Digital Forensics (CIS4203.01)
Audio Steganography
The approach of hiding information within an audio signal
indistinguishable
As data is embedded in the signal, it gets changed. This modification should be ____ to the human ear.
digital description and transmission media
An audio environment is decided by two considerations:
Sample Quantization Rate
How many bits per unit time?
Temporal Sampling Rate
The range of the frequency.
LSB (least significant bit)
replacing the least significant bits of the cover media with secret data to embed information.
frames
A video is a collection of ___, which are JPEG images.
Steganography
the practice of concealing information within another message or physical object to avoid detection
Encryption
Hides the content of the message
Steganography traits
Hides the existence of the message,
needs a common knowledge,
doesn’t alter overall structure of data,
visibility 0, decipherability 100
types of steganography
text, image, audio, video, network
Text in text
Hiding information inside Text files
Types of text in text
Format Based Method • Random and Statistical Generation • Linguistic Methods, invisible inks
format based
includes physically altering the format of the text to conceal the data.
format based flaws
If the stego file is opened with a word processor, misspellings and additional white spaces will be identified. • Changed font sizes can arouse suspicion in a human reader. • If the initial plaintext is accessible, comparing it with the suspected steganographic text can make the manipulated elements of the text quite visible.
Random character sequences
Conceal information in a sequence of characters that looks random
Statistical properties
Use the statistical properties of letter frequencies and word length to create words that appear to have the same statistical properties as actual words in a language
Linguistic Approach
Synonym substitution • To embed messages, a cover text must provide information carriers that can be modified to represent the secret.
Most existing stegosystems consist of three independent modules
linguistic transformation, encoder generation, and text selection.
image
a collection of numbers that defines color intensities in different areas of the image.
pixel
defined by a fixed number of bits and this is its color scheme.
red, green and blue
All color variations for the pixels of a 24-bit image are derived from three primary colors:
8 bits
each primary color is represented by
24-bit pixel
Digital color images are typically stored in ____ depth and use the RGB color model.
Lossy compression
removes redundancies that are too small for the human eye to differentiate, which makes the compressed file a close approximation, but not an exact duplicate, of the original.
JPEG
example of lossy compression
PNG, GIF, BMP
example of lossless compression
Lossless compression
never removes any information from the original image, but instead represents the data in mathematical formulas that maintain the integrity of the original image; when uncompressed, the file is a bit-by-bit copy of the original.
Spatial Domain
techniques embed the secret message/payload in the intensity of the pixels directly.
LSB Substitution
Most popular spatial domain technique
Lossless images
best suited for these techniques, as compression would not alter the embedded data
Frequency-domain techniques
first transform the image and then embed the data.
transformation step
ensures that the message is hidden in less sensitive areas of the image, making the hiding more robust and makes the entire process independent of the image format.
JPEG Compression
transforms the image from RGB color to YCbCr representation - separating brightness from color.
DCT
expresses a finite sequence of data points in terms of a sum of cosine functions oscillating at different frequencies
quantization step
the one that removes redundant information from the image by rounding 64 values into 1 by taking the average
Line Shift
secret message is hidden by vertically shifting the text lines to some degree
Word Shift
secret message is hidden by shifting the words horizontally
Feature coding
some of the features of the text are altered.
Word Mapping
encrypts a secret message using genetic operator crossover and then embeds the resulting cipher text, taking two bits at a time, in a cover file by inserting blank spaces between words of even or odd length using a certain mapping technique
MS Word Document
In this technique, text segments in a document are degenerated, mimicking the work of an author with inferior writing skills, with the secret message being embedded in the choice of degenerations, which are then revised with changes being tracked.
Syntactic Method
This technique uses punctuation marks such as full stop (.), comma (,), etc. to hide bits 0 and 1.
Semantic method
uses the synonym of certain words thereby hiding information in the text.
Where to find evidence
Forensic, Imaging, Physical and Logical Disk Structures, Main Memory, File System, System Storage
Raw Image
A raw image file contains only the data from the imaged volume.
EnCase (E01) file
contains metadata about the image. The metadata that is contained in both the header and footer captures and stores information about the drive type, operating system, and timestamps.
Cyclical Redundancy Check (CRC)
ensures the integrity of the preceding block of data over the entire image file.
File system
a method and data structure that the operating system uses to control how data is stored and retrieved.
Types of File System
Disk FS, Flash FS, Tape FS
Logical Disk Structures
partitions, mounts, formatting, hidden partitions
Types of Computer Files
Text, image, audio, video, log, exe, dll, others
File signatures
a unique identification number seen at the beginning of a file. It tells you the file’s type and provides information about the data it contains.
Switches
core switches for a range of network segments and edge switches for individual segments.
Content Addressable Memory
Maps the physical ports on the switch to the Network Interface Card
Routers
The Routing Table. Logs traffic and data flow.
Firewalls
NIDS, NIPS, DLP, Logs.
Authentication Servers:
Successful or unsuccessful login, credential manipulation
SIEM
Security Information and Event Management; a security management system that combines security information management (SIM) and security event management (SEM)
Network tap
a system that monitors events on a local network.
tap
typically a dedicated hardware device, which provides a way to access the data flowing across a computer network
Switch Port Analyzer (SPAN)
the switch closest to the compromised host will have port mirroring enabled. This then sends the traffic from the entire segment the switch is on to the system that is on the mirrored port
tcpdump
a command-line tool specifically designed for packet capture.
File Name
Each log file or packet capture should have its own unique name.
Description
A brief description of the file.
Location
The location is important. E.g., the packet capture was obtained on the switch located at 192.168.2.1.
Date and time
Record the date and time the file was transferred to the medium
Collected by
Initials are sufficient for the log file.
Command and Control (C2)
A technique used by threat actors to communicate with compromised devices over a network
C2 Works by
The attacker starts by establishing a foothold to infect the target machine, which may sit behind a Next-Generation Firewall. This can be done in a variety of ways: • Via a phishing email that: Tricks the user into following a link to a malicious website or opening an attachment that executes malicious code. • Through security holes in browser plugins. • Via other infected software
Types of C2
Centralized, P2P, Random Architecture
Random Architecture Model
hardest to detect. This is by design. The objective is to prevent security personnel from tracing and shutting down the C&C server or identifying the botnet’s chain of command. This model functions by transmitting communications to the infected host (or botnet) from disparate sources: • IRC chat rooms • CDNs • Social media comments • Email
C2 Subtechniques
Application Layer Protocol • Removable Media • Data Encoding, Obfuscation • Encrypted Channels, Fallback Channels • Non-Standard Port • Remote Access Software • Protocol Tunneling
Malware delivery
With control of a compromised machine within a victim’s network, adversaries can trigger the download of additional malware
Data theft
Sensitive data, such as financial documents, can be copied or transferred to an attacker’s server.
Shutdown
An attacker can shut down one or several machines, or even bring down a company’s network.
Reboot
Infected computers may suddenly and repeatedly shut down and reboot, which can disrupt normal business operations.
Defense evasion
Adversaries commonly attempt to mimic normal, expected traffic to avoid detection. Depending on the victim’s network, attackers establish command and control with varying levels of stealth to circumvent security tools.
Distributed denial of service
overwhelms servers or networks by flooding them with internet traffic. Once a botnet is established, an attacker can instruct each bot to send a request to the targeted IP address. This creates a jam of requests for the targeted server.
Memory Acquisition
Hard disk drive from a shut-down computer – primary source.
USB device or writable medium directly connected to the system.
Running memory can be acquired locally in two ways:
live systems
systems that are running and are at the time of identification potentially holding evidence that may be lost or hard to acquire if the system is shut down.
dead systems
systems not running. Any data in temporary storage areas such as cache, main memory, running processes, or active application dialogues on a computer will normally be lost when the system is powered down.
Post-mortem analysis
associated with analysis of a “dead” (not running) computer or electronic device.
Local
Direct Physical Access to the system
Remote
Not on site. Portability issues, etc.
Online
Live systems
Offline
Dead systems
Network-based Evidence
• Switches • Routers • Firewalls • NIDS/NIPS • Web Proxy Servers • DHCP Servers • Authentication Servers • Application Servers
Preservation Tasks
• Isolate • Secure • Document
Collection
• Acquisition of physical devices • Digital copies of Digital devices.
Evidence Integrity
to ensure that evidence is neither accidentally nor intentionally changed when collecting digital data from an original source.
order of volatility
Prioritization with respect to the volatility of the data. The most volatile data should be acquired before less volatile data.
volatility
data lifetime.
Access Restrictions and Encryption
Restricted or encrypted information should be acquired early if we cannot ensure access later
Powered On
Keeping a device on can make the data available at a later time, but running processes might overwrite data.
Shutdown
Powering off a device might overwrite data. Pulling the battery will delete data from RAM that has not been written to nonvolatile memory.
Physical Interface
Different data can often be acquired from different interfaces
Communication Protocol
Different data can often be acquired using different communication protocols
Lab Resources
Availability of lab resources will often be a limiting factor when selecting an acquisition method. Time is also a resource.
Interpretation
The data can be just gibberish if we are not able to interpret it correctly