involves specialized software exploiting this carrier. Moreover, a covert sender and receiver will often utilize an encryption scheme (and a password/key) that secures the content even if the hidden communication is discovered. It must also be noted that in practice there is a plethora of information-hiding techniques by which carriers can be modified, and a great number of carriers that can be used for this purpose, which adds another dimension to the challenges faced by forensic experts.
Current State of Information Hiding in Cybercrime and Forensics Challenges
In general, it is impossible to precisely evaluate how widespread the use of information-hiding techniques is among criminals/terrorists, cybercriminals, or state-sponsored groups. However, there are signs that information-hiding utilization can be heavily underestimated, as security experts do not always correctly recognize and classify the techniques used. For instance, observing how malware developers increasingly apply information-hiding techniques, we can be certain this trend is most likely going to increase. Figure 2 presents data that supports this claim. It illustrates the percentage of information-hiding-capable malware identified (with respect to the total number of discovered malware) between 2011 and 2016 (historical data collected by members of the Criminal Use of Information Hiding—CUIng—initiative, to be discussed later). We treated malicious software as information-hiding-capable malware when it has been used at least once for the data-hiding techniques defined in Figure 1. To collect this information, we relied on reports from security companies, our own continuous malware landscape analysis, and data from LEAs. Nevertheless, the trend observed in Figure 1 may still be only the “tip of the iceberg.” As a result, discovery of data-hiding tools will become a great challenge for LEAs, counterterrorism organizations, and forensic experts.
It is also worth noting that information-hiding techniques were initially only found in highly sophisticated mal-
mation hiding methods modify either the timing or the content of network traffic, for example, by modifying unused bits, the structure of protocol headers, the rate at which traffic is sent, or the order of packets [36]. The first methods were introduced already in the 1980s and 1990s [9, 28], but most hiding methods for networks were published after 2000 and were focused on newer protocols such as IPv6 [20] and LTE-Advanced [27], cyber-physical systems (such as smart homes/buildings) [32], industrial communication protocols such as Modbus [19], and cloud computing [5]. Extensive surveys discussing more than a hundred methods can be found in Zander [36], Wendzel [35], and Mazurczyk [23]. While a digital image can carry only a rather limited number of bytes per single file, network traffic can carry small amounts of data continuously, day and night. A comparison of the two digital carrier types, digital media (the most well-researched and most popular cover for information hiding methods) and network traffic, is shown in the accompanying table.
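The two network carrier classes named above (modified timing and modified header content) leave different traces, and each can be screened for with a simple heuristic. The following added example (not code from the article or the CUIng initiative) runs two such detector checks over constructed packet records: a normalized-entropy test on inter-arrival times, which a binary timing channel pushes down because its gaps collapse onto a couple of values, and a count of packets with the IP header's reserved flag bit set, which RFC 791 says must be zero. The packet records, the secret bit string and the jitter values are all constructed for illustration; a real tool would read timestamps and header fields from a pcap.

```python
import math
from collections import Counter

# Constructed packet records: (arrival time in seconds, IP reserved flag bit).
# Not real captures; a real checker would pull both fields from a pcap.
def _build(gaps, reserved_bits):
    t, pkts = 0.0, []
    for gap, bit in zip(gaps, reserved_bits):
        t += gap
        pkts.append((t, bit))
    return pkts

SECRET_BITS = "0110100101101011"  # constructed payload for the two covert flows
JITTERY_GAPS = [0.012, 0.087, 0.231, 0.044, 0.158, 0.301, 0.069, 0.123,
                0.197, 0.025, 0.264, 0.106, 0.182, 0.053, 0.337, 0.142]

# Timing channel: a 50 ms gap encodes a 0, a 100 ms gap encodes a 1; header untouched.
COVERT_TIMING = _build([0.05 if b == "0" else 0.10 for b in SECRET_BITS], [0] * 16)
# Storage channel: normal-looking timing, secret bits written into the reserved bit.
COVERT_HEADER = _build(JITTERY_GAPS, [int(b) for b in SECRET_BITS])
# Benign flow: jittery timing and the reserved bit always zero.
BENIGN = _build(JITTERY_GAPS, [0] * 16)

def timing_entropy(packets, bucket_ms=10):
    """Normalized Shannon entropy (0..1) of inter-arrival times quantized to buckets.
    A binary timing channel lands on very few buckets and scores low; ordinary
    traffic spreads over many buckets and scores close to 1."""
    gaps = [round((b[0] - a[0]) * 1000 / bucket_ms) for a, b in zip(packets, packets[1:])]
    n = len(gaps)
    if n < 2:
        return 1.0
    h = -sum(c / n * math.log2(c / n) for c in Counter(gaps).values())
    return h / math.log2(n)

def reserved_bit_hits(packets):
    """Number of packets whose reserved IP flag bit is set (legitimately always zero)."""
    return sum(bit for _, bit in packets)

def analyze(packets, entropy_threshold=0.5):
    """Return both indicators and a verdict for one flow."""
    h = timing_entropy(packets)
    hits = reserved_bit_hits(packets)
    return {"timing_entropy": round(h, 3), "reserved_bit_hits": hits,
            "suspicious": h < entropy_threshold or hits > 0}

if __name__ == "__main__":
    for name, flow in [("timing", COVERT_TIMING), ("header", COVERT_HEADER), ("benign", BENIGN)]:
        print(name, analyze(flow))
```

The entropy threshold and bucket width are assumptions chosen for this synthetic data; on live traffic they should be calibrated per protocol, since some legitimate flows (keep-alives, polling) are regular by design.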
From this perspective, it must be emphasized that information-hiding technique utilization on a suspect’s computer will not be discovered by a forensic analysis if it is not being directly sought. In general, all that criminals or terrorists need to enable a covert communication is to agree upon the carrier in which the secret data will be embedded. The carrier can be a digital image, audio, video, text file, network traffic, or any other digital medium. Obviously, this also
Figure 3. Use-cases for the criminal application of information hiding methods. (Figure content: four criminal use-cases for information hiding: covert data storage; covert communication tool; covert data exfiltration; stealthy malware command and control.)

Figure 2. Percentage of the identified information hiding-capable malware between 2011 and 2016 (historical data collected by members of the CUIng initiative). (Figure content: bar chart with years 2011 to 2016 on the x-axis and percentage from 0 to 30 on the y-axis; bar labels as extracted, with their order not recoverable from the page: 12, 4, 16, 20, 24, 24.)