In-depth Anti-Forensics - Challenges of Steganography & Discovering Hidden Data
This presentation was given at the Hack In The Box Conference in Dubai, UAE, on 17 April 2008.
Abstract:
Steganography has been a popular data-hiding technique for decades: it concealed messages effectively in the world war era and still does now that electronic communication is the default for new generations. Widely distributed public material concentrates on subverting in-transit traffic analysis, including analysis that claims to inspect the traffic in an ‘intelligent’ manner. Those techniques combine encryption, steganography and tunnelling to evade information-leakage detectors.
This presentation instead covers a comparatively little-discussed corner of steganography and computer forensics: storing content, files, or even a complete filesystem inside the existing “healthy” filesystem of a computer. It demonstrates how widely used file formats can be poisoned to carry hidden data, and it covers detection methods based on entropy analysis.
It also makes the case for a sound methodology that does not rely on common file interpreters. Examples show how a computer forensics analyst can recover a hidden file (from slack space, for instance) by file carving, open it, and conclude that no “evil” data was found, when that same file may contain another filesystem with entirely different files and content.
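An added example of the two checks the abstract alludes to, written for this page and not taken from the presentation or its slides: a sliding-window Shannon entropy scan that flags ranges whose entropy approaches that of encrypted or random data, and a header-level sanity check (here the BMP `bfSize` field) that compares what the format says its length is with what the carved file actually contains, so that bytes an image viewer silently ignores are still noticed. The host image, the appended pseudo-random payload standing in for an encrypted container, the 1024-byte window, the 512-byte stride and the 7.0 bits/byte threshold are all constructed or assumed for this illustration; real analysis would tune window and threshold per file type.

```python
import math
import random
import struct

WINDOW = 1024     # bytes per entropy window (assumed; tune per file type)
STEP = 512        # stride between windows (assumed)
THRESHOLD = 7.0   # bits/byte; uniform random data scores ~7.8 at this window size


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 empty/constant, 8.0 max)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def windowed_entropy(data: bytes, window: int = WINDOW, step: int = STEP):
    """Yield (offset, entropy) for overlapping windows; the final window is
    aligned to the end of the data so a short tail is never skipped."""
    offsets = list(range(0, max(len(data) - window, 0) + 1, step))
    if offsets[-1] + window < len(data):
        offsets.append(len(data) - window)
    for off in offsets:
        yield off, shannon_entropy(data[off:off + window])


def high_entropy_regions(data: bytes, window: int = WINDOW, step: int = STEP,
                         threshold: float = THRESHOLD):
    """Merge adjacent or overlapping windows at/above threshold into (start, end) ranges."""
    regions = []
    for off, h in windowed_entropy(data, window, step):
        if h < threshold:
            continue
        end = min(off + window, len(data))
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions


def bmp_declared_size(data: bytes) -> int:
    """bfSize field of a BMP file header: the length the format itself claims."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", data, 2)[0]


def bmp_trailing_bytes(data: bytes) -> int:
    """Bytes past the declared size: a viewer ignores them, a carver keeps them."""
    return max(len(data) - bmp_declared_size(data), 0)


def build_sample_bmp(width: int = 64, height: int = 64) -> bytes:
    """Constructed host: a valid 24-bit BMP made of two flat colours (low entropy)."""
    row_len = (width * 3 + 3) & ~3            # rows are padded to 4-byte multiples
    image = bytearray()
    for y in range(height):
        colour = b"\x1e\x3c\x5a" if y < height * 3 // 4 else b"\xc8\xc8\xc8"
        image += (colour * width).ljust(row_len, b"\x00")
    size = 14 + 40 + len(image)
    file_header = struct.pack("<2sIHHI", b"BM", size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(image), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + image)


def build_hidden_payload(n: int = 4096, seed: int = 2008) -> bytes:
    """Constructed stand-in for an encrypted container appended to the host
    (seeded pseudo-random bytes so the example is reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    host = build_sample_bmp()
    suspect = host + build_hidden_payload()      # what a carver would hand back
    print(f"declared size {bmp_declared_size(suspect)}, actual {len(suspect)}, "
          f"trailing {bmp_trailing_bytes(suspect)} bytes")
    for start, end in high_entropy_regions(suspect):
        print(f"high-entropy region {start:#x}-{end:#x} ({end - start} bytes)")
```

The host alone yields no flagged region and no trailing bytes; with the payload appended, the scan reports a single high-entropy range beginning at the last window boundary before the payload, and the header check reports the same 4096 bytes as slack beyond the declared size. Neither check opens the file with an image library, which is the methodological point: a viewer would render the host perfectly and say nothing.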
| Attachment | Size |
|---|---|
| In Depth Anti Forensics - Steganography.pdf | 917.58 KB |

