The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content
1. Bill Fanelli
Principal Architect
Carlton Jeffcoat
VP
Allen Corporation of America
Cyber Security Technologies Division
The Message Within: Data Sheet
Extending DLP to target Steganography
3. Introduction
• Data Leakage greatly concerns certain industries
– High value intellectual property
• Pharmaceutical formulas
• Proprietary software algorithms
– Highly sensitive legal documents
• Data Loss Prevention (DLP) explicitly prevents the leakage of this data out of an organization.
– DLP monitors the movement of tagged files and data with keyword content.
– DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers.
4. How to use DLP in Steganography Detection
• DLP can monitor the movement of likely carrier files such as image and music files
– DLP will copy these files to a forensic archive
– Other tools can then scan these files for the presence of hidden data
• This presentation will:
– Describe these forensic procedures
– Detail an implementation of the required workflow
5. Definition
• Steganography
– Hiding the existence of the message
• Vs. Cryptography
– Obscures the meaning of a message
– Does not conceal the fact that there is a message
• Steganalysis
– Detecting the presence of messages hidden using steganography
• Legitimate uses of steganography
– Digital Watermarking
6. Steganography - Ancient Methods
Wax Tablets
• Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece.
• To get word to Sparta, he scraped the wax off writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.
• The tablet was passed by the sentries without raising any suspicion.
7. Steganography - Modern Methods
Null Cipher Messages
• The German Embassy in Washington, DC, sent these messages during World War I
– Apparently neutral’s protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suets and vegetable oils
• Decoding the message by extracting the second letter from each word reveals the actual message
– PERSHING SAILS FROM N.Y. JUNE 1
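As an added worked example (not part of the original presentation), the second-letter reading described on this slide, run over the telegram text as transcribed above. The helper names are this example's own; the trailing I in the result is the Roman numeral 1 of "June 1". The `candidate_readings` helper goes slightly beyond the slide by trying several fixed positions, which is how an analyst who does not yet know the selection rule of a suspected null cipher would proceed.

```python
"""Null cipher reading: recover the hidden message from the German Embassy
telegram on the slide by taking the second letter of every word.
Added example, not from the original presentation; the telegram text is
transcribed from the slide and the helper names are this example's own."""

# Telegram text as transcribed from the slide (constructed punctuation/spacing).
TELEGRAM = (
    "Apparently neutral's protest is thoroughly discounted and ignored. "
    "Isman hard hit. Blockade issue affects pretext for embargo on "
    "by-products, ejecting suets and vegetable oils."
)


def nth_letter_message(text: str, n: int) -> str:
    """Concatenate the n-th character (1-based) of every whitespace-separated
    word; words shorter than n contribute nothing. Result is upper-cased."""
    return "".join(w[n - 1] for w in text.split() if len(w) >= n).upper()


def candidate_readings(text: str, max_n: int = 4) -> dict:
    """Try each fixed position 1..max_n. Only one position yields a reading
    that looks like language; the others read as noise."""
    return {n: nth_letter_message(text, n) for n in range(1, max_n + 1)}


if __name__ == "__main__":
    for n, reading in candidate_readings(TELEGRAM).items():
        print(f"position {n}: {reading}")
```

Position 2 yields PERSHINGSAILSFROMNYJUNEI, matching the slide's decoded message; position 1 and the others produce letter soup, which is the contrast a reviewer uses to confirm the selection rule.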
8. Technical Steganography
• Uses scientific methods to hide a message, such as the use of invisible ink or microdots
• In 1941 the FBI discovered a Micro Dot carried on a letter from a suspected agent
– Micro Dot production
• Create a postage stamp sized secret message
• Reduce this in size using a reverse microscope producing an image .05 inches in diameter
– The dot was pressed onto a piece of paper using a hypodermic needle in place of a period
[Image: Mark IV microdot camera]
9. Simple Example
Once upon a our poets eve
With darkened sky’s and fallen leaves
The raven came to call outside the door
Time it said always flows through your life
and through the throws,
running faster ever than before
And if you wish to beat the game,
to live a life of wealth and fame
then try to follow me forever more
For here within the words it said
Like a dream within your head
A secret waits to lead you out the door
Within a code that Bacon knew
In letters just a bit askew
The raven whispers secrets evermore!
13. Concerns to Business
• Data loss
– Covert transmission of corporate IP
• Pharmaceutical formulas
• Proprietary software algorithms
– Highly sensitive legal documents
• Hiding illicit activity
– Non-job related activity that potentially puts the organization at risk
• Gambling
• Pornography
• Credit card fraud
• Terrorism
14. How big is the problem?
[Bar chart: Steganography Programs in the Wild, 2001 through Today, rising to 505 today]
According to WetStone’s Chief Scientist Chet Hosmer
• Where to find them
– Neil Johnson’s Steganography and Digital Watermarking web site
• http://www.jjtc.com/Steganography/toolmatrix.htm
– StegoArchive.com
– Neil Johnson’s Steganalysis web site
• http://www.jjtc.com/Steganalysis/
15. Steganalysis Tools
• For our discussions, we will reference the following steganalysis and malware detection tools from Allen Corporation’s WetStone Technologies
– Stego Suite
– Gargoyle
– Live Wire Investigator
16. Stego Suite
• Stego Watch
– Scan a file system and flag suspected files
– Derived from WetStone’s Steganography and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory
– Exposes an API for researchers and developers that allows for new research and steganography detectors
• Stego Analyst
– Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files
• Stego Break
– Obtain the pass phrase that has been used
• Gargoyle
– Hostile program detector with steganography dataset
– Malware tool discovery over the network
– Targeted at computers where suspect files originated
17. Known Methods of Steganography
• Covert Channels
• Color Palette Modification
• 24-Bit LSB Encoding
• Encoding Algorithm Modification
• Word Substitution
• Formatting Modification
• Data Appending
18. Least Significant Bit Encoding
• This is the most common steganographic method used with audio and image files
• Used to overwrite
– Legitimate RGB color codings or palette pointers in GIF and BMP files
– Coefficients in JPEG files
– Pulse Code Modulation in WAV files
[Figure: LSB substitution on the individual colors of one pixel, before and after, and the combined color before and after. Before values shown: RED 1 0 1 1 0 1 0 0, GREEN 1 1 0 0 0 1 1 1, BLUE 1 1 1 0 0 0 0 0]
22. Implementation – Policy & Procedure
• Use of these capabilities is driven by risk assessment and Acceptable Use Policy
– High risk
• E.G., Government Classified, Corporate Legal, Research Lab
• Policy – Not Allowed
• Technical Action – Block, Archive, Examine Content, Scan Source Computer
• Personnel Action – Possible Termination
– Medium Risk
• E.G., Human Resources, Contracts, Software Development
• Policy – Not Allowed
• Technical Action – Log, Archive, Spot Investigations
• Personnel Action – Possible Termination
23. Implementation - Technology
• DLP
– Detect movement of potential carriers
– Copy to DLP archive
• Steganography scan
– Stego Suite
– Examine files for potential covert content
• Malware tools scan
– Gargoyle
– Scan source workstations
• Live Investigator
– Consolidate findings into forensic documentation package
24. DLP Configuration
• Technology implementation should always be
derived from security policies and procedures
• Classified environment
– Block and archive everything
• Pharmaceutical company
– Research area
• Block and archive
– Legal department
• Log and archive
– All other areas
• Log only
25. DLP Architecture
[Diagram: Policy set in ePO server to archive evidence files → Policy on endpoints captures evidence files → Evidence files collected in archive for steganalysis]
26. Steganography Scan Configuration
• Scan image files in evidence archive
– Identify images as possible Steganography carriers
• Identify workstations where images originated
– Scan workstations for steganography tools
– Possibly scan for other malware tools
• Initiate personnel actions, as necessary
– Capture evidence as part of forensic investigation
• Continue digital investigation
– Examine suspect files
– Attempt to extract payload
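As an added example (not McAfee DLP or WetStone code), the first two steps of this scan configuration: selecting likely carriers from the evidence archive by file signature, and grouping them by originating workstation so the workstation scan for steganography tools can be prioritised. The evidence records, hostnames, user names and file headers are constructed for the example; in practice the files would be read from the DLP archive and the source host taken from the DLP incident metadata.

```python
"""Triage of a DLP evidence archive for likely steganography carriers.
Added example (not McAfee DLP or WetStone code). The evidence records,
hostnames and file headers below are constructed; a real archive would be
read from disk and the source host taken from DLP incident metadata."""
from collections import defaultdict


def carrier_type(header: bytes):
    """Return the format name for a file header if it is one of the carrier
    formats the slides name (JPEG, GIF, BMP, PNG images; WAV audio), else None.
    Signatures are the standard magic bytes of each format."""
    if header.startswith(b"\xff\xd8\xff"):
        return "JPEG"
    if header.startswith((b"GIF87a", b"GIF89a")):
        return "GIF"
    if header.startswith(b"BM"):
        return "BMP"
    if header.startswith(b"\x89PNG\r\n\x1a\n"):
        return "PNG"
    if header[:4] == b"RIFF" and header[8:12] == b"WAVE":
        return "WAV"
    return None


# Constructed evidence records, shaped like a DLP archive export:
# file name, originating workstation, user, and the file's leading bytes.
EVIDENCE = [
    {"file": "q3_results.docx", "host": "WS-ACCT-07", "user": "jdoe",
     "header": b"PK\x03\x04"},
    {"file": "team_photo.jpg", "host": "WS-RND-12", "user": "asmith",
     "header": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
    {"file": "logo.gif", "host": "WS-RND-12", "user": "asmith",
     "header": b"GIF89a"},
    {"file": "memo.pdf", "host": "WS-LEGAL-03", "user": "kwong",
     "header": b"%PDF-1.4"},
    {"file": "track01.wav", "host": "WS-HR-21", "user": "mlee",
     "header": b"RIFF\x24\x08\x00\x00WAVEfmt "},
    {"file": "diagram.png", "host": "WS-RND-12", "user": "asmith",
     "header": b"\x89PNG\r\n\x1a\n"},
]


def select_carriers(records):
    """Step 1 of the slide: keep only files whose signature marks them as a
    possible steganography carrier, tagging each with its format. Files are
    judged by content, not by extension, so a renamed image is still caught."""
    out = []
    for rec in records:
        fmt = carrier_type(rec["header"])
        if fmt is not None:
            out.append({**rec, "format": fmt})
    return out


def workstations_by_carrier_count(carriers):
    """Step 2: group carriers by originating workstation and order hosts so
    the one that produced the most carriers is scanned for stego tools first.
    Returns a list of (host, [file names]) pairs."""
    per_host = defaultdict(list)
    for rec in carriers:
        per_host[rec["host"]].append(rec["file"])
    return sorted(per_host.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def scan_plan(records):
    """Ordered (host, carrier files) list for the workstation scan."""
    return workstations_by_carrier_count(select_carriers(records))


if __name__ == "__main__":
    for host, files in scan_plan(EVIDENCE):
        print(f"{host}: {len(files)} carrier(s) -> {', '.join(files)}")
```

Classifying by leading bytes rather than extension matters here because the DLP archive copies whatever the endpoint policy captured; the later per-file steganalysis (Stego Suite in the slide) then runs only on the selected carriers.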
27. Steganography Scan Architecture
[Diagram: Scan image files in evidence archive → Scan workstations for malware tools → Capture evidence as part of forensic investigation]
30. Future – Stego Stomping
• Server-level technology to filter outgoing e-mail
• Modify all files to corrupt potential payload but leave carrier essentially intact
– Essentially apply a randomized stego payload to every outgoing image
• Proven for JPG formats
– Other formats in development
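As an added example for slides 18 and 30 (not WetStone or McAfee code), the following shows LSB substitution on the slide-18 pixel values, the LSB-plane statistic a steganalysis scanner can examine, and the slide-30 stomping idea of re-randomising every least significant bit of an outgoing image so that an embedded payload no longer extracts while each sample changes by at most one unit. The carrier, payload and helper names are all constructed for this example; the slide's JPG implementation is not reproduced (per slide 18, JPEG payloads live in the coefficients rather than in raw samples).

```python
"""LSB substitution on 8-bit color samples, the LSB-plane statistic a
steganalysis scanner can look at, and 'stego stomping' (re-randomising the
LSB plane of outgoing images). Added example, not WetStone/McAfee code;
all sample values are constructed."""
import random


def bits_msb_first(data: bytes):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed_bits(samples, bits):
    """Overwrite the LSB of successive samples with the given bits.
    Samples beyond the payload are left untouched."""
    out = list(samples)
    for i, bit in enumerate(bits):
        if i >= len(out):
            raise ValueError("payload does not fit in carrier")
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out


def lsb_embed(samples, payload: bytes):
    """Embed a byte payload, MSB first, one bit per sample."""
    return lsb_embed_bits(samples, bits_msb_first(payload))


def lsb_extract(samples, n_bytes: int) -> bytes:
    """Read n_bytes back out of the LSB plane (inverse of lsb_embed)."""
    bits = [s & 1 for s in samples[: n_bytes * 8]]
    return bytes(
        int("".join(str(b) for b in bits[i:i + 8]), 2)
        for i in range(0, n_bytes * 8, 8)
    )


def lsb_ones_ratio(samples) -> float:
    """Fraction of samples whose LSB is 1. Smooth natural data is often
    skewed; a full random payload pushes the LSB plane towards 0.5, which is
    one of the anomalies a blind steganalysis scanner looks for."""
    return sum(s & 1 for s in samples) / len(samples)


def stomp_lsb(samples, rng):
    """Stego stomping: overwrite every LSB with a random bit. Each sample
    moves by at most 1, so the carrier survives, but any LSB payload is lost."""
    return [(s & 0xFE) | rng.getrandbits(1) for s in samples]


# The pixel from slide 18's table: RED 10110100, GREEN 11000111, BLUE 11100000.
SLIDE_PIXEL = [0b10110100, 0b11000111, 0b11100000]


def slide_pixel_after(bits=(1, 0, 1)):
    """Embed three payload bits into the slide's pixel; returns the 'After' values."""
    return lsb_embed_bits(SLIDE_PIXEL, bits)


def make_carrier(n=8000, seed=1):
    """Constructed carrier: samples whose LSB is 1 only about 20% of the time,
    standing in for the skew real image data often shows."""
    rng = random.Random(seed)
    return [(rng.randrange(256) & 0xFE) | (1 if rng.random() < 0.2 else 0)
            for _ in range(n)]


def demo(seed=1):
    """Embed a random payload, measure the LSB plane before and after,
    then stomp the stego image and show the payload no longer extracts."""
    rng = random.Random(seed)
    carrier = make_carrier()
    payload = bytes(rng.getrandbits(8) for _ in range(len(carrier) // 8))
    stego = lsb_embed(carrier, payload)
    stomped = stomp_lsb(stego, rng)
    return {
        "carrier_ratio": lsb_ones_ratio(carrier),
        "stego_ratio": lsb_ones_ratio(stego),
        "recovered_ok": lsb_extract(stego, len(payload)) == payload,
        "recovered_after_stomp_ok": lsb_extract(stomped, len(payload)) == payload,
        "max_sample_change": max(abs(a - b) for a, b in zip(stego, stomped)),
    }


if __name__ == "__main__":
    print("slide pixel after embedding 1,0,1:", [f"{v:08b}" for v in slide_pixel_after()])
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ones-ratio is deliberately the crudest statistic; production scanners such as the suite on slide 16 use richer tests (DCT histograms, close color pairs), but the before/after shift is the same signal. Stomping works on the same plane the payload uses, which is why the change to the visible image is bounded by one unit per sample.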
31. Want to Learn More?
• Classes
– Steganography Investigator Training
• November 11 - 12, 2008 - Fairfax, VA
• December 10 - 11, 2008 - Online
– Live Investigator Training
• October 24 - 25, 2008 - Gaithersburg, MD
– Hacking BootCamp for Investigators
• October 23 - 25, 2008 - Gaithersburg, MD
• November 18 - 21, 2008 - Vancouver, BC
• December 16 - 18, 2008 - Houston, TX
32. Contact Us
Corporate Headquarters:
Allen Corporation of America Inc.
10400 Eaton Place, Suite 450
Fairfax, VA 22030
(866) HQ - ALLEN
(866) 472-5536
Bill Fanelli
571-321-1648 - bfanelli@allencorp.com
Carlton Jeffcoat
571-321-1641 - cjeffcoat@allencorp.com
www.AllenCorp.com
www.WetStoneTech.com
A wholly owned subsidiary of Allen Corporation
33. Stego Suite™
Digital Investigation Products
Discovering The Hidden
Stego Hunter™ Stego Watch™ Stego Analyst™ Stego Break™
Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence
Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.
Key Features:
▫ Rapid identification of known steganography programs
▫ Flag suspicious files through blind anomaly-based approach
▫ State-of-the-art image and audio analyzer
▫ Crack and extract payloads from carrier files
▫ Court ready investigator reports
▫ Scan audio files, JPG, BMP, GIF, PNG and more
System Recommendations:
▫ Microsoft Windows® 98
▫ 100 MB free disk space
▫ 512 MB RAM
▫ Pentium® III 1GHz processor
License:
▫ Single user license allows for installation of entire suite
▫ Site licenses are available upon request
Free software maintenance for one year from the date of purchase!
Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
1-877-WETSTONE · www.wetstonetech.com
Copyright 2005-2008 WetStone Technologies All Rights Reserved
34. Gargoyle Investigator™
Digital Investigation Products
Enterprise Module
Enterprise Malware Investigation
Internal Investigation · Incident Response · Enterprise Reporting
Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks, the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target’s activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.
Key Features:
▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
▫ Dataset Creator™ - create and build your own categories for detection
▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
▫ Timestamped enterprise discovery reports for each target suspected
System Recommendations:
▫ Microsoft Windows® 2000
▫ 230 MB free disk space
▫ 1 GB RAM
▫ Pentium® III 1GHz processor
▫ Gargoyle Investigator™ Forensic Pro
License:
▫ Enterprise license with 10 scan option, additional scans of 25, 50 and 100 are available
Free software maintenance for one year from the date of purchase!
35. LiveWire Investigator™
Digital Investigation Products
On Demand Digital Investigation
Live Forensics · Remote Malware Detection · eCrime · eDiscovery
LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.
Key Features:
▫ Live forensic discovery and triage of 25 or more “Live” target systems simultaneously
▫ File system blueprinting
▫ Remote screenshots
▫ Live drive and device captures
▫ Physical and virtual memory imaging
▫ Integrated enterprise malware detection
▫ Automated timestamped audit trail
*Companion product LiveDiscover™
System Recommendations:
▫ Microsoft Windows® 2000 or higher
▫ 100 MB free disk space
▫ 128 MB RAM
▫ Pentium® III 1GHz processor
License:
▫ Single user license with the option to add up to 50 and 100 simultaneous scans
▫ Site licenses are available upon request
Free software maintenance for one year from the date of purchase!