Bytes Omelette: Discovering Hidden Messages

December 21, 2015 | Views: 2793


Sometimes we face cases and investigations involving people who know how to cover their tracks and know how to avoid forensic discovery. Nowadays there are many people carrying out illicit attacks who use anti-forensic tactics to hide their data.

One of those tactics is using low-level encryption programs to change the order of the binary data, scrambling the bytes and making the real message unreadable when viewed in a text editor or word processor.

This is known as “bit shifting,” and the technique consists of altering the byte values of the data. This makes analyzing data from a suspect drive more difficult for forensic investigators.

Now I’m going to show you how to proceed with a hex editor to discover the message by unscrambling the “bytes omelette.”

The file used in this lab is a .txt file with this content:

Image 1. File for analysis

Consider this: when someone writes a message or statement, the most frequent character is probably the space that separates the words. That is a reasonable, common-sense assumption to start from, correct?

I used Hex Workshop (http://www.hexworkshop.com/) to analyze the file. This tool has options to change the bit order, which will be used at the end of this article.

After opening the file in Hex Workshop, we run a report to see which byte values occur most often (Menu > Tools > Character Distribution):

Image 2. Character distribution of the file

According to the chart (and after clicking on the tallest bar), the most frequent value is 0xBF in hex, 191 in decimal, with 51 occurrences.

Looking at the content of the file (Image 3), the value BF in binary is 10111111, as you can see in the right-hand corner of the image.

Note: in the green square you can see that BF is displayed as a dot. Checking the other dots, some of them have a different byte value, so only the dots whose value is BF are the spaces.

Image 3. Hex content of the file in Hex Workshop

The binary value of the space character, ‘ ‘, is 00100000 (you can check this with the ASCII-to-binary converter: http://www.binaryhexconverter.com/ascii-text-to-binary-converter).

Finally, comparing BF in binary (10111111) with the binary value of the space (00100000), the way to recover the text of the file is:

  1. Invert the bitstream (converting the 10111111 to 01000000) – the Inverse Bits Option in Hex Workshop.
  2. Shift the block to the right (converting the 01000000 to 00100000) – the Block Shift Right Option in Hex Workshop.
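The same analysis done in code, as an added example that is not from the article: the two Hex Workshop operations are reimplemented (assuming “Block Shift” shifts the whole buffer as one bitstream), a frequency count stands in for the Character Distribution report, and each candidate undo-transformation is accepted only if it yields readable text whose most common byte is the space. The sample sentence and the candidate list are my own constructions.

```python
from collections import Counter

def invert_bits(data: bytes) -> bytes:
    """Flip every bit of every byte (Hex Workshop's 'Inverse Bits')."""
    return bytes(b ^ 0xFF for b in data)

def block_shift_right(data: bytes) -> bytes:
    """Shift the whole buffer one bit right as one bitstream ('Block Shift Right'):
    each byte's low bit becomes the next byte's high bit; the final bit falls off."""
    n = int.from_bytes(data, "big")
    return (n >> 1).to_bytes(len(data), "big")

def block_shift_left(data: bytes) -> bytes:
    """Inverse of block_shift_right; the first byte's high bit falls off."""
    mask = (1 << (8 * len(data))) - 1
    return ((int.from_bytes(data, "big") << 1) & mask).to_bytes(len(data), "big")

# Undo-transformations to try: the article's two steps, singly and in both orders.
CANDIDATES = {
    "invert": invert_bits,
    "shift right": block_shift_right,
    "invert, then shift right": lambda d: block_shift_right(invert_bits(d)),
    "shift right, then invert": lambda d: invert_bits(block_shift_right(d)),
}

def most_common_byte(data: bytes) -> tuple:
    """(value, count) of the most frequent byte, as in the Character Distribution report."""
    return Counter(data).most_common(1)[0]

def looks_like_text(data: bytes) -> bool:
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)

def recover(data: bytes):
    """(transform name, plaintext) for the first candidate giving text with space on top, else None."""
    for name, undo in CANDIDATES.items():
        out = undo(data)
        if looks_like_text(out) and most_common_byte(out)[0] == 0x20:
            return name, out
    return None

# Constructed sample, scrambled the way the article's file was: the reverse of
# "invert, then shift right" is "shift left, then invert".
SAMPLE = b"the quick brown fox jumps over the lazy dog"
SCRAMBLED = invert_bits(block_shift_left(SAMPLE))

if __name__ == "__main__":
    val, cnt = most_common_byte(SCRAMBLED)
    print(f"top byte 0x{val:02X} ({val} dec), {cnt} occurrences")  # 0xBF (191 dec), 8 occurrences
    print(recover(SCRAMBLED))
```

The top byte of the scrambled sample is 0xBF, exactly as in the article, because a space shifted left and inverted always lands there when the following character is plain ASCII.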

The message hidden in the file was the following:

The Web is a more dangerous place than most people may think. With more than one billion websites now living on the Internet and over 100,000 websites created daily, the risk from vulnerable sites is multiplying. In fact, one-third of the most-trafficked websites are risky, new research has revealed…..www.forensicmag.com .2. March 2015..

I hope the information in this article supports the procedures in your forensic routines. When you have a suspect file that appears to be nothing but trash, you may find it isn’t trash. It may be a bytes omelette!!!

Cheers from Colombia to the Cybrary Community

6 Comments
  1. Thanks. When might you know to use such a tool? What clues would indicate bit-shifting in the first place?

    • Hi, when you’re in a forensic process, some clues could be the history and recently opened files of the suspect; you can look in the registry hives, for example, to find those top files and documents.

      Also, you can be suspicious of information sent from email accounts with the bit-shifted file attached, and of pendrives copying or trying to copy this sort of apparently garbage data.

  2. It’s really interesting to see how the more I dig into the forensic side of things, the less I realize I know. I had no idea it would be possible to do what you just did. Thanks for the “simple” write up!

  3. I learned something so I give it a 3 Excellent. Thanks!

  4. Nicely crafted. Too simple for the experts (not me) but concise for the beginners. Kudos andresBello

  5. excellent explanation and tools
