steganography Assignment|Course hero helper

Name: _________________________ Date: _____________

Get your paper done on time by an expert in your field.

Order Now

Fill in your name above, put your full response below each question, save the file using the file naming convention: “ ISSC458_Week8_Assignment_LastName_FirstName.doc” where LastName is your last name and FirstName is your first name, then return this document for grading.

Instructions: Steganography allows hiding sensitive information inside image (and audio) files. During a computer forensic investigation, you will need to analyze image files as part of the evidence. In addition to viewing the image looking for any illicit content, you should also consider analyzing all images files concealed data by means of steganography.

For this exercise, each student will use steghide to embed a Word document within an image file, but keep a copy of the original file. Next, students post both the original image file and the modified image to the Week 8 – Assignment forum. Finally, each student will analyze both images from another student with any image viewer and with WinHex to determine the original file and the modified image.

Submission Instructions: Answer the questions

Assignment Rubric ( 100 Points)

Hardware/Software Setup Required

Steghide (available at http://sourceforge.net/projects/steghide/files/ or the EC-Council Certification Portal http://portal.eccouncil.org/ )

WinHex 15-1 SR-8 (available at http://www.x-ways.net/winhex/ or the EC-Council Certification Portal http://portal.eccouncil.org/ )

StegDetect 0.4 (available at http://www.outguess.org/download.php or the EC-Council Certification Portal http://portal.eccouncil.org/ )

Optional resources

DocumentToHide.doc

Stega01.jpg

Problem Description

Steganography allows hiding sensitive information inside image (and audio) files. During a computer forensic investigation, you will most likely need to analyze image files as part of the evidence. In addition to viewing the image looking for any illicit content, you should also consider analyzing all images files for concealed data by means of steganography.

For this exercise, each student will use steghide to embed a Word document within an image file, but keep a copy of the original image file. Next, students post both the original image file and the modified image to the Week 8 – Assignment forum. Finally, each student will analyze both images form another student with any image viewer and with WinHex to determine the original file and the modified image.

In addition, use stegdetect with the modified file and comment on the outcome.

Estimated completion time: 80 minutes

Outcome

Report the required steps for these tasks.

Validation/Evaluation

· What are some of the options for the steghide command?

· Do the original and modified images look the same?

· Can a hex editor help revealing the presence of hidden information?

· Can stegdetect recognize the presence of hidden information? If not, why not?

Assignment Specific Directions:

1. Download steghide from the EC-Council Certification Portal.

2. Unzip the steghide-0.5.1-win32.zip file to C:\steghide.

3. Click Start->Run, write cmd and press Enter to open a new command prompt window.

4. In the command prompt window type cd c:\steghide and press Enter.

5. Type steghide –help and press Enter to get more information about the steghide command.

6. Now, choose the file that you want to hide and move it to c:\steghide. Note: For this exercise, we will be using DocumentToHide.doc. Students are welcome to replace this file and the image file with their own files.

7. In addition, check the size of the file to hide. In our case, the size of DocumentToHide.doc is 323KB.

8. Next, choose the image file that will conceal the file selected in the previous step and also move it to c:\steghide. Note: For this exercise we will be using Stega01.jpg. Again, students can change this file for their own image files.

9. We need to check the capacity of the image file and match it with the size of the file to hide. If the image file has a smaller capacity, we either select a different image or modify the original image file to be bigger. Note: Stega01.jpg was modified with an image editor to increase its capacity so DocumentToHide.doc could be embedded within it. Any student using his or her own image file should modify it accordingly.

10. To check an image capacity type steghide –info Stega01.jpg and press Enter.

11. When asked if you want to get information about the embedded data, just type n.

12. The following are the options for embedding the file:

a. Encryption algorithm: AES (Rijndael)

b. Passphrase: “steganography”

c. Compression level: maximum supported

13. To find out the information about supported encryption algorithms, type steghide –encinfo and press Enter.

Note that there are two Rijndael options: rijndael-128 and rijndael-256.

14. In step 5, we learned that the –p <passphrase> option allows us to specify a passphrase. In addition, the –z <l> allows us to specify a compression level being 9 the best compression option.

15. Use Windows Explorer to make a copy of the original image file. Note: We will call this copy Copy of Stega01.jpg.

16. Now, to conceal the information within the image file, type steghide –embed -ef DocumentToHide.doc -cf Stega01.jpg -p steganography -e rijndael-128 -z 9 -v and press Enter. Note: you can refer back to step 5 for an explanation of each of these options or type steghide –help for more information.

17. Next, we will open both the original image file and the modified image file with any image viewer to verify that they are the same image .

18. Finally, rename both images as Img01.jpg and Img02.jpg and exchange images with your lab partner for the second part of this lab .

At this point, students should exchange files. The next steps will apply to the files received from each student’s lab partner.

19. We will try to determine what file is the original image and what file contains the modified image.

20. First, open both received files with an image viewer to check for differences in both images.

21. As shown above, both images look very alike .

22. This time, use WinHex (download and install it if you haven’t done that before) to open both files .

23. A quick inspection shows that although both files display the same image, their contents are indeed different.

24. A closer inspection reveals the following:

a. Img02.jpg has a header with Adobe Photoshop information.

b. Img02.jpg has several blocks with 00 values; this is very rare for Img01.jpg.

Note: Large blocks of 00 values are used by steganography tools to conceal information.

25. Based on the above observations, one can conclude that Img02.jpg is the original image. Check these results with your partner.

26. For the final part of the lab, download StegDetect 0.4- Windows Binary from http://www.outguess.org/download.php

27. Unzip the stegdetect.zip file to c:\stegdetect.

28. Run xsteg.exe.

29. Open the Img01.jpg file using the File->Open option.

30. Stegdetect will automatically examine the file looking for concealed information and report the results. In this case, the results were negative for all scan options.

Final Comments

Steganography is a powerful tool for concealing information. As shown before, an image hiding information looks very similar to the original image, being almost impossible for the naked eye to detect the difference. A hex editor is required for this task.

Although there are several automated steganalysis tools, they are often tailored for specific steganography flavors or tools. The experience and judgment of the investigator is essential for the entire analysis process and cannot be replaced by any tool.

Even if you find a tool that can tell that an image file is hiding some other information, it is common for steganography tools to encrypt the information before hiding it. This additional step complicates the entire process even further. Now, the investigator not only needs to extract the concealed information but also decrypt it. This last task can prove very difficult if the steganography tool used known standard encryption algorithms and a strong key.

However, a crafty investigator can detect a modified image by following the steps above, using steganalysis tools, or any other technique. In various countries, the presence of concealed information can be considered an attempt to commit a crime, which can be the basis for a warrant for the concealing process and key. This information can be later used to reveal the hidden information.