Communications of the ACM

ware like Regin, Duqu,g or Hammertoss,h which by security experts are thought to be created by nation-states to infiltrate a wide range of international targets and eventually launch attacks if necessary.

However, currently it can be observed that not only APTs, but even the typical malware is turning toward increased utilization of data hiding. This is somehow expected as typically sophisticated malicious software is supported by an actor that is not strongly resource-constrained (in money, human resources or in time). Therefore, takeover of advanced information hiding techniques by cybercriminals can be the result of a “trickle down” effect from “milware” (that is, state-sponsored malicious software) to “malware” ( created by non-state groups) as described in Zielin´ska. 38 It is also worth noting that, typically, cybercriminals will mostly focus on hiding as much information as necessary, whereas nation-state actors will try to conceal as much data as possible.

Based on the aim to be achieved, information-hiding techniques can be used by criminals/terrorists and other malicious actors for the following purposes (Figure 3):

˲ As a mean for covert storage: To hide secret data in such a way that no one besides the owner is authorized to discover its location and retrieve it. In other words, the aim is to not reveal the stored secret to any unauthorized party. This way criminals/terrorists can store their secret data in a hidden manner (such in the case of pedophiles group “Shadowz Brotherhood” mentioned earlier).

˲ As a covert communication tool: To communicate messages with the aim of keeping some aspect of their exchange secret. Criminals/terrorists can use information hiding to covertly exchange their confidential data (for example, as in case of the Russian spy ring discovered in U.S.).

˲ As a data exfiltration technique: Cybercriminals/insiders can use it to steal/exfiltrate confidential data (this is the case for a Zeus/Zbot trojani).

g http://resources.infosecinstitute.com/
duqu-2-0-the-most-sophisticated-malware-
ever-seen/#gref
h https://www2.fireeye.com/rs/848-DID-242/im-
ages/rpt-apt29-hammertoss.pdf
i https://blog.malwarebytes.com/threat-analysis/
2014/02/hiding-in-plain-sight-a-story-about-a-
sneaky-banking-trojan/

˲As a mean for covert malware communication: Finally, malware can be equipped with information hiding techniques to become stealthier while residing on the infected host and/or while communicating with Command & Control (C&C) servers (for example, a Hammertoss APT).

From the forensic challenges per-
spective first it must be noted that
there is a huge asymmetry when it
comes to devising new information hid-
ing techniques and its detection/elimi-
nation. Although research on counter-
measures started early (Zander37), their
application in practice can be challeng-
ing or impossible (for example, because
they were designed for the design phase
of a system, not for a forensic analysis).
Developing new data-hiding methods
is usually much easier than the effort
needed to detect them.
Additionally, if the carrier is select-
ed properly (that is, if the carrier is
popular enough so it is not an anoma-
ly itself) even trivial techniques can
remain hidden for long periods of
time. What is worse from a cybercrime
perspective: there are many informa-
tion-hiding tools that are easy to ac-
cess and use, even for an unexperi-
enced user. In April 2014, the
˲ Due to the large number of information hiding techniques and a diversity of poten-
tial carriers, no general and effective off-the-shelf detection solutions exist. As covert
data exchange is typically tightly coupled with the adopted carrier it makes detection
poorly generalizable and a challenging task. Some tools exist to help forensic experts
(the majority is for digital media steganography) but they are typically crafted for a par-
ticular technique or a small group of them (for example, one type of carrier).

˲ Typically, investigators do not focus on recovering hidden data but on discovering whether any known information hiding program has been installed and used which does not lead toward revealing what message has been hidden especially if a proprietary tool is utilized.

˲ There are no guidelines provided for investigators that will allow for the systematic search for a hidden content.

˲ Some carriers are of a more ephemeral nature, for example, network traffic. If the traffic it is not captured while being sent, then it is very unlikely that it can be recovered later. This makes network information hiding and forms of out-of-band covert channels even a greater challenge for forensics examiners than typical “classical” data hiding methods. Moreover, there are practically no tools for detection of information hiding in especially network traffic and in the physical medium.

˲ If the inspected computer is infected with information hiding-capable malware, then for an investigator it could be difficult to discover such a fact.

˲ Forensics examiners often rely solely on hash sets of the known data-hiding tools or the tools they know, thus they may not recognize a steganographic tool even if they found it, for example, proprietary.

˲ The existing software for information hiding is becoming increasingly difficult to discover; it can be placed on a removable media and executed directly, without additional installation. In this case, no remnants of the program would be found on the suspect’s hard drive. However, it turns out not always to be true as recently a tool called RSAS (Removed Steganography Application Scanner) has been introduced that allows to discover artifacts of the known steganographic programs even if they were previously uninstalled or run from a portable memory storage.

˲ With the ever-increasing amount of network traffic, hard drive storage capacity and the number of diverse files (images, videos, audio, text files) that a typical user stores, a complete search for carries with embedded secret data becomes a tremendously time-consuming task.

˲ Given the fact that also passive signaling of hidden information can be applied, forensics cannot solely focus on active signaling methods during their analysis. For instance, research demonstrates that the timing behavior of server-side applications can be enough to deduce information about the existence of users on a system. This can be done by measuring and comparing the response time for requests with different user-names of a web application. 3, 29 A recent vulnerability in the popular OpenSSH daemon falls into this category.a