The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Bill Fanelli, Principal Architect, and Carlton Jeffcoat, VP, Allen Corporation of America, Cyber Security Technologies Division

Uploaded by bfanelli, posted 18-Dec-2014 (35 pages)

DESCRIPTION

How to combine McAfee DLP with WetStone Steganography tools to better protect sensitive data.

TRANSCRIPT

Page 1: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Bill Fanelli, Principal Architect
Carlton Jeffcoat, VP
Allen Corporation of America
Cyber Security Technologies Division

The Message Within: Data Sheet
Extending DLP to target Steganography

Page 2: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography

Discovering Critical Evidence - hidden in plain sight

Page 3: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Introduction

• Data Leakage greatly concerns certain industries
  – High value intellectual property
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents

• Data Loss Prevention (DLP) explicitly prevents the leakage of this data out of an organization.
  – DLP monitors the movement of tagged files and data with keyword content.
  – DLP technology is uniquely positioned to help with forensics efforts in identifying hidden message carriers.

Page 4: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

How to use DLP in Steganography Detection

• DLP can monitor the movement of likely carrier files such as image and music files
  – DLP will copy these files to a forensic archive
  – Other tools can then scan these files for the presence of hidden data

• This presentation will:
  – Describe these forensic procedures
  – Detail an implementation of the required workflow

Page 5: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Definition

• Steganography
  – Hiding the existence of the message

• Vs. Cryptography
  – Obscures the meaning of a message
  – Does not conceal the fact that there is a message

• Steganalysis
  – Detecting the presence of messages hidden using steganography

• Legitimate uses of steganography
  – Digital Watermarking

Page 6: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography - Ancient MethodsWax Tablets

• Demaratus of Ariston, exiled in Persia, received news that Xerxes was to invade Greece.

• To get word to Sparta, he scraped the wax off writing tablets and carved a warning message in the wood. He then covered the wood with a fresh coat of wax.

• The tablet was passed by the sentries without raising any suspicion.

Page 7: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography - Modern MethodsNull Cipher Messages

• The German Embassy in Washington, DC, sent these messages during World War I
  – Apparently neutral's protest is thoroughly discounted and ignored. Isman hard hit. Blockade issue affects pretext for embargo on by-products, ejecting suet's and vegetable oils

• Decoding the message by extracting the second letter from each word reveals the actual message
  – PERSHING SAILS FROM N.Y. JUNE 1

Page 8: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Technical Steganography

• Uses scientific methods to hide a message, such as the use of invisible ink or microdots

• In 1941 the FBI discovered a Micro Dot carried on a letter from a suspected agent
  – Micro Dot production
    • Create a postage stamp sized secret message
    • Reduce this in size using a reverse microscope producing an image .05 inches in diameter
  – The dot was pressed onto a piece of paper using a hypodermic needle in place of a period

[Figure: Mark IV microdot camera]

Page 9: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Simple Example

Once upon a our poets eve

With darkened sky’s and fallen leaves

The raven came to call outside the door

Time it said, always flows, through your life

and through the throws,

running faster ever than before

And if you wish to beat the game,

to live a life of wealth and fame,

then try to follow me forever more

For here within the words it said

Like a dream within your head

A secret waits to lead you out the door

Within a code that Bacon knew

In letters just a bit askew

The raven whispers secrets evermore!


Page 13: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Concerns to Business

• Data loss
  – Covert transmission of corporate IP
    • Pharmaceutical formulas
    • Proprietary software algorithms
  – Highly sensitive legal documents

• Hiding illicit activity
  – Non-job related activity that potentially puts the organization at risk
    • Gambling
    • Pornography
    • Credit card fraud
    • Terrorism

Page 14: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

How big is the problem?

[Chart: Steganography Programs in the Wild, 2001 through Today, rising to 505 programs; according to WetStone's Chief Scientist Chet Hosmer]

• Where to find them
  – Neil Johnson's Steganography and Digital Watermarking web site
    • http://www.jjtc.com/Steganography/toolmatrix.htm
  – StegoArchive.com
  – Neil Johnson's Steganalysis web site
    • http://www.jjtc.com/Steganalysis/

Page 15: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganalysis Tools

• For our discussions, we will reference the following steganalysis and malware detection tools from Allen Corporation's WetStone Technologies
  – Stego Suite
  – Gargoyle
  – Live Wire Investigator

Page 16: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

– Stego Suite
  • Stego Watch
    – Scan a file system and flag suspected files
    – Derived from WetStone's Steganography Detection and Recovery Toolkit (S-DART) research project for US Air Force Research Laboratory
    – Exposes an API for researchers and developers that allows for new research and steganography detectors
  • Stego Analyst
    – Imaging and analysis tool to identify visual clues that steganography is in use in both image and audio files
  • Stego Break
    – Obtain the pass phrase that has been used

– Gargoyle
  • Hostile program detector with steganography dataset
    – Malware tool discovery over the network
    – Target at computers where suspect files originated

Page 17: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Known Methods of Steganography

[Diagram of known steganography methods: Covert Channels; Color Palette Modification; 24-Bit LSB Encoding; Palette Encoding Algorithm; Formatting Modification; Word Substitution; Data Appending]

Page 18: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Least Significant Bit Encoding

• This is the most common steganographic method used with audio and image files

• Used to overwrite
  – Legitimate RGB color codings or palette pointers in GIF and BMP files
  – Coefficients in JPEG files
  – Pulse Code Modulation in WAV files

[Diagram: LSB Substitution, showing the individual RED, GREEN and BLUE bytes and the combined color before and after; sample bytes 01011010, 11000111 and 11100000 have their last bit replaced]

Page 19: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Adding a Payload to a Carrier


Page 20: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganalysis


Page 21: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Image Filtering


Page 22: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Implementation – Policy & Procedure

• Use of these capabilities is driven by risk assessment and Acceptable Use Policy
  – High risk
    • E.g., Government Classified, Corporate Legal, Research Lab
    • Policy – Not Allowed
    • Technical Action – Block, Archive, Examine Content, Scan Source Computer
    • Personnel Action – Possible Termination
  – Medium Risk
    • E.g., Human Resources, Contracts, Software Development
    • Policy – Not Allowed
    • Technical Action – Log, Archive, Spot Investigations
    • Personnel Action – Possible Termination

Page 23: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Implementation - Technology

• DLP
  – Detect movement of potential carriers
  – Copy to DLP archive

• Steganography scan
  – Stego Suite
  – Examine files for potential covert content

• Malware tools scan
  – Gargoyle
  – Scan source workstations

• Live Investigator
  – Consolidate findings into forensic documentation package

Page 24: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

DLP Configuration

• Technology implementation should always be derived from security policies and procedures

• Classified environment
  – Block and archive everything

• Pharmaceutical company
  – Research area
    • Block and archive
  – Legal department
    • Log and archive
  – All other areas
    • Log only

Page 25: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

DLP Architecture

[Diagram: DLP Architecture. Policy set in ePO server to archive evidence files; policy on endpoints captures evidence files; evidence files collected in archive for steganalysis]

Page 26: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography Scan Configuration

• Scan image files in evidence archive
  – Identify images as possible steganography carriers

• Identify workstations where images originated
  – Scan workstations for steganography tools
  – Possibly scan for other malware tools

• Initiate personnel actions, as necessary
  – Capture evidence as part of forensic investigation

• Continue digital investigation
  – Examine suspect files
  – Attempt to extract payload

Page 27: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Steganography Scan Architecture

[Diagram: Steganography Scan Architecture. Scan image files in evidence archive; scan workstations for malware tools; capture evidence as part of forensic investigation]

Page 28: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Evidence Archive Scan


Page 29: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Suspect Workstation Scan


Page 30: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Future – Stego Stomping

• Server-level technology to filter outgoing e-mail

• Modify all files to corrupt potential payload but leave carrier essentially intact
  – Essentially apply a randomized stego payload to every outgoing image

• Proven for JPG formats
  – Other formats in development
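The LSB substitution from Page 18, a blind statistical check for it of the kind the Stego Suite data sheet describes, and the "stego stomping" countermeasure above, as an added Python example that is not code from the presentation or from WetStone. It operates on a constructed list of 8-bit samples standing in for a palette-style image rather than a real file; the pairs-of-values chi-square test (Westfeld and Pfitzmann) and the Wilson-Hilferty approximation are standard techniques chosen here, not anything the slides specify.

```python
"""LSB embedding, the chi-square 'pairs of values' steganalysis check and LSB
stomping, on a plain list of 8-bit samples (one channel or palette index per
pixel) so it runs with no image library. Added example, not WetStone code."""
import math
import random


def embed_lsb(samples, bits):
    """LSB encoding as on the slide: keep the high 7 bits, replace bit 0."""
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | (bit & 1)
    return out


def extract_lsb(samples, nbits):
    """Read the LSB plane back (how a hidden payload would be recovered)."""
    return [s & 1 for s in samples[:nbits]]


def stomp_lsb(samples, seed):
    """'Stego stomping': overwrite every LSB with a random bit. Each visible
    value moves by at most 1, so the carrier survives; an LSB payload does not."""
    rng = random.Random(seed)
    return embed_lsb(samples, [rng.randrange(2) for _ in samples])


def pov_chi_square(samples):
    """Westfeld/Pfitzmann pairs-of-values statistic. LSB embedding only moves
    counts between the two values of a pair (2k, 2k+1); a full random payload
    drives the two counts to equality. Returns (chi2, degrees of freedom)."""
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2, cats = 0.0, 0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected == 0:
            continue  # pair unused by this carrier: no evidence either way
        chi2 += (hist[2 * k] - expected) ** 2 / expected
        cats += 1
    return chi2, max(cats - 1, 1)


def embedding_probability(samples):
    """P(chi2 >= observed): near 1 when the LSB plane looks overwritten, near 0
    for an unmodified carrier. Wilson-Hilferty normal approximation (no scipy)."""
    chi2, dof = pov_chi_square(samples)
    c = 2.0 / (9.0 * dof)
    z = ((chi2 / dof) ** (1.0 / 3.0) - (1.0 - c)) / math.sqrt(c)
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def make_palette_carrier(n_samples, n_colours, seed=1):
    """Constructed stand-in for a palette-style (GIF/BMP) image: a few colours,
    each on one side of its value pair, so the pairs are strongly unbalanced."""
    rng = random.Random(seed)
    pairs = rng.sample(range(128), n_colours)
    palette = [2 * k + rng.randrange(2) for k in pairs]
    return [rng.choice(palette) for _ in range(n_samples)]


def demo():
    """Returns (p_clean, p_stego, payload_survives_stomping)."""
    clean = make_palette_carrier(6000, 48)
    rng = random.Random(7)
    payload = [rng.randrange(2) for _ in range(len(clean))]
    stego = embed_lsb(clean, payload)          # every LSB carries payload
    stomped = stomp_lsb(stego, seed=99)        # outbound filter re-randomises them
    survives = extract_lsb(stomped, len(payload)) == payload
    return embedding_probability(clean), embedding_probability(stego), survives


if __name__ == "__main__":
    p_clean, p_stego, survives = demo()
    print(f"clean carrier p(embedded)={p_clean:.4f}  stego p(embedded)={p_stego:.4f}")
    print("payload still readable after stomping:", survives)
```

The pairs-of-values test is only reliable against sequential, near-full-capacity LSB embedding; smoothly shaded carriers can trip it even when clean, which is why the slides treat a flagged file as a lead for further investigation rather than proof.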


Page 31: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Want to Learn More?

• Classes
  – Steganography Investigator Training
    • November 11 - 12, 2008 - Fairfax, VA
    • December 10 - 11, 2008 - Online
  – Live Investigator Training
    • October 24 - 25, 2008 - Gaithersburg, MD
  – Hacking BootCamp for Investigators
    • October 23 - 25, 2008 - Gaithersburg, MD
    • November 18 - 21, 2008 - Vancouver, BC
    • December 16 - 18, 2008 - Houston, TX

Page 32: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content

Contact Us

Corporate Headquarters:

Allen Corporation of America Inc.
10400 Eaton Place, Suite 450
Fairfax, VA 22030
(866) HQ-ALLEN / (866) 472-5536

Bill Fanelli, 571-321-1648 - [email protected]

Carlton Jeffcoat, 571-321-1641 - [email protected]

www.AllenCorp.com
www.WetStoneTech.com - A wholly owned subsidiary of Allen Corporation

Page 33: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content


Stego Suite™

Discovering The Hidden

Digital Investigation Products

Stego Suite consists of four specialized products: Stego Hunter™, Stego Watch™, Stego Analyst™, and Stego Break™. This comprehensive suite of applications is designed to quickly identify, examine and analyze digital images and/or audio files for the presence of hidden information or covert communication channels. Detecting the presence of steganography is a tedious process; without advanced tools it is close to impossible to detect. Using Stego Suite, investigators are able to utilize the latest algorithms for flagging suspicious files through a blind anomaly-based approach, examine files with image filters, analyze DCT coefficient histograms, and track palette manipulation with close color pairs, shortening investigation time drastically and allowing investigators to work specifically within the four tools provided in the suite.

Free software maintenance for one year from the date of purchase!

Key Features:

▫ Rapid identification of known steganography programs
▫ Flag suspicious files through blind anomaly-based approach
▫ State-of-the-art image and audio analyzer
▫ Crack and extract payloads from carrier files
▫ Court ready investigator reports
▫ Scan audio files, JPG, BMP, GIF, PNG and more

System Recommendations:

▫ Microsoft Windows® 98
▫ 100 MB free disk space
▫ 512 MB RAM
▫ Pentium® III 1GHz processor

License:

▫ Single user license allows for installation of entire suite

▫ Site licenses are available upon request

Identify Steganography Applications ■ Detect Presence of Hidden Messages ■ Analyze Image Characteristics ■ Reveal Vital Evidence

Stego Hunter™ · Stego Watch™ · Stego Analyst™ · Stego Break™

Cornell Business and Technology Park · 20 Thornwood Dr., Suite 105 · Ithaca, NY 14850

1-877-WETSTONE · www.wetstonetech.com

Copyright 2005-2008 WetStone Technologies All Rights Reserved

Page 34: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content


Gargoyle Investigator™ Enterprise Module

Enterprise Malware Investigation

Digital Investigation Products

Gargoyle Enterprise Module (GEM) provides corporate IT departments, incident response investigators, or organizations with large and complex networks the ability to fight against malicious software within enterprise computing environments. GEM is designed to quickly target systems under investigation, collecting hashes of files found on suspect systems. The resulting collection is then analyzed by Gargoyle Investigator Forensic Pro, providing investigators significant details about each target's activities, motives, and intent. As enterprise networks continue to expand in numbers and geographic locations, investigators need a tool that will acquire forensic evidence from targets anywhere, anytime throughout the enterprise.

Free software maintenance for one year from the date of purchase!

Key Features:

▫ Perform enterprise wide collection of malicious code hashes on multiple targets simultaneously
▫ Includes a single user license of Gargoyle Investigator™ Forensic Pro
▫ Dataset Creator™ - create and build your own categories for detection
▫ Interoperates with popular forensic tools such as EnCase™ and FTK™
▫ Timestamped enterprise discovery reports for each target suspected

System Recommendations:

▫ Microsoft Windows® 2000
▫ 230 MB free disk space
▫ 1 GB RAM
▫ Pentium® III 1GHz processor
▫ Gargoyle Investigator™ Forensic Pro

License:

▫ Enterprise license with 10 scan option, additional scans of 25, 50 and 100 are available

Internal Investigation ■ Incident Response ■ Enterprise Reporting


Page 35: The Message Within - Using McAfee DLP to Detect Hidden Steganographic Content


LiveWire Investigator™

On Demand Digital Investigation

Digital Investigation Products

LiveWire Investigator is the ultimate tool for incident response, vulnerability assessment, compliance audits and criminal investigations. Quickly and inconspicuously examine live running computer systems, providing the ability to assess vulnerabilities, collect evidence directly from suspect computers, and perform enterprise-wide malware scans. LiveWire does not require pre-installed software deployed on target computers. The "command and control" of LiveWire can be on-site or remote, with any on-site operations controlled directly through the LiveWire application. Investigators can now rapidly and easily collect evidence on live running target systems from anywhere in the world.

Free software maintenance for one year from the date of purchase!

Key Features:

▫ Live forensic discovery and triage of 25 or more "Live" target systems simultaneously
▫ File system blueprinting
▫ Remote screenshots
▫ Live drive and device captures
▫ Physical and virtual memory imaging
▫ Integrated enterprise malware detection
▫ Automated timestamped audit trail

*Companion product LiveDiscover™

System Recommendations:

▫ Microsoft Windows® 2000 or higher
▫ 100 MB free disk space
▫ 128 MB RAM
▫ Pentium® III 1GHz processor

License:

▫ Single user license with the option to add up to 50 and 100 simultaneous scans

▫ Site licenses are available upon request

Live Forensics ■ Remote Malware Detection ■ eCrime ■ eDiscovery
