools such as WinHex have the ability to compare multiple files to determine whether differences exist. Figure 9 shows the comparison of two files, one of which was the image on the top left of Figure 8 and the other the image on the top right. As Figure 9 shows, WinHex was unable to locate any differences between the two images with the exception of the file size. During an investigation, if the forensic investigator found these two files and received the same output from tools such as WinHex, the next logical step would be to run a steganalysis tool such as StegDetect or StegoHunt on the images to attempt to locate the hidden content, especially if steganography tools were located on the evidence drive.
By having a dedicated steganalysis investigator, law enforcement agencies will be able to fight crime more effectively and protect local, state, and national interests from terrorist activities. It would also take away the one place where criminals can hide to avoid detection. Presenting a case in court based on steganographic evidence can be very difficult since it is not a well-known technology. However, having a steganalyst on staff to act as an expert witness to the courts can help increase the chance of successfully prosecuting a suspect.
IMPACT ON AN INVESTIGATION
Investigators are trained to search obscure locations during an investigation in an attempt to locate evidence that will either prove or disprove a person's guilt. Typically, there are various signs an investigator would look for that signal data has been hidden using these techniques. For example, if an investigator has a drive that appears to be empty, they may try to recover the deleted file system using common forensic tools. The same would apply to a hard drive labeled with a capacity of 1 TB that shows only 500 GB when connected to the system.
FIGURE 9
While forensic tools are unable to detect steganographic content on their own, they do allow the investigator to build hash files from files that are known to contain hidden content. Once steganographic content has been located, the investigator can use tools such as Forensic Toolkit to generate an exportable list that includes the hash values for all of the carrier files. These lists can be used during future investigations to locate copies of the original carrier file that may have been shared.
In addition to searching obscure locations for evidence, a forensic investigator will also perform signature analysis on files to determine whether tampering has occurred. On Windows-based systems, files are specified by their extension (.exe, .pl, .pdf, etc.). Windows uses these extensions to load the correct software when the user asks to open that specific file. It should be noted that while files on UNIX-based systems might also show file extensions, the operating system does not require them. UNIX-based systems are able to look at the file signature alone and determine what software is required to open the file.
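An added example (not part of the journal article) that combines the two checks described above: signature-versus-extension analysis and a hash-list lookup for known carrier files. The signature table, the known-carrier hash set and the two sample byte strings are constructed for illustration; the second sample is a copy of the first with extra bytes after the JPEG end-of-image marker, which reproduces the article's finding that the signature is unchanged and only the size differs.

```python
import hashlib
from pathlib import PurePath

# Constructed magic-byte table covering the formats the article mentions;
# a real examiner's tool carries hundreds of such signatures.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpeg", {".jpg", ".jpeg"}),
    b"\x89PNG\r\n\x1a\n": ("png", {".png"}),
    b"%PDF-": ("pdf", {".pdf"}),
    b"MZ": ("exe", {".exe", ".dll"}),
}

def identify_signature(data: bytes):
    """Return (format, expected extensions) from the leading bytes, or None."""
    for magic, info in SIGNATURES.items():
        if data.startswith(magic):
            return info
    return None

def signature_mismatch(name: str, data: bytes) -> bool:
    """True when the extension disagrees with the file signature (possible tampering)."""
    info = identify_signature(data)
    if info is None:
        return False  # unknown signature: nothing to compare against
    return PurePath(name).suffix.lower() not in info[1]

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_known_carrier(data: bytes, known_hashes: set) -> bool:
    """Hash-list lookup, as with an exported hash set of known carrier files."""
    return sha256(data) in known_hashes

# Constructed samples: a minimal JPEG-shaped byte string (SOI ... EOI) and a
# copy with extra bytes after EOI. Signature analysis sees the same JPEG signature.
CLEAN_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + b"extra bytes"
KNOWN_CARRIERS = {sha256(STEGO_JPEG)}  # hash list built from a prior case

def triage(name: str, data: bytes) -> dict:
    """Summarise what signature analysis and hash matching can and cannot show."""
    fmt = identify_signature(data)
    return {"format": fmt[0] if fmt else "unknown", "size": len(data),
            "ext_mismatch": signature_mismatch(name, data),
            "known_carrier": matches_known_carrier(data, KNOWN_CARRIERS)}

if __name__ == "__main__":
    for n, d in (("clean.jpg", CLEAN_JPEG), ("stego.jpg", STEGO_JPEG), ("photo.jpg", b"MZ\x90\x00")):
        print(n, triage(n, d))
```

The third sample shows the extension check catching a renamed executable, while the first two show why the article sends the investigator on to a dedicated steganalysis tool when signatures match and only the size differs.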
CONCLUSION
As stated in "Steganalysis: Detecting Hidden Information with Computer Forensic Analysis":

Although steganography is becoming more advanced, it is still a science that is not well known. Its use on the Internet is certainly promising. That is why law enforcement authorities must continually stay abreast of this technology, because there will always be some new program to hinder their efforts. (Richer)
The file signature is a small block of hexadecimal code used to
determine the t