Friday, October 17, 2008

Hidden Data

Yesterday I attended a meeting at the Portland Chapter of ISSA (Information Systems Security Association). The topic was Computer Forensic Investigations in Civil Litigation. I enjoyed the presentation and came away with some deep thoughts. Part of the discussion centered around the use of anti-forensics; the general feeling was that only ninjas really can pull that sort of thing off. For the most part I agree with that, but anti-forensic technologies are becoming more accessible and adapted. For example, the use of products such as the onion router, which hide and obfuscate network traffic, is on the rise.

Alright, so it's time for my deep thoughts. A technology that has been around a while but is growing and maturing is the art of hiding data in other data. This is called steganography, often referred to as stego. There are many tools that are widely and freely available to perform such a task. So here is my thought: as a forensic analyst, how would I know how and when steganography has been utilized? One common implementation of stego is to hide data in image files. Forensically speaking, the average computer has thousands of images on it, so how would I detect if one or more had hidden data?

To be fair, there are an ever-growing number of tools available that detect if an image or other file has hidden data and can extract such data, but with thousands of images on a single computer, how would you know? Is it practical to run all of the images through such a tool? Probably not. Fortunately, I have some ideas on how to accomplish this, so I am setting up some experiments to test my ideas and I will let you know what I come up with. In the meantime, if you have any thoughts or ideas on this or other topics, or I just scared the wits out of you, feel free to leave a comment.

1 comment:

Amanda Davis said...

Love the comics! Good luck!