Communications of the ACM

involves specialized software exploiting this carrier.

Moreover, a covert sender and receiver will often utilize an encryption scheme (and a password/key) that will allow for securing the content even if the hidden communication is discovered. It must be also noted that in practice there is a plethora of various types of information-hiding techniques in which carriers can be modified and a great number of carriers that can be used for this purpose, which adds another dimension to the challenges for the forensic experts.

Current State of Information Hiding in Cybercrime and Forensics Challenges

In general, it is impossible to precisely evaluate how widespread the use of information-hiding techniques is among criminals/terrorists, cybercriminals, or state-sponsored groups. However, there are signs that information-hiding utilization can be heavily underestimated as security experts do not always correctly recognize and classify techniques used. For instance, by observing how malware developers increasingly apply information-hiding techniques we can be certain this trend is most likely going to increase. Figure 2 presents data that can support this claim. It illustrates the percentage of information hiding-capable malware identified (with respect to the total number of discovered malware) between 2011 and 2016 (historical data collected by members of the Criminal Use of Information Hiding—CUIng— initiative, to be discussed later). We treated malicious software as an information hiding-capable malware when it has been used at least once for data-hiding techniques defined in Figure 1. To collect this information, we relied on reports from security companies, our own continuous malware landscape analysis and data from LEAs.

Nevertheless, the trend observed in Figure 1 may still be only a “tip of an iceberg.” As a result, discovery of data-hiding tools will become a great challenge for LEAs, counterterrorism organizations, and forensic experts.

It is also worth noting that informa-
tion-hiding techniques were initially
only found in highly sophisticated mal-
mation hiding methods modify either
the timing or the content of network
traffic, for example, by modifying un-
used bits, the structure of protocol
headers, the rate in which traffic is
sent or the order of packets. 36 First
methods were introduced already in
the 1980s and 1990s, 9, 28 but most hid-
ing methods for networks were pub-
lished after 2000 and were focused on
newer protocols such as IPv620 and
LTE advanced, 27 cyber-physical sys-
tems (such as smart homes/build-
ings), 32 industrial communication
protocols such as Modbus, 19 and
cloud computing. 5 Extensive surveys
discussing more than hundred meth-
ods can be found in Zander, 36 Wend-
zel, 35 and Mazurczyk. 23 While a digital
image allows to carry a rather limited
number of bytes per single file, net-
work traffic can permanently carry
little amounts of data, at day and at
night. A comparison of the two digital
carrier types, such as digital media
(the most well-researched and most
popular cover for information hiding
methods) and network traffic is
shown in the accompanying table.

From this perspective, it must be emphasized that information-hiding technique utilization on a suspect’s computer will not be discovered by a forensic analysis if it is not being directly sought. In general, all that criminals or terrorists need to enable a covert communication is to agree upon the carrier in which the secret data will be embedded. The carrier can be a digital image, audio, video, text file, network traffic, or any other digital medium. Obviously, this also

Figure 3. Use-cases for the criminal application of information hiding methods.

Criminal Use-cases for
Information Hiding
Covert Data
Storage
Covert Communication
Tool
Covert Data
Exfiltration
Stealthy Malware
Command and Control

Figure 2. Percentage of the identified information hiding-capable malware between 2011 and 2016 (historical data collected by members of the CUIng initiative).