digital investigation 6 (2009) 25–38
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/diin
FAUST: Forensic artifacts of uninstalled steganography tools

Rachel Zax, Frank Adelstein*
ATC-NY, Cornell Business and Technology Park, 33 Thornwood Drive Suite 500, Ithaca, NY 14850-1250, United States

Article history: Received 16 September 2008; received in revised form 4 February 2009; accepted 12 February 2009.

Keywords: Steganography detection; Artifacts; Evidence; Uninstalled programs; Registry keys; Files; Directories

Abstract
Images and data, such as child pornography and credit card numbers, can be hidden in files through the use of steganography. Many steganography programs are freely available on the Internet. Searching data files for hidden, embedded content through steganalysis is a time-consuming process. Often steganography programs leave traces behind, such as files, directories, or registry keys, even after they have been removed or uninstalled from the system. An alternative to steganalysis is for a forensic investigator to perform a quick search for these telltale indications that steganography has been used. In this paper, we present the results of a study to detect traces left behind after a number of freely available steganography tools were installed, run, and uninstalled.
© 2009 Elsevier Ltd. All rights reserved.
1. Introduction
In recent years, digital steganography has become popular, and information about it is readily available (Cole, 2003). Steganography can be used to hide illicit or illicitly-obtained data, such as child pornography or stolen personal information, from forensic investigators. Recent news reports describe cases of both the threat and the use of steganography (SARC). For example, the Times Online reports that a raid on a terrorist organization in the UK by Scotland Yard, in October 2008, discovered that secret messages were being embedded in child pornography images (Kerbaj and Kennedy, 2008) (note that this is atypical; usually the child pornography is the hidden data, not the carrier). Other articles discuss how the use of steganography can hamper forensic investigations. Hundreds of steganography programs can be downloaded for free from web sites, such as stegoarchive [1] and jjtc [2], making these tools readily available to criminals. The fact that steganography tools hide the presence of data from investigators makes it difficult to predict how likely it is that an investigator will encounter them in a case, and how much time and effort should be spent pursuing the possibility of their presence. However, digital forensic investigators cannot simply ignore steganography. They need a way to quickly detect traces of common steganography tools. A detailed steganographic analysis of the data files on the disk will scale with the number of files on the disk, or roughly speaking, the size of the disk. Since all files need to be examined, this is comparable to a string indexing process, which can be very slow (hours, if not days). An alternative to this approach is to search for known artifacts associated with steganography tools. This type of search entails looking for a small number of artifacts (files, directories, registry keys) on a disk, well under 1000, and should take seconds to complete.
* Corresponding author. Tel.: +1 607 266 7104; fax: +1 607 257 1972. E-mail address: [email protected] (F. Adelstein).
[1] http://home.comcast.net/~ebm.md/stego/software.html.
[2] http://www.jjtc.com/Steganography/tools.html.
1742-2876/$ – see front matter © 2009 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2009.02.002
While a detailed steganalysis would be too time consuming as a general practice, investigators can quickly perform an efficient search for steganography tools as part of the initial triage phase. A quick, preliminary search would be helpful to determine whether a time-intensive examination is warranted. If traces of such tools are discovered, the investigator can conduct a thorough examination of the contents of every file during the analysis phase of the investigation. Existing general purpose forensic tools provide very limited support for steganography detection, and special purpose tools tend to have problems, such as detecting only the presence of steganography, but not what tool or encoding technique was used, or requiring time to examine all the files on the disk to determine whether any of them contain hidden data. Such detection tools can become out of date quickly, as new steganography programs are released. In addition, many existing detection tools are not freely available. See Section 5 for a detailed discussion of Related Work. A different approach is to perform a quick triage to look for telltale traces of steganography programs, which frequently leave artifacts in the file system and registry. A file can easily be detected via a hash, or the file or directory name. Similarly, the names and values of registry keys are good indicators. This raises the question of what can be done if such tools have been deleted from the computer. Specifically, what forensic artifacts remain after the steganography tools have been removed or uninstalled? Such artifacts would form a list of useful clues that could quickly be checked to determine whether an in-depth steganographic analysis is required. We conducted an experiment on a number of popular steganography tools to determine whether such artifacts exist and if so, what they are. This article answers the question of what traces, if any, remain once these tools have been uninstalled. 
We describe our approach in Section 2, present the results in Section 3, analyze those results in Section 4, discuss related work in Section 5, and present our conclusions and recommendations in Section 6.
2. Methodology
We first identified popular, readily available steganography tools. Such tools were identified by compiling information from Internet sites that list or discuss these tools. Sources included StegoArchive.com; Johnson & Johnson Technology Consultants, LLC (Johnson, 2008); the Anti-Child Porn Organization (Astrowsky, 2005); securityfocus.com; Packetderm, LLC (Packetderm, 2003); brothersoft.com; Tistory.com (Tistory.com, 2008); Spacegate (Spacegate, 2004); Wowarea (Wowarea, 2006); and various Google discussion groups. We selected tools with large numbers of downloads (software sites such as sourceforge.net, pcworld.com, filetransit.com, and soft32.com provide that information), whose latest versions had been released in the last few years, and that were topics of discussion on web sites, web logs, or mailing lists. We considered even old tools worthy of study if they had provoked much recent discussion. Finally, of course, the tools had to be available for download; this study examined only programs offered as freeware.
Our initial study focused on Windows-based programs. Because Windows programs rarely are simple command-line tools, they are likely to leave traces; and Windows machines represent the vast majority of computers that forensic examiners encounter. Table 1 lists the software we considered, along with the URL at which each tool was found. We next ran the tools in a controlled environment. We used a virtual machine (VM) in order to maintain isolation, and to provide us with a clean system without the need to reinstall an operating system. This also afforded us protection against any malicious code that might have been embedded in the programs we ran, as the VM was used only for this experiment. We used Virtual Box (Virtual Box) to run a Windows XP Professional SP2 system. The VM was configured to have 256 MB memory and 2.4 GB disk. Because this study was intended to assist with quick, in-the-field triage-based examinations, we focused on forensic artifacts that would not require an in-depth disk analysis. Specifically, we looked for active files (as opposed to deleted files), directories, and registry keys. Several of the programs required installation via a provided install script; the other tools were packaged within zip files and had to be extracted before running. Each program was downloaded, installed or unzipped, run using one or more of the supported file types as sample data, and then uninstalled or deleted. In the case of programs that ran without being installed, we deleted the zip file and, if applicable, the folder to which it had been extracted, but left any other files that had been created during the process. We used the Windows SysInternals tools File Monitor (Russinovich and Cogswell, 2006a) and Registry Monitor (Russinovich and Cogswell, 2006b) (Fig. 1) to monitor the steganography tools' activities, specifically, to detect the creation of new files, directories, and registry keys. After the programs were uninstalled or the files deleted, we searched through the file system and Registry Editor (regedit), aided by File Monitor and Registry Monitor, and determined what artifacts remained.

Table 1 – List of Software Tested in Study.

Name                           URL
Digital Invisible Ink Toolkit  http://sourceforge.net/project/showfiles.php?group_id=139031
FreeOTFE                       http://www.freeotfe.org
Gif-it-up                      http://www.stegoarchive.com/software
Hide and Seek                  http://www.searchlores.org/stego.htm
Hide in Picture                http://sourceforge.net/projects/hide-in-picture/
Invisible Secrets              http://www.softpedia.com/get/Security/Encrypting/Invisible-Secrets.shtml
Jpeg-jsteg                     http://www.theargon.com/achilles/steganography/jpeg-steg/ (download both jpeg-v4.tar.gz and jpeg-jsteg-v4.diff.gz)
JPHide/JPSeek                  http://nixbit.com/cat//security/jphs/
MP3Stego                       http://www.petitcolas.net/fabien/steganography/mp3stego/index.html
OpenStego                      http://sourceforge.net/project/showfiles.php?group_id=211815
PGE                            http://home.earthlink.net/~emilbrandt/stego/softwaredos.html
Snow                           http://www.darkside.com.au/snow/
Stealth                        http://www.wowarea.com/english/help/stega.htm
Steganography                  http://securekit.net/download.htm
Steghide                       http://steghide.sourceforge.net/download.php
Stegodos                       http://cd.textfiles.com/hackersencyc/PROGRAMS/FILES.HTM
StegoMagic                     http://www.programmersheaven.com/download/38361/download.aspx
S-Tools                        http://www.spychecker.com/program/stools.html
wbStego                        http://wbstego.wbailer.com/
wnStorm (White Noise Storm)    http://arachelian.com/
3. Results
Several of the programs tested left behind obvious and permanent traces, including folders, files, and registry keys bearing the names of the programs or their authors. Others did not leave such definitive evidence, but left clues in the information created by auxiliary programs that had interacted with the tools (e.g., WinZip). Some of the programs did not leave any evidence beyond files and keys in temporary caches. Many of the programs that did not leave useful evidence were simple binaries, which did little besides reading input and producing output. Detecting the use of such programs would be difficult, at best, using this forensic method. We did not record data that were left in most recently used (MRU) caches and in the home directory's Recent and Temp subdirectories; however, we noted artifacts left in other short-term caches, such as WinZip's extract and filemenu registry keys and the WINDOWS\Prefetch directory. While these resources provide useful information in a real examination, we considered them too ephemeral for this study to use as a red flag. Table 2 summarizes the data, taking into account only permanent artifacts. The first column gives the name of the program; the second indicates whether any useful and permanent artifacts were found; the third and fourth indicate whether these artifacts were found in the registry or in the file system; and the last indicates whether the program required installation, or was instead packaged in a zip file. Full results can be found in Appendix A.

Table 2 – Programs and Artifacts.

Name                           Artifacts?  Registry?  Files and Directories?  Installed?
Digital Invisible Ink Toolkit  N           N          N                       N
FreeOTFE                       Y           Y          Y                       Y
Gif-it-up                      Y           Y          N                       N
Hide and Seek                  N           N          N                       N
Hide in Picture                Y           Y          N                       N
Invisible Secrets              Y           Y          Y                       Y
Jpeg-jsteg                     N           N          N                       N
JPHide/JPSeek                  N           N          N                       N
MP3Stego                       N           N          N                       N
OpenStego                      N           N          N                       N
PGE                            N           N          N                       N
Snow                           N           N          N                       N
Stealth                        N           N          N                       N
Steganography                  Y           Y          Y                       Y
Steghide                       N           N          N                       N
Stegodos                       N           N          N                       N
StegoMagic                     Y           Y          N                       N
S-Tools                        Y           Y          N                       N
wbStego                        Y           Y          N                       N
wnStorm (White Noise Storm)    Y           N          Y (desktop)             N

Fig. 1 – Registry Monitor during the process of installing and running FreeOTFE. CreateKey requests are highlighted.
4. Analysis

The programs left behind a variety of forensic evidence, some clues more reliable than others. Several created artifacts bearing their names and did not remove them upon uninstallation. These traces are the most reliable. In addition, many of the programs were registered as handlers for various file extensions, creating evidence under the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts registry key. These preferences can be overwritten when other programs are installed; however, if no new program installation overwrites them, they will remain in the registry. Some evidence was created by programs the tools interacted with, not by the steganography tools themselves. WinZip (2008) was used to handle tools packaged in zip files, and it left evidence under the key HKCU\Software\Nico Mak Computing\WinZip. Although the presence of these artifacts provides evidence that the tools were downloaded, their absence provides no information. Other auxiliary programs might be used instead, leaving different artifacts or possibly no artifacts. In addition, these artifacts are not permanent. The steganography tools also left evidence in MRU lists and other temporary caches. These artifacts disappear over time as well and thus no conclusions can be drawn from their absence. Some artifacts, although permanent, would not be useful as evidence because they did not uniquely identify the program that created them. For example, running the Hide and Seek executable HIDE.EXE always produces a file called outfile.gif. However, an investigator discovering such a file name could not conclude that it was produced by Hide and Seek, thus the presence of that artifact is of limited value.

Another factor to consider is where artifacts are stored in the file system: even a non-savvy user might recognize and delete incriminating files from the desktop (where both White Noise Storm and Hide and Seek place files, for example), while files stored elsewhere might not capture the user's attention. Programs that required installation tended to leave better evidence than those packaged in zip files. The installed programs more often created fixtures during setup that would be used for each run of the program, whereas the simpler tools packaged in zip files required less overhead. One program requiring installation, FreeOTFE, created many registry keys connected with the various encryption algorithms that the program supports. The Unix-style, command-line based tools left no permanent evidence. Typically they require the user to specify two input files, i.e., the information to be hidden and the file in which to hide the information, and to produce an output file. They require neither configuration files nor need to track any internal state from one invocation to another. The only traces of such programs would be the executable itself, which, if uninstalled, would be in unallocated disk space. Extracting such files (called "carving") and identifying them is beyond the scope of this study. A detailed forensic analysis using other techniques might reveal deleted files, but that is beyond the scope of our investigation.

5. Related work
One way to detect the presence of steganography is to examine the properties of every possible carrier file on a computer, looking for tell-tale signs. Two approaches to examining files are signature-based detection and blind detection. Signature-based detection searches files for known byte patterns left by specific steganography programs. Because a signature match reveals which tool was used to hide the information, it can provide insight regarding how to extract the data. Blind detection examines statistical properties of the file (e.g., entropy measurements) that are affected by steganographic algorithms. A blind match merely indicates that it is likely that something is hidden, without addressing what is hidden or how. An investigator can also look for differences between the suspected file and its original version, if available. These techniques require a time-consuming, detailed examination of all the files that could contain hidden information. Since disks commonly contain tens or hundreds of gigabytes of data, these detection techniques cannot be done quickly as part of a first response or triage. Much work has been done in the area of steganography detection (also known as steganalysis). Recently developed tools include Stego Suite and Gargoyle (WetStone Technologies), Forensic Toolkit (AccessData), EnCase (Guidance Software), Steganography Analyzer Artifact Scanner (Backbone Security) and Stegdetect and Stegbreak (Niels Provos). Stego Suite comprises four separate programs: Stego Hunter, Stego Watch, Stego Analyst, and Stego Break. Stego Hunter looks for the presence of steganography programs, as we did in this study. While the specific detection techniques are not published, we assume that Stego Hunter looks for resources such as file and directory names, file signatures (hashes), and registry keys. Stego Hunter also flags the types of files that may have been used as carriers. 
Stego Watch then analyzes files to determine how likely it is that they carry hidden data, as well as which algorithm was most likely used to hide the information. Stego Watch uses both signature-based detection and blind detection. Stego Analyst is used to search for visual evidence of steganography in image and audio files. The tool displays statistical information and also allows an investigator to view images through different filters. Stego Break aims to recover hidden information by finding the passkey needed to unlock the file (WetStone Technologies Inc., 2008a). Gargoyle is used to detect whether steganography tools are present. Gargoyle compares the hashes of the files to be searched with those of files associated with known steganography software (WetStone Technologies Inc., 2008b). Other steganography detection programs that make similar use of hash sets include Forensic Toolkit and EnCase (Kessler, 2004). Recently, Backbone Security has come out with a new version of their steganalysis tool, Steganography Analyzer Artifact Scanner (StegAlyzerAS). The software can scan the file system and registry for artifacts known to be associated with steganography tools (Steganography Analysis and Research Center, 2008). Stegdetect can find information hidden in JPEG images by a variety of steganographic tools, including JSteg, JPHide, Invisible Secrets, OutGuess 0.13b, F5, AppendX, and Camouflage. The tool uses linear discriminant analysis: given examples of normal images and examples of steganographically altered images, it computes a linear detection function to separate the two groups. The function can then be used to classify other images. Stegbreak is a companion program that can be used against suspected JPEG carrier files created by JSteg-Shell, JPHide, and OutGuess 0.13b. Stegbreak launches dictionary attacks, i.e., brute-force attempts to retrieve the hidden information, using the words and phrases in a dictionary as potential passkeys (Provos, 2004). Previously developed tools often focus on the potential carrier files themselves, using signature-based and/or blind detection. However, some steganography applications are resistant to the statistical methods of blind detection. For example, Allan Latham's JPHide/JPSeek tool uses pseudorandom numbers to determine where to store the bits to be hidden. According to Latham, this minimizes statistical distortion, whereas the common, simple algorithm that stores data in the carrier file's least significant bits produces significant statistical effects (Latham, 2006). Czeskis et al. (2008) describe artifacts left by the TrueCrypt program, such as shortcuts and registry keys, when attempting to use it to make a "deniable file system," which is, essentially, a hidden file system. A new technique, described in Adee (2008), is designed to disrupt steganography rather than detect it, by making similar changes to data files that are undetectable by humans.
Some of the abovementioned tools search for artifacts in the file system and registry, as we did in this study. However, our work focuses on the artifacts indicating that steganography tools were at some point used on a computer, even if the tools were later uninstalled or deleted. The goal is to compile a list of file, directory, and registry key ‘‘red flags’’ for forensic examiners to quickly check for indications of steganography. Such an approach would be useful even when the suspect has tried to cover his tracks by removing any steganography tools. Our work in no way replaces the other tools, and even if no red flags are found, a detailed analysis using other steganalysis tools may be warranted if other evidence suggests that steganography tools were used.
6. Conclusion and recommendations

We examined several popular steganography programs to determine what, if any, artifacts remain after the program has been installed, run, and then uninstalled. Roughly half of the programs we examined left some traces behind. Forensic artifacts can provide evidence that steganography tools have been used. Investigators may wish to search for traces that indicate the use of such programs before looking directly for steganographically altered files, a process that can be cumbersome. The presence of forensic artifacts would give the investigator further reason to conduct a thorough search for files containing hidden data. If no artifacts are found, the investigator must then rely on other, external factors to determine whether a detailed steganographic analysis is appropriate, as is already done. However, the results in this paper suggest that the investigator perform a quick check for certain directories, files, and registry keys in the initial phase of the investigation. In addition to providing evidence that would encourage the investigator to proceed, such artifacts may provide helpful clues. For example, knowing the identity of the program used would allow the investigator to focus his search on the types of files that tool uses to hide data. A program that searched for the forensic artifacts described in this paper could also be useful to an investigator who was able to obtain only a restricted warrant to search a computer's contents. If such a program, looking only for specific artifacts, discovered any evidence, it could provide probable cause for the investigator to obtain a warrant to conduct a more thorough and invasive search of the computer's files. Similarly, such a program could be useful for consent searches ("knock and talk") or by parole officers to validate compliance with terms of parole. A very simple example of an automated tool to search for these artifacts is provided in Appendix B. This program is intended to demonstrate the mechanics of doing registry lookups. Obviously, it needs a more sophisticated way of specifying the registry, such as an external file or via a URL, since the data in it would quickly become obsolete. It only includes a few keys for demonstration purposes.

One way to keep this type of program current would be to maintain it on an open-source site and allow forensic investigators and researchers to submit updates, for example through Source Forge or the Forensic Wiki [3]. The work presented in this paper focused on a relatively small set of steganography tools available for Windows. Future work can focus on other tools and platforms. Although Unix platforms have no registry, some clues indicating the use of installed packages may remain in RPM or similar logs. Recent work in forensic analysis (Dolan-Gavitt, 2008; Morgan, 2008) of the Windows Registry shows that in some cases registry keys can be retrieved even after they have been deleted. Such keys can be retrieved from the registry files (or hives) or system memory, as opposed to unallocated space, meaning a search for these keys could be quickly done as part of a triage step. This means that it may be possible to detect evidence of the prior presence of steganography tools even if the installer/uninstaller properly deleted all of the installed directories, files, and registry tools.
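Section 6 points to the Appendix B registry-lookup demonstration, which is not reproduced on this page. As an added example (not the paper's Appendix B program), the following Python checker generalises that idea to all three artifact classes of Table 2, driven by a hand-transcribed subset of Appendix A. The rule format, helper names, the constructed registry/file-system snapshot and the winreg adapter are this example's own assumptions, not the paper's; the snapshot stands in for a live machine so the logic runs offline, and it encodes the Appendix A convention that filemenuX/extractX denote arbitrary numbers and * an arbitrary lowercase letter.

```python
"""Artifact triage check modelled on the FAUST red-flag list (added example)."""
import re
from typing import Callable, Dict, List, Optional, Tuple
# Rule forms: ("path", p) file/directory p exists; ("key", k) registry key k
# exists; ("value", k, name_re, data_sfx) some value under k whose name matches
# name_re and whose data ends with data_sfx. name_re encodes the Appendix A
# notation: filemenuX/extractX = arbitrary number, * = one lowercase letter.
WINZIP = r"HKCU\Software\Nico Mak Computing\WinZip"
FILEEXTS = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
# Subset of Appendix A, transcribed by hand; extend from the table as needed.
ARTIFACT_RULES: Dict[str, List[Tuple[str, ...]]] = {
    "FreeOTFE": [
        ("key", r"HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FREEOTFECYPHERAES_LTC"),
        ("path", r"C:\Program Files\FreeOTFE"),
        ("value", FILEEXTS + r"\.vol\OpenWithList", r"^[a-z]$", "FreeOTFE.exe"),
    ],
    "Hide and Seek": [
        ("value", WINZIP + r"\extract", r"^extract\d+$", r"\hdsk4.1"),
        ("value", WINZIP + r"\filemenu", r"^filemenu\d+$", r"\hdsk4.1.zip"),
    ],
    "Invisible Secrets": [
        ("key", r"HKCU\Software\NeoByte Solutions\Invisible Secrets 4"),
        ("path", r"C:\Program Files\Invisible Secrets 4"),
    ],
    "Steghide": [("value", WINZIP + r"\extract", r"^extract\d+$", r"\steghide")],
}

def match_value(values: Dict[str, str], name_re: str, data_sfx: str) -> Optional[str]:
    """First 'name = data' under the key matching the rule, else None. Only the
    tail of the data is compared (case-insensitively, like Windows paths) because
    Appendix A notes the prefix depends on where the download was saved."""
    pat = re.compile(name_re, re.IGNORECASE)
    for name, data in values.items():
        if pat.match(name) and data.lower().endswith(data_sfx.lower()):
            return f"{name} = {data}"
    return None

def scan(rules: Dict[str, List[Tuple[str, ...]]], read_key: Callable[[str], Optional[Dict[str, str]]],
         path_exists: Callable[[str], bool]) -> Dict[str, List[str]]:
    """{program: [hit descriptions]} for every program with at least one hit;
    read_key returns {value name: data} for a key path, or None if it is absent."""
    hits: Dict[str, List[str]] = {}
    for program, program_rules in rules.items():
        found = []
        for rule in program_rules:
            kind = rule[0]
            if kind == "path" and path_exists(rule[1]):
                found.append(f"path present: {rule[1]}")
            elif kind == "key" and read_key(rule[1]) is not None:
                found.append(f"key present: {rule[1]}")
            elif kind == "value":
                values = read_key(rule[1])
                matched = match_value(values, rule[2], rule[3]) if values else None
                if matched:
                    found.append(f"value under {rule[1]}: {matched}")
        if found:
            hits[program] = found
    return hits

def read_key_winreg(key_path: str) -> Optional[Dict[str, str]]:
    """Live-registry adapter for Windows hosts (assumed; not exercised here).
    On 64-bit hosts pass access=winreg.KEY_READ | winreg.KEY_WOW64_32KEY too."""
    import winreg
    hive_name, _, sub = key_path.partition("\\")
    hive = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE,
            "HKCR": winreg.HKEY_CLASSES_ROOT}[hive_name]
    try:
        with winreg.OpenKey(hive, sub) as key:
            values, i = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # EnumValue raises once no values remain
                    return values
                values[name] = str(data)
                i += 1
    except FileNotFoundError:
        return None

# Constructed snapshot standing in for a live registry and file system.
SAMPLE_REGISTRY = {
    WINZIP + r"\filemenu": {
        "filemenu0": r"C:\Documents and Settings\alice\Desktop\photos.zip",
        "filemenu3": r"C:\Documents and Settings\alice\hdsk4.1.zip"},
    WINZIP + r"\extract": {"extract1": r"C:\Program Files\hdsk4.1"},
    FILEEXTS + r"\.vol\OpenWithList": {"a": "FreeOTFE.exe", "MRUList": "a"},
}
_REG_CI = {k.lower(): v for k, v in SAMPLE_REGISTRY.items()}  # key names are case-insensitive
SAMPLE_PATHS = {r"c:\program files\invisible secrets 4"}

def read_key_snapshot(key_path: str) -> Optional[Dict[str, str]]:
    return _REG_CI.get(key_path.lower())

def path_exists_snapshot(path: str) -> bool:
    return path.lower() in SAMPLE_PATHS

def demo() -> Dict[str, List[str]]:
    return scan(ARTIFACT_RULES, read_key_snapshot, path_exists_snapshot)
```

On a live Windows host, pass read_key_winreg and os.path.exists to scan() instead of the snapshot callables; Steghide is deliberately absent from the snapshot's hits because the shared WinZip extract key exists but carries no matching value.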
[3] http://www.forensicswiki.org/.

Appendix A. Artifacts

Notes:
1. Artifacts in the table are from steganography programs that were installed, run, and then uninstalled.
2. File artifacts are listed below the directories in which they are found; similarly, value names and data are listed below the registry keys in which they are found.
3. Registry value names involving arbitrary numbers (which depended on the order in which they were tested) – such as "filemenu1" or "extract3" – have been given as "filemenuX" or "extractX" to indicate this. Similarly, an asterisk (*) as a value name symbolizes an arbitrary lowercase letter (which, again, depended on the order of testing).
4. Registry keys listed under HKCU were also found at the equivalent addresses under HKU.
5. Whenever the user was given the chance to rename files or folders that would be installed, the defaults were used.
6. The value names and data in certain registry keys (e.g. WinZip, MUICache) depended on where the program was saved when downloaded. For example, a program that was saved to the desktop would correspond to a name or data such as C:\Documents and Settings\{username}\Desktop\{file name}. A program that was opened without saving it explicitly would have a name or data such as C:\Documents and Settings\{username}\Local Settings\Temp\{file name}.

Table 3 gives the complete list of artifacts.
Table 3 – Programs and Artifacts (registry keys, value names and value data; directories and files).

Digital Invisible Ink Toolkit
  no artifacts

FreeOTFE
  Registry Key: HKLM\SYSTEM\CurrentControlSet\Enum\Root
    Subkeys: LEGACY_FREEOTFECYPHERAES_LTC, LEGACY_FREEOTFECYPHERBLOWFISH, LEGACY_FREEOTFECYPHERCASTS, LEGACY_FREEOTFECYPHERCAST6_GLADMAN, LEGACY_FREEOTFECYPHERDES, LEGACY_FREEOTFECYPHERMARS_GLADMAN, LEGACY_FREEOTFECYPHERRC6_GLADMAN, LEGACY_FREEOTFECYPHERRC6_LTC, LEGACY_FREEOTFECYPHERSERPENT_GLADMAN, LEGACY_FREEOTFECYPHERTWOFISH_LTC, LEGACY_FREEOTFEHASHMD, LEGACY_FREEOTFEHASHRIPEMD, LEGACY_FREEOTFEHASHSHA, LEGACY_FREEOTFEHASHTIGER, LEGACY_FREEOTFEHASHWHIRLPOOL
    (each of the above FreeOTFE subkeys was also found, equivalently, under HKLM\SYSTEM\ControlSet002\Enum\Root)
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
    Value Name: *  Value Data: FreeOTFE.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vol\OpenWithList
    Value Name: *  Value Data: FreeOTFE.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\FreeOTFE
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\~nsu.tmp\Au_.exe  Value Data: FreeOTFE
    Value Name: C:\Documents and Settings\{username}\My Documents\FreeOTFE_4_00.exe  Value Data: FreeOTFE
    Value Name: C:\Program Files\FreeOTFE\FreeOTFE.exe  Value Data: FreeOTFE
  Directory: C:\Program Files\FreeOTFE
    Subdirectory: alternate_drivers
      Files: FreeOTFECypherAES_Gladman, FreeOTFECypherTwoFish_Gladman, FreeOTFECypherTwoFish_HifnCS
    Subdirectory: weak_drivers
      Files: FreeOTFECypherNull, FreeOTFECypherXOR, FreeOTFEHashNull
    Subdirectories: amd64, x86 (the same files were found under each of these directories)
      Files: FreeOTFE, FreeOTFECypherBlowfish, FreeOTFECypherCAST6_Gladman, FreeOTFECypherMARS_Gladman, FreeOTFECypherRC6_ltc, FreeOTFECypherTwofish_ltc, FreeOTFEHashRIPEMD, FreeOTFEHashTiger, FreeOTFECypherAES_ltc, FreeOTFECypherCAST5, FreeOTFECypherDES, FreeOTFECypherRC6_Gladman, FreeOTFECypherSerpent_Gladman, FreeOTFEHashMD, FreeOTFEHashSHA, FreeOTFEHashWhirlpool
  Directory: My Documents
    Files: FreeOTFE_4_00
  Directory: C:\WINDOWS\Prefetch
    Files: FREEOTFE.EXE-1BCEAFCB.pf, FREEOTFE.EXE-16362389.pf, FREEOTFE_4_00.EXE-3610AC25.pf

Gif-it-up
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\Program Files\NelsonSoft\Gifitup\Gitifup.exe  Value Data: Gif it Up V1.0
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList
    Value Name: *  Value Data: GitifUp.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList
    Value Name: *  Value Data: GitifUp.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rtf\OpenWithList
    Value Name: *  Value Data: GitifUp.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
    Value Name: *  Value Data: GitifUp.exe
  Directory: C:\WINDOWS\Prefetch
    Files: GITIFUP.EXE-065F260F.pf
  (note: "Gifitup" was misspelled in the artifacts above; other versions of the software may create correctly spelled artifacts)

Hide and Seek
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\extract
    Value Name: extractX  Value Data: C:\Program Files\hdsk4.1
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\hdsk4.1.zip
  Directory: C:\Documents and Settings\{username}\Desktop
    Files: OUTFILE.GIF

Hide in Picture
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList
    Value Name: *  Value Data: winhip_cs_nogif.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
    Value Name: *  Value Data: winhip_cs_nogif.exe
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\winhip_cs_nogif.exe  Value Data: winhip_cs_nogif
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\hip21_cs_nogif.zip
  Directory: C:\WINDOWS\Prefetch
    Files: WINHIP_CS_NOGIF.EXE-10A339CB.pf

Invisible Secrets
  Registry Key: HKCR\Invisible Secrets 4\Shell\Open\Command
    Value Name: (Default)  Value Data: C:\PROGRA~1\INVISI~1\invsecr.exe\d "%1"
  Registry Key: HKLM\SOFTWARE\Classes\Invisible Secrets 4\Shell\Open\Command
    Value Name: (Default)  Value Data: C:\PROGRA~1\INVISI~1\invsecr.exe\d "%1"
  Registry Key: HKCU\Software\NeoByte Solutions\Invisible Secrets 4
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Invisible Secrets 4
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList
    Value Name: *  Value Data: invsecr.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
    Value Name: *  Value Data: invsecr.exe
  Registry Key: HKCU\Software\Digital River\Software Passport\Neobyte Solutions\Invisible Secrets 4
  Registry Key: HKCU\Software\Digital River\SoftwarePassport\Download Manager\897848178739EB095F1545A3CD4D5681
    Value Name: LMNameoftheProduct  Value Data: 06042008160351: Invisible Secrets 4
    Value Name: LMxmlfilename  Value Data: 06042008160403: C:\Program Files\Download Manager\Invisible Secrets 4\LMDOWNLOADINFO.xml
    Value Name: Title  Value Data: Invisible Secrets 4
    Value Name: SaveAs  Value Data: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DRDId\invsecr-trial.exe
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\GLB17.tmp  Value Data: Invisible Secrets Setup
    Value Name: C:\PROGRA~1\INVISI~1\invsecr.exe  Value Data: Invisible Secrets
    Value Name: C:\Program Files\Invisible Secrets 4\UNWISE.EXE  Value Data: UNWISE
    Value Name: C:\Documents and Settings\{username}\My Documents\Download_invsecrtrial.exe  Value Data: Download Manager
  Directory: C:\Program Files\Common Files\Download Manager\Invisible Secrets 4
  Directory: C:\Program Files\Invisible Secrets 4
  Directory: My Documents
    File: Download_invsecr-trial
  Directory: C:\WINDOWS\Prefetch
    Files: INVSECR.EXE-1EC4E0C5.pf, INVSECR-TRIAL.EXE-21F89080.pf, DOWNLOAD_INVSECR-TRIAL.EXE-077C7A8E.pf

Jpeg-jsteg
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\jpeg-jsteg-v4.diff
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\jpeg-v4.tar.gz

JPHide/JPSeek
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\jphs-0.3.tgz

OpenStego
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\openstego-0.4.2.zip

PGE
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\pge20.zip
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\PGE20.COM  Value Data: PGE20
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\PGECLEAR.COM  Value Data: PGECLEAR
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\UNPGE20.COM  Value Data: UNPGE20

Snow
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\My Documents\snwdos32.zip
  Directory: C:\WINDOWS\Prefetch
    Files: SNOW.EXE-26C9146A.pf, SNOW.EXE-183F17AE.pf

Stealth
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\stealth1.2.tar.gz

Steganography
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList
    Value Name: *  Value Data: Steganography.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList
    Value Name: *  Value Data: Steganography.exe
  Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Steganography
  Directory: C:\Program Files\Steganography
  Directory: My Documents
    Files: sg
  Directory: C:\WINDOWS\Prefetch
    Files: SG.EXE-210BFB5D.pf, SG.TMP-1DC77321.pf, STEGANOGRAPHY.EXE-0E117F1A.pf

Steghide
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\extract
    Value Name: extractX  Value Data: C:\Program Files\steghide
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data: C:\Documents and Settings\{username}\Desktop\steghide-0.5.1.-win32.zip
  Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache
    Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\steghide.exe  Value Data: steghide
  Directory: C:\WINDOWS\Prefetch
    Files: STEGHIDE.EXE-3764F9FF.pf, STEGHIDE.EXE-2755533B.pf

Stegodos
  Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu
    Value Name: filemenuX  Value Data:

StegoMagic
C:\Documents and Settings\{username}\Desktop\STEGODOS.ZIP Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList Value Name: * Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList Value Name: * Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\OpenWithList Value Name: * Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList Value Name: * Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.steg\OpenWithList Value Name: * Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\OpenWithList Value Name: * (continued on next page)
34
digital investigation 6 (2009) 25–38
Table 3 – (continued).
S-Tools
wbStego
wnStorm (White Noise Storm)
Value Data: StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\StegoMagic.exe Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache Value Name: C:\Documents and Settings\{username}\Local Settings\Temp\StegoMagic.exe Directory: C:\WINDOWS\Prefetch Files: STEGOMAGIC.EXE-2C98CF3C.pf Registry Key: HKCU\Software\S-Tools\4.0 Registry Key: HKCU\Software\Nico Mak Computing\WinZip\Extract Value Name: extractX Value Data: C:\Program Files\s-tools Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu Value Name: filemenuX Value Data: C:\Documents and Settings\{username}\My Documents\s-tools4.zip Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList Value Name: * Value Data: S-Tools.exe Directory: C:\WINDOWS\Prefetch Files: S-TOOLS.EXE-1BA8DF44.pf Registry Key: HKCU\Software\Wbailer\wbStego Value Name: Version Value Data: wbStego4.3 english 32bit Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\wbStego Steganography Tool Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList Value Name: * Value Data: wbStego4.3open.exe Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList Value Name: * Value Data: wbStego4.3open.exe Registry Key: HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache Value Name: C:\Documents and Settings\{username}\Desktop\wbStego4.3open.exe Value Data: wbStego4.3open Registry Key: HKCU\Software\Nico Mak Computing\WinZip\filemenu Value Name: filemenuX Value Data: C:\Documents and Settings\{username}\My Documents\wbs43open-win32.zip Directory: C:\WINDOWS\Prefetch Files: WBSTEGO4.3OPEN.EXE-0004A6C2.pf Registry Key: HKCU\Software\Niko Mac Computing\WinZip\filemenu Value Name: filemenuX Value Data: C:\Documents and Settings\{username}\Desktop\wns210.zip Directory: 
C:\Documents and Settings\{username}\Desktop Files: WNOUTFIL.TXT WNSTEGO.PCX
Appendix B: Example Registry Key Look-up Code

/*
 * stegcheck - check for certain indicators
 * of steganography
 *
 * Simple program that takes 3 parallel arrays
 * of (hive, key, value) and performs a look up
 * and prints if they exist or not.
 *
 * To compile under cygwin:
 *   cc -mno-cygwin stegcheck.c -o stegcheck -ladvapi32 -lws2_32
 *
 * Copyright 2009, Frank Adelstein.
 * All rights reserved.
 *
 * Permission to use, copy, modify, and distribute
 * this software is hereby granted without fee,
 * provided that the copyright notice and permission
 * notice are not removed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <windows.h>

/*
 * The following are legal values for Steghives[]:
 *   HKEY_CLASSES_ROOT
 *   HKEY_CURRENT_CONFIG
 *   HKEY_CURRENT_USER
 *   HKEY_LOCAL_MACHINE
 *   HKEY_PERFORMANCE_DATA
 *   HKEY_PERFORMANCE_NLSTEXT
 *   HKEY_PERFORMANCE_TEXT
 *   HKEY_USERS
 */

/* array of registry hive names */
HKEY Steghives[] = {
    HKEY_LOCAL_MACHINE,
    HKEY_LOCAL_MACHINE,
    HKEY_CURRENT_USER,
    HKEY_CURRENT_USER,
    HKEY_CURRENT_USER,
    NULL
};

/* array of registry key names */
wchar_t *Stegkeys[] = {
    L"SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_FREEOTFECYPHERAES_LTC",
    L"SOFTWARE\\Classes\\Invisible Secrets 4\\Shell\\Open\\Command",
    L"Software\\S-Tools\\4.0",
    L"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    L"Software\\Wbailer\\wbStego",
    NULL
};

/* Array of values for keys; L"" for "(Default)" value */
wchar_t *Stegvals[] = {
    L"",
    L"",
    L"",
    L"ctfmon.exe",
    L"Version",
    NULL
};

/* prototype, since main() calls regGetValue() before its definition */
int regGetValue(const HKEY hive, const wchar_t *keyname,
                const wchar_t *valname, wchar_t **returnval,
                DWORD *returnlength);

/********/
/* main */
/********/
int main(int argc, char *argv[], char *envp[])
{
    wchar_t *value;
    DWORD length;
    int i, error;

    i = 0;
    while (Stegkeys[i] != NULL) {
        error = regGetValue(Steghives[i], Stegkeys[i], Stegvals[i],
                            &value, &length);
        if (error) {
            (void)fprintf(stdout, "Key [%ls] and value [%ls] not found\n",
                          Stegkeys[i],
                          (*Stegvals[i] == L'\0' ? L"(default)" : Stegvals[i]));
        } else {
            (void)fprintf(stdout,
                          "Found key [%ls] and value [%ls], data = [%ls]\n",
                          Stegkeys[i], Stegvals[i], value);
            free(value);            /* regGetValue() malloc()ed it */
        }
        i++;
    }
    exit(0);
}

/*
 * input:
 *   hive:    registry "hive" (type: HKEY)
 *   keyname: name of the key (type: wide string)
 *   valname: name of the value (type: wide string)
 *
 * output:
 *   returnval:    data of value of key
 *                 (type: pointer to wide string)
 *   returnlength: length of returnval in bytes
 *                 (type: pointer to DWORD)
 *
 * Note: regGetValue malloc()s space for the
 * string returned as returnval; the caller frees it.
 *
 * returns:
 *   0 on success
 *   -1 on error (key or value not found, or query failed)
 */
int regGetValue(const HKEY hive, const wchar_t *keyname,
                const wchar_t *valname, wchar_t **returnval,
                DWORD *returnlength)
{
    LONG rc1, rc2;
    HKEY key;
    DWORD valtype;
    void *data;

    /* open the key */
    rc1 = RegOpenKeyExW(hive, keyname, 0L, KEY_QUERY_VALUE, &key);
    if (rc1 != ERROR_SUCCESS) {
        return -1;                  /* key does not exist (or no access) */
    }

    /* first call gets how big the value is */
    rc2 = RegQueryValueExW(key, valname, NULL, &valtype, NULL, returnlength);
    if (rc2 != ERROR_SUCCESS) {
        RegCloseKey(key);
        return -1;                  /* key exists but the value does not */
    }

    /* the extra wchar_t guarantees NUL termination: the registry
     * does not promise that string data is terminated */
    data = calloc(*returnlength + sizeof(wchar_t), 1);
    if (data == NULL) {
        fprintf(stderr, "Can't malloc in regGetValue()!\n");
        exit(-1);
    }

    /* second call fetches the data itself */
    rc2 = RegQueryValueExW(key, valname, NULL, &valtype, data, returnlength);
    RegCloseKey(key);
    if (rc2 != ERROR_SUCCESS) {
        fprintf(stderr, "RegQueryValueExW() failed, rc = %ld.\n", rc2);
        free(data);
        return -1;
    }

    if (valtype == REG_EXPAND_SZ) {
        /* expand the environment variable if present */
        DWORD size;
        wchar_t *newdata;

        /* call it once with a NULL buffer to get the size of the
         * buffer we'll need (in characters, including the NUL) */
        size = ExpandEnvironmentStringsW(data, NULL, 0);
        if (size == 0) {
            fprintf(stderr, "ExpandEnvironmentStrings() returned 0\n");
        }
        /* allocate the new buffer */
        newdata = (wchar_t *)calloc(size + 1, sizeof(wchar_t));
        if (newdata == NULL) {
            fprintf(stderr, "Can't malloc for env variable in regGetValue()!\n");
            exit(-1);
        }
        /* second time actually expands the env variable */
        size = ExpandEnvironmentStringsW(data, newdata, size);
        if (size == 0) {
            fprintf(stderr, "ExpandEnvironmentStrings() returned 0\n");
        }
        free(data);
        data = newdata;
    } /* endif valtype == REG_EXPAND_SZ */

    /* hand the data string back to the caller */
    *returnval = (wchar_t *)data;
    return 0;
}
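As an added example (not code from the paper), the same look-up done offline in Python against a Regedit export and a Prefetch directory listing, which is how the check is typically run on an acquired image rather than on the live system through the Win32 API. The indicators are a subset of Table 3; the user name alice and the NOTEPAD prefetch entry in the sample input are constructed, and the .reg text is assumed to be a trimmed Regedit 5.00 export.

```python
import re
# Indicators transcribed from Table 3 (a subset).  kind "key": the key exists; "data": some
# value under the key holds this data; "name": some value name ends with this path suffix.
INDICATORS = [
    ("Invisible Secrets", "key", r"HKCU\Software\NeoByte Solutions\Invisible Secrets 4", ""),
    ("Invisible Secrets", "data", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList", "invsecr.exe"),
    ("Steghide", "name", r"HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache", r"\steghide.exe"),
    ("S-Tools", "key", r"HKCU\Software\S-Tools\4.0", ""),
]
PREFETCH = {"INVSECR.EXE": "Invisible Secrets", "STEGHIDE.EXE": "Steghide",  # from Table 3
            "S-TOOLS.EXE": "S-Tools", "WBSTEGO4.3OPEN.EXE": "wbStego", "SNOW.EXE": "Snow"}
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT"}

def parse_reg(text):
    # Regedit 5.00 export -> {key: {value name: data}}, keys and names lower-cased.
    reg, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg.setdefault(key, {})
        elif key and (m := re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].replace("\\\\", "\\")
            data = m.group(2)
            if data.startswith('"'):  # string data; dword:/hex: data is kept raw
                data = data[1:-1].replace("\\\\", "\\")
            reg[key][name.lower()] = data
    return reg

def scan(reg, prefetch_files):
    # Returns {tool: [evidence, ...]} for every indicator that matches.
    hits = {}
    for tool, kind, key, pat in INDICATORS:
        hive, _, rest = key.partition("\\")
        values = reg.get((HIVES.get(hive, hive) + "\\" + rest).lower())
        if values is not None and (kind == "key"
                or (kind == "data" and any(v.lower() == pat for v in values.values()))
                or (kind == "name" and any(n.endswith(pat.lower()) for n in values))):
            hits.setdefault(tool, []).append(key if kind == "key" else key + " -> " + pat)
    for pf in prefetch_files:  # S-TOOLS.EXE-1BA8DF44.pf -> S-TOOLS.EXE
        if tool := PREFETCH.get(pf.upper().rsplit("-", 1)[0]):
            hits.setdefault(tool, []).append(r"C:\WINDOWS\Prefetch" + "\\" + pf)
    return hits
# Constructed sample input: a trimmed .reg export and a Prefetch listing (NOTEPAD entry made up).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\S-Tools\4.0]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\OpenWithList]
"a"="invsecr.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\steghide.exe"="steghide"
"""
SAMPLE_PREFETCH = ["NOTEPAD.EXE-336351A9.pf", "S-TOOLS.EXE-1BA8DF44.pf"]
```

scan(parse_reg(SAMPLE_REG), SAMPLE_PREFETCH) reports Invisible Secrets, Steghide and S-Tools, the last one on both its registry key and its Prefetch file.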