Steganography Tool Site Unavailable

In June this year, it was revealed that a Russian spy ring had been using steganographic images to send secret messages to each other. A series of small, basic mistakes led to the ring being uncovered by the FBI and resulted in the arrest of 11 suspects.

A few weeks ago, it was noticed that a top website for distributing steganography freeware and anti-forensic tools had been ‘temporarily disabled’.

I spoke to one of DFM's authors, Jim Wingate, Director of the Steganography Analysis and Research Center (SARC) and Vice President of Backbone Security, who explained: “We have been visiting at least every 2-3 months for the past several years because we are continuously searching for new steganography applications, or new versions of old applications, to add to our steganography application archives”.

Suddenly, not too long after the story broke about the Russian spies and how they used steganography to communicate covertly, the site dropped off the net. Over 30 days have passed and it is still down. Surely that is not simply a coincidence.

Jim went on to say “I’m not into conspiracy theories so I will not offer a tantalizing scenario as to how the two events may be linked. At the same time though, it doesn’t take too much of a stretch of the imagination to find a linkage between the two events and conjure up a scenario as to why the site, a publicly accessible source of a large number of freeware and shareware steganography applications, is down and remains down to this day.”

Jim has written two articles on steganography for DFM so far and more are planned. In Issue 3 Jim gave an introduction to the subject, and followed this up in Issue 4 with a more detailed view of how steganography works. Future articles will deal with anomaly detection and signature detection.



Cell Phone Evidence Extraction

Due to popular demand, Detective Cindy Murphy has released her paper on a process for cellular evidence and data extraction. We at DFM are happy to help get this into the hands of digital forensic investigators globally and, whilst it has not been reviewed through our normal technical review process, we are happy to help publicise this piece of much-needed work. The article is available for download using the link below, or subscribers to Digital Forensics Magazine can download the paper from the White Papers Downloads section of the DFM website.

Cindy Murphy is a Detective with the City of Madison, WI Police Department and has been a Law Enforcement Officer since 1985. She is a certified forensic examiner (EnCE, CCFT-A, DFCP), and has been involved in computer forensics since 1999. Det. Murphy has directly participated in the examination of hundreds of hard drives, cell phones, and other digital evidence pursuant to criminal investigations including homicides, missing persons, computer intrusions, sexual assaults, child pornography, financial crimes, and various other crimes. She has testified as a computer forensics expert in state and federal court on numerous occasions, using her knowledge and skills to assist in the successful investigation and prosecution of criminal cases involving digital evidence. She is also a part time digital forensics instructor at Madison Area Technical College, and is currently working on her MSc in Forensic Computing and Cyber Crime Investigation through University College in Dublin, Ireland.

Cell Phone Evidence Extraction Process Development 1.8
Mobile Device Forensic Process v3.0



Thwarted Russian Spy Ring Communicated Using Steganography

The FBI investigation that led to the arrest of 11 Russian spies found that they communicated by hiding text files within images, a technique known as steganography. More than 100 text files were discovered after officials conducted a search and found the 27-character password used with the steganography program. The password was written on a piece of paper in a suspect’s home, a rookie mistake by anyone’s account.

John Pironti, president of IP Architects, told Computerworld: “Humans don’t really do well remembering passwords beyond six characters, so they write them down someplace. The real mistake was thinking that the home was secure enough to leave the password lying around.”

Another error made by the spies was the use of a steganography program that is not commercially available.

This program was allegedly developed in Moscow, thus linking the ‘illegals’ to Russia and to the Sluzhba Vneshney Razvedki (SVR), the Russian Foreign Intelligence Service. The program was apparently launched by pressing ‘Ctrl + Alt + E’ and then entering the 27-character password.

This major incident brings with it new interest in steganographic techniques, and unnamed US agencies are already funding research into steganography detection. Steganography itself has a rich history stretching back to Ancient Greece; during World War II it took the form of invisible inks.
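To make the two halves of this story concrete (hiding a text file inside an image, and why detection research is possible at all), here is an added example in Python. It is not the spies' program, which the reports describe only as a custom, non-commercial tool; it is the simplest common technique, least-significant-bit (LSB) embedding, paired with the classic "pairs of values" chi-square check from Westfeld and Pfitzmann (2000). The cover is a constructed 8-bit greyscale pixel buffer and the message is a constructed note, so everything runs offline without an image library.

```python
"""Least-significant-bit (LSB) image steganography with a simple statistical detector.

Added example for this page, not the spies' tool. The cover is a constructed 8-bit
greyscale pixel buffer so the code runs offline without an image library.
"""
import random


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(pixels: bytes, message: bytes) -> bytes:
    """Hide `message` in the LSB of successive pixels, prefixed by a 32-bit length."""
    payload = len(message).to_bytes(4, "big") + message
    if len(payload) * 8 > len(pixels):
        raise ValueError("cover too small: need %d pixels, have %d"
                         % (len(payload) * 8, len(pixels)))
    stego = bytearray(pixels)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # overwrite only the lowest bit
    return bytes(stego)


def extract(pixels: bytes) -> bytes:
    """Recover a message embedded by `embed`; raise if the header is implausible."""
    def read(offset: int, nbits: int) -> int:
        value = 0
        for i in range(nbits):
            value = (value << 1) | (pixels[offset + i] & 1)
        return value

    length = read(0, 32)
    if 32 + 8 * length > len(pixels):
        raise ValueError("no valid payload: header claims %d bytes" % length)
    return bytes(read(32 + 8 * k, 8) for k in range(length))


def pairs_chi_square(pixels: bytes) -> float:
    """Chi-square statistic of the 'pairs of values' test (Westfeld and Pfitzmann, 2000).

    LSB embedding never moves a pixel out of its pair (2k, 2k+1); it only evens out
    the two counts. A natural cover has uneven pairs (large statistic); a fully
    embedded stego image has nearly equal pairs (small statistic).
    """
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected
    return chi2


def make_cover(n_pixels: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a natural image: pair counts are deliberately uneven."""
    rng = random.Random(seed)
    cover = bytearray()
    for _ in range(n_pixels):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.7:   # push most odd values to their even neighbour
            v -= 1
        cover.append(v)
    return bytes(cover)


if __name__ == "__main__":
    cover = make_cover(4096)
    message = b"Meet at the usual place. " * 20          # constructed 500-byte note
    stego = embed(cover, message)
    assert extract(stego) == message
    print("cover chi2 = %.1f, stego chi2 = %.1f"
          % (pairs_chi_square(cover), pairs_chi_square(stego)))
```

Two points worth noting. First, LSB hiding gives no confidentiality: anyone who suspects the carrier can run `extract` and read the note, which is why a real tool wraps the payload in encryption keyed by a password such as the 27-character one in this case. Second, the detector works only because the hidden bits are spread over most of the cover; a short message embedded in a large image equalises only a small fraction of the histogram, so practical detection uses the statistic over sliding windows rather than the whole image.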

If you want to know more about Steganography, Jim Wingate gave an introduction to Steganography in Issue 3 of Digital Forensics Magazine and has a follow up article in the soon to be released, Issue 4.



Call For The Government To Change Its Approach To Security

Managing Director of BAE Systems-owned consultancy, Detica, Martin Sutherland, speaking at the Homeland and Border Security Conference in London, has called for the Government to change its approach to security.

The audience, which included the new Minister for Security, Pauline Neville-Jones, listened as Martin Sutherland analysed how the current economic climate, along with the imperative to meet new Government-imposed spending targets, presents extreme challenges to providing security and privacy, especially at a time when the threat level is as high as it has ever been. He warned that the current approaches by authorities to strengthen security regimes “have the potential to become increasingly invasive as organisations sift through ever greater quantities of data in the name of national security”.

Whilst his speech took a strategic look at security across government and how the ever-increasing quantities of data need to be better managed and analysed, the underlying theme was the technology that could be better utilised to provide the services required by the various government departments charged with the nation’s security.

His proposed approach initially did not appear to offer anything new; taking a risk based approach to security, automating processes and doing more with less, and using the systems we already have in more intelligent ways. In fact these tenets of security have been at the heart of the government’s security paradigm for many years, however, in the current climate raising and reinforcing these ideals is timely and will resonate with the new Government who need to improve security yet still reduce budgets.

Sutherland went on to suggest that “common tools and methods and shared processes across Government” should address the situation; however, have we not heard all this many times before? We’ve already seen some successes using these principles, such as the DVLA integrating information across the insurance industry and the Department for Transport to pass information on to law enforcement. Nevertheless, these are minuscule gains when compared to the size and amount of data being processed across all Government departments responsible for the nation’s safety and security.

The real challenge is to change the way Government conducts cross-departmental procurement; budgets are allocated on a departmental basis with little incentive to reward collaboration and sharing. Maybe the new coalition Government will have the appetite to tackle this problem head on, a problem that has been around for a long time?

If we were cynical, we might speculate that this statement by Sutherland is nothing more than a precursor to Detica positioning itself in the circle of trust with the new Cabinet in an attempt to advise on the formulation of the G-Cloud strategy. We’re sure they are not the only service provider looking at how to maintain margin with an ever-reducing budget. However, we are not cynical, and Sutherland raises some important issues that do need to be aired. This is certainly a topic that will be returned to over the coming months.



Big problems for AT&T with Apple Data Breach

A massive breach of data security at AT&T has exposed some very high-profile users’ email addresses and contact information from the celebrity hotlist of Apple’s select early-adopter iPad 3G users. An in-depth report by Ryan Tate (Valleywag) says, “The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.”

This is a big blow for Apple, and more so for its already rocky relationship with AT&T. With data breaches like these happening more and more frequently, maybe we’ll see the end of the ridiculous ‘exclusive’ deals we’ve been subject to in both the US and the UK, where we end up locked into AT&T or O2 (in the UK) just because we want a particular type of phone. From now on, maybe the lack of trust that this sort of data loss will undoubtedly breed will benefit the rest of us, as exclusive lock-in deals with just one provider might not seem so clever. Then we will all have the privilege of choosing which cellular provider we pay to lose our personal data and leave us open to fraud. And, as we know… it’s all about freedom of choice!




Net Nanny, the Digital Economy Bill and Moving to Brazil

On Monday, Panorama (the BBC current affairs programme) screened an interesting show on the new legislation for Internet policing and anti-copyright-theft measures known as the Digital Economy Bill. Keith Cottenden of CY4OR (a UK forensics firm) was interviewed and talked about the pitfalls UK citizens now face when doing innocuous things such as making copies of their CDs (maybe for your kids) or using file-sharing networks. You can see an overview of Keith’s top tips for protecting yourself at

One interesting point to bear in mind is that the culpable party in the event of someone contravening the Digital Economy Bill is actually the owner of the Internet connection – i.e. the bill payer. This means that when your kids are busy downloading movies or music from their favourite file-sharing site, using the laptop they keep tucked away in their bedroom, it’s actually the adult who pays the bill who will be facing the large fine or criminal charges. Not knowing what your kids are up to is not an excuse!

I think that, as a result of this Bill, we’ll see a rise in the use of ‘Net Nanny’-style desktop products, and it will only take a couple of well-publicised cases in the media to get the population into a mass panic. But what can you do about it?

Windows has a fairly good monitoring and control capability (from Vista onwards it is very good), so that should be your first port of call. However, most people use the administrator account on their computers, so it’s going to be tough for parents to take away privileges their kids previously had. And unless the kids are demoted to a standard user account, they can simply turn Parental Controls off if they don’t like what it is doing. The alternative is to put something in the way that blocks access to file-sharing sites: perhaps a firewall that both monitors and blocks access, where you can also inspect the ‘surfing’ logs of anyone using the Internet to see what they’ve been up to. However, not many people have the time, resources or competence to do this, so it’s really not a good solution.

I suppose time will tell when it comes to what the best solution is and it’s like many things, partly about the technology and partly about education. Will Internet users even read the Bill to know what they can and can’t do? I sincerely doubt it.

So, my advice is, if you are an investor in tech companies, find the best parental control company around and take a few shares into your portfolio. Then when the 8£&^ hits the fan and the panic buying sets in, you can cash out and move somewhere less restrictive, like Brazil.



Facebook & Social Engineering

On Thursday, March 18th, 2010 at 8:00 PM GMT the UK’s Tonight with Trevor McDonald investigated “Facing Up to Facebook”. The Tonight program is a news magazine produced by the UK’s Granada Television for the ITV network since 1999 and covers the full range of human interest led current affairs.

In this episode the programme investigated the subject of social engineering and the concerns that surround the social networking site Facebook. Following on from the widely covered so-called “Facebook Murder”, much in the news in the UK, this was an investigative report into the dangers of online social networking and Facebook in particular.

For me this brings a couple of thoughts to mind. The first is that this is just another electronic extension of the well-known practice of social engineering. The rise of social media sites such as Facebook, LinkedIn, Twitter etc. provides a wealth of information to those who want to delve in and find out more about you, and has simplified much of the work involved. It was interesting that the representative from Facebook (name escapes me) talked about the 50% who had managed to configure their security settings correctly, almost ignoring the other 50% who had not, until he was challenged by the reporter. Have we learned nothing from the past and the history of firewalls, where we have a default of “DENY” and the user has to actively engage in what is allowed? Surely if we did this we might have more than 50% of people on Facebook configured better?

If you are interested in how you can investigate Facebook, have a look at “Diary of a PDFBook” in Issue 1 of DFMag, which looks at a tool to investigate Facebook using a browser. You can also read John Olsson’s article on forensic linguistics in Issue 3 of DFMag and how this technique was used in the “Facebook” murder investigation.

Tony Campbell



Digital Forensics crossing into other specialisms

I’ve been working at editing a book review for Issue 3, and what an excellent book it is (the review is pretty good too, I may add). The reviewer could not have praised this book any more than he did, and there is good reason for this. Dr John Olsson’s latest book on forensic linguistics is a fantastic read and really opens your eyes to what’s possible through the study of words alone. To be able to point the finger at a culprit on nothing more than the phrasing in a fake suicide note takes a lot of skill and experience, but it also requires an understanding of the linguistic formulation of the prose, which is where John’s book really wins. John has written an article on the role of forensic linguistics in convicting the culprit in the recent terrible events that led to the death of a young girl using Facebook. He discusses the dialogue between murderer and victim and how, with careful screening, we can discover the motivations of unseen people at the other end of a virtual connection in cyberspace.

What intrigues me is the crossover here. SMS, for example, has created the need for a new language and cryptic annotation that is used mostly by teenagers today. When we, the mobile forensic examiners, extract this information, we need to make sense of it to help with the overall investigation. And how can we determine whether the suspect is actually the person who sent the incriminating text? This is exactly where Dr Olsson’s skill comes in, and he’s finding himself more and more involved in computer crime investigation. We know that the Forensic Science Regulator in the UK is focusing on integrating digital forensics into the mainstream role of the other forensic sciences, which I believe is a great move, allowing much tighter collaboration between the various branches of our profession. Dr Olsson shows the benefits in terms of this one case relating to Facebook, but I feel we need to start looking for other such stories in DFM to really show the importance of cross-field collaboration.

Tony Campbell



Criminals Pose as Police Forensics Officers



Criminals posed as police forensics officers in order to rob a jewellery store in Lincoln, UK. Basically, wearing boiler suits and headgear, looking a bit dusty and sporting the police forensics logo did the trick. They escaped with £80,000 worth of jewels in their “police issue” green Vauxhall Astra, later found on fire in a nearby estate. The boiler suits and face masks did a great job of protecting the robbers’ identities, as you can see from the CCTV footage on the BBC website: