Title
OleDetection
Abstract
New and improved data hiding techniques pose a problem for forensic analysts investigating computer crime. Computer criminals are able to hide information using stego-channels available in commonly used document formats, thereby hindering an investigator from acquiring possibly important evidence. In this paper, we focus on detecting the use of stego-channels in the unused or dead space regions in the Object Linking and Embedding 2 (OLE2) specification used primarily by Microsoft Office. The OleDetection algorithm [19] presented in this paper detects the use of these stego-channels with a three-step process: the detection of dead regions in a document; the extraction of binary data and the generation of appropriate statistics using kurtosis and byte-frequency distribution; and the comparison of the calculated statistics with threshold values, which determines whether or not the document contains hidden data. This algorithm extends the work done by the StegOle algorithm [3]. Our experimental results show that the OleDetection algorithm can correctly identify 99.97 percent of documents with previous stego-channel techniques, with a false positive rate of only 0.65 percent. In addition, we present an anti-forensic technique wherein OLE2 documents can be modified to hide data with greater detection avoidance characteristics [19], thus reducing the accuracy of the current OleDetection implementation.
Year: 2009
DOI: 10.1109/SADFE.2009.18
Venue: International Workshop on Systematic Approaches to Digital Forensic Engineering SADFE
Keywords: Forensics, Anti-Forensics, steganography, Covert Channels, OLE2
DocType: Conference
Citations: 0
PageRank: 0.34
References: 0
Authors: 3
Name | Order | Citations | PageRank
Robert F. Erbacher | 1 | 202 | 27.65
Jason Daniels | 2 | 0 | 0.34
Steena Dominica Steven Monteiro | 3 | 3 | 0.81