2. Data Hiding
Data hiding involves changing or manipulating a file to
conceal information. Data-hiding techniques include hiding
entire partitions, changing file extensions, setting file
attributes to hidden, bit-shifting, using encryption, and setting
up password protection. Some of these techniques are
discussed in the following sections.
3. Data-hiding Techniques
File manipulation
Filenames and extensions
Hidden property
Disk manipulation
Hidden partitions
Bad clusters
Encryption
Bit shifting
Steganography
5. As we can be seen above, we encountered an error. Now, a typical user
may say this file is corrupt and thus probably delete the file and move on.
While that may be acceptable for the regular user, a forensics analyst
would need to dig a little deeper.
To dig a little deeper, our shovel will be HxD Hexeditor. A point to note is
that every file type has a header which can be used as a signature to
identify the type of file. Similarly some file types have known trailers,
which marks as the ending of the file. Considering this information, we can
use the Internet to our advantage to learn about file extensions. To
determine our actual file type we will rely on the work already done by
https://www.garykessler.net/library/file_sigs.html.
Let’s open our file in Hx.
Filenames and extensions (continued)
7. If we compare the first 6 bytes “7B 5C 72 74 66 31” to one of the known
entries on garykessler.net, we can see that this file should have an
extension of .rtf. In addition, if we look at the trailer we see that within the
last 10 bytes, we have a 4 byte sequence “5C 70 61 72” that matches part
of the .rtf extension. Let’s focus on the header and change the file to .rtf
instead of .jpg.
The file extension can be changed by either renaming the file in “Windows
Explorer” or by “ren securitynik.jpg securitynik.rtf” in the command
prompt.
Filenames and extensions (continued)
8. Hiding Partitions
Delete references to a partition using a disk editor such as Norton
DiskEdit, this editor will delete any reference to it manually.
Re-create links for accessing it.
Use disk-partitioning utilities
GDisk
Partition Magic
System Commander
or Linux Grand Unified Bootloader (GRUB), which provides a startup
menu where you can select an OS. The system then ignores other
bootable partitions.
Account for all disk space when analyzing a disk
9. For example, in the following code, Disk Manager recognizes the extended
partition (labeled EXT DOS) as being 5381.1 MB (listed as Mbytes). The
LOG DOS labels for partitions E through F indicate that they’re logical
partitions that make up the extended partition. However, if you add the
sizes of drives E and F, the result is only 5271.3 MB, which is your first
clue to examine the disk more closely. The remaining 109.8 MB could be a
previously deleted partition or a hidden partition. For this example, the
following code shows the letter “H” to indicate a hidden partition.
Hiding Partitions (continued)
10. Hiding Partitions (continued)
In fig 1.1 you can see a hidden partition in Disk Manager, which
shows it as an unknown partition. In addition, the drive letters in the
visible partitions are nonconsecutive (drive I is skipped), which can be
another clue that a hidden partition exists. Most skilled users would
make sure this anomaly doesn’t occur, however.
Figure 1.1 Viewing a hidden partition in Disk Manager
11. Hiding Partitions (continued)
In ProDiscover, a hidden partition appears as the highest available drive letter set in the
BIOS. Figure 1.2 shows four partitions, similar to Figure 1,1, except the hidden
partition shows as the drive letter Z. To carve (or salvage) data from the recovered
partition gap, you can use other computer forensics tools, such as FTK or WinHex.
Figure 1.2 Viewing a hidden partition in ProDiscover
12. Marking Bad Clusters
Common with FAT systems.
Place sensitive information on free space.
Use a disk editor to mark space as a bad cluster
To mark a good cluster as bad using Norton Disk
Edit
Type B in the FAT entry corresponding to that
cluster
13. Bit-shifting
Old technique
Shift bit patterns to alter byte values of data
Make files look like binary executable code
Tool
Hex Workshop
Bit-shifting changes data from readable code to data that looks like binary
executable code. Hex Workshop includes a feature for shifting bits and altering
byte patterns of entire files or specified data. To shift bits in a text file, follow
these steps
14. Bit-shifting (continued)
1. Start Notepad, and in a text document, type TEST FILE. Test file is to see how
shifting bits will alter the data in a file.
2. Save the file as test file.txt in your work folder, and exit Notepad.
3. Start Hex Workshop. Click File, Open from the menu. Navigate to your work
folder, and then double-click test file.txt. Figure 3 shows the file open in Hex
Workshop
figure 3 test file.txt open in Hex Workshop
15. 4. To set up Hex Workshop for the bit-shifting exercise, click Tools >> operations
from the menu.
5. In the Customize dialog box, click the Data Operations check box, and then click
OK.
6. Click the Shift Left button (<< icon) on the Data Operations toolbar. The Shift
Left Operation dialog box opens (see Figure 4), where you specify how you want to
treat the data, the ordering scheme to use for bytes, and whether you shift bits for
selected text or the entire file.
Figure 4 The Shift Left Operation dialog box
Bit-shifting (continued)
16. 7. Click OK to accept the default settings and shift the bits in test file.txt to the left.
8. Save the file as Bit_shift_left.txt in your work folder. Figure 5 shows the file in
Hex Workshop, with the @ symbols indicating shifted bits.
Figure 5 Viewing the shifted bits
Bit-shifting (continued)
17. 9. To return the file to its original configuration, shift the bits back to the
right by clicking the Shift Right button (>> icon) on the Data Operations
toolbar. Click OK to accept the default settings in the Shift Right
Operation dialog box. The file is displayed in its original format.
10. Save the file as Bit_shift_right.txt in your work folder, and leave Hex
Workshop open for the next activity
Bit-shifting (continued)
18. Using Steganography to Hide Data
Greek for “hidden writing”
Steganography tools were created to protect copy righted material
By inserting digital watermarks into a file.
EXAMPLE: to notify users that an image is copyrighted. The digital
watermarks used for steganography aren’t usually visible, however,
when you view the file in its usual application and might even be
difficult to find with a disk editor. A non steganographic graphics file is
the same size as an identical steganographic graphics file, and they
look the same when you examine them in a graphics viewing utility,
such as IrfanView. However, if you run an MD5 or SHA-1 hash
comparison on both files, you’ll find that the hash values aren’t equal.
19. EXAMPLE:
To hide data, people can use steganography tools, many of which are
freeware or shareware, to insert information into a variety of files. If you
encrypt a plaintext file with PGP and insert the encrypted text into a
steganography file, for example, cracking the encrypted message is
extremely difficult. However, most steganography tools can insert only
small amounts of data into a file and usually require a password to restrict
access to the inserted data.
Suspect can hide information on image or text document files.
Very hard to spot without prior knowledge.
Tools: S-Tools, DPEnvelope, jpgx, and tte
20. REFRENCES
Text book: Guide to computer forensics and investigation by
BILL NELSON,AMELIA PHILLIPS,AND CHRISTOPHER STEUART.
Tools used
Hex Editor https://www.hhdsoftware.com/free-hex-editor
Hex Workshop Hex Editor (64 bit) http://www.hexworkshop.com/