Friday, August 11, 2017

Look for steganography software on the suspect’s computer and CTF

 A blatant clue is finding stego-creating software on the suspect’s computer. The trick is to recognize the different types (experience is needed here) or known hash values of stego software using hash analysis. Many investigators have no clue how many steganographic software packages exist and may overlook the software as being “just part of the system.” The software JPHS for Windows can decrypt some images. Notice that the software gives you details about the original file, the hidden file, and, toward the bottom, the new file with the stego.

Use stego detection software.  Software such as Gargoyle ( can be used to detect files that have steganographic signatures. They may not always detect it, though, if a new algorithm was used or the algorithm is so good that it escapes detection.

Yes, sometimes you get a question that’s relatively easy, and this is a prime example. Hiding files is exactly what it sounds like—find a way to hide files on the system. There are innumerable ways to accomplish this, but steganography (which includes hiding all sorts of stuff inside images, video, and such) and NTFS file streaming are the two you’ll most likely see referenced on the exam from the Ethical hacker CEH.
Which of the following tools can assist in discovering the use of NTFS file streams? (Choose all that apply.)
       A.      LADS B. ADS Spy C. Sfind D. Snow 
A , B , C . NTFS streaming (alternate data streaming) isn’t a huge security problem, but it is something many security administrators concern themselves with. If you want to know where it’s going on, you can use any of these tools: LADS and ADS Spy are freeware tools that list all alternate data streams of an NTFS directory. ADS Spy can also remove alternate data streams (ADS) from NTFS file systems. Sfind, probably the oldest one here, is a Foundstone forensic tool you can use for finding ADS. As an aside, dir /R on Windows systems does a great job of pointing these out.

D is incorrect because Snow is a steganography tool used to conceal messages in ASCII text by appending whitespace to the end of lines.

CTF – from cyberspace game.

To resolve the CTF – finding the flag for this specific image founded in the source code with a different name, I used this sequence to find the hidden message in the image:
first – download the stegsolve on linux
chmod +x stegsolve.jar  /* to give authority to the program.
mkdir bin – create a directory
mv stegsolve.jar bin/  - move to the folder
to run the .jar file – do:
java –jar jarfilename.jar
if you image is compressed, do:
unrar e yourfilename.rar
I clicked in stegsolve- menu analyze – file format and I found the flag, but you can play here to find more information in different files.

Recommended reading
For anyone interested in the history of code making and code breaking, the book to read is  [KAHN96]. Although it is concerned more with the impact of cryptology than its technical development, it is an excellent introduction and makes for exciting reading. Another excellent historical account is [SING99].
A short treatment covering the techniques of this chapter, and more, is [GARD72].  There are many books that cover classical cryptography in a more technical vein; one of the  best is [SINK09]. [KORN96] is a delightful book to read and contains a lengthy section on  classical techniques. Two cryptography books that contain a fair amount of technical material on classical techniques are [GARR01] and [NICH99]. For the truly interested reader,  the two-volume [NICH96] covers numerous classical ciphers in detail and provides many  ciphertexts to be cryptanalyzed, together with the solutions. An excellent treatment of rotor machines, including a discussion of their cryptanalysis is found in [KUMA97]. [KATZ00] provides a thorough treatment of steganography. Another good source is  [WAYN09].

GARD72 Gardner, M. Codes, Ciphers, and Secret Writing. New York: Dover, 1972.
GARR01 Garrett, P. Making, Breaking Codes: An Introduction to Cryptology. Upper
Saddle River, NJ: Prentice Hall, 2001.
KAHN96 Kahn, D. The Codebreakers: The Story of Secret Writing. New York:
Scribner, 1996.
KATZ00 Katzenbeisser, S., ed. Information Hiding Techniques for Steganography and
Digital Watermarking. Boston: Artech House, 2000.
KORN96 Korner, T. The Pleasures of Counting. Cambridge, England: Cambridge
University Press, 1996.
KUMA97 Kumar, I. Cryptology. Laguna Hills, CA: Aegean Park Press, 1997.
NICH96 Nichols, R. Classical Cryptography Course. Laguna Hills, CA: Aegean Park
Press, 1996.
NICH99 Nichols, R., ed. ICSA Guide to Cryptography. New York: McGraw-Hill, 1999.
SING99 Singh, S. The Code Book: The Science of Secrecy from Ancient Egypt to
Quantum Cryptography. New York: Anchor Books, 1999.
SINK09 Sinkov, A., and Feil, T. Elementary Cryptanalysis: A Mathematical Approach.
Washington, D.C.: The Mathematical Association of America, 2009.
WAYN09 Wayner, P. Disappearing Cryptography. Boston: AP Professional Books,

 From the Linux Format - Magazine