Good morning! How's everybody doing today? Mildly hungover? Really hungover? Alright, how many people here were at Caesar's Challenge last night? Raise your hand. How many people were at the Ninja Networks party? How many people were at the 303 party? And he's up this morning, surprisingly. How many people were at a completely different party? The Black and White Ball. How many people were at the Black and White Ball? Thank you. How many people don't remember very much of last night? How many people are still trying to figure out why they're in Las Vegas? Alright, we have one quick schedule change to announce. At 1 o'clock, 1300, in this room, we have a different speaker, Max Mullin, talking about how to hack your car. That's the one schedule change that we know of right now, 1 o'clock in this room. And just so that we can keep things on schedule and get everything going, I present to you Mr. Raggo.

Thank you very much. Hey guys, can you hear me okay? Out there? Alright. My name's Mike Raggo. I work for VeriSign as a member of their Incident Response and Forensics team. You're probably asking yourself, what the hell is a guy from VeriSign doing here? I've been doing a lot of research in steganography for the last four years. I think a motivating factor for me was certainly 9/11, like for many of the people in the audience. I knew people that were there, including myself. I happened to be there that day in New York City, teaching on 33rd Street, when all the stuff happened. So I think it's been kind of a motivating factor for me. I'm sure you've heard a lot of rumors about Al-Qaeda and bin Laden supposedly using steganography for various types of communications and things of that nature. And it's raised the level of awareness such that the NSA, DoD, and a lot of other companies have approached me about some of my research. And so I'm here to demonstrate some of my tools for steganalysis, for identifying hidden messages within digital photographs, MPEGs, and so forth.
So I'll go ahead and get right into the presentation. One of the things I want to say is I'm sure all of you have seen at least one presentation on steganography, whether it be here at a prior DEF CON conference or at some other conference. Where I think my presentation differs somewhat is that I'm going to focus a little bit more on the steganalysis and cryptanalysis of those steganized files rather than just a gloss-over overview of what steganography is. In addition to that, I think there have been a lot of presentations on steganalysis, but they've focused a little bit more on statistical analysis. My analysis is more signature-based, and I'll talk more about that as I go through the presentation. So for those of you who have never seen steganography or don't know what that is, I'll go through a brief overview of that. Like I said, I'm not going to spend a lot of time talking about that. You can go to prior DEF CON downloads to download other presentations on steganography. And then we'll get into some deep steganalysis, trying to find those hidden messages within those photographs and those video and WAV type files. And then we'll blend that into cryptanalysis and distinguish the difference between those. We'll talk about different attack mechanisms. Once you've identified a hidden message, how do you extract it? How do you decrypt it? What other types of attacks can you use to reveal that hidden information? Then we'll talk about forensics and anti-forensics. If you're using this as an anti-forensics mechanism, what methods can you use over covert channels and other types of things for communicating without being identified? And from a forensics perspective, how can you identify whether there are steganized files on the machine that you're doing forensics on? And then we'll talk about where the direction of this is heading from my personal research and things that I know other people are doing.
We'll talk about some of the other tools that people are working on out in the wild as well. Alright, so steganography. From the Greek word steganos, or in other words covered, and the Greek word graphy, meaning writing. Steganography is the process of hiding a secret message within an ordinary message and extracting it at its destination. One major caveat to this is that anyone else viewing the message will hopefully fail to identify that there's a hidden message within the communication. So steganography has been around literally for thousands of years. The Greeks used to use this for various types of communication. It's documented that they would have a wooden tablet with a hidden message on it covered with wax, so that to casual observers, no one would notice that they were carrying some type of hidden communications. During World War II, Axis and Allies both would use various types of invisible inks, whether this be various types of milk, vinegar, and other types of hidden writing, by which you could go ahead and use some form of heat or something else to reveal the hidden message. I'm sure you all remember growing up having those games with the highlighter, and you'd be traveling, sitting in the back seat of the car wherever it was you were going, and go ahead and answer those questions and use that highlighter, and it would reveal the answer to those questions. So that's a form of invisible ink. So of course the U.S. government is concerned about the use of steganography. Common uses include the disguising of corporate espionage. In addition, it's been highly documented that possibly terrorist cells are using this for communications, whether this be for hiding a message within a photograph and posting it on a website for another terrorist cell to download and reveal the hidden message, which may reveal details about a particular attack. And it's also a very good anti-forensics mechanism, especially in child pornography.
I've had a lot of people approach me from various parts of the government about many child pornography cases that they've lost in court because they simply haven't had the ability to either identify hidden porn within other types of digital photographs, or, if they've been able to identify that there's something hidden there, they haven't been able to extract it so that they can prove it in court. So with modern digital steganography, many times the data is not only hidden, but it's also encrypted. We'll talk about some of the different encryption algorithms that I've seen with many of the steganography programs that I've analyzed. There are various techniques that they're using for hiding this information within a digital photograph or a WAV file or some other digital mechanism. Sometimes the data is encrypted and then simply appended to the file. And in other cases, it's dispersed throughout the file using algorithms such as least significant bit and other types of mechanisms. But typically, the goal here is that to the casual eye, you really can't visually or technically identify that there's something hidden. But as you'll see through some of the analysis I've done, most of the steganography programs are fairly weak, and the hidden messages within the pictures they've hidden are easily identified, as well as easily extracted.

Just some terminology for the rest of the presentation. If I go ahead and I create a message and I hide it within a file, we call this file a carrier file. And this carrier file is essentially used to carry this hidden message. There are a variety of carrier files used with steganography: all types of digital photographs, whether they be BMP files, JPEGs or GIFs, as well as video and audio files too, such as WAV and other types of files. So there are a variety of steganography tools out there.
Most of them are freeware or shareware type tools, including S-Tools, which has been around for many years, Steghide and Invisible Secrets, and the list goes on and on. There are some commercial manufacturers out there, including Steganos, which I believe is based out of Germany. They've got a fantastic tool that I've tried to do a lot of analysis on. That's one of the few tools I haven't been able to crack. They have a full software suite that allows you to not only hide messages within digital photographs and other mechanisms, but you can also hide drives and hide files within drives and all kinds of cool stuff. And they have some pretty elaborate encryption that they use with it as well. So if you're interested in finding out more information about steganography in general, I've provided a couple of URLs for you. I don't believe they're the latest and greatest on your CD, so I've gone ahead and taken the liberty of updating this particular presentation with these updated URLs. I have sent these to Dead Addict, who will be posting these on the DEF CON site for your download. So you may notice some slight slide differences between what's on your CD versus what you see here on the board. Neil Johnson has a fantastic site. You can download many of the steganography tools through links on his site. He's got some great white papers out there and links to other steganalysis people, including Niels Provos, Eric Cole, and some other people that are pretty prominent within the industry as it relates to steganography. Topology.org also has a link on it, too, with crypto, and a lot of that links to various steganography research as well. So let's get into the bulk of my presentation, which has more to do with steganalysis. We're going to talk about how to identify a file that has a hidden message in it, the different ways in which you can do that, and the particular mechanisms that I'm using in the wild.
All right, so when we talk about steganalysis, we're really talking about identifying the existence of a message, not essentially the extraction of the message; that's left more to the cryptanalysis portion of this presentation. Steganalysis really just has to do with trying to identify that there is a hidden message. So really, in this section, I'm not going to talk about how to extract it. So technically, steganography deals with the concealment of a message, not really the encryption of it. That's really just become an add-on with many of the recent steganography programs. And then we'll talk about how this is really meaningful, and that'll basically bleed over into the cryptanalysis. So by identifying the existence of a hidden message, we can perhaps identify the tool used to hide the message. A lot of the encryption used for encrypting these hidden messages is highly difficult, if not impossible, to crack. So other mechanisms you can use to try to extract the message may be to identify the tool that was used to hide the message and then somehow use that tool to extract it, either through a password attack or some other mechanism. So the common hiding techniques that I found during my research have a lot to do with appending to a file. Many times, you can view a suspect file and actually scroll down to the end of it and see that possibly the hidden message has been appended right to the end of the file. This may include the password as well as the message. It may even include the secret key or something else used by the particular algorithm that was used to encrypt the message. Still other ways of performing this that I've seen are that they'll hide it up in the message header at the top of the file, or somehow use some type of dispersion throughout the file, either using least significant bit or some other type of algorithm. So there are a variety of methods we can use for detecting steganography, many of which have been documented.
Perhaps some type of visual detection. Maybe we can take a look at the file and see that just down at the bottom of the file, or throughout the file, it's just not essentially all that clear. But really, without the original file or the virgin file, it may be kind of hard to determine the differences. Perhaps there's some audible detection if it's a WAV file or something else. Niels Provos and a lot of other people have done a lot of different types of statistical detection or histogram analysis, and we'll talk about that as well. Or you can actually view the structure of the file. For example, if you have the original virgin file, you can compare file size differences, date and time differences, checksums, and other types of modifications. But in many cases, when you're performing forensic analysis, the original file is not there. So it really depends on the steganography program used to hide the message. Some of them will remove the original hidden message file and other ones will leave it behind. So I went ahead and kind of categorized these things into anomaly-based and signature-based. If you're intimately familiar with intrusion detection systems, it's kind of the same mentality with this. So as far as histogram analysis, file properties, statistical attack, visual or audible review of the files, I classify these as anomaly type detection. Versus signature detection, which may be a pattern consistent with the program that was used to hide the message. So when writing my program, essentially my goal was to provide some type of accuracy. It wouldn't be good if you were running this program and it told you that there was a hidden message in it and actually there wasn't. Some type of consistency that might provide better consistency in differentiating between one particular program that was used to hide the message versus another. And most importantly, in my opinion, to minimize false positives.
So if we use some type of visual detection, it may be next to impossible to determine if there's a hidden message within one of these two photographs. So I took a graphic file of Cartman here and I went ahead and hid a message in one of these two pictures. But if you take a visual look at this, it may be next to impossible to determine if there's a hidden message in this. So we really don't think this is a viable option. Still yet, there are some other mechanisms, including kurtosis. This is the degree of flatness or peakedness of a curve describing a frequency distribution. In other words, if you have a frequency of different colors making up the photograph, you may recognize a consistent pattern of certain colors showing up. And if you were to graph this out, they show consistent peaks. If we use histogram analysis to evaluate this in more detail, which would include kurtosis and other things such as standard deviation, this may or may not allow us to really identify whether or not there's a hidden message. For example, if they're using a least significant bit type algorithm to go ahead and disperse it throughout the message, you may see a consistent pattern to these peaks. So I used histogram analysis to evaluate a number of different steganography programs and how they hid messages within photographs and WAV files. For the most part, it was pretty much useless. I've read in Eric Cole's book and a number of other books, which are by the way very good books, that you can essentially use histogram analysis for evaluating a lot of different types of steganography and steganized files. I found the patterns to be grossly inconsistent and really only found this pattern with one of the 50 steganography programs that I've analyzed. So we don't think this is a viable option either. Yeah, this is actually just PaintShop Pro. Yeah.
So there are a lot of different types of programs out there you can use for histogram analysis. I just used PaintShop Pro for this. Still yet, we can do other types of analysis comparing the file properties. If you do have the original file, you can do various types of comparisons, which will show obvious differences as far as date and time, even file size. And still yet, you can also run various types of checksums. But I wouldn't really consider this a viable option either. If you do have the original virgin file, well then yes, it makes it quite easy to identify differences in the file and come up with a potential suspect file. But if you're performing forensic analysis and the person had any kind of intelligence, you wouldn't have the original file and the original message. And so I would think that if anyone was doing anything over a covert channel in which they didn't want anyone to detect this, you really wouldn't have the original file to compare it to. So although this is a possible option, again, I don't really consider it viable either. So when analyzing these types of files, it is important to understand what types of files you're looking at. Not only from the extension, but when evaluating the file itself, you can actually take a look at various signatures related to the type of file that it is. For example, if you're analyzing a JPEG file versus a GIF file, the headers are going to be different. As indicated on this board here, you can see the ASCII signature at the beginning, or header, of the file, and you can see the various differences. So then you know for sure what type of file you're actually looking at. Gary Kessler is a friend of mine. He did a presentation for SANS on steganography, which is pretty decent, highly recommended. It's out there for free download. I believe he works at the University of Vermont. And he's done a lot of research as well as far as steganography. So feel free to check out his site as well.
So if you have a copy of the original file or a virgin file, it can be compared to the modified or suspect carrier file. Many tools can be used for viewing and comparing the contents of a hidden file. You can use everything from Notepad to your favorite hex editor, such as WinHex or something else, to go ahead and analyze the file contents. This may allow you to convert it to ASCII and other types of mechanisms that, believe it or not, may actually reveal the password itself in clear text when the message itself is actually encrypted. So reviewing multiple files may identify a signature pattern related to the steganography program used to hide the message. So if we use a particular steganography program to hide a message, it's going to hide it in a particular way. For example, it may append it to the end of a file. As part of that, it may add some additional information to the end of that file, which may be related to some type of signature. If we do a bunch of hiding of messages and then comparisons, we may identify a relative pattern to the way it hides that message, and it may be differentiated between different types of steganography programs. So I typically use WinHex for this. It does allow comparisons between ASCII and hex. You can open up multiple files and do file comparisons. It does allow you to save the comparison as a report, and you can do various types of searches as far as differences between the two files, or even possibly equal bytes as well. It also contains a file marker capability. So as you find differences in the patterns, you can use various types of markers so that you can come back later on and compare the differences at a later time. So I went ahead and put together a case study of a steganography program called Hiderman. This is a program provided by a company in France. It is a pay-for type program. You can download a free eval. I think it's like a 30-day eval.
So I went ahead, and of the many analyses I've done on various types of steganography programs, this one in particular stood out to me. I thought it might be good for a demonstration. So I went ahead and took a graphic file, hid a message in it, and then did some analysis with my favorite hex editor. If we go ahead and take a look at this file, we can see BM, related to bitmap, at the beginning of the file, identifying what type of file this is, and then viewing the end of the file, I was able to identify that it appeared that the data was simply appended to the end of this file. So I had the original virgin file, as well as the carrier file, compared the two, and we can see what was added to the end of the file. So you may see some consistent patterns here, and on some of the other slides, you're going to see it actually reveals some of the password in clear text, too. So although it used some type of encryption algorithm for hiding the message, it went ahead and put the password in there, in clear text. So I don't even need to reverse the encryption in order to reveal this hidden message. Just take the password, take the program, and take this file and go ahead and open it up with the password. It was as simple as that. In addition, I noticed a consistent pattern to the way it hid the message. Not only did it append it to the end of the file, but the last three characters were always CDN, regardless of the encryption algorithm I used for hiding the message. And as I went through and did more and more comparisons using this program, I found a consistent pattern, which to me means some kind of signature related to this type of program. Consistently at the end of the file, and the same three characters every time.
So by hiding different messages in different files and even with different passwords, again, the same three characters were hidden, or appended, to the end of the file, essentially related to some kind of signature of the steganography program used to hide the message. So I've written a program called StegSpy. It's gone through a couple of iterations, and I have some more iterations in process. It is a signature identification program. Niels Provos and some other people have written statistical analysis, steganalysis type programs; mine is more signature-based, related to, again, the type of program that was used to hide the message. It searches for stego signatures and also determines the program that was used to hide the message. And also it'll identify the location of the hidden message within the file. So if you're going to go ahead and extract that message, you can then simply go ahead and open up your favorite hex editor, find that location, and then go ahead and try to extract the message. So I went ahead and used some different graphics and hid messages in them. And through my analysis, I've used a number of different steganography programs for hiding these messages and have correlated these signatures to those steganography programs. And that's all built into my program. So if I go ahead and choose a file that I want to interrogate, it'll tell me, first of all, whether or not there's hidden steganography within this message, as it relates to the programs that I've correlated signatures to. But it'll also identify the program used to hide the message, as well as the marker position, as to where the hidden message is located within that file. So if you are doing forensic analysis and you want to make an attempt at trying to extract this message, you can go to that marker using your favorite hex editor or something else and then make attempts to try to extract that message.
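The appended-data check and trailing signature lookup described above, written as an added example for this page (it is not StegSpy's code). It identifies the carrier from its header bytes rather than its extension, computes where the legitimate image data ends (the declared size field for the bitmap case in the talk, plus a JPEG marker walk as a generalization), reports any bytes past that point as the likely hidden-message location, and matches the trailing "CDN" bytes the talk attributes to Hiderman; the sample images are constructed in memory.

```python
"""Structure-aware check for a payload appended after a carrier image."""
import struct

# Trailing-byte signatures keyed to the hiding program. Only the Hiderman
# entry comes from the talk ("CDN" always ends the file); extend from your
# own carrier/virgin-file comparisons.
TRAILER_SIGNATURES = {b"CDN": "Hiderman"}


def carrier_type(data):
    """Identify the carrier from its header bytes, not its extension."""
    if data[:2] == b"BM":
        return "bmp"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    return None


def bmp_end(data):
    """A BMP declares its total size at offset 2; bytes past it are foreign."""
    return struct.unpack_from("<I", data, 2)[0]


def jpeg_end(data):
    """Walk JPEG segments to the EOI marker. rfind(b'\\xff\\xd9') would be
    fooled by an appended payload that itself contains FF D9."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None  # structure broken
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xDA:  # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def analyze(data):
    """Return (carrier_type, image_end, appended_bytes, program_guess)."""
    kind = carrier_type(data)
    if kind is None:
        return None
    end = bmp_end(data) if kind == "bmp" else jpeg_end(data)
    if end is None or end > len(data):
        return (kind, None, None, None)  # truncated or malformed carrier
    extra = len(data) - end
    program = None
    if extra:
        for sig, name in TRAILER_SIGNATURES.items():
            if data.endswith(sig):
                program = name
    return (kind, end, extra, program)


def make_bmp(width=2, height=2):
    """Constructed 24-bit BMP built in memory (a sample, not a real carrier)."""
    padded_row = (width * 3 + 3) & ~3
    pixel_bytes = padded_row * height
    header = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      pixel_bytes, 2835, 2835, 0, 0)
    return header + dib + bytes(pixel_bytes)


# Constructed minimal JPEG: SOI, APP0, SOS with a stuffed FF 00 byte, EOI.
MINIMAL_JPEG = (b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00"
                + bytes(9) + b"\xff\xda" + struct.pack(">H", 8) + bytes(6)
                + b"\x12\xff\x00\x34" + b"\xff\xd9")

if __name__ == "__main__":
    clean = make_bmp()
    suspect = clean + b"hidden message" + b"CDN"
    print("clean bmp:", analyze(clean))      # no bytes past the image
    print("suspect bmp:", analyze(suspect))  # 17 appended bytes, Hiderman
    print("jpeg:", analyze(MINIMAL_JPEG + b"\xff\xd9junk"))
```

The reported image end is the marker position to open in a hex editor; a non-zero appended length with no signature match still deserves a manual look.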
So I've got a number of programs here that I've identified, including Masker, JPEG-X, JPHide, and a number of other different types of programs, including Hiderman, Invisible Secrets, and a whole slew of other steganography programs. And I'm continuing to add new signatures to this program all the time. Yes. No, it can't. Steganos has given me quite a struggle. Steganos is written by a really good cryptographer who has worked for the company since its start-up a number of years ago. It is a commercial program. People have done steganalysis on older versions of it, which has revealed where the message was hidden. They use something a little bit more intelligent than just appending it to the file or hiding it in the message or header contents. They tend to use some type of least significant bit dispersion throughout the file instead. So in that case, it definitely requires a little bit more statistical analysis. So I've tried to identify signatures related to Steganos, separate from the type of algorithm it used to hide the message, but I haven't been successful yet in identifying one. So I wrote the original version in Perl, and then I kind of cut it over to Visual Basic. You can download this program for free from my site, spyhunter.com. Like I said, I'm continuing to work on new versions of this program. Some of the new things that I'm adding to the program include additional signatures, constantly reviewing new steganography programs and identifying new signatures as they relate to those programs. Did you have a question over there? Coming up on the next slide. Yeah, I've had some other people recommend that as well, so I've got some cool information on the next slide. We'll talk about it. One of the cool things would be a Mozilla plug-in that just inspects every image. Yeah, I honestly can't take credit for this idea. E.Y. over at Black Hat came up with this idea originally a while back while I was working on this.
And I thought it was a great idea, so it's something I'm going to start working on probably as soon as I get back in town. Great idea though, yeah. So the goal of this would be to detect stego as you browse. A little bit different from what you suggested, which is just doing a spider over the web. I know someone did that a couple of years ago, and I think they combed through about two or three million pictures and found one potentially steganized photograph out there. This would actually detect stego as you're browsing. So as you hit a particular site, a pop-up could possibly come up identifying that this particular picture on this web page potentially has a steganized file, or a hidden message, in it. Some of the other features would be the ability, if you're doing forensic analysis, to scan an entire directory, or maybe even an entire drive. So that's my number one priority at this point. In the next version of the program I'm going to do that and then also work on the Mozilla plugin too. Also, I'm going to try to revert back to some type of Perl iteration, so it can be a little bit more UNIX and Linux friendly. I want to create a GUI around that; I originally wrote it just in Perl, so it was mostly command line. I would like to create some kind of GUI around it, so I'm going to work on that a little bit more too. I just request that you keep the command line. Okay, I'll do that. Yeah, I'm old school too, so I think I'll keep the command line. Okay, so this does differ somewhat from a lot of the other types of research and steganalysis that other people have done, which by no means do I mean to undermine. I think Niels Provos has done some great research as far as statistical analysis as it relates to steganography. I just decided to take it in a different direction. So I've identified a number of signatures, including Invisible Secrets, JPHide, Hiderman, Masker, JPEG-X.
There are some other ones that are in there that I haven't really come out and told people are in there yet, simply because I'm trying to minimize the false positives. I'm still trying to confirm that they are good signatures and all that good stuff. So as I feel comfortable with that, I'll go ahead and post all those updates to my website as well. Okay, so how is this handy? We really haven't achieved the goal, in my opinion, which is revealing the hidden message. So we've identified that there's a hidden message in the file, but in my opinion, we're really only halfway there. We need some type of ability to actually reveal that hidden message. And what I'm going to show you in the next part of this presentation is some tactical measures by which you can possibly perform that. So, searching for the signature pattern determines the presence of a hidden message. And this signature reveals the program used to hide that message. So perhaps if you identified that there is a hidden message within that file and the program used to hide it, we're going to talk about ways in which you can leverage that to then possibly reveal the hidden message. So we bleed over into cryptanalysis. So as stated previously, in steganography the goal is to hide the message, not encrypt it. Cryptography provides the means to encrypt the message. So how do we reveal the hidden message? Knowing the steganography program used to hide the message can be extremely handy when attempting to reveal the actual hidden message. Because trying to identify and crack the algorithm, good luck. A lot of these things use very strong encryption. But yeah, other ones still use pretty weak encryption as well. Other mechanisms we can use are to try to reveal or crack the password, seed, or secret key. Practically all steganography programs use some form of a password or secret key or a seed to hide the message. If we can possibly reveal that, that may allow us to reveal the message as well.
So although sometimes they may use some type of strong encryption, I have found that they use a clear text password or a seed right there within the file. And by using that, you can just reveal the message. So far we've identified the program used to hide the message, and identified the location of the program signature within the file. But now we want to try to identify the location of the password in the file. We've also identified the location of the hidden message. This is possibly the algorithm used to encrypt the hidden message. There are some password guessing and dictionary type tools out there. Niels Provos wrote one called StegBreak. It only works against one particular program called JSteg. But nonetheless, this is one of the first I've seen out there in the wild. It is now actually on the Knoppix Penguin Sleuth forensic CD as well. You can check out Niels Provos's tools at outguess.org. He's been under a lot of political fire from the state of Michigan, where he attends college. They've attempted to shut down his site a number of times. So his site is sometimes up, sometimes down. It's currently up as of my last check last night. Some of the links are crossed out, but if you click on them, they still take you to the site where you can download the tools. So, brute force methods or reverse engineering common encryption techniques. We did talk about modification of the least significant bit within the program, by which it hides the message by dispersing it throughout the file, changing the least significant bit in a particular portion of the file. Also, the password or other contents are masked using some type of an algorithm based on a secret key, a password or a random seed hidden somewhere else within the file. See you to be hidden.