Cyber crooks vs digital sleuths

By Martin Courtney

12 May 2011


Speculation that the late Osama bin Laden and Al-Qaeda used steganography to distribute data to members of the terrorist group by hiding it in seemingly innocuous web sites may ultimately prove to be just that. But security and academic researchers have been looking at ways that steganography, along with digital watermarking and cryptography, can be used for a range of less malign purposes, including copyrighting and law enforcement activities.

Steganography involves embedding data, such as text or other images, into an image so that it is not immediately obvious to the human eye. It can be done in subtle ways, such as slightly altering a pixel's red, green and blue (RGB) colour values or its greyscale depth, or replacing the eighth bit of a pixel value, the least significant bit (LSB), with hidden data.

Professor Anthony Ho is head of the computing department at the University of Surrey, where he leads the institution’s multimedia security and forensics research group. “The human eye is not very good at recognising small changes in shape or colour, so the original value [of the pixel] could be 200, but you could change it to something between 190 or 205 and nobody would notice the difference,” he said.

Those wanting to view the embedded images either need to know in advance which pixels to look for or will have a key, often encrypted, that decodes a random scatter in order to work out which have been altered.
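The following added example (not from the article or from Professor Ho's group) shows LSB replacement with a key-seeded scatter of pixel positions, as the two passages above describe. The cover image, key and message are constructed for illustration, and Python's `random` module stands in for the keyed generator a real scheme would use.

```python
import random

def scatter(key: bytes, n_pixels: int, n_bits: int) -> list[int]:
    """Key-seeded pseudo-random list of distinct pixel indices."""
    if n_bits > n_pixels:
        raise ValueError("message too long for this cover image")
    # Deterministic for a given key, which is all the demo needs;
    # random.Random is not a cryptographic generator.
    return random.Random(key).sample(range(n_pixels), n_bits)

def embed(pixels: list[int], message: bytes, key: bytes) -> list[int]:
    """Overwrite the LSB of key-selected pixels with the message bits."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    stego = list(pixels)
    for pos, bit in zip(scatter(key, len(pixels), len(bits)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return stego

def extract(pixels: list[int], n_bytes: int, key: bytes) -> bytes:
    """Read the LSBs back in the same key-derived order."""
    order = scatter(key, len(pixels), n_bytes * 8)
    bits = [pixels[pos] & 1 for pos in order]
    return bytes(
        sum(bit << (7 - i) for i, bit in enumerate(bits[b:b + 8]))
        for b in range(0, len(bits), 8)
    )

def max_change(a: list[int], b: list[int]) -> int:
    """Largest per-pixel difference between two images."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed 16x16 greyscale cover image (values 0-255), key and message.
COVER = [(x * 7 + y * 13) % 256 for y in range(16) for x in range(16)]
KEY = b"constructed-demo-key"
MESSAGE = b"owner:alice"

if __name__ == "__main__":
    stego = embed(COVER, MESSAGE, KEY)
    print("largest pixel change:", max_change(COVER, stego))
    print("with key:    ", extract(stego, len(MESSAGE), KEY))
    print("without key: ", extract(stego, len(MESSAGE), b"wrong-key"))
```

No pixel value moves by more than one step, far inside the range Ho describes as unnoticeable, and a reader without the key recovers only unrelated bits.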

Like other researchers and commercial software companies, Ho is also working on new forms of digital watermarks that embed information into audio, image or video files, as well as legal or other important documents, which are difficult to remove for anybody trying to copy or alter them.

“The legal profession is already using digital watermarking to copyright documents - there is commercialised watermarking software licensed to HP, for example - so you know who created it and can protect its integrity against manipulation,” he said.

In many cases, however, the criminals are further ahead in digital forensics technology than those trying to thwart them. This was acknowledged at a meeting of the House of Commons Science and Technology Committee, held in March as part of its inquiry into the re-organisation of the UK Forensic Science Service.

“The criminal justice system continually has problems responding to new technology, though that is not unique to UK,” said Professor Jim Fraser, of the Centre for Forensic Science at the University of Strathclyde. “Any research and development should be focused on the operational benefits to the police and the justice system, but I can see a situation where new technology comes along and the criminal justice system waits for there to be a problem before it responds: we should not wait to act retrospectively.”

Ho pointed out that terrorists, paedophiles, pornographers and organised gangs have been using these methods for some time: “a long time before the police knew”. He also believes the UK is behind the rest of Europe and the Asia Pacific region in finding new uses for digital forensic technology.

Digital evidence pertaining to traffic enforcement and insurance claims is admissible in court in Japan, for example, where forensics obtained from digital cameras and mobile phone cameras can be used to prevent fraud. In this case, investigators can trace the exact device used to take an image by looking for anomalies such as chips, scratches or fixed noise patterns on the CCD array. This ensures that the image has not been altered to show a different number plate, location or vehicle.

The UK police force is currently subject to strict rules laid down by the Association of Chief Police Officers (ACPO) when collecting digital forensic evidence, which can cover the examination of any computer or mobile phone that might store data. Digital forensics can also extract information from LANs and WANs (sometimes by capturing network traffic at the packet level), from databases or other application or non-specific information repositories, and from web sites.

A handful of IT vendors offer customised hardware and software designed to speed up that collection process and help field officers stay within the rules. Dell, for instance, provides a Mobile Digital Forensics device built around a ruggedised PC loaded with Evidence Talks Spektor software that automatically indexes the data it finds for analysis back at the police station.

“The guidelines say they have to be very careful when handling devices at the scene of a crime not to alter their physical state - if you are dealing with organised crime, there might be remote delete capability, for example, and then you’re stuffed,” said Dell government and defence spokesman Ben Chapman.

 
