Simple Anti-Forensic and Signature stamping techniques using Unicode

June 7th, 2009  |  Published in Documents, Forensics by Alfredo Panzera

The acceptance of Unicode characters (Persian, Cyrillic, Arabic and so on) in file names and domain names has provided both a simple means of fingerprinting intellectual property (signature stamping) and a very simple steganographic data-hiding technique.

The following is an extract from the Cyrillic Unicode character set [1].

Unicode #    Character

0410         А         CYRILLIC CAPITAL LETTER A

0430         а         CYRILLIC SMALL LETTER A

0412         В         CYRILLIC CAPITAL LETTER VE

0415         Е         CYRILLIC CAPITAL LETTER IE

0435         е         CYRILLIC SMALL LETTER IE

041C         М        CYRILLIC CAPITAL LETTER EM

041E         О         CYRILLIC CAPITAL LETTER O

043E         о         CYRILLIC SMALL LETTER O

0420         Р         CYRILLIC CAPITAL LETTER ER

0440         р         CYRILLIC SMALL LETTER ER

0422         Т         CYRILLIC CAPITAL LETTER TE

0443         у         CYRILLIC SMALL LETTER U

0405         Ѕ         CYRILLIC CAPITAL LETTER DZE (this is the Old Cyrillic zelo – Macedonian)

0455         ѕ         CYRILLIC SMALL LETTER DZE

The Basic Latin block contains letters whose glyphs are visually identical to these; the difference is the code point, not the rendered character. An attacker can exploit this to mount a phishing attack with a look-alike domain name, now that the registration of internationalised (Unicode) domain names is permitted. For instance, the following two domains are distinctly different, but appear the same:

Microsoft.com

\x004D\x0069\x0063\x0072\x006F\x0073\x006F\x0066\x0074\x002E\x0063\x006F\x006D

and

Мiсrоѕоft.com

\x041C\x0069\x0441\x0072\x043E\x0455\x043E\x0066\x0074\x002E\x0063\x006F\x006D

Unicode (mixed-script) spelling:

Unicode #    Character

041C         М         CYRILLIC CAPITAL LETTER EM
0069         i         LATIN SMALL LETTER I
0441         с         CYRILLIC SMALL LETTER ES
0072         r         LATIN SMALL LETTER R
043E         о         CYRILLIC SMALL LETTER O
0455         ѕ         CYRILLIC SMALL LETTER DZE
043E         о         CYRILLIC SMALL LETTER O
0066         f         LATIN SMALL LETTER F
0074         t         LATIN SMALL LETTER T
002E         .         FULL STOP
0063         c         LATIN SMALL LETTER C
006F         o         LATIN SMALL LETTER O
006D         m         LATIN SMALL LETTER M

Latin spelling:

Unicode #    Character

004D         M         LATIN CAPITAL LETTER M
0069         i         LATIN SMALL LETTER I
0063         c         LATIN SMALL LETTER C
0072         r         LATIN SMALL LETTER R
006F         o         LATIN SMALL LETTER O
0073         s         LATIN SMALL LETTER S
006F         o         LATIN SMALL LETTER O
0066         f         LATIN SMALL LETTER F
0074         t         LATIN SMALL LETTER T
002E         .         FULL STOP
0063         c         LATIN SMALL LETTER C
006F         o         LATIN SMALL LETTER O
006D         m         LATIN SMALL LETTER M

At the same time there are positive uses for this type of technique. A Word document can be stamped with a seemingly harmless string built from such characters. If the document is ever published on the web, it can be located with a search engine such as Google, and the same string can be added to a standard forensic string search: find the string and you have found your document.

Think of file names as well. Windows allows names to be created using Unicode characters. Hence, if you are looking for a file called "cat.txt", a simple string search will miss a "cat.txt" defined using the following code points, in which the first two letters are Cyrillic ES and A rather than Latin c and a: (\x0441\x0430\x0074\x002E\x0074\x0078\x0074). A site that does online Unicode conversion and display is linked in the reference below [1].

An issue with trying to uncover all versions and possible combinations is that the search space is combinatorially infeasible: every character that has a look-alike multiplies the number of possible spellings, so the count grows exponentially with the length of the string. There are more ways to hide data than there are to create simple string searches. This means that we as forensic professionals need to use our greatest tool, our brain. Things are not always as they seem.
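The following is an added example, not code from the original article, that does the check a forensic examiner would want for both the look-alike domain and the look-alike file name above: it reports which scripts a string mixes, lists its code points in the \xHHHH style used here, and reduces every look-alike to a Latin "skeleton" so that a search finds spellings a plain string match misses. The CONFUSABLES table is a small constructed subset built from this page's own Cyrillic/Latin pairs; the real Unicode confusables table is far larger, and the strings MIXED_DOMAIN and MIXED_FILE are the two examples from the text spelled out by code point.

```python
# Added example (not Craig Wright's code): detect mixed-script look-alike
# spellings such as the domain and file name above, and search for them in a
# way a plain string search cannot. CONFUSABLES is a small constructed subset
# built from the page's Cyrillic/Latin pairs; the real Unicode confusables
# table is far larger.
import unicodedata

# Cyrillic code points that render like Basic Latin letters (the pairs listed
# above, plus U+0441 ES from the domain example). Constructed subset only.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a",   # A / a
    "\u0412": "B",                  # VE
    "\u0415": "E", "\u0435": "e",   # IE / ie
    "\u041C": "M",                  # EM
    "\u041E": "O", "\u043E": "o",   # O / o
    "\u0420": "P", "\u0440": "p",   # ER / er
    "\u0422": "T",                  # TE
    "\u0443": "y",                  # U
    "\u0405": "S", "\u0455": "s",   # DZE / dze
    "\u0441": "c",                  # ES
}

# Scripts named explicitly; everything else (digits, punctuation such as
# FULL STOP) is treated as COMMON and may mix with any script.
KNOWN_SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARABIC", "HEBREW", "ARMENIAN")

# The two look-alike strings from the text, spelled out by code point.
MIXED_DOMAIN = "\u041Ci\u0441r\u043E\u0455\u043Eft.com"   # renders as Microsoft.com
MIXED_FILE = "\u0441\u0430t.txt"                        # renders as cat.txt


def script_of(ch):
    """Script of one character, taken from the first word of its Unicode name."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in KNOWN_SCRIPTS else "COMMON"


def scripts_in(s):
    """Set of non-COMMON scripts used in s."""
    return {script_of(ch) for ch in s} - {"COMMON"}


def is_mixed_script(s):
    """True when s mixes two or more scripts in one label, which is how both
    look-alike strings on this page are built. A purely Cyrillic string is
    not flagged, so this check alone is not sufficient; see skeleton()."""
    return len(scripts_in(s)) > 1


def skeleton(s):
    """Replace each confusable code point by its Latin look-alike, so that
    strings that render the same compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def code_points(s):
    """Listing in the \\xHHHH style used above, one entry per code point."""
    return "".join("\\x%04X" % ord(ch) for ch in s)


def find_lookalikes(needle, candidates):
    """Candidates that a plain string search for needle misses but that
    render identically to it (the cat.txt case)."""
    target = skeleton(needle)
    return [c for c in candidates if c != needle and skeleton(c) == target]


if __name__ == "__main__":
    for s in ("Microsoft.com", MIXED_DOMAIN, "cat.txt", MIXED_FILE):
        print(code_points(s), "mixed-script:", is_mixed_script(s),
              "skeleton:", skeleton(s))
    names = ["cat.txt", MIXED_FILE, "dog.txt"]
    print("plain search hits:", [n for n in names if "cat.txt" in n])
    print("skeleton search hits:", find_lookalikes("cat.txt", names))
```

The mixed-script test catches both examples on this page but not a name written entirely in one non-Latin script, which is why the skeleton comparison is the one to put into a forensic search: run it over the file names in the image and every spelling that renders as cat.txt collapses to the same key.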

[1]     Unicode Character Table: Cyrillic

http://jrgraphix.net/research/unicode_blocks.php?block=8

Author: Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous post graduate degrees including an LLM specializing in international commercial law and ecommerce law, as well as working on his 4th IT-focused Masters degree (Masters in System Development) from Charles Sturt University, where he is helping to launch a Masters degree in digital forensics. He starts his second doctorate, a PhD on the quantification of information system risk, at CSU in April this year.

Microsoft IIS6 bug exposes sensitive files sans password

June 7th, 2009  |  Published in News, Security by Alfredo Panzera

Security experts are urging administrators using Microsoft’s Internet Information Services version 6 to exercise extreme care following the discovery that the popular web server is vulnerable to a simple attack that exposes password-protected files and folders.

The vulnerability resides in the part of IIS6 that processes commands based on the WebDAV protocol. By adding several unicode characters to a web address, attackers can access sensitive files that are supposed to be available only with a system password. What’s more, the flaw can also be used to upload malicious files to protected parts of the server, according to Nikolaos Rangos, a security researcher who published his findings on Friday.

“The web server fails to properly handle unicode tokens when parsing the URI and sending back data,” his advisory warns. It goes on to show how several GET requests can give outsiders easy access to vulnerable systems.
The US Computer Emergency Readiness Team is already seeing “active exploitation” of the bug. The group is advising that WebDAV be temporarily disabled until things can be sorted out. The vulnerabilities are present in version 6 of IIS only, and WebDAV is not enabled by default.

Members of Microsoft’s security team are looking into the report, a spokesman said Monday morning. “We’re currently unaware of any attacks trying to use the claimed vulnerability or of customer impact,” he wrote in an email.

According to the advisory, the following four lines are all that's needed to access a theoretical password-protected file called protected.zip in a restricted folder called protected:

GET /..%c0%af/protected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername

The sequence "%c0%af" is an overlong UTF-8 encoding of "/" (a slash), which a conforming decoder must reject but which IIS6 accepts and decodes. The "Translate: f" header hands the request to the WebDAV component, and together the remaining headers prompt IIS6 to interpret the string as a valid file path. The web server dutifully responds by sending the attacker the file without first asking for authentication.

The attack can also be used to list, access, or upload files in a password-protected WebDAV folder, according to Rangos’s advisory. Secunia rates the bug “moderately critical,” the third-highest rating on its five-tier severity scale.

The report is oddly reminiscent of a directory traversal bug that plagued IIS in 2001. It happened because the subroutines in IIS 4 and 5 that checked the security of user-supplied input ran before the input was converted from Unicode to ASCII. That enabled data disclosure and denial-of-service attacks.  (TheRegister)
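As an added example that is not part of the advisory or The Register piece, the code below decodes a request path the way a lenient UTF-8 decoder does, shows that %c0%af is an overlong encoding of "/" that Python's own strict decoder refuses, and flags such requests in web-server log lines. The log lines are constructed for this example, in W3C extended format, and assume the raw, still-encoded URI stem was logged; the client addresses are documentation ranges.

```python
# Added example (not from the advisory or The Register piece): decode a
# request path the way a lenient UTF-8 decoder does, show that %c0%af is an
# overlong encoding of '/', and flag such requests in web-server log lines.
# The log lines are constructed, in W3C extended format, and assume the raw,
# still-encoded URI stem was logged.
from urllib.parse import unquote_to_bytes


def _sequences(data):
    """Yield (code_point, overlong) for each UTF-8 sequence in data; invalid
    bytes yield (0xFFFD, False). Overlong forms are decoded, not rejected,
    which is the behaviour the bypass depends on."""
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            yield b, False
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:
            n, cp, minimum = 1, b & 0x1F, 0x80
        elif 0xE0 <= b <= 0xEF:
            n, cp, minimum = 2, b & 0x0F, 0x800
        elif 0xF0 <= b <= 0xF7:
            n, cp, minimum = 3, b & 0x07, 0x10000
        else:
            yield 0xFFFD, False
            i += 1
            continue
        cont = data[i + 1:i + 1 + n]
        if len(cont) != n or any(c & 0xC0 != 0x80 for c in cont):
            yield 0xFFFD, False
            i += 1
            continue
        for c in cont:
            cp = (cp << 6) | (c & 0x3F)
        # a value that fits in fewer bytes is overlong: C0 AF decodes to U+002F
        yield cp, cp < minimum
        i += 1 + n


def decode_lenient_utf8(data):
    """Decode accepting overlong forms (a strict decoder raises instead)."""
    return "".join(chr(cp) for cp, _ in _sequences(data))


def has_overlong_utf8(data):
    return any(over for _, over in _sequences(data))


def strict_rejects(data):
    """Python's default decoder, like any conforming one, refuses C0 AF."""
    try:
        data.decode("utf-8")
        return False
    except UnicodeDecodeError:
        return True


def canonical_path(raw_uri):
    """Percent-decode, decode leniently, then collapse '.' and '..' segments:
    the path the file system is finally asked for."""
    parts = []
    for seg in decode_lenient_utf8(unquote_to_bytes(raw_uri)).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


# Constructed log lines (W3C extended format). The two from 192.0.2.10 carry
# the bypass; the 401 shows what the same file returns when asked for honestly.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-06-05 10:12:01 10.0.0.5 GET /..%c0%af/protected/protected.zip - 80 - 192.0.2.10 Mozilla/4.0 200
2009-06-05 10:12:09 10.0.0.5 PROPFIND /..%c0%af/protected/ - 80 - 192.0.2.10 Mozilla/4.0 207
2009-06-05 10:13:44 10.0.0.5 GET /public/index.htm - 80 - 198.51.100.7 Mozilla/4.0 200
2009-06-05 10:14:02 10.0.0.5 GET /protected/protected.zip - 80 - 198.51.100.7 Mozilla/4.0 401
"""


def flag_requests(log_text):
    """Return (method, raw_uri, canonical_path, reasons) for every request
    whose URI contains an overlong sequence or a '..' segment after decoding."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 5:
            continue
        method, uri = fields[3], fields[4]
        raw = unquote_to_bytes(uri)
        reasons = []
        if has_overlong_utf8(raw):
            reasons.append("overlong-utf8")
        if ".." in decode_lenient_utf8(raw).split("/"):
            reasons.append("dot-dot-segment")
        if reasons:
            hits.append((method, uri, canonical_path(uri), reasons))
    return hits
```

The two checks are deliberately separate: an overlong sequence anywhere in a URI is a strong indicator on its own, since no legitimate client emits one, while the dot-dot check catches the same traversal written with other encodings that a lenient decoder would also accept.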

Automated Recovery of Multimedia from Unallocated Space

June 7th, 2009  |  Published in Documents, Forensics by Alfredo Panzera

A couple of weeks ago, Quinn Shamblin posted his article on recovering mp3 data from unallocated space. This set me to thinking. The methods he described seemed generically applicable to other types of multimedia content, but I’m not an expert on those types of file formats, so I went looking. A few comments back and forth later (Thanks drpaha!), and I had a new tool to try out, Defraser. From the Sourceforge project page:

“Defraser is a forensic analysis application that can be used to detect full and partial multimedia files in datastreams. It is typically used to find (and restore) complete or partial audio/video files in datastreams (for instance, unallocated diskspace)”

I downloaded and installed the tool (Late note: It’s under active development. As I’m writing this, they just released a new version), then exported all of the unallocated space (15GB of it) from a disk image I had handy, created a new project inside defraser, and added the unallocated space for analysis. After the processing completed (a few hours later), I simply selected the root of the displayed multimedia tree, right-clicked, and selected ‘Save Selection as Separate Files’, and it proceeded to dump out all of the media streams it had detected as about 600 individual files in the folder I specified. All was not beer & pretzels, however. Going through these to categorize them was quite tedious, as many were corrupted (at least as far as VLC Media Player, which I was using to play them, was concerned), and only a very few actually had any playable content.

Note, by the way, that while I’m primarily concerned with video content here, Defraser also extracts audio-only content.

What I really needed at this point was a way to dump out some reference frames from the video content so that I could easily identify those clips that contained responsive content. Google is your friend! A short bout of Internet research later, I’d discovered Ffmpeg. From its home page:

“Ffmpeg is a complete, cross-platform solution to record, convert and stream audio and video. It includes libavcodec – the leading audio/video codec library.”

I compiled, and installed this tool under cygwin using the following commands:

./configure

make

make install

Unofficial precompiled Windows builds are also available from http://ffmpeg.arrozcru.org/builds/

Then I simply changed directories into the folder where I’d saved the files extracted by Defraser, and ran the tool with the appropriate options on each of those files:

for I in *; do
    # one JPEG every 5 s starting 5 s in, video only; -sameq has since been
    # removed from ffmpeg, so current builds need -qscale:v instead
    ffmpeg -i "$I" -y -ss 5 -an -sameq -r 1/5 "$I%03d.jpg"
done

The result was a set of .jpg files with the same initial names as the files from which they were derived, but with a three digit number dot jpg appended onto the end. To my delighted surprise, many of the ‘corrupted’ files which I had been unable to play with VLC were apparently parseable by ffmpeg, and so I found myself in possession of reference frames for them as well. The -ss 5 and -r 1/5 options in the above command line set the initial offset before the first reference frame, and the delay between subsequent frames to five seconds. In addition, the ffplay utility that comes with ffmpeg is sufficiently versatile that I’m now considering using it to replace VLC player as my primary multimedia viewer application. It will play many of the ‘corrupted’ files which Defraser extracts.

I tried this again on the same unallocated space file after the most recent update to Defraser, and it found a substantially larger number (over 142000) of video clips, probably due to the new mpeg-4 detector. The ffmpeg reference frame extraction technique was really valuable here, as it only extracted frames from the valid ones, and there weren’t very many more of those. However, I did note, in reviewing a few of the larger clips manually, that it’s apparently possible for a clip to be damaged in such a way that reference frame extraction will fail, but the clip will still be playable with ffplay. I also tried the new Defraser version on the unallocated space from another image, only 11GB this time, and it proceeded to run my x64 system with 8GB of RAM out of memory, and execute overnight before I finally killed it. I then broke the file down into 2GB chunks, and was able to analyze it, though the application did throw an odd error on several of the chunks (I filed a bug report). Deselecting the 3GPP/QT/MP4 Container Detector allowed me to successfully complete processing of those chunks. None of the chunks caused particularly high memory utilization by the application.

It’s worth mentioning that the Defraser application itself displays the following notes:

Warning: Known issue: scanning a file using particular combinations of detectors may yield varying results.

Advice: First scan using the Container Detectors, optionally combined with Codec Detectors. To see if anything was missed, do a subsequent scan using only the Codec Detectors.

I’m not sure how comprehensive Defraser really is, but I found a number of interesting unallocated video clips on my test image, and both of these tools are definitely going in the box for future reference. Enjoy!

Author: John McCash, GCFA Silver #2816, is currently a Forensic Investigator employed by a fortune 500 telecommunications equipment provider.
(http://sansforensics.wordpress.com/2009/05/13/automated-recovery-of-multimedia-from-unallocated-space/)
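The following is an added example, not John McCash's script, that turns the procedure above into something repeatable: it splits an exported unallocated-space dump into the 2 GB chunks Defraser could cope with, then runs ffmpeg over every carved clip with the same options as the loop in the post (with -sameq, since removed from ffmpeg, replaced by -q:v 2) and records per clip how many reference frames came out, so that a clip ffmpeg cannot parse is logged rather than stopping the batch. The chunk size, paths and the demo inputs are assumptions; demo() runs offline on a constructed ten-byte "dump" and a deliberately missing ffmpeg binary.

```python
# Added example (not John McCash's script): split an exported unallocated-space
# dump into chunks Defraser can digest, then run ffmpeg over every carved clip
# and report which clips yielded reference frames. The ffmpeg options follow
# the loop in the post, except that -sameq, since removed from ffmpeg, is
# replaced by -q:v 2. Chunk size, paths and the demo inputs are assumptions.
import csv
import subprocess
import tempfile
from pathlib import Path

CHUNK_SIZE = 2 * 1024 ** 3          # the 2 GB pieces the post fell back to
COPY_BUFFER = 64 * 1024 * 1024      # streamed copy; never holds a chunk in RAM


def chunk_image(src, out_dir, chunk_size=CHUNK_SIZE):
    """Write src as <name>.000, <name>.001, ... of at most chunk_size bytes
    each into out_dir; returns the chunk paths in order."""
    src, out_dir = Path(src), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    chunks = []
    with src.open("rb") as f:
        while True:
            head = f.read(min(COPY_BUFFER, chunk_size))
            if not head:
                break
            path = out_dir / f"{src.name}.{len(chunks):03d}"
            with path.open("wb") as out:
                out.write(head)
                remaining = chunk_size - len(head)
                while remaining > 0:
                    data = f.read(min(COPY_BUFFER, remaining))
                    if not data:
                        break
                    out.write(data)
                    remaining -= len(data)
            chunks.append(path)
    return chunks


def ffmpeg_frames_cmd(clip, frame_dir, ffmpeg_bin="ffmpeg", first=5, every=5):
    """One JPEG every `every` seconds starting `first` seconds in, video only
    (-an), named <clip>001.jpg, <clip>002.jpg, ... like the post's loop."""
    return [ffmpeg_bin, "-nostdin", "-loglevel", "error", "-i", str(clip),
            "-y", "-ss", str(first), "-an", "-q:v", "2", "-r", f"1/{every}",
            str(Path(frame_dir) / f"{Path(clip).name}%03d.jpg")]


def extract_frames(clip_dir, frame_dir, report_csv, ffmpeg_bin="ffmpeg"):
    """Run ffmpeg on every file in clip_dir. A clip ffmpeg cannot parse (or a
    missing ffmpeg) is recorded with 0 frames rather than aborting the batch,
    so one corrupt carve never stops the run. Returns {clip_name: frames}."""
    frame_dir = Path(frame_dir)
    frame_dir.mkdir(parents=True, exist_ok=True)
    results = {}
    for clip in sorted(Path(clip_dir).iterdir()):
        if not clip.is_file():
            continue
        try:
            subprocess.run(ffmpeg_frames_cmd(clip, frame_dir, ffmpeg_bin),
                           stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                           stderr=subprocess.DEVNULL, check=True, timeout=600)
        except (FileNotFoundError, subprocess.CalledProcessError,
                subprocess.TimeoutExpired):
            pass                     # counted as 0 frames below
        results[clip.name] = len(list(frame_dir.glob(f"{clip.name}*.jpg")))
    with open(report_csv, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["clip", "frames"])
        writer.writerows(results.items())
    return results


def demo():
    """Offline dry run on constructed input: a 10-byte 'dump' cut into 4-byte
    chunks, and one fake clip handed to a deliberately missing ffmpeg binary.
    Returns (chunk sizes, frame counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        image = root / "unalloc.bin"
        image.write_bytes(b"0123456789")
        sizes = [c.stat().st_size for c in chunk_image(image, root / "chunks", 4)]
        clips = root / "clips"
        clips.mkdir()
        (clips / "clip a.bin").write_bytes(b"\x00\x00\x01\xba")  # MPEG-PS pack header
        counts = extract_frames(clips, root / "frames", root / "report.csv",
                                ffmpeg_bin="ffmpeg-missing-for-demo")
        return sizes, counts


if __name__ == "__main__":
    print(demo())
```

On a real run point chunk_image at the exported unallocated space, feed each chunk to Defraser, save the carved clips to one folder and call extract_frames on it; the CSV then lists the clips worth opening (frames > 0) and the ones that still need a manual look in ffplay, which the post notes may play clips that frame extraction fails on.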