Anti forensics and data hiding Flashcards
(21 cards)
What are the applications of steganography
Military
Diplomatic
Personal Property
Intellectual Property
What is steganography
The process of hiding a secret message within an ordinary message and extracting it at its destination
Anyone else viewing it will fail to know it contains hidden/encrypted data
Describe the process of modern steganography
Data is encrypted then inserted and hidden using a special algorithm which may add/modify the file contents
Process may append data to file or disperse it throughout
Effective programs apply encrypted data in patterns that appear normal
What is the aim of modern steganography
To only be detectable if a secret key is known
Describe how steganography remains undetected
Unmodified cover medium must be kept secret
If exposed, a comparison between the cover and stego media immediately reveals changes
Define steganalysis
Identifying the existence of a message
NOT extracting the message
What are the methods of detecting the use of steganography
Visual detection
Audible detection
Statistical detection
Structural detection
What is the aim of cryptography
To provide the means to encrypt the message
What are the 5 steps of Cryptanalysis
Identify program used to hide the message
Identify the location of the program signature in the file
Identify the location of the password in the file
Identify the location of the hidden message in the file
Identify the algorithm used to encrypt the hidden message
Describe alternate data streams
One file can be linked to multiple alternate data streams of any size
ADS is hidden
Allows for hiding of files and directories
Difficult to detect
Does not show up using dir command
How do you hide data from Windows Explorer and other Windows file searches
Store it in an NTFS stream
What do you do if you find a potentially steganized file while performing forensics
Look for evidence of steganography programs on the computer
Leverage other OS and application passwords found on the machine as they could be the same as the password used to hide the message
Look for other hints such as passwords written down in notes, letters, diaries, etc.
What is the importance of writing reports
Communicate results of your investigation
Required by courts for expert witnesses
What is an examination plan
What questions to expect when testifying
Used by your attorney to guide you in your testimony
You can propose changes to clarify/define information
Helps your attorney learn the terms and functions used in computer forensics
What is a verbal report
Less structured
Attorneys cannot be forced to release verbal reports
Preliminary report
Addresses areas of investigation yet to be completed
What is a written report
Affidavit or declaration
Limit what you write and pay attention to details
What are the 4 criteria to allow an expert witness to testify to an opinion or conclusion
Opinion/conclusion depends on special knowledge/skills
Expert is qualified as a true expert
Expert must testify to a certain degree of certainty
Experts must either describe facts that their opinions are based on or testify to a hypothetical question
What can be included in a report
Anything you wrote down in your examination
High-risk documents
Spoliation
Same information as verbal report
What is a technical witness
Only testify to facts experienced, not opinions
What is an Expert witness
A qualified third party whose testimony can be accepted in a criminal or civil case
Permitted to issue opinions/conclusions on matters that relate to their expertise