Bill Fanelli
Principal Architect
Carlton Jeffcoat
VP
Allen Corporation of America
Cyber Security Technologies Division



The Message Within: Data Sheet
Extending DLP to target Steganography

Discovering Critical Evidence
- hidden in plain sight -
Introduction

• Data Leakage greatly concerns certain industries
  – High value intellectual property
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents
• Data Loss Prevention (DLP) explicitly prevents the leakage of this data out of an organization.
  – DLP monitors the movement of tagged files and data with keyword content.
  – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers.

How to use DLP in Steganography Detection

• DLP can monitor the movement of likely carrier files such as image and music files
  – DLP will copy these files to a forensic archive
  – Other tools can then scan these files for the presence of hidden data
• This presentation will:
  – Describe these forensic procedures
  – Detail an implementation of the required workflow

Definition

• Steganography
  – Hiding the existence of the message
• Vs. Cryptography
  – Obscures the meaning of a message
  – Does not conceal the fact that there is a message
• Steganalysis
  – Detecting the presence of messages hidden using steganography
• Legitimate uses of steganography
  – Digital Watermarking

Steganography - Ancient Methods
Wax Tablets

• Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece.
• To get word to Sparta, he scraped the wax off writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.
• The tablet was passed by the sentries without raising any suspicion.

Steganography - Modern Methods
Null Cipher Messages

• The German Embassy in Washington, DC, sent these messages during World War I
  – Apparently neutral’s protest is thoroughly discounted and ignored Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils
• Decoding the message by extracting the second letter from each word reveals the actual message
  – PERSHING SAILS FROM N.Y. JUNE 1

Technical Steganography

• Uses scientific methods to hide a message, such as the use of invisible ink or microdots
• In 1941 the FBI discovered a Micro Dot carried on a letter from a suspected agent
  – Micro Dot production
    • Create a postage stamp sized secret message
    • Reduce this in size using a reverse microscope producing an image .05 inches in diameter
  – The dot was pressed onto a piece of paper using a hypodermic needle in place of a period
  (Image: Mark IV microdot camera)

Simple Example

Once upon a our poets eve
With darkened sky’s and fallen leaves
The raven came to call outside the door
Time it said always flows through your life
and through the throws,
running faster ever than before
And if you wish to beat the game,
to live a life of wealth and fame,
then try to follow me forever more
For here within the words it said
Like a dream within your head
A secret waits to lead you out the door
Within a code that Bacon knew
In letters just a bit askew
The raven whispers secrets evermore!

Concerns to Business

• Data loss
  – Covert transmission of corporate IP
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents
• Hiding illicit activity
  – Non-job related activity that potentially puts the organization at risk
    • Gambling
    • Pornography
    • Credit card fraud
    • Terrorism

How big is the problem?

(Chart: "Steganography Programs in the Wild", count by year from 2001 to Today on a 0 to 600 scale, the highest bar labelled 505; according to WetStone’s Chief Scientist Chet Hosmer)

• Where to find them
  – Neil Johnson’s Steganography and Digital Watermarking web site
    • http://www.jjtc.com/Steganography/toolmatrix.htm
  – StegoArchive.com
  – Neil Johnson’s Steganalysis web site
    • http://www.jjtc.com/Steganalysis/

Steganalysis Tools

• For our discussions, we will reference the following steganalysis and malware detection tools from Allen Corporation’s WetStone Technologies
  – Stego Suite
  – Gargoyle
  – Live Wire Investigator

Steganalysis Tools (continued)

  – Stego Suite
    • Stego Watch
      – Scan a file system and flag suspected files
      – Derived from WetStone’s Steganography and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory
      – Exposes an API for researchers and developers that allows for new research and steganography detectors
    • Stego Analyst
      – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files
    • Stego Break
      – Obtain the pass phrase that has been used
  – Gargoyle
    • Hostile program detector with steganography dataset
      – Malware tool discovery over the network
      – Targeted at computers where suspect files originated

Known Methods of Steganography

(Diagram of known methods)
• Covert Channels
• 24-Bit LSB Encoding
• Color Palette Modification
• Encoding Algorithm Modification
• Word Substitution
• Formatting Modification
• Data Appending

Least Significant Bit Encoding

• This is the most common steganographic method used with audio and image files
• Used to overwrite
  – Legitimate RGB color codings or palette pointers in GIF and BMP files
  – Coefficients in JPEG files
  – Pulse Code Modulation in WAV files

(Figure: LSB Substitution, showing each individual color before and after substitution and the combined color before and after; only the "Before" bit values survive in this text)
  RED   1 0 1 1 0 1 0 0
  GREEN 1 1 0 0 0 1 1 1
  BLUE  1 1 1 0 0 0 0 0

Adding a Payload to a Carrier

Steganalysis

Image Filtering

Implementation – Policy & Procedure

• Use of these capabilities is driven by risk assessment and Acceptable Use Policy
  – High risk
    • E.G., Government Classified, Corporate Legal, Research Lab
    • Policy – Not Allowed
    • Technical Action – Block, Archive, Examine Content, Scan Source Computer
    • Personnel Action – Possible Termination
  – Medium Risk
    • E.G., Human Resources, Contracts, Software Development
    • Policy – Not Allowed
    • Technical Action – Log, Archive, Spot Investigations
    • Personnel Action – Possible Termination

Implementation - Technology

• DLP
  – Detect movement of potential carriers
  – Copy to DLP archive
• Steganography scan
  – Stego Suite
  – Examine files for potential covert content
• Malware tools scan
  – Gargoyle
  – Scan source workstations
• Live Investigator
  – Consolidate findings into forensic documentation package

DLP Configuration

• Technology implementation should always be derived from security policies and procedures
• Classified environment
  – Block and archive everything
• Pharmaceutical company
  – Research area
    • Block and archive
  – Legal department
    • Log and archive
  – All other areas
    • Log only

DLP Architecture

(Diagram)
• Policy set in ePO server to archive evidence files
• Policy on endpoints captures evidence files
• Evidence files collected in archive for steganalysis

Steganography Scan Configuration

• Scan image files in evidence archive
  – Identify images as possible Steganography carriers
• Identify workstations where images originated
  – Scan workstations for steganography tools
  – Possibly scan for other malware tools
• Initiate personnel actions, as necessary
  – Capture evidence as part of forensic investigation
• Continue digital investigation
  – Examine suspect files
  – Attempt to extract payload

Steganography Scan Architecture

(Diagram)
• Scan image files in evidence archive
• Scan workstations for malware tools
• Capture evidence as part of forensic investigation

Evidence Archive Scan

Suspect Workstation Scan

Future – Stego Stomping

• Server-level technology to filter outgoing e-mail
• Modify all files to corrupt potential payload but leave carrier essentially intact
  – Essentially apply a randomized stego payload to every outgoing image
• Proven for JPG formats
  – Other formats in development

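The LSB substitution from the Least Significant Bit Encoding slide, the steganalysis step, and the Stego Stomping idea above, worked through in one added Python example (written for this edit; it is not code from the presentation or from WetStone's products). It operates on an in-memory list of RGB tuples standing in for a raw BMP-style image; the gradient carrier and the "leaked formula" payload are constructed, and the pairs-of-values chi-square statistic is a textbook LSB steganalysis test, not the method used by Stego Watch.

```python
"""LSB steganography on a raw RGB carrier: embed and extract a payload,
flag it with a pairs-of-values chi-square test, and "stego stomp" the
carrier so the payload is destroyed while no channel value moves by more
than 1 (visually indistinguishable)."""
import random
from typing import Iterator, List, Tuple

Pixel = Tuple[int, int, int]  # 8-bit R, G, B

# Constructed sample payload standing in for leaked IP (not from the deck).
SAMPLE_PAYLOAD = b"Formula X-17: 3 parts A, 2 parts B, cure at 140 C. " * 24


def make_carrier(width: int, height: int) -> List[Pixel]:
    """Constructed smooth-gradient carrier. Every channel value is even, so
    the clean image has maximally skewed (2k, 2k+1) value pairs."""
    return [((2 * x) % 256, (2 * y) % 256, (2 * (x + y)) % 256)
            for y in range(height) for x in range(width)]


def _bits(data: bytes) -> Iterator[int]:
    for byte in data:  # most significant bit first
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Overwrite the LSB of R, G, B in turn with payload bits. A 2-byte
    big-endian length prefix tells the extractor where the payload ends."""
    framed = len(payload).to_bytes(2, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("payload too large for this carrier")
    bits = _bits(framed)
    out: List[Pixel] = []
    for px in pixels:
        ch = list(px)
        for i in range(3):
            bit = next(bits, None)
            if bit is None:
                break  # payload exhausted: remaining pixels stay untouched
            ch[i] = (ch[i] & 0xFE) | bit
        out.append((ch[0], ch[1], ch[2]))
    return out


def extract_lsb(pixels: List[Pixel]) -> bytes:
    """Reassemble bytes from the LSB plane, reading the length prefix first."""
    lsbs = [c & 1 for px in pixels for c in px]

    def byte_at(i: int) -> int:
        value = 0
        for b in lsbs[8 * i:8 * i + 8]:
            value = (value << 1) | b
        return value

    length = (byte_at(0) << 8) | byte_at(1)
    length = min(length, len(lsbs) // 8 - 2)  # never read past the image
    return bytes(byte_at(2 + i) for i in range(length))


def chi_square_pov(pixels: List[Pixel]) -> float:
    """Pairs-of-values chi-square statistic over all channel values. LSB
    embedding drives the counts of each pair (2k, 2k+1) toward equality,
    so a stego image scores LOWER than the same image before embedding."""
    counts = [0] * 256
    for px in pixels:
        for c in px:
            counts[c] += 1
    stat = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            stat += (even - expected) ** 2 / expected
    return stat


def stego_stomp(pixels: List[Pixel], seed: int = 1234) -> List[Pixel]:
    """Defensive stego stomping: overwrite every LSB with a random bit. Any
    LSB payload is destroyed; the carrier changes by at most 1 per channel."""
    rng = random.Random(seed)
    return [((r & 0xFE) | rng.getrandbits(1), (g & 0xFE) | rng.getrandbits(1),
             (b & 0xFE) | rng.getrandbits(1)) for r, g, b in pixels]


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """Largest per-channel difference between two equally sized images."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    carrier = make_carrier(64, 64)
    stego = embed_lsb(carrier, SAMPLE_PAYLOAD)
    print("payload recovered:", extract_lsb(stego) == SAMPLE_PAYLOAD)
    print("max channel change:", max_channel_delta(carrier, stego))
    print("chi2 clean / stego:", chi_square_pov(carrier), chi_square_pov(stego))
    print("survives stomp:", extract_lsb(stego_stomp(stego)) == SAMPLE_PAYLOAD)
```

The chi-square drop is the signal a scanner keys on; stomping at the mail gateway makes the carrier useless without a visible change, which is the trade-off the slide describes.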
Want to Learn More?

• Classes
  – Steganography Investigator Training
    • November 11 - 12, 2008 - Fairfax, VA
    • December 10 - 11, 2008 - Online
  – Live Investigator Training
    • October 24 - 25, 2008 - Gaithersburg, MD
  – Hacking BootCamp for Investigators
    • October 23 - 25, 2008 - Gaithersburg, MD
    • November 18 - 21, 2008 - Vancouver, BC
    • December 16 - 18, 2008 - Houston, TX

Contact Us

Corporate Headquarters:
Allen Corporation of America Inc.
10400 Eaton Place, Suite 450
Fairfax, VA 22030
(866) HQ - ALLEN
(866) 472-5536

Bill Fanelli
571-321-1648 - bfanelli@allencorp.com
Carlton Jeffcoat
571-321-1641 - cjeffcoat@allencorp.com

www.AllenCorp.com
www.WetStoneTech.com
A wholly owned subsidiary of Allen Corporation

Stego Suite™ (Digital Investigation Products data sheet)
Discovering The Hidden

Stego Hunter™ · Stego Watch™ · Stego Analyst™ · Stego Break™
Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence

Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.

Key Features:
▫ Rapid identification of known steganography programs
▫ Flag suspicious files through blind anomaly-based approach
▫ State-of-the-art image and audio analyzer
▫ Crack and extract payloads from carrier files
▫ Court ready investigator reports
▫ Scan audio files, JPG, BMP, GIF, PNG and more

System Recommendations:
▫ Microsoft Windows® 98
▫ 100 MB free disk space
▫ 512 MB RAM
▫ Pentium® III 1GHz processor

License:
▫ Single user license allows for installation of entire suite
▫ Site licenses are available upon request

Free software maintenance for one year from the date of purchase!

Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
1-877-WETSTONE · www.wetstonetech.com
Copyright 2005-2008 WetStone Technologies All Rights Reserved

Gargoyle Investigator™ (Digital Investigation Products data sheet)
Enterprise Module
Enterprise Malware Investigation

Internal Investigation · Incident Response · Enterprise Reporting

Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks, the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target's activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.

Key Features:
▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
▫ Dataset Creator™ - create and build your own categories for detection
▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
▫ Timestamped enterprise discovery reports for each target suspected

System Recommendations:
▫ Microsoft Windows® 2000
▫ 230 MB free disk space
▫ 1 GB RAM
▫ Pentium® III 1GHz processor
▫ Gargoyle Investigator™ Forensic Pro

License:
▫ Enterprise license with 10 scan option, additional scans of 25, 50 and 100 are available

Free software maintenance for one year from the date of purchase!

LiveWire Investigator™ (Digital Investigation Products data sheet)
On Demand Digital Investigation

Live Forensics · Remote Malware Detection · eCrime · eDiscovery

LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.

Key Features:
▫ Live forensic discovery and triage of 25 or more “Live” target systems simultaneously
▫ File system blueprinting
▫ Remote screenshots
▫ Live drive and device captures
▫ Physical and virtual memory imaging
▫ Integrated enterprise malware detection
▫ Automated timestamped audit trail

System Recommendations:
▫ Microsoft Windows® 2000 or higher
▫ 100 MB free disk space
▫ 128 MB RAM
▫ Pentium® III 1GHz processor

License:
▫ Single user license with the option to add up to 50 and 100 simultaneous scans
▫ Site licenses are available upon request
                                   *Companion product LiveDiscover™

                                                                Free software maintenance for one year from the date of purchase!




                                                Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850
                                                                         1-877-WETSTONE · www.wetstonetech.com
                                                                                Copyright 2005-2008 WetStone Technologies All Rights Reserved

The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content
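The deck's Least Significant Bit Encoding slide shows a payload bit replacing the low bit of each colour sample, and the Definition slide describes steganalysis as detecting that a hidden message is present at all. The Python below is an added example, not code from the presentation and not WetStone's Stego Suite: it implements LSB substitution on a constructed sample stream and then runs the chi-square pairs-of-values steganalysis test over it. The carrier data, the seeds, the 4096-sample window and the 2.0 reduced chi-square threshold are all constructed assumptions; the short payload reuses the null-cipher text from the deck's World War I slide. It also shows the test's known blind spot: a short payload that only touches the first few hundred samples leaves the window statistics unchanged, which is one reason the Stego Suite data sheet lists several complementary detectors (blind anomaly scoring, DCT coefficient histograms, close colour pairs) rather than a single test.

```python
import random

# --- LSB substitution (the method the deck's slide 18 describes) -----------------

def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Overwrite the least significant bit of successive carrier bytes
    (e.g. RGB samples) with the payload's bits, most significant bit first."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(carrier):
        raise ValueError("payload does not fit in carrier")
    stego = bytearray(carrier)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # keep the 7 high bits, replace the LSB
    return bytes(stego)


def extract_lsb(stego: bytes, nbytes: int) -> bytes:
    """Recover nbytes of payload by reading the LSB of the first nbytes*8 samples."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for j in range(8):
            value = (value << 1) | (stego[i * 8 + j] & 1)
        out.append(value)
    return bytes(out)

# --- Steganalysis: chi-square pairs-of-values test --------------------------------

def chi_square_pov(samples: bytes):
    """Westfeld/Pfitzmann pairs-of-values test.  LSB substitution can only move a
    sample between 2k and 2k+1, so a randomised payload drives the two counts of
    each pair toward equality.  Returns (chi2, degrees_of_freedom); a reduced
    chi-square (chi2/dof) near 1.0 means the LSB plane looks random."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total == 0:          # value pair unused in this carrier: no information
            continue
        chi2 += (even - odd) ** 2 / total   # equals sum((obs-exp)^2/exp) with exp=total/2
        dof += 1
    return chi2, dof


def lsb_suspicion(samples: bytes, window: int = 4096, threshold: float = 2.0) -> float:
    """Scan fixed-size windows and report the fraction whose reduced chi-square falls
    below `threshold`, i.e. whose LSB plane is statistically indistinguishable from
    random.  0.0 = no window flagged, 1.0 = every window flagged (assumed settings)."""
    flagged = windows = 0
    for start in range(0, len(samples) - window + 1, window):
        chi2, dof = chi_square_pov(samples[start:start + window])
        if dof == 0:
            continue
        windows += 1
        if chi2 / dof < threshold:
            flagged += 1
    return flagged / windows if windows else 0.0

# --- Constructed sample data (not a real image) -----------------------------------

def make_carrier(n: int = 30000, seed: int = 1234) -> bytes:
    """Simulated 100x100 RGB sample stream.  Real sensors and codecs leave uneven
    even/odd histograms; here that is modelled as a bias toward even values."""
    rng = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        value = max(0, min(255, int(rng.gauss(128, 40))))
        if rng.random() < 0.7:
            value &= 0xFE
        out.append(value)
    return bytes(out)


def run_demo() -> dict:
    carrier = make_carrier()
    # Short plaintext payload: touches only the first 248 samples.
    note = b"PERSHING SAILS FROM N.Y. JUNE 1"        # null-cipher text from the deck
    short_stego = embed_lsb(carrier, note)
    # Full-capacity payload that already looks random (as an encrypted or
    # compressed payload would): one bit per sample.
    rng = random.Random(99)
    bulk = bytes(rng.getrandbits(8) for _ in range(len(carrier) // 8))
    full_stego = embed_lsb(carrier, bulk)
    return {
        "round_trip_ok": extract_lsb(short_stego, len(note)) == note,
        "clean_suspicion": lsb_suspicion(carrier),
        "short_payload_suspicion": lsb_suspicion(short_stego),
        "full_payload_suspicion": lsb_suspicion(full_stego),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script it prints the four results: the clean carrier and the carrier with the 31-byte note both score 0.0 (no window flagged), while the fully loaded carrier scores 1.0 (every window's LSB plane looks random). The threshold is a rule of thumb for this constructed data; on real images a smooth histogram can also yield a reduced chi-square near 1, so a scanner in a DLP workflow should treat this as one signal to be corroborated, not a verdict.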

  • 1. Bill Fanelli Principal Architect Carlton Jeffcoat VP Allen Corporation of America Cyber Security Technologies Division The Message Within: Data Sheet g Extending DLP to target Steganography
  • 2. Steganography Discovering Critical Evidence - hidden in plain sight -
  • 3. Introduction • Data Leakage greatly concerns certain industries – High value intellectual property • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Data Loss Prevention (DLP) explicitly prevents the l k th leakage of this data out of an organization. f thi d t t f i ti – DLP monitors the movement of tagged files and data with keyword content. – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers. PAGE 4
  • 4. How to use DLP in Steganography Detection • DLP can monitor the movement of likely carrier files such as image and music files – DLP will copy these files to a forensic archive – Other tools can then scan these files for the presence of hidden data • This presentation will: – Describe these forensic procedures – Detail an implementation of the required workflow PAGE 5
  • 5. Definition • Steganography – Hiding the existence of the message • Vs. Cryptography – Ob Obscures the meaning of a message e me ning me ge – Does not conceal the fact that there is a message • Steganalysis g y – Detecting the presence of messages hidden using steganography • Legitimate uses of steganography – Digital Watermarking PAGE 6
  • 6. Steganography - Ancient Methods Wax Tablets • Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece. • To get word to Sparta he Sparta, scraped the wax off writing tablets and carved a warning message in the wood. He h d then covered the wood with a fresh coat of wax. • The tablet was passed by the sentries without raising any suspicion. s spicion PAGE 7
  • 7. Steganography - Modern Methods Null Cipher Messages • The German Embassy in Washington, DC, y g , , sent these messages during World War I – Apparently neutral’s protest is thoroughly discounted and ignored Isman hard hit Blockade hit. issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils • D Decoding the message by extracting the di h b i h second letter from each word reveals the actual message – PERSHING SAILS FROM N.Y. JUNE 1 PAGE 8
  • 8. Technical Steganography • Uses scientific methods to hide a message, g , such as the use of invisible ink or microdots • I 1941 th FBI discovered a Micro Dot In the di d Mi D t carried on a letter from a suspected agent – Micro Dot production p • Create a postage stamp sized secret message • Reduce this in size using a reverse microscope producing an image .05 inches in diameter – The dot was pressed onto a piece of paper Mark IV microdot camera using a hypodermic needle in place of a p period PAGE 9
  • 9. Simple Example Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 10. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 11. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 12. Once upon a our poets eve With darkened sky’s and fallen leaves The raven came to call outside the door Time it said always flows through your life aid, s, and through the throws, running faster ever than before And if you wish to beat the game, to live a life of wealth and fame fame, then try to follow me forever more For here within the words it said Like a dream within your head A secret waits to lead you out the door Within a code that Bacon knew In letters just a bit askew The raven whispers secrets evermore!
  • 13. Concerns to Business • Data loss – Covert transmission of corporate IP • Pharmaceutical formulas • Proprietary software algorithms p y g – Highly sensitive legal documents • Hiding illicit activity – Non-job related activity that potentially puts the organization at risk • Gambling • Pornography • Credit card fraud • Terrorism PAGE 14
  • 14. How big is the problem? 600 Steganography Programs in the Wild 505 500 400 300 200 100 0 2001 2002 2003 2004 2005 2006 Today According to WetStone’s Chief Scientist Chet Hosmer • Where to find them – Neil Johnsons’ Steganography and Digital Watermarking web site • http://www.jjtc.com/Steganography/toolmatrix.htm – StegoArchive.com – Neil Johnsons’ Steganalysis web site g y • http://www.jjtc.com/Steganalysis/ PAGE 15
  • 15. Steganalysis Tools • For our discussions, we will reference the following steganalysis and malware detection g g y tools from Allen Corporation’s WetStone Technologies – Stego Suite – Gargoyle – Live Wire Investigator PAGE 16
  • 16. – Stego Suite • Stego Watch – Scan a file system and flag suspected files – Derived from the WetStone’s Steganography and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory – Exposes an API for researches and developers that allows for new research and steganography detectors • Stego Analyst – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files • Stego Break – Obtain the pass p p phrase that has been used – Gargoyle • Hostile program detector with steganography dataset – Malware tool discovery over the network – Target at computers where suspect files originated PAGE 17
  • 17. Known Methods of Steganography Covert Channels Color 24-Bit LSB Palette Encoding Modification Encoding Algorithm g Modification Word Formatting Substitution Modification Data Appending PAGE 18
  • 18. Least Significant Bit Encoding • This is the most common steganographic method used with audio and image files • Used to overwrite – Legitimate RGB color codings or p g g palette p pointers in GIF and BMP files – Coefficients in JPEG files – Pulse Code Modulation in WAV files Individual Colors LSB Substitution Combined Color Before After RED 1 0 1 1 0 1 0 0 Before After GREEN 1 1 0 0 0 1 1 1 BLUE 1 1 1 0 0 0 0 0 PAGE 19
  • 19. Adding a Payload to a Carrier PAGE 20
  • 22. Implementation – Policy & Procedure • Use of these capabilities is driven by risk assessment and A t d Acceptable Use Policy t bl U P li – High risk • E.G., Government Classified, Corporate Legal, Research Lab g • Policy – Not Allowed • Technical Action – Block, Archive, Examine Content, Scan Source Computer • Personnel Action – Possible Termination – Medium Risk • E.G., Human Resources, Contracts, Software Development , , , p • Policy – Not Allowed • Technical Action – Log, Archive, Spot Investigations • Personnel Action – Possible Termination PAGE 23
  • 23. Implementation - Technology • DLP – D t t movement of potential carriers Detect t f t ti l i – Copy to DLP archive • Steganography scan g g p y – Stego Suite – Examine files for potential covert content • M l Malware tools scan l – Gargoyle – Scan source workstations • Live Investigator – Consolidate findings into forensic documentation package k PAGE 24
  • 24. DLP Configuration • Technology implementation should always be derived from security policies and procedures • Classified environment – Block and archive everything • Pharmaceutical company – Research area • Block and archive – Legal department • Log and archive – All other areas • Log only PAGE 25
  • 25. DLP Architecture Policy set in ePO server to archive evidence files Evidence files Policy on endpoints collected in captures evidence files archive for steganalysis PAGE 26
  • 26. Steganography Scan Configuration • Scan image files in evidence archive – Identify images as possible Steganography carriers • Identify workstations where images originated – S n workstations for steganography tools Scan o k t tion fo teg nog ph tool – Possibly scan for other malware tools • Initiate personnel actions, as necessary p , y – Capture evidence as part of forensic investigation • Continue digital investigation – Examine suspect files – Attempt to extract payload PAGE 27
  • 27. Steganography Scan Architecture Scan image Scan Capture files f l in workstations k evidence as id evidence for malware part of archive tools forensic investigation PAGE 28
  • 30. Future – Stego Stomping • Server-level technology to filter outgoing e- mail • Modify all files to corrupt potential payload but leave carrier essentially intact – Essentially apply a randomized stego payload to every outgoing image • Proven for JPG formats – Other formats in development PAGE 31
  • 31. Want to Learn More? • Classes – Steganography Investigator Training • November 11 - 12, 2008 - Fairfax, VA •DDecember 10 - 11 2008 - O li b 11, Online – Live Investigator Training • October 24 - 25, 2008 - Gaithersburg, MD – Hacking BootCamp for Investigators • October 23 - 25, 2008 - Gaithersburg, MD • November 18 - 21, 2008 - Vancouver, BC • December 16 - 18, 2008 - Houston, TX PAGE 32
  • 32. Contact Us Corporate Headquarters: Allen Corporation of America Inc. p 10400 Eaton Place, Suite 450 Fairfax, VA 22030 (866) HQ - ALLEN (866) 472-5536 Bill Fanelli 571-321-1648 - bfanelli@allencorp.com Carlton Jeffcoat 571-321-1641 - cjeffcoat@allencorp.com www.AllenCorp.com www.WetStoneTech.com www WetStoneTech com A wholly owned subsidiary of Allen Corporation PAGE 33
  • 33. Stego Suite™ - Products - Discovering The Hidden (Digital Investigation)
    Stego Hunter™ | Stego Watch™ | Stego Analyst™ | Stego Break™
    Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence

    Stego Suite is comprised of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite, investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.

    Key Features:
    ▫ Rapid identification of known steganography programs
    ▫ Flag suspicious files through blind anomaly-based approach
    ▫ State-of-the-art image and audio analyzer
    ▫ Crack and extract payloads from carrier files
    ▫ Court ready investigator reports
    ▫ Scan audio files, JPG, BMP, GIF, PNG and more

    System Recommendations:
    ▫ Microsoft Windows® 98
    ▫ 100 MB free disk space
    ▫ 512 MB RAM
    ▫ Pentium® III 1GHz processor

    License:
    ▫ Single user license allows for installation of entire suite
    ▫ Site licenses are available upon request

    Free software maintenance for one year from the date of purchase!
    Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850 · 1-877-WETSTONE · www.wetstonetech.com · Copyright 2005-2008 WetStone Technologies All Rights Reserved
  • 34. Gargoyle Investigator™ Enterprise Module - Products - Enterprise Malware Investigation (Digital Investigation)
    Internal Investigation | Incident Response | Enterprise Reporting

    Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target's activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.

    Key Features:
    ▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
    ▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
    ▫ Dataset Creator™ - create and build your own categories for detection
    ▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
    ▫ Timestamped enterprise discovery reports for each target suspected

    System Recommendations:
    ▫ Microsoft Windows® 2000
    ▫ 230 MB free disk space
    ▫ 1 GB RAM
    ▫ Pentium® III 1GHz processor
    ▫ Gargoyle Investigator™ Forensic Pro

    License:
    ▫ Enterprise license with 10 scan option; additional scans of 25, 50 and 100 are available

    Free software maintenance for one year from the date of purchase!
  • 35. LiveWire Investigator™ - Products - On Demand Digital Investigation (Digital Investigation)
    Live Forensics | Remote Malware Detection | eCrime Investigation | eDiscovery

    LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The “command and control” of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.

    Key Features:
    ▫ Live forensic discovery and triage of 25 or more “Live” target systems simultaneously
    ▫ File system blueprinting
    ▫ Remote screenshots
    ▫ Live drive and device captures
    ▫ Physical and virtual memory imaging
    ▫ Integrated enterprise malware detection
    ▫ Automated timestamped audit trail

    System Recommendations:
    ▫ Microsoft Windows® 2000 or higher
    ▫ 100 MB free disk space
    ▫ 128 MB RAM
    ▫ Pentium® III 1GHz processor

    License:
    ▫ Single user license with the option to add up to 50 and 100 simultaneous scans
    ▫ Site licenses are available upon request

    *Companion product LiveDiscover™
    Free software maintenance for one year from the date of purchase!