Alternate Data Stream (ADS) and Steganography Hiding Techniques
This paper provides a review of the relevant literature concerning alternate data stream (ADS) and steganography data-hiding techniques, including how users can utilize ADS to hide data and use them for destructive purposes and a discussion concerning rootkits and their use as alternative data-hiding techniques. Finally, a description of the processes and tools that can be used to detect steganographic applications is followed by a description of two steganography tools that can be used to hide data.
Explain how a user could utilize ADS to hide data and explain other destructive uses which exist for ADS. According to Vacca and Rudolph (2011), alternative data streams (ADSs) can be used in a number of different ways to hide data. In this regard, Vacca and Rudolph report that, "For example, kernel space filters such as kdl use ADS by attaching their log files to system files or directories" (p. 152). In addition, other methods used to hide data utilizing ADS include the following:
1. Using stream names such as encrypted, archive, or other common Windows terms;
2. Creating streams that have no extension identifier;
3. Creating streams attached to obscure system files for data dumps, log files, etc.;
4. Storing encrypted data in single streams or across multiple streams;
5. Storing binary data across multiple streams to be reassembled and executed at the time of use to avoid detection; and,
6. Storing device drivers as streams (Vacca & Rudolph, 2011, p. 152).
Besides hiding data, some ADS techniques are also destructive, including the following:
1. Flooding a guaranteed available critical space file with useless stream data to use all available disk space;
2. Attaching Trojans, worms, viruses, spyware and other malware as streams;
3. Embedding trade secrets in streamed files (Vacca & Rudolph, 2011, p. 152).
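The hiding patterns and the disk-flooding misuse listed above can be checked for from the defender's side by enumerating every named stream on a volume. The following PowerShell script is an added example written for this page, not code from the reviewed paper or from Vacca and Rudolph; the $Root path, the size threshold, and the list of blend-in stream names are assumptions chosen for illustration, and treating Zone.Identifier (the mark-of-the-web stream browsers attach to downloads) as benign is the one allowlist entry it takes for granted.

```powershell
# Added example (not from the reviewed paper): enumerate alternate data streams under a
# directory and flag the indicators the paper lists. Requires Windows PowerShell 3+ or
# PowerShell 7 on an NTFS volume. $Root and $SizeThresholdBytes are assumed defaults.
param(
    [string]$Root = "C:\Users\Public",
    [long]$SizeThresholdBytes = 10MB
)

# Constructed list of stream names that imitate ordinary Windows terms (see item 1 above).
$blendInNames = @('encrypted', 'archive', 'backup', 'system', 'config', 'log', 'cache')

# Assumed-benign stream: Zone.Identifier is written by browsers on downloaded files.
$knownBenign = @('Zone.Identifier')

$findings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file; ':$DATA' is the ordinary primary stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $knownBenign -notcontains $_.Stream } |
            ForEach-Object {
                $stream  = $_
                $reasons = @('named stream present')

                # Item 1: stream name reuses a common Windows term (extension stripped, compare is case-insensitive).
                $baseName = $stream.Stream -replace '\..*$', ''
                if ($blendInNames -contains $baseName) { $reasons += 'blend-in stream name' }

                # Item 2: stream has no extension identifier.
                if ($stream.Stream -notmatch '\.') { $reasons += 'no extension identifier' }

                # Destructive item 1: a stream large enough to consume disk space.
                if ($stream.Length -ge $SizeThresholdBytes) {
                    $reasons += "large stream ($($stream.Length) bytes)"
                }

                # Items 5 and 6: binaries or drivers stored in a stream start with the 'MZ' PE header.
                # Byte reads differ between Windows PowerShell (-Encoding Byte) and PowerShell 7 (-AsByteStream).
                if ($PSVersionTable.PSVersion.Major -ge 6) {
                    $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
                } else {
                    $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                }
                if ($head -and $head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A) {
                    $reasons += 'PE (MZ) header in stream'
                }

                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $stream.Stream
                    Bytes   = $stream.Length
                    Reasons = ($reasons -join '; ')
                }
            }
    }

# Largest streams first, since disk-flooding and embedded binaries tend to stand out by size.
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Run it as a saved script (for example `.\Find-AdsIndicators.ps1 -Root D:\ -SizeThresholdBytes 50MB`) from an elevated prompt so that streams on protected system files are visible. A named stream on its own is not evidence of wrongdoing; the point of collecting the reason flags per stream is to rank what an investigator should open first, and any stream that carries an MZ header or matches a blend-in name deserves a closer look with the file's hash and creation time preserved before it is touched.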
Determine how rootkits can be used as an alternative for data hiding and explicate why they can be used for this purpose.
In some cases, rootkits do not hide data per se (Gale, 2006). Rather, Vacca and Rudolph (2011) report that rootkits "subverts the tools an investigator might use to find the data" (p. 154). In other cases, "The rootkit hides installed processes and files. The software hidden by rootkit allows the attacker to establish the Internet footprint of the targeted organization" (Vacca & Rudolph, 2011, p. 154).
Describe the processes and tools used by an investigator in determining whether signs of steganography are present in a given situation.
The purpose of steganography is to conceal the existence of data from a third party (Kessler, 2004). According to Vacca and Rudolph (2011), "An absolute indication of the use of steganography is the discovery of steganography software," but the use of steganography software can also be discerned from traces of its use left in various locations (Vacca & Rudolph, 2011). Forensic investigators have specialized software tools for these purposes (Vacca & Rudolph, 2011).