Analysis of Steganographic on Digital Evidence using General Computer Forensic Investigation Model Framework

Steganography is one of the anti-forensic techniques used by criminals to hide information inside other messages; it can cause problems in the investigation process and make it difficult to obtain the original information as evidence of a digital crime. Digital forensic analysts are required to have the ability to find and extract messages that have been inserted, using proper tools. The purpose of this research is to analyze digital evidence hidden using steganography techniques. This research uses the static forensics method by applying the five stages of the Generic Computer Forensic Investigation Model (GCFIM) framework, namely pre-process, acquisition & preservation, analysis, presentation, and post-process, and extracts the files that have been infiltrated, based on case scenarios involving digital crime. The tools used are FTK Imager, Autopsy, WinHex, Hiderman, and StegSpy. The results of the steganographic file insertion experiment on 20 files indicate that StegSpy and Hiderman are effective for the steganographic analysis of digital evidence. StegSpy can detect the presence of secret messages with an 85% success rate. The extraction process using Hiderman for the 18 files containing steganographic messages was 100% successful.

Keywords: Steganography; anti-forensics; general computer forensic investigation model; Hiderman


I. INTRODUCTION
Various kinds of crimes and criminal acts currently involve information and communication technology [1] [2]. The widespread use of computers and other digital devices without security can lead various parties into crime [3]. Perpetrators of crimes can be subject to punishment based on the evidence [4]. Digital criminals usually use anti-forensic techniques, which makes it difficult to find digital evidence [5]. One of the anti-forensic techniques is steganography [6]. Steganography is an interesting science to study and research today [7]. Confidentiality, security, and integrity of the information to be conveyed are the main factors in steganography [8] [9]. This technique allows the perpetrator to hide information by inserting it into other messages in the form of digital media such as text, images, audio or video without arousing suspicion [10] [11]. Computer crimes related to the misuse of steganographic techniques have been reported in the mass media, including a report from Trend Micro in November 2017 with the title "REDBALDKNIGHT's Daserf Backdoor Now Using Steganography". It reported that the Bronze Butler or Tick malware was spread by its creator using a steganography technique, inserting it into an image with the jpg extension in order to spy on Japanese, South Korean, Russian, Singaporean and Chinese companies. Kompas.com reported on December 9th, 2017, under the title "16 Years of 9/11 Attack: WTC Collapsed not because of a Plane Collision?", that at that time terrorists hid their terror activities in various digital media such as images, audio, and video: maps and photos of targets, as well as orders for terrorist activity, were placed in sports chat rooms, pornographic bulletin boards, and other websites.
The cases reported by the mass media of crimes using steganography techniques on electronic storage media present a challenge that investigators and law enforcers must resolve in order to reveal the mode, objective, and perpetrators of the crimes related to the evidence obtained. Therefore, the process of steganography detection is very important for digital forensic investigators [12].
Digital forensics is an applied science for identifying, extracting, analyzing, and presenting evidence that has been stored on digital devices [13] [14], or for helping to prevent illegal acts during operational activities [15]; it uses generally accepted methods so that the evidence is acceptable in court [16]. Forensic techniques and forensic analysis based on correct methods will have almost 100% success in collecting forensic data [17]. Digital forensic investigations on computers or similar devices can be carried out using live forensics or static forensics methods [18]. In this study, static forensics is used. Static forensics is an investigation carried out while the computer is turned off, because data can change when the computer is turned on [19]. The forensic process can follow one of several standard frameworks recognized internationally, including the National Institute of Justice (NIJ), Digital Forensics Research Workshop (DFRWS), Integrated Digital Forensics Investigation Framework (IDFIF), Generic Computer Forensic Investigation Model (GCFIM), Systematic Digital Forensic Investigation Model (SRDFIM) or other forensic process frameworks [20].
Evidence is classified into two forms, namely electronic evidence and digital evidence [21]. Electronic evidence is physical evidence that can be recognized visually, so investigators and forensic analysts need to understand the evidence when they are searching for it at a crime scene. Digital evidence, on the other hand, is very vulnerable to changes in the data, so extra careful handling is needed to keep digital evidence intact [22].
To make it easier for investigators to collect data related to the cases being investigated, forensic software is needed [23]. Forensic software is usually multi-purpose, able to perform multiple tasks within a specific application. Computer forensic software complements the hardware available to law enforcement for obtaining and analyzing digital evidence gathered from suspect devices.
Research on a similar topic has been conducted by [24], covering the investigation process and the finding of digital evidence in steganographic files. The steganographic analysis process uses the software WinHex, InvisibleSecrets, and FTK Imager. The research stages are carried out systematically, namely literature review, observation & data collection, case scenario, system preparation, case investigation & analysis, and report & documentation.
A study with a similar theme was also carried out under the title Steganographic Engineering Analysis and Steganalysis on Multimedia Files Using the Net Tools and Hex Editor [25]. That research uses the WinHex application to analyze messages hidden in a container image using Net Tools. The method used was experimental, namely problem identification, literature study, testing, and analysis.
In another reference [26], steganographic file analysis was carried out by applying the Computer Forensic Investigative Process method, which is divided into four stages, namely Acquisition, Identification, Evaluation, and Admission.
Further research was carried out by [27]. That research discusses the importance of computer forensic examiners knowing the types of steganography tools that may have been applied on the victim's computer. The tools used are S-Tools and OpenStego.
Based on the background described, the objective of this digital forensics research is to find and analyze evidence in the form of files in text, audio, image, and video formats hidden by criminals using steganography techniques. The static forensics method and the GCFIM framework are implemented in order to retrieve data from digital evidence, so that the data obtained can be used as legal evidence in court.

A. Case Scenario
Digital evidence in this research is obtained from the results of the case scenario shown in Fig. 1.

B. Research Stages
The research was carried out in accordance with the work steps in the GCFIM framework, to which one initial stage was added, namely implementation and case scenario. GCFIM describes the stages of the research so that the research steps are known systematically, and it can be used as an investigative model for any digital investigation, as shown in Fig. 2.
GCFIM has a back-and-forth flow: investigators may return to a previous stage because of situations that can change, such as the crime scene (both physical and digital), the investigation tools used, the crime tools used, and the investigator's level of expertise. The stages in the GCFIM framework are described as follows:
• Pre-Process. This stage is also called the preparation stage. The investigator does related work before carrying out an investigation, such as preparing letters and official documents from the legal authorities, and preparing tools.
• Acquisition & Preservation. At this stage, all relevant data are retrieved, stored, and prepared.
• Analysis. This stage is the main process in a computer forensic investigation: the data that have been obtained are analyzed to identify the source of the crime and the motive for the crime, and ultimately to find the person responsible for the crime.
• Presentation. This stage presents the results that have been obtained to the competent authorities. This is important considering that the results of the analysis must not only be presented, but must also be supported by adequate and acceptable evidence. The results of this stage prove and/or refute the alleged criminal act.
• Post-Process. Digital and physical evidence must be returned to the rightful owner and stored in a safe place. The investigator reviews the investigation process that has been carried out so that it can be used to improve future investigations.

A. Implementation Results and Case Scenario
The case scenario is implemented using the Hiderman application. The hide-files function inserts steganographic messages into several file formats such as documents, videos, images, and audio, which are then stored on flash disk storage media. In this research, the inserted file is stego text. The processing time to hide files depends on the size of the inserted file: the larger the file, the longer the insertion process takes. Fig. 3 shows the process of hiding files. The next step after selecting the container file is to select the files to be hidden, using the Choose the Files You Want to Hide menu as in Fig. 4.
The process in Fig. 4 selects the secret file that will be inserted into the container file. In this process, the ratio of the message to be hidden to the container can be checked. A good ratio when hiding messages is 1 to 10: the hidden file must be 10 times smaller than the container file. After a file with the right ratio is obtained, the next step is to select the Hide File(s) menu.

B. Pre-process Results
At this stage, the things that must be prepared by the investigator can be seen in Table I.

C. Acquisition and Preservation Results
This stage starts with the identification of evidence at the scene of the crime and continues with the acquisition process and the preservation of the originality of the evidence. The aim is to secure the evidence from changes in physical form or changes in data by storing it in a safe place. The data acquisition process on the physical evidence (flash disk) is carried out using the FTK Imager tool. The Create Disk Image option is chosen and the Physical Drive option is selected for a full acquisition. The source drive selected is the one named "Kingston Data Traveler 2.0". The destination storage drive is then chosen, and the image type is set to the Raw (dd) format. Fig. 5 and 6 show the process of creating an image of the evidence.
The acquisition produces two hash values, namely Message-Digest Algorithm 5 (MD5) and Secure Hash Algorithm 1 (SHA1), which are used to verify the authenticity of the duplicated image files. The hash value obtained by the recipient is then compared with the hash value sent by the sender of the message to check the consistency and authenticity of the message. Fig. 7 shows the log and the acquisition hash values for the flash disk evidence obtained using the FTK Imager tool. Based on Fig. 6, the MD5 hash value recorded for the image file is "1Hw91XA9c1CuLKp9PhAt1ujZ963ZsagEBf", while the SHA1 hash value is "ca0751fde2f308d7a0823945980d3d2a4ad3853e". Furthermore, the preservation stage is carried out to prove that the integrity of the acquired image file is identical to that of the original evidence.

D. Preservation Results
At this stage, the MD5 and SHA1 hash values of the original evidence are matched against the hash values of the evidence file produced by the acquisition or imaging. Checking the hash value of the original evidence is done using the WinHex tool. The MD5 and SHA1 hash values of the original evidence can be seen in Fig. 8.
After obtaining the hash value of the original evidence, the next step is to match the hash value of the imaged evidence against the hash value of the original evidence, as shown in Table II. The hash values of the acquired/imaged evidence are the same as those of the original evidence. Therefore, it can be concluded that the cloned evidence file is identical to the original evidence.
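The preservation check described above can be automated so that both digests are recomputed over the image and the original and compared with what the acquisition log recorded. The following Python script is an added example and is not code from the paper or from FTK Imager or WinHex; the evidence bytes are constructed, and the "MD5 checksum:" / "SHA1 checksum:" log layout is an assumed format for the example, not a guaranteed FTK Imager layout.

```python
import hashlib
import os
import tempfile

# Constructed sample bytes standing in for the content of the flash disk; not real evidence.
SAMPLE_EVIDENCE = b"\x00" * 512 + b"constructed flash-disk contents for demonstration" + b"\xff" * 512


def compute_hashes(path, chunk_size=1 << 20):
    """Return (md5_hex, sha1_hex) of the file at path, streamed so a large image needs little memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def parse_hash_log(log_text):
    """Pull MD5/SHA1 digests out of a text log.
    The 'MD5 checksum:' / 'SHA1 checksum:' labels are an assumed format for this example."""
    found = {}
    for line in log_text.splitlines():
        label, sep, value = line.partition(":")
        if not sep:
            continue
        key = label.strip().upper()
        if key.startswith("MD5"):
            found["md5"] = value.strip().lower()
        elif key.startswith("SHA1"):
            found["sha1"] = value.strip().lower()
    return found


def verify_image(image_path, original_path, log_text=None):
    """Recompute both digests for the image and the original evidence and report which ones match.
    If an acquisition log is given, the image is also checked against the digests recorded there.
    Two independent digests are compared so that a mismatch in either one flags the copy."""
    img_md5, img_sha1 = compute_hashes(image_path)
    orig_md5, orig_sha1 = compute_hashes(original_path)
    result = {
        "md5_match": img_md5 == orig_md5,
        "sha1_match": img_sha1 == orig_sha1,
    }
    if log_text is not None:
        logged = parse_hash_log(log_text)
        result["log_match"] = logged.get("md5") == img_md5 and logged.get("sha1") == img_sha1
    result["identical"] = all(result.values())
    return result


def write_temp(data):
    """Write bytes to a temporary file and return its path (helper for the demo)."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    original = write_temp(SAMPLE_EVIDENCE)
    image = write_temp(SAMPLE_EVIDENCE)                     # faithful bit-for-bit copy
    tampered = write_temp(SAMPLE_EVIDENCE[:-1] + b"\x00")  # one byte changed after acquisition
    md5, sha1 = compute_hashes(original)
    log = f"MD5 checksum: {md5}\nSHA1 checksum: {sha1}\n"   # constructed log in the assumed format
    print("faithful image:", verify_image(image, original, log))
    print("tampered image:", verify_image(tampered, original, log))
```

Because the digests are recomputed from the files rather than copied from the tool's report, the check also catches a transcription error in the recorded hash, which the table comparison alone would not.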

E. Results of Analysis
The analysis stage is divided into three stages, namely the identification stage, the steganalysis stage, and the extraction stage.

1) Identification stage:
In this stage, the image file produced by the acquisition & preservation process is analyzed. The initial analysis uses the Autopsy tool. Autopsy has several advantages for content analysis and identification, data recovery, and metadata analysis. The process of creating a case in the Autopsy tool, shown in Fig. 9, is the initial step of the image analysis phase. Autopsy identifies all the details of the data contained in the evidence storage (flash disk), which has been neatly arranged and has become a data source in Autopsy. It is divided into several components, including file types, deleted files, and file size. The files suspected of having confidential content are those in the audio, document, image, and video folders, and one file in .txt format, as shown in Fig. 10.
Next, the file extraction process is carried out on the suspected folders based on Fig. 10. The extraction aims to obtain the files so that the suspected file contents can be re-analyzed. The file extraction process can be seen in Fig. 11.
The file extraction process exports the files from the image based on the suspected folders. The files obtained after extraction consist of 4 folders and 1 file in .txt format, as listed in Fig. 11.

2) Steganalysis stage:
The steganalysis process is carried out on the files extracted in the initial analysis to identify the files into which secret messages have been inserted. This second stage of the analysis process, shown in Fig. 12, applies the StegSpy tool to each extracted file.
The results of the analysis of the existence of secret files are shown in Table III. Based on the test results on 21 files, 18 files were identified as containing steganographic messages. As Table III shows, StegSpy successfully detected 18 steganographic files inserted in various file formats and provided information about the detected marker values, while three files were not detected.
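StegSpy works by recognizing markers that steganography tools leave in a carrier. The following Python script is an added example of the same idea, and not the paper's code nor StegSpy's logic: it identifies a file's container type from its magic bytes (as the Autopsy step above classifies file types) and then flags any data appended after the container's logical end marker, which is one of the simplest markers a detection tool can look for. The carrier bytes are constructed for the example, only JPEG and PNG are recognized, and the end-marker search is a heuristic, as the comments note.

```python
import math

# Container signatures: magic header, end-of-data marker, and how many bytes legitimately
# follow the marker inside a valid file. Constructed for this example; two formats only.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),  # the IEND chunk type is followed by a 4-byte CRC
}


def identify(data):
    """Classify a file by its magic bytes; anything else is reported as unknown."""
    for name, (magic, _, _) in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def trailing_data(data):
    """Return the bytes that follow the container's logical end, or None if the type or
    end marker is unknown. Heuristic: the first end marker is used, so a JPEG carrying an
    EXIF thumbnail (which also ends with FF D9) would be flagged; a production tool walks
    the segment structure instead of searching for the marker."""
    kind = identify(data)
    if kind == "unknown":
        return None
    magic, end_marker, tail = SIGNATURES[kind]
    pos = data.find(end_marker, len(magic))
    if pos < 0:
        return None
    return data[pos + len(end_marker) + tail:]


def entropy(buf):
    """Shannon entropy in bits per byte: plain text sits well below 8, encrypted data near it."""
    if not buf:
        return 0.0
    counts = {}
    for b in buf:
        counts[b] = counts.get(b, 0) + 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(files):
    """Run the check over a mapping of file name -> bytes and return one report entry per file."""
    report = []
    for name, data in files.items():
        tail = trailing_data(data)
        entry = {
            "file": name,
            "type": identify(data),
            "trailing_bytes": None if tail is None else len(tail),
            "suspicious": bool(tail),
        }
        if tail:
            entry["tail_entropy"] = round(entropy(tail), 2)
        report.append(entry)
    return report


# Constructed minimal carriers (not real evidence files).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + b"\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + b"constructed hidden note: delivery schedule"   # plaintext appended
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
STEGO_PNG = CLEAN_PNG + bytes(range(256))                                # high-entropy appended data
TEXT_FILE = b"constructed key file\n"                                   # no container structure

SAMPLES = {
    "clean.jpg": CLEAN_JPEG,
    "stego.jpg": STEGO_JPEG,
    "clean.png": CLEAN_PNG,
    "stego.png": STEGO_PNG,
    "info1.txt": TEXT_FILE,
}

if __name__ == "__main__":
    for entry in scan(SAMPLES):
        print(entry)
```

A file reported as unknown is not cleared; it simply falls outside what this check can examine, which mirrors the three files StegSpy left undetected in Table III. The entropy of the appended bytes is only a hint about whether the payload was encrypted before insertion.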

3) Extraction stage:
The extraction stage is the analysis process carried out to reveal the steganographic messages whose presence was detected in the steganalysis process. Among the extraction results of the previous stage, observation shows a file named info1.txt whose contents are shown in Fig. 13.
Based on Fig. 12, the file named info1 in .txt format is suspected to be the key used to open the secret message contained in the detected files. At this stage, analysis is therefore carried out using the Hiderman forensic tool to decrypt the steganography file using the "trial" key. The process of decrypting the steganography files can be seen in Fig. 14.
After selecting a file that has been infiltrated with steganographic messages, the next step, shown in Fig. 15, is to select the Extract Data menu and determine where the extracted file is to be stored.
After the key has been entered, the hidden secret files are recovered automatically. The secret file obtained is a .txt text message, as shown in Fig. 16. The final step in the extraction process is to enter the key or password found in the contents of the info1 file, as shown in Fig. 17. Information regarding the confidential files that have been found is shown in Table IV.

F. Presentation Results
After the analysis of the digital evidence was carried out using StegSpy and Hiderman, the digital evidence obtained from the flash disk image file is as listed in Table V. Through the process of detecting and extracting the digital evidence, secret messages regarding delivery schedules were found.

IV. CONCLUSION
The analysis process using the static forensics method with the Generic Computer Forensic Investigation Model framework was successfully implemented. The secret messages inserted using the steganography technique were found in the form of stego text. The success rate of the StegSpy forensic tool in the detection process on the digital evidence was on average 85% of the steganographic files detected and 15% of the files unknown. The accuracy of the Hiderman tool, based on the digital evidence successfully extracted, is 100%.