I downloaded the chart and, much to my chagrin, discovered the following at the bottom of the chart: “Return On Investment (Determine when to stop this process. Typically, after enough evidence is obtained for prosecution, the value of additional forensic analysis diminishes.)”
On the one hand, this is understandable: investigators and forensic examiners typically have a large backlog of cases, and as storage densities continue to increase, each case brings more data to process. Coupled with pressure from management and prosecutors to close as many cases as possible, as quickly as possible, it would seem to make sense to take a minimalist approach: spend only as much time as is needed to find enough evidence for prosecution or a plea bargain, then stop the examination. But does this approach really make sense?
Let’s consider a fictional case involving the use of digital steganography for distribution of child pornography.
After the suspect’s computer and storage media have been seized and imaged, the forensic examiner finds some number of child pornography images in the clear. The images are checked against NCMEC’s CVIP database, and the case agent learns they are part of a collection that has been circulating on the Internet for quite some time. The investigator also learns that all of the children in the images have been identified and rescued from further exploitation, decides to stop the examination at that point, and presents the evidence to the prosecutor. The suspect pleads nolo contendere and accepts a plea agreement to spare his family the embarrassment of a public trial. The prosecutor congratulates the investigator and forensic examiner on another job well done in taking another sexual predator off the streets. The case is closed and the investigator and forensic examiner move on to the next one. Everything is hunky-dory, right?
Not so fast. What if the suspect had obtained the illicit images embedded within innocuous-looking carrier files, such as photographs of a toy train collection for sale on eBay or some other completely unremarkable set of pictures? The suspect would have had to use the same steganography application that embedded the images in order to extract them. Now suppose the suspect had extracted only a few of the images. Others would remain in the carrier files, unextracted, and some of them could depict children not yet identified in the CVIP database, children who are therefore still being victimized.
In this fictional case, had the examiner continued instead of stopping after finding images in the clear, an artifact of the steganography application the suspect used to extract the images might have been discovered: a file belonging to the application, or a Windows Registry entry left behind by its installation or use. Learning that the suspect had used steganography could have led to the other images still embedded in the carrier files, and from there to the identification and rescue of previously unidentified child victims.
Far-fetched, you say? Perhaps, but one can’t help wondering how much digital evidence goes undetected because it was hidden with a steganography application and the examiner did not conduct steganalysis as a routine part of the examination, believing the suspect was too stupid, too lazy, or both, to use steganography.
It must also be said that stopping an examination as soon as enough evidence has been obtained for prosecution, or for a plea, risks overlooking evidence that may be far more valuable to the investigation and the subsequent prosecution than anything easily found in the clear.
While it is true that a typical suspect will not think of the word “steganography,” it is equally true, and should reasonably be presumed, that the suspect will think of something like “hiding information” or “information hiding.” If you want a real eye-opener as to the extent of the threat from criminal use of steganography, simply do a Google search on “information hiding” and Google will return over 8,000,000 hits! Many of the links lead to web sites where steganography applications can be downloaded as freeware or shareware, or licensed for a small fee.
Given the growing use of anti-forensic tools, including digital steganography, examiners need more comprehensive forensic tools that can perform steganalysis and search for other anti-forensic tools. Thus far, the major forensic tool vendors have not seemed terribly interested in capabilities for detecting anti-forensic tools. That, in and of itself, seems very odd, because one would think the first thing an examiner would want to know is whether the suspect had used any tools that would taint the evidence their forensic tool(s) of choice would find.
Until such time as the major forensic tool vendors decide to incorporate anti-forensic tool detection capability in their tools, examiners are left to find other tools to search for the presence or use of digital steganography applications or other anti-forensic tools.
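To show what “steganalysis as a routine aspect of the examination” can look like in practice, here is an added example that is not part of the original post: a pure-Python implementation of the chi-square (pairs-of-values) attack on LSB replacement, the classic test for images whose least significant bits have been overwritten with a random-looking message. The “image” it analyses is a constructed synthetic grayscale sample (a smoothly decaying histogram standing in for a dark photograph), not a real evidence file; on real input you would feed it the raw pixel bytes of one colour channel, for example as read with an imaging library, which the example assumes rather than includes.

```python
"""Chi-square (pairs-of-values) attack on LSB replacement.

Added illustration, not code from the original post. The cover image is
a constructed synthetic sample, not real evidence. No third-party
dependencies; a real examination would load pixel bytes from the file.
"""
import math
import random


def _gammp(a, x):
    """Regularised lower incomplete gamma P(a, x) (series / continued fraction)."""
    if x <= 0.0:
        return 0.0
    gln = math.lgamma(a)
    if x < a + 1.0:                      # series expansion converges fast here
        ap, term, total = a, 1.0 / a, 1.0 / a
        for _ in range(1000):
            ap += 1.0
            term *= x / ap
            total += term
            if abs(term) < abs(total) * 1e-14:
                break
        return total * math.exp(-x + a * math.log(x) - gln)
    tiny = 1e-300                          # modified Lentz continued fraction for Q(a, x)
    b = x + 1.0 - a
    c = 1.0 / tiny
    d = 1.0 / b
    h = d
    for i in range(1, 1000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        if abs(d) < tiny:
            d = tiny
        c = b + an / c
        if abs(c) < tiny:
            c = tiny
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-14:
            break
    return 1.0 - math.exp(-x + a * math.log(x) - gln) * h


def chi_square_attack(samples, min_pair_count=10):
    """Westfeld-Pfitzmann test on the pairs of values (2k, 2k+1).

    samples: 8-bit values of one channel. Returns (statistic, df, p_embed),
    where p_embed = 1 - CDF_chi2(statistic, df). LSB replacement with a
    random message equalises each pair, so the statistic collapses to
    roughly df and p_embed becomes large; an untouched cover keeps its
    natural imbalance and p_embed is close to 0.
    """
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        a, b = hist[2 * k], hist[2 * k + 1]
        if a + b < min_pair_count:        # too few samples for the chi2 approximation
            continue
        expected = (a + b) / 2.0
        stat += (a - expected) ** 2 / expected + (b - expected) ** 2 / expected
        pairs += 1
    df = pairs - 1
    if df < 1:
        return stat, df, float("nan")
    return stat, df, 1.0 - _gammp(df / 2.0, stat / 2.0)


def lsb_embed(samples, bits):
    """Sequential LSB replacement: overwrite each sample's low bit with a message bit."""
    out = list(samples)
    for i, bit in enumerate(bits[: len(out)]):
        out[i] = (out[i] & 0xFE) | bit
    return out


def make_cover(n, seed=1):
    """Constructed stand-in for a dark 8-bit grayscale image (assumption: a
    smoothly decaying histogram, so 2k and 2k+1 occur with different frequencies)."""
    rng = random.Random(seed)
    return [min(255, int(rng.expovariate(0.2))) for _ in range(n)]


def demo():
    """Analyse the synthetic cover before and after embedding a full-length random message."""
    cover = make_cover(400 * 250)
    rng = random.Random(2)
    message = [rng.getrandbits(1) for _ in range(len(cover))]   # encrypted payloads look random
    stego = lsb_embed(cover, message)
    return chi_square_attack(cover), chi_square_attack(stego)


if __name__ == "__main__":
    for name, (stat, df, p) in zip(("cover", "stego"), demo()):
        print(f"{name}: chi2={stat:.1f} df={df} p_embed={p:.3f}")
```

Two caveats a practitioner should keep in mind. The test is only sensitive to LSB replacement at a high embedding rate, and to sequential embedding when the image is scanned in order; tools that use LSB matching, scattered low-rate embedding or transform-domain (JPEG coefficient) hiding need other detectors such as RS or sample pair analysis, or calibrated feature-based classifiers. And a statistical test never replaces the artifact hunt the fictional case turns on: the installed application, its configuration files and its Registry traces are frequently easier to find and harder to explain away than the stego image itself.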
In summary, I would suggest revising the chart to avoid conveying the message, whether explicit or implied, that a minimalist approach to digital forensic analysis is sufficient. I would also suggest adding a bullet to the Search Leads table (see graphic) that reads “Search media for presence of digital steganography applications and other anti-forensic tools.”
Steganalysis must become part of the digital forensic analysis methodology or potentially crucial evidence will continue going undetected.