ware like Regin, Duqu,g or Hammertoss,h which security experts believe were created by nation-states to infiltrate a wide range of international targets and eventually launch attacks if necessary. However, it can currently be observed that not only APTs but even typical malware is turning toward increased utilization of data hiding. This is somewhat expected, as sophisticated malicious software is typically supported by an actor that is not strongly resource-constrained (in money, human resources, or time). Therefore, the adoption of advanced information-hiding techniques by cybercriminals can be the result of a “trickle-down” effect from “milware” (that is, state-sponsored malicious software) to “malware” (created by non-state groups), as described in Zielińska.38 It is also worth noting that, typically, cybercriminals will mostly focus on hiding as much information as necessary, whereas nation-state actors will try to conceal as much data as possible.
Based on the aim to be achieved, information-hiding techniques can be used by criminals/terrorists and other malicious actors for the following purposes (Figure 3):
˲ As a means for covert storage: To hide secret data in such a way that no one besides the owner is authorized to discover its location and retrieve it. In other words, the aim is to not reveal the stored secret to any unauthorized party. This way criminals/terrorists can store their secret data in a hidden manner (as in the case of the pedophile group “Shadowz Brotherhood” mentioned earlier).
˲ As a covert communication tool: To communicate messages with the aim of keeping some aspect of their exchange secret. Criminals/terrorists can use information hiding to covertly exchange their confidential data (for example, as in the case of the Russian spy ring discovered in the U.S.).
˲ As a data exfiltration technique: Cybercriminals/insiders can use it to steal/exfiltrate confidential data (this is the case for the Zeus/Zbot trojan).i
˲ As a means for covert malware communication: Finally, malware can be equipped with information-hiding techniques to become stealthier while residing on the infected host and/or while communicating with Command & Control (C&C) servers (for example, the Hammertoss APT).
g http://resources.infosecinstitute.com/duqu-2-0-the-most-sophisticated-malware-ever-seen/#gref
h https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
i https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
From the forensic challenges perspective, it must first be noted that there is a huge asymmetry between devising new information-hiding techniques and their detection/elimination. Although research on countermeasures started early (Zander37), their application in practice can be challenging or impossible (for example, because they were designed for the design phase of a system, not for a forensic analysis). Developing new data-hiding methods is usually much easier than the effort needed to detect them.
Additionally, if the carrier is selected properly (that is, if the carrier is popular enough so that it is not an anomaly itself), even trivial techniques can remain hidden for long periods of time. What is worse from a cybercrime perspective: there are many information-hiding tools that are easy to access and use, even for an inexperienced user. In April 2014, the
Challenges for Forensic Examiners
˲ Due to the large number of information-hiding techniques and the diversity of potential carriers, no general and effective off-the-shelf detection solutions exist. As covert data exchange is typically tightly coupled with the adopted carrier, detection is poorly generalizable and a challenging task. Some tools exist to help forensic experts (the majority for digital media steganography), but they are typically crafted for a particular technique or a small group of them (for example, one type of carrier).
˲ Typically, investigators do not focus on recovering hidden data but on discovering whether any known information-hiding program has been installed and used, which does not lead toward revealing what message has been hidden, especially if a proprietary tool is utilized.
˲ There are no guidelines provided for investigators that would allow for a systematic search for hidden content.
˲ Some carriers are of a more ephemeral nature, for example, network traffic. If the traffic is not captured while being sent, then it is very unlikely that it can be recovered later. This makes network information hiding and forms of out-of-band covert channels an even greater challenge for forensic examiners than typical “classical” data-hiding methods. Moreover, there are practically no tools for detection of information hiding in network traffic and in the physical medium especially.
˲ If the inspected computer is infected with information hiding-capable malware, then it could be difficult for an investigator to discover that fact.
˲ Forensic examiners often rely solely on hash sets of the known data-hiding tools or the tools they know; thus they may not recognize a steganographic tool even if they found it, for example, a proprietary one.
˲ The existing software for information hiding is becoming increasingly difficult to discover; it can be placed on removable media and executed directly, without additional installation. In this case, no remnants of the program would be found on the suspect’s hard drive. However, this turns out not always to be true, as recently a tool called RSAS (Removed Steganography Application Scanner) has been introduced that allows discovering artifacts of known steganographic programs even if they were previously uninstalled or run from portable memory storage.
˲ With the ever-increasing amount of network traffic, hard drive storage capacity, and the number of diverse files (images, videos, audio, text files) that a typical user stores, a complete search for carriers with embedded secret data becomes a tremendously time-consuming task.
˲ Given the fact that passive signaling of hidden information can also be applied, forensic examiners cannot solely focus on active signaling methods during their analysis. For instance, research demonstrates that the timing behavior of server-side applications can be enough to deduce information about the existence of users on a system. This can be done by measuring and comparing the response time for requests with different usernames of a web application.3, 29 A recent vulnerability in the popular OpenSSH daemon falls into this category.a
a http://seclists.org/fulldisclosure/2016/Jul/51
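The timing side channel in the last sidebar item, as an added example that is not from the article: a toy credential check that leaks whether a username exists (it skips the expensive password hash for unknown users) beside a constant-work variant that always performs the hash. The user database, salt, iteration count and the Stats counter are constructed for illustration; the counter stands in for wall-clock timing so the difference is deterministic.

```python
# Added example (not from the article): a login check that leaks user
# existence through its cost, beside a constant-work variant.
import hashlib
import hmac
import time

ITERATIONS = 20_000  # assumption: PBKDF2 rounds used by the toy service


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user database: username -> (salt, derived key)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential so unknown users cost exactly as much as known ones
DUMMY = (_SALT, _hash("dummy-password", _SALT))


class Stats:
    """Counts expensive operations; stands in for wall-clock timing."""
    def __init__(self):
        self.hashes = 0


def login_leaky(user, password, stats):
    # Early return for unknown users: no hash is computed, so the reply
    # is measurably faster -> passive signal that the user does not exist.
    rec = USERS.get(user)
    if rec is None:
        return False
    stats.hashes += 1
    return hmac.compare_digest(_hash(password, rec[0]), rec[1])


def login_constant(user, password, stats):
    # Always one hash and one constant-time compare, so known and unknown
    # users follow the same code path; the membership check comes last.
    rec = USERS.get(user, DUMMY)
    stats.hashes += 1
    ok = hmac.compare_digest(_hash(password, rec[0]), rec[1])
    return ok and user in USERS


def work_for(fn, user, password):
    """Number of hash computations one check performs (deterministic)."""
    s = Stats()
    fn(user, password, s)
    return s.hashes


def elapsed_ms(fn, user, password):
    """Wall-clock cost of one check; noisy, shown only for illustration."""
    t0 = time.perf_counter()
    fn(user, password, Stats())
    return (time.perf_counter() - t0) * 1000.0
```

Run work_for or elapsed_ms with "alice" and an unknown name for each function: the leaky variant does 0 hashes for unknown users, the constant variant always does 1.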