Communications of the ACM

have become significantly more sophisticated in recent years. For example, an arising challenge for forensic experts are solutions like SonicVortex Transactions ( http://www.sonic-coin. com/) that can be treated as a next-generation crypto currency platform. It enables hiding encrypted bitcoin transactions in innocent pictures and offers a stealthy address and built-in TOR support. This can potentially provide tremendous difficulties for investigating financial crimes.

In addition, there have been press releases stating that criminals/terrorists are exploiting different aspects of online games/gaming consoles to enable covert communicationj as they offer many aspects including digital images, video, network traffic, and even elements within the virtual world that can be modified in order to conceal messages. It must be noted this option was recognized in the academia community almost a decade ago. 30

A few academic publications already deal with the transfer and storage of hidden data in the Internet of Things (IoT). 23, 32 It is likely it will only be a matter of time before Io T services, such as smart homes and wearables, will be subjected to information hiding-based cybercrime. Io T devices provide entirely new ways to store hidden data in their actuators and in the memory of embedded components—places where no current methods will search for hidden data and for which no tailored tools are available.

Also, other popular and innocent-looking online services like Skype, IP telephony, Bit Torrent, or cloud storage systems can be exploited to enable covert communication. 23 Therefore, network traffic and data exchanged during such transmissions can be utilized for information hiding purposes often without overt sender and overt receiver knowledge or consent.

Moreover, hiding tools became in-
creasingly adaptive. In this context,
adaptiveness refers to a malware
function that can automatically ad-
just to a changing environment. For
instance, imagine an administrator
j http://cjel.law.columbia.edu/preliminary-
reference/2016/communicating-terror-the-
role-of-gaming-consoles-and-backdoors/
Steganography Analysis and Research
Center (SARC) claimed their latest ver-
sion of the Steganography Application
Fingerprint Database contained over

1,250 steganography applications.

It must be also noted that many of the commercial tools for information-hiding detection do not exactly focus on revealing the embedded secret data but rather try to find artifacts left behind by the hiding tools. This appears to be a good approach; however, it is only successful for the list of well-known data hiding tools or under assumption that it was the legitimate user of the device who installed this type of software. In practice, if a proprietary data-hiding tool is utilized or the device is infected with information hiding-capable malware, revealing its artifacts will be not possible or the true intention of the attacker will be still difficult to establish.

In contrast, the detection of hidden data, which is typically done by the forensics examiner for LEAs or anti-terrorism units, is far more challenging and the ex-traction/recovery of the secrets is even harder (for example, due to utilized encryption of covert data).

Another point is that still many forensics examiners do not routinely check a suspect’s computer for information-hiding software and, even if they do, several issues arise (see the accompanying sidebar).

When discussing forensic challenges for information hiding, the two most important aspects that should be considered are technical capabilities of the suspect and type of the crime. 17

The technical capabilities of the suspect may map to the resources that he has on his computer (installed software, hardware) or which he accessed (for example, visited webpages or downloaded e-books).

The type of a suspected crime can also point to a utilization of data hiding. For example, terrorists or child pornographers tend to hide their secrets in images and then send it through email or by posting it on a website. A similar case is with crimes that involve the transfer of business-type records. Obviously, if a cybercrime is investigated then information hiding usage is always a viable option.