http://www.securityportal.com/articles/hexeditors20001208.html

From the above site:


December 08, 2000 - A hex editor is a software tool that enables you to read most files stored on a PC. Since information resides on a computer as a series of ones and zeroes (binary data), it becomes easier to read when shown in hexadecimal (base 16) format, which uses the digits 0-9 and the letters A-F. For example, 6F72 in hex is 28530 in decimal.

For example, this article's title, "Hex Editors: A Security Tool" (which is exactly what the bytes below decode to), would appear in the hex editor as:

4865 7820 4564 6974 6F72 733A 2041 2053 6563 7572 6974 7920 546F 6F6C

The editor's screen would have three sections. The center section contains the actual hex code, as above. A left section gives the memory address (offset) of each line of hex. A right section gives the equivalent ASCII text for the hex code. Probably your reaction is that all this information is interesting, but what does it have to do with computer security?
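The three-section display described above, as an added example in Python (not code from the original article or from any particular hex editor): each row shows the offset, the bytes grouped two at a time in the same style as the article's sample, and the ASCII rendering with non-printable bytes shown as dots. The sample input is the article's title plus a few constructed non-printable bytes; the function names are my own.

```python
# Added example (not from the original article): a minimal hex-editor style
# dump with the three sections the text describes: offset | hex | ASCII.
from typing import List


def hex_dump_lines(data: bytes, width: int = 16) -> List[str]:
    """Render data as hex-editor rows: offset, hex pairs grouped 2 bytes per word, ASCII."""
    rows = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        # Two bytes per word, matching the article's "4865 7820 ..." layout.
        words = [chunk[i:i + 2].hex().upper() for i in range(0, len(chunk), 2)]
        # Pad the hex column so the ASCII column lines up on short final rows.
        hex_part = " ".join(words).ljust(width // 2 * 5 - 1)
        # Printable ASCII (0x20-0x7E) is shown as-is; anything else as '.'.
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{offset:08X}  {hex_part}  {ascii_part}")
    return rows


def hex_to_decimal(hex_word: str) -> int:
    """Interpret a hex word such as '6F72' as an unsigned integer."""
    return int(hex_word, 16)


# Constructed sample input: the article's title followed by three
# non-printable bytes, to show how the ASCII column handles them.
SAMPLE = b"Hex Editors: A Security Tool\x00\x01\xff"

if __name__ == "__main__":
    for line in hex_dump_lines(SAMPLE):
        print(line)
    print(hex_to_decimal("6F72"))
```

The first row produced for the title reads `00000000  4865 7820 4564 6974 6F72 733A 2041 2053  Hex Editors: A S`, which matches the article's hex string byte for byte; the same function run over a raw disk sector image gives the kind of view the article goes on to describe.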

To answer that question, examining the additional capabilities of the hex editor becomes important.

1. It can directly edit sectors on your hard drive or floppy disk.

2. It can find and replace hex, bitmask, decimal, or ASCII values.

3. It can compare differences between files.

4. It can calculate checksums and digests.

5. It can print hex dumps.

Because it can edit sectors on a hard drive directly, a hex editor can offer you a view of what is there that may not have been apparent to the user who wrote the data to that sector. Fragments of data, strings, and even whole sections of text become visible. What was thought erased becomes discoverable. You can also find hidden text generated by the document's application that supplies additional data on its origin.

You can also search for certain sequences of hex or ASCII values. If you are looking for the phrase "document 12376," searching by its hex equivalent (646F 6375 6D65 6E74 2031 3233 3736) becomes easy. So, the hex editor enables an investigator to search a disk at a very low level.

Often knowing the differences between files can tell a great deal about what happened in the processing of the information. Cracking passwords can be done in this manner. One can discover if someone altered data in a file or memory location by examining the differences. If someone tries to hide data inside a file through steganography, "diffing" or comparing differences can sometimes detect the subtle differences.

Calculating checksums and digests verifies that documents have not been altered, even slightly. Even a small change will produce a significant change in a digest. Most hex editors will calculate MD2, MD4, MD5, and SHA1 for an entire file or for parts of it.

Hex dumps are useful when a detailed printout of the disk or floppy is essential. They document what data was on the drive at which locations when the dump occurred. The dump serves as permanent written evidence. When the drive itself may not be available for extensive examination or its preservation may not be feasible, a dump provides the next best evidence.
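The search, compare and digest capabilities from the list above, worked as one added Python example (not the article's code and not tied to any particular editor). It searches a byte buffer by a hex string written in the article's spaced style, lists every offset where two buffers differ, and computes MD5 and SHA-1 digests; MD2 and MD4 are not provided by Python's `hashlib` on most builds, so they are left out. The two "sector" buffers are constructed sample data, and the function names are my own.

```python
# Added example (not from the original article): search, diff and digest over
# bytes in memory, the way a hex editor does them over a file or sector.
import hashlib
from typing import Dict, List, Tuple


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which pattern occurs (overlapping matches included)."""
    hits, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def find_hex(data: bytes, hex_pattern: str) -> List[int]:
    """Search by a spaced hex string such as '646F 6375 6D65 6E74 2031 3233 3736'."""
    return find_all(data, bytes.fromhex(hex_pattern.replace(" ", "")))


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """List (offset, byte_in_a, byte_in_b) for every position where the inputs differ.
    -1 marks a byte that is absent because one input is shorter than the other."""
    diffs = []
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else -1
        y = b[i] if i < len(b) else -1
        if x != y:
            diffs.append((i, x, y))
    return diffs


def digests(data: bytes) -> Dict[str, str]:
    """MD5 and SHA-1 of the whole buffer as lowercase hex strings."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }


# Constructed sample "sector" contents (not real disk data): the second copy
# has one digit of the total changed, the kind of small alteration the
# article says often underlies a computer crime.
ORIGINAL = b"invoice: document 12376 total=1000 status=paid\x00\x00pad"
ALTERED = b"invoice: document 12376 total=9000 status=paid\x00\x00pad"

if __name__ == "__main__":
    print(find_hex(ORIGINAL, "646F 6375 6D65 6E74 2031 3233 3736"))  # offsets of "document 12376"
    print(byte_diff(ORIGINAL, ALTERED))  # the single changed byte
    print(digests(ORIGINAL)["md5"], digests(ALTERED)["md5"])  # completely different digests
```

A single changed byte shows up once in `byte_diff` but changes every hex digit of the digest, which is why a recorded digest of the original is the quickest way to prove a copy is intact, while the diff is what tells an investigator where the change was made.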

Hex editors are popular with computer gamers who use the comparison capabilities of the software to locate where in a program certain values reside. For example, if the amount of "gold credits" that you possess increases your character's strength, then changing that value increases your competitive advantage in the game. The same principle applies when looking for subtle changes in a regular program or large data file. Very often small alterations constitute the basis of a computer crime.

Whether looking for differences or seeking trace data on a hard drive, a hex editor is an inexpensive tool that should be in every computer crime investigator's toolbox; in many cases it is free. By using a search engine with the phrase "hex editor," an investigator can find many freeware or shareware versions.


Some definitions

http://www.syngress.com/book_catalog/95_hack/chapter_one.htm


Steganography - Electronic Spycraft

From http://securityportal.com/cover/coverstory19991018.html


In the physical world, steganography (literally "covered writing") involves invisible inks or messages in hidden places. Herodotus, the ancient Greek historian, relates how a messenger had his head shaved and then had a secret message written on his scalp. Once his hair had grown back, he traveled to the targeted destination, where his head was shaved again to reveal the message. In the virtual world, the digital process inserts messages into graphic, sound, and even text files. By using apparently harmless GIF, BMP, JPEG, or WAV files, steganography creates a formidable security threat through the hiding of pornography or the disguising of corporate espionage.

How does steganography work? Think of a graphic image as a host (the "container") composed of pixels (picture elements). Each pixel's color depends upon a numerical value ranging from 0 to 255. An 8-bit base-two number represents that value to the computer; for example, the byte 00000000 equals "0." The rightmost bit is the least significant bit (LSB); the seven bits to its left contain enough information to establish the correct pixel color, so swapping out the LSB's value has no effect on the pixel's appearance to the eye. A steganographic program therefore inserts the message's bits into the LSB of each byte of the graphic image. Just visualize substituting one brown egg for a white egg in a white egg carton. At a distance a group of "substituted" white egg cartons will still have an overall white appearance. The same diluting principle works for sound and text files.

According to Neil F. Johnson's article, "Steganography," a 640 X 480 image that utilizes 256 colors could hold a nearly 300 KB message or image. With a 24-bit 1024 X 768 image, three bytes determine each pixel's value, so each pixel contains three bits of the message, resulting in a 2 MB file. Steganographic images have large capacities in which to hide contraband images or illicit data.

Hiding pornography is a leading use of steganography. In a May 26, 1997 U.S. News and World Report, the U.S. Customs Service indicated that child pornographers were employing steganographic techniques to mask their illegal traffic. Legal adult erotic web sites also encourage access to steganography. The site www.stego.com distributes open source code for steganography and has links to the sponsor's adult entertainment site and to the Steganos proprietary steganographic site.

Steganos Security Suite offers double protection: steganographic and cryptographic protocols. A user first encodes a message or image with strong crypto and then hides it in a container. Even if the steganographic layer gets compromised, the crypto layer of protection remains.

The technology has legitimate uses; for example, proprietary graphics or images can receive a digital watermark to establish ownership and to deter "image piracy" on the web. Yet, beyond assisting pornography, steganography allows industrial spies to hide information thefts. Neil F. Johnson suggests that a spy working within a company could bring in a favorite art or music selection and "mix" in a highly sensitive file containing proprietary data. The spy would then have the options of e-mailing this "container" or taking it out on a diskette. Or, more cleverly, the spy places the graphic on the company's web site. Constituting a covert channel, the graphic serves as a "spy drop" that is downloadable at will and difficult to detect on complex web sites. For the spy, however, any of the options pose little risk given conventional security measures.

Security managers have several remedies to combat the abuses of steganography:

1. If a company can ban cameras and video equipment without a permit, the same goes for steganographic programs. No employee should be allowed to use these programs on company property without a specific permit.

2. Graphic, image, or sound files posted to the company's web site or sent as e-mail attachments (from sensitive areas) need to be filled with trusted digital watermarks first. The watermarks will overwrite any previous messages.

3. Firewalls need filters to limit the importation of pornography into the company. Employees who generate an unusual amount of non-business related e-mail with frequent graphic attachments need scrutiny. Those that send an inordinate amount of 24-bit images also require close examination.

4. Prohibit the introduction of "outside" graphic, image, or sound files onto PCs that handle highly sensitive data.
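The LSB mechanism explained earlier (one message bit per pixel byte) and remedy 2 above (overwriting LSBs with a trusted watermark) together, as one added Python example that is not part of the original article. The cover "image" is a constructed 16x16 grayscale gradient held in a bytearray rather than a real GIF or BMP, the watermark pattern is an arbitrary constructed value, and all function names are my own. It embeds a short message, extracts it, measures how little the pixel values moved, and then shows that writing a watermark into every LSB leaves the original message unrecoverable.

```python
# Added example (not from the original article): LSB embedding and extraction
# on a constructed grayscale "image", plus the defender's remedy of
# overwriting every LSB so that anything previously hidden there is destroyed.
from typing import Iterable


def capacity_bytes(pixel_count: int, bytes_per_pixel: int = 1) -> int:
    """One message bit per sample byte, so capacity in bytes = samples / 8."""
    return pixel_count * bytes_per_pixel // 8


def _bits(payload: bytes) -> Iterable[int]:
    """Yield the payload's bits, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels: bytes, payload: bytes) -> bytearray:
    """Replace the LSB of successive pixels with the payload's bits.
    The top seven bits of every pixel, which carry the visible colour, are untouched."""
    if len(payload) > capacity_bytes(len(pixels)):
        raise ValueError("payload does not fit in this cover")
    out = bytearray(pixels)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit
    return out


def lsb_extract(pixels: bytes, length: int) -> bytes:
    """Reassemble `length` bytes from the LSBs of the first length*8 pixels."""
    result = bytearray()
    for i in range(length):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i * 8 + j] & 1)
        result.append(byte)
    return bytes(result)


def max_pixel_change(a: bytes, b: bytes) -> int:
    """Largest per-pixel difference between two images; LSB edits never exceed 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def overwrite_lsbs(pixels: bytes, watermark: bytes) -> bytearray:
    """Remedy 2 from the article: write a trusted watermark pattern into every
    LSB (repeating it to cover the whole image), which overwrites any prior message."""
    out = bytearray(pixels)
    for i in range(len(out)):
        bit = (watermark[(i // 8) % len(watermark)] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit
    return out


# Constructed cover: a 16x16 grayscale gradient, 256 pixels -> 32 bytes capacity.
COVER = bytes((x * 8 + y) % 256 for y in range(16) for x in range(16))
# Constructed message and watermark values used for the demonstration.
SECRET = b"meet at noon"
WATERMARK = b"WM"

if __name__ == "__main__":
    stego = lsb_embed(COVER, SECRET)
    print(lsb_extract(stego, len(SECRET)))  # the hidden message comes back intact
    print(max_pixel_change(COVER, stego))  # 1: no pixel moved by more than one level
    scrubbed = overwrite_lsbs(stego, WATERMARK)
    print(lsb_extract(scrubbed, len(SECRET)))  # only the watermark pattern remains
```

The `max_pixel_change` result is the whole reason LSB hiding works and the reason it is hard to spot by eye: the stego image differs from the cover by at most one brightness level per pixel, so only a byte-level comparison against the original, as in the hex-editor article above, or a statistical test on the LSB plane will reveal it. `overwrite_lsbs` shows why the article's watermarking remedy is effective: it does not need to detect a hidden message at all, it simply replaces every bit a message could occupy.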

Ronald L. Mendell is a Certified Internet Security Specialist. Living in Austin, Texas, he works as a writer and researcher specializing in security and investigative issues. His most recent book, Investigating Computer Crime: A Primer for Security Managers, was published by Charles C. Thomas in 1998.
