Bytes Omelette: Discovering Hidden Messages
Sometimes, we have to face cases and investigations against people who know how to cover their tracks, and have knowledge on how to avoid forensic discovery. Nowadays, there's lots of people making illicit attacks, using tactics to make things in anti-forensic way.
One of those tactics is using low-level encryption programs to change the order of the binary data, scrambling the bites and making the real message unreadable when viewed in a text editor or word processor.
This is known as “Shifting bit,” and the technique consists in altering byte values of data. This makes the task of analyzing data from a suspected drive more difficult for forensic investigators.
Now, I'm going to show you how proceed using a Hex editor to discover the messages by unscrambling “bytes omelette."
The file used in this lab is a .txt file with this content:
Image 1. File to analysis
Consider this: When someone creates a message or statement, the main character may be the space to separate the words. It's a reasonable and obvious common sense to take into account before starting, correct?
I used Hex Workshop (http://www.hexworkshop.com/) to analyze the file. This tool has options to change the bit order, which will be used at the end of this article.
After opening the file in Hex Workshop, we'll run a report in order to know what items were at the top of the count (Menu > Tools > Character distribution):
Image 2. Character distribution of file
According to the chart (and after clicking on the tallest bar), the result is 0xBF in Hex, 191 in Dec base, with 51 coincidences.
Looking at the content of the file (Image 3), the BF value in binary is 10111111 - as you can see at the right corner in the image.Note: In the green square, you can see that the BF corresponds with a dot. In checking other dots, some of them have another binary value, so the spaces are only the dots matching with BF value.
Image 3. Hex content file in Hex Workshop
The binary value of space or ' ' is 00100000, (You can check this in the binary to hex converter: http://www.binaryhexconverter.com/ascii-text-to-binary-converter).
Finally, in making a comparison of the meaning of BF in binary (10111111) and the space binary value (00100000), the way to find the text of the file is:
- Invert the bitstream (converting the 10111111 to 01000000) - the Inverse Bits Option in Hex Workshop.
- Shift the block to the right (converting the 01000000 to 00100000) - the Block Shift Right Option in Hex Workshop.
The message hidden in the file was the following:
The Web is a more dangerous place than most people may think. With more than one billion websites now living on the Internet and over 100,000 websites created daily, the risk from vulnerable sites is multiplying. In fact, one-third of the most-trafficked websites are risky, new research has revealed.....www.forensicmag.com .2. March 2015..
I hope the information in this article supports the procedures in your forensic routines. When you have a suspected file that appears to be only trash, you may find it's not trash. It may be a bytes omelette!!!
Cheers from Colombia to the Cybrary Community