Forensics Journal - Stevenson University 2013 | Page 35

this trend in cyber crime by employing digital forensic examiners to perform these types of investigations. Forensic examiners are specially trained examiners who are able to recover digital information from various types of electronic media, even if it has been deleted. Current best practice in the field is to hire one examiner for every five hundred thousand residents covered in a specific jurisdiction. However, as stated above, knowledge of forensics alone is not enough to detect steganography. A steganalyst needs both a thorough knowledge of the techniques used to hide data and the ability to crack the steganographic algorithms.

By having a dedicated steganalysis investigator, law enforcement agencies will be able to fight crime more effectively and protect local, state, and national interests from terrorist activities. It would also take away the one place where criminals can hide to avoid detection.

Presenting a case in court based on steganographic evidence can be very difficult, since it is not a well-known technology. However, including a steganalyst on staff to act as an expert witness to the courts can help increase the chance of successfully prosecuting a suspect.

IMPACT ON AN INVESTIGATION

Investigators are trained to search obscure locations during an investigation in an attempt to locate evidence that will either prove or disprove a person's guilt. Typically, there are various signs that an investigator would look for that would signal that data is hidden using these techniques. For example, if an investigator has a drive that appears to be empty, they may try to recover the deleted file system using common forensic tools. The same would apply to a hard drive labeled with a capacity of 1 TB that shows only 500 GB when connected to the system.

In addition to searching obscure locations for evidence, a forensic investigator will also perform signature analysis on files to determine if tampering has occurred. On Windows-based systems, files are specified by their extension (.exe, .pl, .pdf, etc.). Windows uses these extensions to load the correct software when the user calls for that specific file to open. It should be noted that while files on UNIX-based systems might also show file extensions, the operating system does not require them. UNIX-based systems are able to look at the file signature alone and determine what software is required to open the file.

The file signature is a small block of hexadecimal code used to determine the t

… the carrier file. Therefore, performing signature analysis on a carrier file will only show the signature of the carrier and not the payload. Masking the file signature by embedding it within the carrier file is an easy method of avoiding detection by a forensic investigator.

Forensic tools such as WinHex have the ability to compare multiple files to determine if differences exist. Figure 9 shows the comparison of two files: one was the image at the top left of Figure 8 and the other was the image at the top right. As Figure 9 shows, WinHex was unable to locate any differences between the two images, with the exception of the size of the file. During an investigation, if the forensic investigator found these two files and received the same output from tools such as WinHex, the next logical step would be to run a steganalysis tool such as StegDetect or StegoHunt on the images to attempt to locate the hidden content, especially if steganography tools were located on the evidence drive.

FIGURE 9 (image not reproduced; WinHex comparison of the two images from Figure 8)

While forensic tools are unable to detect steganographic content on their own, they do allow the investigator to build hash files from files that are known to contain hidden content. Once steganographic content has been located, the investigator can use tools such as Forensic Toolkit to generate an exportable list that includes the hash values for all of the carrier files. These lists can be used during future investigations to locate copies of the original carrier file that may have been shared.

CONCLUSION

As stated in "Steganalysis: Detecting Hidden Information with Computer Forensic Analysis":

Although steganography is becoming more advanced, it is still a science that is not well known. Its use on the Internet is certainly promising. That is why law enforcement authorities must continually stay abreast of this technology, because there will always be some new program to hinder their efforts. (Richer)
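The signature analysis, carrier comparison and hash-list steps described in the article, worked through in Python as an added example (this is not code from the article or from WinHex, StegDetect, StegoHunt or Forensic Toolkit). It uses a constructed 1x1 PNG as the carrier rather than the article's JPEG figures, because the PNG chunk walk to IEND gives an exact end-of-image offset; the filenames and the appended ZIP-headed payload are assumptions made for the demonstration.

```python
"""Added example (not from the Stevenson University Forensics Journal article):
file-signature analysis, carrier trailer inspection, WinHex-style comparison
and hash-list building, run on constructed sample files built inline."""
import hashlib
import struct
import zlib
from typing import Dict, List, Optional, Tuple

# Well-known file signatures (magic bytes) keyed by canonical extension.
SIGNATURES: Dict[str, bytes] = {
    "jpg": b"\xFF\xD8\xFF",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "exe": b"MZ",
}


def identify_signature(data: bytes) -> Optional[str]:
    """Return the type whose magic bytes open the file, or None if unknown."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one type but the signature shows another
    (the signature-analysis check the article describes)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    sig = identify_signature(data)
    return sig is not None and sig != ext


def png_end_offset(data: bytes) -> Optional[int]:
    """Walk the PNG chunk list (length, type, data, CRC) and return the offset
    just past IEND, or None if the chunk structure is broken or truncated."""
    if not data.startswith(SIGNATURES["png"]):
        return None
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header, data, CRC
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None


def trailing_bytes(data: bytes) -> Optional[int]:
    """Bytes after IEND. A well-formed PNG has none; a payload appended to a
    carrier shows up here even though the carrier signature is intact."""
    end = png_end_offset(data)
    return None if end is None else len(data) - end


def embedded_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Known magic bytes found inside the body (offset > 0). Two-byte magics
    such as MZ are skipped because they match random data too often."""
    hits = []
    for name, magic in SIGNATURES.items():
        if len(magic) < 4:
            continue
        start = 1
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def compare_files(a: bytes, b: bytes, limit: int = 8) -> dict:
    """WinHex-style comparison: size of each file and the first differing
    offsets over the common length (empty when the shorter is a prefix)."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y][:limit]
    return {"size_a": len(a), "size_b": len(b), "differing_offsets": diffs}


def carrier_hash_list(files: Dict[str, bytes]) -> List[dict]:
    """Exportable hash list of known carrier files for matching in later cases,
    in the spirit of the Forensic Toolkit export the article mentions."""
    return [{"file": name, "size": len(data),
             "md5": hashlib.md5(data).hexdigest(),
             "sha1": hashlib.sha1(data).hexdigest()}
            for name, data in files.items()]


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed sample: a minimal 1x1 PNG carrier and a copy with an appended payload.
CLEAN_PNG = (SIGNATURES["png"]
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
PAYLOAD = b"PK\x03\x04hidden payload"      # constructed: ZIP header plus text
STEGO_PNG = CLEAN_PNG + PAYLOAD

if __name__ == "__main__":
    print("signature:", identify_signature(STEGO_PNG),
          "| extension mismatch:", extension_mismatch("photo.png", STEGO_PNG))
    print("trailing bytes after IEND:", trailing_bytes(STEGO_PNG))
    print("embedded signatures:", embedded_signatures(STEGO_PNG))
    print("compare:", compare_files(CLEAN_PNG, STEGO_PNG))
    for row in carrier_hash_list({"clean.png": CLEAN_PNG, "stego.png": STEGO_PNG}):
        print(row)
```

Running it reproduces what the article observes with WinHex: the carrier's extension and signature agree, and a byte comparison over the common length reports no differences, only a larger file size. The trailer check and the embedded-signature scan are the extra steps that expose the appended data; content hidden inside the image data itself would pass both, which is why the article's next step is a dedicated steganalysis tool and a hash list of carriers already identified.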