
Sempersol Nullcon Reena Prince Presentation On Steganography

The document discusses steganography and steganalysis from both a technical and psychological perspective. It provides an outline of the presentation sections, which include basics of images, image file formats like BMP, JPEG and GIF, steganography techniques, and using psychology to aid in steganalysis. The document then goes into more detail on specific topics like the file structure and compression process for BMP and JPEG images.

Uploaded by

Prince Boonlia
Copyright
© Attribution Non-Commercial (BY-NC)

Steganography & Steganalysis: A Technical & Psychological Perspective
- Prince Komal Boonlia
- Dr. Reena Bhansali
There are only 10 kinds of people in the world:
those who understand binary and those who don't

nullcon Goa 2010 http://nullcon.net


The Presentation Outline

Section 1: Basics of Images
Section 2: Image file formats
Section 3: Steganography
Section 4: Steganalysis
Section 5: Psychology as an aid


Steganography
The art of data hiding in carrier files
BMP files (.bmp)
JPEG files (.jpg/.jpeg)
GIF files (.gif)
WAV audio files (.wav)
MP3 audio files (.mp3)
Video files (.avi/.mpg/.vob…)
Executable files (.exe)
In fact any file can be used...
Essentials before we begin
Do you know binary, decimal and hexadecimal?
Do you know that there are several formats of images, including BMP, JPEG and so on?
Do you know that every format stores data in a different manner?
Have you ever used a hex editor?
Do you know that every file has a structure, and that any package reading that file actually reads the structure of the file and then interprets and displays the data accordingly?
Do you have a copy and pen?
Do you know how to use Windows Calculator to convert binary into hex, decimal and vice versa?
Hope you are not on sleeping pills... A single second you miss might render your entire session useless
The process
[Diagram labels: Carrier File, Data File, Stego File]
Section 1

BASICS OF IMAGES
Colours
Pixel
Colour depth


Pixel: The building block of Image
BMP files
The colour palette can be 1, 2, 3, 4, 8, 16, 24, 32 bit (in fact any size)
Colour palette : BMP = Shade card : Painted house
The extension is .bmp
The standard format is Device Independent Bitmap
Uses 3 basic colours (standard format)
Red
Green
Blue
Grayscale images with colour palettes
•1 Bit monochrome: 2^1 = 2 colours
•2 Bit grayscale: 2^2 = 4 colours
•4 Bit grayscale: 2^4 = 16 colours
•8 Bit grayscale: 2^8 = 256 colours
RGB colour images with colour palette
•3 Bit RGB with 1 bit each for Red, Green and Blue colour
•6 Bit RGB with 2 bits each for Red, Green and Blue colour, thus 4 shades of each colour
•9 Bit RGB with 3 bits each for Red, Green and Blue colour, thus 8 shades of each colour
24 bit BMP image with the palette
[Figure labels: Image, Palette, RGB Cube, Red, Green, Blue]
Section 2

Understanding Image file formats
BMP Files
JPEG files
GIF Files


Bitmap image
The File Structure
BMP File Header: Stores general information about the BMP file.
Bitmap Information (DIB header): Stores detailed information about the bitmap image.
Color Palette: Stores the definition of the colors being used for indexed color bitmaps. (At times not needed)
Bitmap Data: Stores the actual image, pixel by pixel.
The BMP header

This is an Intel processor format, so use the little-endian system


The DIB header
Offset  Size  Purpose
0Eh     4     the size of this header (40 bytes)
12h     4     the bitmap width in pixels
16h     4     the bitmap height in pixels.
1Ah     2     the number of color planes being used. Must be set to 1.
1Ch     2     the number of bits per pixel, which is the color depth of the image. Typical values are 1, 4, 8, 16, 24 and 32.
1Eh     4     the compression method being used.
22h     4     the image size. This is the size of the raw bitmap data, and should not be confused with the file size.
26h     4     the horizontal resolution of the image. (pixel per meter, signed integer)
2Ah     4     the vertical resolution of the image. (pixel per meter, signed integer)
2Eh     4     the number of colors in the color palette, or 0 to default to 2^n.
32h     4     the number of important colors used, or 0 when every color is important; generally ignored.
With the structure ready, it's time to fill the pixels in the image

Pixel No   Red value   Green value   Blue value
1          8B = 139    87 = 135      A0 = 160
2          8D = 141    89 = 137      A2 = 162
3          8F = 143    8B = 139      A4 = 164
..         ..          ..            ..
n          C6 = 198    F7 = 247      FF = 255
[The "Colour of pixel" column showed colour swatches; callout beside pixels 1 to 3: "Same Colours?"]
The JPEG File Format
JPEG is a lossy image format
The standard is very flexible and there are several file formats that are used, e.g. JFIF, EXIF, JPEG 2000 and so on.
The file format consists of several segments of variable/fixed length. Every segment starts with a marker (FF) followed by the segment marker of 1 byte.
The image undergoes a whole process before arriving at the final data to be stored
The loss of data occurs during the compression phase (Quantization phase). This means that the data can be hidden only after the compression has been done.


JPEG File structure (JFIF)
Bytes | Payload | Name | Comments
0xFFD8 | none | Start Of Image |
0xFFC0 | variable | Start Of Frame (Baseline DCT) | Indicates that this is a baseline DCT-based JPEG, and specifies the width, height, number of components, and component subsampling (e.g., 4:2:0).
0xFFC2 | variable | Start Of Frame (Progressive DCT) | Indicates that this is a progressive DCT-based JPEG, and specifies the width, height, number of components, and component subsampling (e.g., 4:2:0).
0xFFC4 | variable | Huffman Table(s) | Specifies one or more Huffman tables.
0xFFDB | variable | Quantization Table(s) | Specifies one or more quantization tables.
0xFFDD | 2 bytes | Define Restart Interval | Specifies the interval between RSTn markers, in macroblocks. This marker is followed by two bytes indicating the fixed size so it can be treated like any other variable size segment.
0xFFDA | variable | Start Of Scan | Begins a top-to-bottom scan of the image. In baseline DCT JPEG images, there is generally a single scan. Progressive DCT JPEG images usually contain multiple scans. This marker specifies which slice of data it will contain, and is immediately followed by entropy-coded data.
0xFFD0 … 0xFFD7 | none | Restart | Inserted every r macroblocks, where r is the restart interval set by a DRI marker. Not used if there was no DRI marker. The low 3 bits of the marker code cycle from 0 to 7.
0xFFEn | variable | Application-specific | For example, an Exif JPEG file uses an APP1 marker to store metadata, laid out in a structure based closely on TIFF.
0xFFFE | variable | Comment | Contains a text comment.
0xFFD9 | none | End Of Image |

Source: Wikipedia


The Compression Process
1. Colour space transformation from RGB to YCbCr (Optional)
2. Down Sampling (4:4:4 or 4:2:2 or 4:2:0) (Optional)
3. Block Splitting (8X8, 16X8 or 16X16)
4. Discrete Cosine transform: results in higher values at the top left of the matrix and a lot of low values at the bottom right
5. Quantization: the division table resulting in actual compression, with a lot of zero values at the bottom right corner
6. Entropy Coding: arranging the values in zig zag manner to get all the zero values at the end, thus using a single byte to represent them
7. Final JPEG image data
[Callout on the diagram: Data hiding in LSBs here]


The JPEG Compression at work
[Figure: 8 X 8 pixel data for one component, e.g. "Y"; averaged out matrix; DCT; DCT coefficients of the block]

Cont….
[Figure: DCT coefficients of the block; quantization table; rounded off quantized DCT coefficients]

Cont….
[Figure: rounded off quantized DCT coefficients; zig-zag arrangement of binaries]
Finally compressed block:
-26, -3, 0, -3, -2, -6, 2, -4, 1, -4, 1, 1, 5, 1, 2, -1, 1, -12, 0, 0, 0, 0, 0, -1, -1, EOB


GIF image
Introduced by CompuServe, it has two variants: GIF87a and GIF89a
It uses a colour palette as a reference to fill the colours in the image
The colour palette is made up of a maximum of 256 colours chosen from the full 24 bit RGB colour space
GIF supports frames, and thus there can be multiple image frames stored in a single file. This provides for the animation
GIF uses LZW lossless compression
When there are multiple frames in an image file there is one palette, viz. the Global Colour Table, that defines the colours in the frames. There might be a Local Colour Table for a frame. If such an LCT is present it takes precedence over the Global Colour palette


Section 3

Steganography techniques
Appending data at the end of file
Hiding data in comment or junk field
Hiding data in LSBs
Palette manipulation


Appending data at the end of the file
Can rarely be termed steganography
Simply adds the data at the end of the file so it is not read by the image reading packages
Easily detectable
Example: Max file encryption,


Inserting data in comment or junk field

In most image formats there is a field to insert a comment.
This comment field is not rendered by normal image viewing packages
This is again easily detectable, as most comments will be text. If it is not text then there is something hidden in it
Example: Invisible Secrets (for JPEG carrier files)
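Both checks described above (data appended after the End Of Image marker, and a comment segment that does not hold text) can be automated by walking the markers listed in the JPEG file structure table. This is an added example, not code from the presentation; the sample bytes are constructed and carry only the segment structure, not a decodable image.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
RST = range(0xD0, 0xD8)      # restart markers: no length, no payload


def is_text(payload: bytes) -> bool:
    """True when every byte is printable ASCII or tab/CR/LF."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in payload)


def scan_jpeg(data: bytes) -> dict:
    """Walk the marker segments; report non-text comments and bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing Start Of Image marker (FFD8)")
    segments = [(SOI, 0, 0)]     # (marker, offset of its FF byte, payload size)
    binary_comments = []         # offsets of COM segments that do not hold text
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:       # fill byte in front of a marker
            pos += 1
            continue
        start, pos = pos, pos + 2
        if marker == EOI:
            segments.append((EOI, start, 0))
            return {"segments": segments,
                    "binary_comments": binary_comments,
                    "trailing_bytes": len(data) - pos}
        if marker in RST:
            segments.append((marker, start, 0))
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # counts its own 2 bytes
        if length < 2:
            raise ValueError("invalid segment length")
        payload = data[pos + 2:pos + length]
        segments.append((marker, start, len(payload)))
        if marker == COM and not is_text(payload):
            binary_comments.append(start)
        pos += length
        if marker == SOS:
            # Entropy-coded data follows: FF00 is a stuffed FF and RSTn stays
            # inside the scan, so stop only at the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in RST:
                    break
                pos += 1
    raise ValueError("no End Of Image marker (FFD9) found")


def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment for the constructed sample."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JFIF header, a text comment, a binary comment,
# a scan with a stuffed FF and a restart marker, EOI, then appended bytes.
SAMPLE = (b"\xff\xd8"
          + seg(0xE0, b"JFIF\x00" + bytes(9))
          + seg(COM, b"made with a camera")
          + seg(COM, b"\x00\x9c\xf1\x07")
          + seg(SOS, bytes(6)) + b"\x12\xff\x00\x34\xff\xd0\x56"
          + b"\xff\xd9"
          + b"PK\x03\x04hidden")

if __name__ == "__main__":
    report = scan_jpeg(SAMPLE)
    print("markers:", [f"FF{m:02X}" for m, _, _ in report["segments"]])
    print("non-text comment segments at offsets:", report["binary_comments"])
    print("bytes after End Of Image:", report["trailing_bytes"])
```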


Data hiding with LSB
Used in the lossless and uncompressed file formats like BMP
Doesn't result in a change in the file size
For BMP the LSB of pixel data is used in uncompressed format
For GIF the pixel data referring to the palette is used, with palette manipulation
For JPEG quantized DCT coefficients are used


Concept of LSB
[Figure: pure red (11111111) with one bit cleared at a time, panels numbered 1 to 8, with LSB 1, LSB 2 and LSB 3 marked: 11111110, 11111101, 11111011, 11110111, 11101111, 11011111, 10111111, 01111111]
Least significant bit illustrated with pure red colour


Data hiding with LSB
Data to be hidden: S = 01010011

Image data in hex   Image data in binary   Bit of   Image data in binary   Image data in hex
before hiding       before hiding          S        after hiding           after hiding
A0                  10100000               0        10100000               A0
87                  10000111               1        10000111               87
8B                  10001011               0        10001010               8A
A2                  10100010               1        10100011               A3
89                  10001001               0        10001000               88
AD                  10101101               0        10101100               AC
A4                  10100100               1        10100101               A5
8B                  10001011               1        10001011               8B
Palette manipulation

Hiding the data in the palette itself if the image has few colours and the data size is small


Palette manipulation
Palette/colour duplication: Using two sets of palettes/colours, one representing 0 and the other representing 1 (results in image degradation for an image having 256 colours)

A better variation can be not using the exact colour but using the near approximation of that colour
[Figure: two sets of colours, one labelled "Represents 0" and the other "Represents 1"]


Data Hiding strategies
Encryption: The data to be hidden can be either in the original unencrypted form or can be encrypted before hiding. Most steganography packages encrypt data before hiding to provide added security and to escape LSB enhancement visual attacks
Location: The location of the bytes to be used in the BMP file for data hiding is an important factor. A few packages hide data sequentially in the bitmap, a few choose a scattered pattern, and the more efficient ones choose a pseudo-random ordering based on the key or password used.
Statistical balancing: When data is hidden in the LSBs, the statistical properties of the image change. This makes the technique prone to statistical analysis such as the χ² (chi-square) test. Most packages have no mechanism to balance these changes, but a few like Outguess and F5 have such a mechanism, wherein some other bits are flipped so as to maintain the original statistical properties


Section 4
Steganalysis Techniques
LSB Enhancement
Chi Square Test
Cracking the algorithm
Other methods
• Histogram Analysis
• Compression analysis
• Hash comparison
• Palette Examination
• Known Package artifacts


LSB Enhancement

File: test.bmp (contains no hidden data)
File: test1.bmp (contains hidden data)
Launch an LSB enhancement attack
(Replacing all the bits in every byte with the LSB of that byte)
[Figure: test.bmp LSB enhanced; test1.bmp LSB enhanced, with an emerging pattern indicating plain text data hidden]

•Did you observe the behaviour of black and white colours? Can you see there are only 16 colours in this image? WHY?
Explanation
All the characters from "a" to "z" have the first 3 bits (011) in common; the remaining 5 are variable
With LSB enhancement we get a common pattern of 3 bytes being all "0", all "1" and all "1", followed by 5 random bytes.
This 3-byte sequence repeats after every 5 bytes, which results in the pattern formation
Why this pattern emerges
(Nature of ASCII)
Char  Decimal  Binary    Hex    Char  Decimal  Binary    Hex
a     97       01100001  61     n     110      01101110  6E
b     98       01100010  62     o     111      01101111  6F
c     99       01100011  63     p     112      01110000  70
d     100      01100100  64     q     113      01110001  71
e     101      01100101  65     r     114      01110010  72
f     102      01100110  66     s     115      01110011  73
g     103      01100111  67     t     116      01110100  74
h     104      01101000  68     u     117      01110101  75
i     105      01101001  69     v     118      01110110  76
j     106      01101010  6A     w     119      01110111  77
k     107      01101011  6B     x     120      01111000  78
l     108      01101100  6C     y     121      01111001  79
m     109      01101101  6D     z     122      01111010  7A


Data encryption
(The new challenge that defeats the LSB enhancement attack)
If the data is encrypted before hiding, there is no particular pattern if it is a binary encryption.
In the absence of any pattern, the LSB enhancement attack fails in the few cases where the image is very colourful or grayscale and the hidden data is too small
The chi-square test comes to the rescue up to a certain level
Beyond that, more system-level analysis is required to find the data
Same text with various encryption and LSB enhanced images
[Figure panels: Text encrypted as ASCII; Text encrypted as Binary with IDEA encryption (S-Tools); Image with no data hidden]

Which is the better option for hiding the data
[Figure: four images numbered 1 to 4]

Take a break and look at this Image


Chi square test
•What is it:
•Chi-square is a statistical test commonly used to compare observed data with data we would expect to obtain according to a specific hypothesis. For example, if, according to Mendel's laws, you expected 10 of 20 offspring from a cross to be male and the actual observed number was 8 males, then you might want to know about the "goodness of fit" between the observed and expected. Were the deviations (differences between observed and expected) the result of chance, or were they due to other factors? How much deviation can occur before you, the investigator, must conclude that something other than chance is at work, causing the observed to differ from the expected? The chi-square test is always testing what scientists call the null hypothesis, which states that there is no significant difference between the expected and observed result.
How chi square works in steganalysis
Binary encrypted data is very random data. This means that the probability of an LSB being 0 or 1 is equal, i.e. 0.5
Images in general have a predominance of certain colours, like a background or some artifact with a particular colour
This means that in general images don't have data with near equal numbers of 0 and 1 as LSB
The presence of black or white colours in certain images results in a high presence of 0 or 1 as LSB.
The more colourful the image is, the less is the chance of detection of hidden encrypted data
Let's see the chi square result of the images shown
Chi square with encrypted data in pure black image
[Figure: chi square without data hidden; chi square with data hidden]
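The LSB enhancement attack and the chi-square check described above, as an added example (not code from the presentation). It goes one step beyond the slides by running both on the same constructed pure-black cover; the cover, the message `meetmeatthebridgeatnoon` and the SHA-256 stream standing in for encrypted data are assumptions made for the demonstration, and the chi-square is the simple 0/1 LSB balance form the slide describes (one degree of freedom).

```python
import hashlib
import math


def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Build a test stego sample: payload bits, MSB first, replace cover LSBs."""
    bits = [(byte >> shift) & 1 for byte in payload for shift in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def lsb_enhance(data: bytes) -> bytes:
    """Replace every bit of each byte with that byte's LSB (0x00 or 0xFF)."""
    return bytes(0xFF if b & 1 else 0x00 for b in data)


def lowercase_prefix_ratio(enhanced: bytes) -> float:
    """Fraction of 8-byte groups starting 00 FF FF, the 011 prefix of 'a'..'z'."""
    groups = [enhanced[i:i + 8] for i in range(0, len(enhanced) - 7, 8)]
    hits = sum(1 for g in groups if g[:3] == b"\x00\xff\xff")
    return hits / len(groups) if groups else 0.0


def lsb_chi_square(data: bytes) -> tuple:
    """Chi-square of observed LSB counts against the 50/50 split expected of
    encrypted data. Returns (statistic, p-value); with 1 degree of freedom
    the p-value is erfc(sqrt(chi2 / 2))."""
    n = len(data)
    if n == 0:
        raise ValueError("no data")
    ones = sum(b & 1 for b in data)
    expected = n / 2
    chi2 = ((n - ones) - expected) ** 2 / expected + (ones - expected) ** 2 / expected
    return chi2, math.erfc(math.sqrt(chi2 / 2))


# Constructed inputs (assumptions for the demonstration, not real images).
BLACK = bytes(8192)                                  # pure black pixel data
PLAINTEXT = b"meetmeatthebridgeatnoon"               # lowercase text only
CIPHERTEXT_LIKE = b"".join(                          # 1024 random-looking bytes
    hashlib.sha256(bytes([i])).digest() for i in range(32))

if __name__ == "__main__":
    plain = embed_lsb(BLACK, PLAINTEXT)
    enc = embed_lsb(BLACK, CIPHERTEXT_LIKE)
    region = 8 * len(PLAINTEXT)
    print("plaintext: 00 FF FF prefix ratio =",
          lowercase_prefix_ratio(lsb_enhance(plain)[:region]))
    print("encrypted: 00 FF FF prefix ratio =",
          round(lowercase_prefix_ratio(lsb_enhance(enc)), 3))
    for name, sample in (("clean", BLACK), ("encrypted", enc)):
        chi2, p = lsb_chi_square(sample)
        # A high p-value means the LSBs look like a fair coin, which a mostly
        # black image should not produce on its own.
        print(f"{name}: chi2 = {chi2:.1f}, p = {p:.3g}")
```

On the black cover the statistic drops from 8192 to a small value once random-looking data fills the LSBs; on a very colourful cover the LSBs are already close to balanced, which is the limitation the slide points out.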


Cracking the algorithm
Jsteg
Hides data without encryption
Hides data in the quantized coefficients
Reversing requires decompressing the JPEG image, reversing the entropy encoding and then getting the quantized DCT (QDCT) coefficients
Start sequentially and use the binary values except 00h and 01h. Jsteg doesn't hide data in these values
The LSBs of the first 5 bytes of QDCT contain the length of the next field.
The next field contains the size of the hidden file
After this field the data portion starts, which can be extracted bit by bit


Camouflage
Stores the password XORed with the predefined key in the end portion (before the last padding), adding it after the end of file marker "FFD9"
The Key is


Other Methods
Histogram analysis
[Figure: histogram of a file with no hidden data; histogram of a file with hidden data]


Other methods
Compression analysis

With no data hidden it was compressed to 98.4% with WinRAR
With 5 MB of data hidden the file could not achieve any compression with WinRAR
If the hidden data is more than the file size in JPEG, the compression will be close to 0


Other methods
Compression analysis in BMP

Plain white BMP image of 1.42 MB was compressed to 2 KB with WinRAR
Extremely colorful image of 2.25 MB without any data hidden was compressed to 43.5% with WinRAR
Plain white BMP image of 1.42 MB with 18 KB of hidden data was compressed to 48 KB with WinRAR
Extremely colorful image of 2.25 MB with 500 KB of hidden data was compressed to 46.8% with WinRAR


Other Methods

Hash Comparison
There are a bunch of image files that are available either with the OS as wallpaper or taken from the internet.
A hash database is part of most forensic toolkits, wherein a database of known files is kept
The slightest change in a file results in a changed hash, so the hash of the suspected stegano file can be compared with that of the known file to detect the steganography


Other Methods

Palette Examination (for GIF)
Search for duplicate palettes
Search for duplicate colours
Check for close proximate colours
Check the arrangement patterns


Check these palettes
[Figure: palette of complete black image (original); palette of complete black image as changed by S-tools after hiding the data]

Check these palettes
[Figure: original palette of image with black, red and a custom colour; palette as changed by S-tools]
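The duplicate-colour and close-colour checks from the palette examination list, as an added example (not code from the presentation). It reads only the Global Colour Table; the two GIF headers are constructed samples and the per-channel distance threshold `near` is an assumed parameter.

```python
import struct
from collections import Counter


def read_global_palette(gif: bytes) -> list:
    """Return the Global Colour Table of a GIF as a list of (r, g, b) tuples."""
    if gif[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    if len(gif) < 13:
        raise ValueError("truncated logical screen descriptor")
    # Logical screen descriptor: width, height, packed flags,
    # background colour index, pixel aspect ratio (little-endian).
    _width, _height, packed, _bg, _aspect = struct.unpack("<HHBBB", gif[6:13])
    if not packed & 0x80:                   # bit 7: global table present
        return []
    entries = 2 ** ((packed & 0x07) + 1)    # low 3 bits encode the table size
    table = gif[13:13 + 3 * entries]
    if len(table) < 3 * entries:
        raise ValueError("truncated colour table")
    return [tuple(table[i:i + 3]) for i in range(0, len(table), 3)]


def examine_palette(palette: list, near: int = 2) -> dict:
    """Report exact duplicates and pairs within `near` on every channel."""
    counts = Counter(palette)
    duplicates = {colour: n for colour, n in counts.items() if n > 1}
    distinct = sorted(counts)
    close_pairs = [
        (a, b)
        for i, a in enumerate(distinct)
        for b in distinct[i + 1:]
        if max(abs(x - y) for x, y in zip(a, b)) <= near
    ]
    return {"size": len(palette), "distinct": len(distinct),
            "duplicates": duplicates, "close_pairs": close_pairs}


def gif_header(colours: list, size_bits: int) -> bytes:
    """Constructed GIF89a header plus global colour table (no image data)."""
    flat = bytes(channel for colour in colours for channel in colour)
    return b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0x80 | size_bits, 0, 0) + flat


# Constructed samples: an ordinary 4-colour palette, and an 8-entry palette
# for a mostly black image that repeats black and holds near-identical shades.
CLEAN_GIF = gif_header([(0, 0, 0), (255, 0, 0), (0, 255, 0), (0, 0, 255)], 1)
SUSPECT_GIF = gif_header(
    [(0, 0, 0), (0, 0, 1), (0, 1, 0), (1, 0, 0),
     (0, 0, 0), (255, 0, 0), (254, 0, 0), (0, 0, 0)], 2)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_GIF), ("suspect", SUSPECT_GIF)):
        result = examine_palette(read_global_palette(sample))
        print(name, "entries:", result["size"], "distinct:", result["distinct"],
              "duplicates:", result["duplicates"],
              "close pairs:", len(result["close_pairs"]))
```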


Other Methods
Several statistical analyses and tools presented
Pair based analysis (RS attack and PV attack)
QIM Histogram attack
Sample pair analysis
Check for installation of a steganography package on the system
Check for the steganography tool used, based on the tool's signature in the file (Stegspy.py)
Search for post un-installation remains in the system
Blind detection
Password attacks (Steg break)
Search in memory dumps
Search in hibernation file
Cold boot attack on memory
Check the temporary location for remains of extracted files
Check for the carrier file copy
STILL NOT FOUND?????????????????


Few Steganalysis tools

Few steganalysis tools are available for detection of steganography
Stegdetect
SteganalyserAS
Image Spyer
Stegsecret

STILL NOT DETECTED???????
(Technology has its limitations. Let's look at human psychology for help)
Section 5
Beyond Technology

Dr. Reena Bhansali


Prince Komal Boonlia
Peeping in Expressions

Body Language
Micro expressions
Body Language
Is it important?
•Words are only 7% of communication
•Emotions are linked to Body language
•Reduce Mixed Messages
•Improve communication skill
•Give important cues about things
•Verbal: 7%
•Vocal: 38%
•Non Verbal: 55%


Deception
A successful or unsuccessful deliberate attempt, without forewarning, to create in another a belief which the communicator considers to be untrue.
Deception involves acting in such a way which leads another person to believe something that you, yourself, do not believe to be true (Ekman, Miller and Stiff).

If you have nothing to hide, why not tell the complete truth?
Non verbal Behavior and deception
Emotions
Content Complexity
Attempted Control Behaviour


Emotions
Telling a lie evokes emotions
Liars undergo Guilt, Fear, Duping Delight
Liars might feel guilty because they are lying, might be afraid of getting caught, or might be excited about having the opportunity to fool someone
The strength of these emotions depends on the personality of the liar and on the circumstances under which the lie takes place
Guilt might result in gaze aversion
Fear and Excitement might result in signs of arousal, limb movements, speech fillers, speech errors, facial emotional expressions or a high pitched voice.
Content Complexity
•Liars have to think of plausible answers, avoid contradiction, stay consistent, avoid slips of the tongue
•People engaged in cognitively complex tasks make more speech fillers and speech errors, pause more and wait longer before giving answers
•It leads to fewer limb movements, more gaze aversion and reduced animation.
Attempted Behavioral Control

Liars are busy in Impression Management
Convincing others requires suppressing nerves effectively, masking evidence of heightened cognitive load, knowledge of how an honest person normally behaves and ability to show the behavior.
Usually they tend to over control themselves, resulting in behavior that looks rehearsed and rigid and speech that sounds too smooth.
Performance may look contrived due to lack of involvement.
Non Verbal Cues
During Deception
Non Verbal
High Pitch of Voice >
Speech errors >
Illustrators <
Hand/Finger Movement <
Verbal Cues
Unstructured Production <
Logical Structure <
Quantity of detail <
Contextual Embedding <
Description of interactions <
Reproduction of speech <
Unusual Detail <
Spontaneous Correction <
Admitting lack of memory <

•< occurs less during deception, > occurs more during deception
Verbal Behavior and deception
CBCA (Criteria Based Content Analysis) is a tool to assess the veracity of written statements, and is used as evidence in criminal courts in several countries in the world. CBCA scores are expected to be higher for truth tellers than for liars.
Assumptions:
(i) Lying is cognitively more difficult than truth telling,
(ii) Liars are more concerned with the impression they make on others than truth tellers.
Three Phases
A specific interview procedure to obtain a statement from information about what constitutes a properly conducted interview
Coding of the transcribed statement using the CBCA procedure
An evaluation of the CBCA outcomes
Physiological Reactions and Deception
•The modern way of detecting physiological activity in liars is by using a polygraph
•A polygraph is a scientific measuring device which can display, via ink pens onto a chart or via a computer visual display unit, a direct and valid representation of various types of bodily activities
•The polygraph accurately records even very small differences by amplifying signals picked up from sensors attached to different parts of the body.
•It measures and records changes associated with arousal.

A polygraph does not detect lies but only the arousal which may accompany telling a lie, e.g. sweating of fingers, respiration and blood pressure
Polygraph
•CQT: Control Question Technique
•GKT: Guilt Knowledge Test
CQT: Control Question Technique

Consists of approximately 10 questions
Relevant questions deal with the question at hand (crime, security, etc.) and control questions deal with possible past behaviors that may elicit emotional reactivity
Assumption is that relevant questions will generate more emotional reactivity than control questions
Control questions measure the person's level of reactivity
Control questions must elicit lying, must be chosen carefully
Innocent will respond to both control and relevant questions with equal emotional reactivity
Guilty person will show more reactivity to relevant questions than control questions, creating a difference in score
GKT: Guilt Knowledge Test

Provides quite convincing evidence of guilt in certain situations.
In this test, the suspect is asked a number of multiple-choice type questions about the crime with respect to evidence that only the crime investigators and the criminal would know about, e.g. a hat left behind at the crime scene
If the suspect consistently shows the strongest emotional reaction to the correct alternative, that would suggest he is the criminal.
Works best if conducted double-blind. That is, if the person asking the questions does not know the right answer.
Validity of Polygraphs

Two types of studies: Laboratory Studies and Field Studies

Laboratory Studies - asked college students to commit a crime and then lie about it
• Advantage of knowing the 'truth'
• Lack ecological validity

Field Studies
• Include a representative sample of polygraph tests administered under real-life conditions
• Charts scored by independent polygraph examiners (blind scoring) - use of only the charts and no additional information
• Compare score of polygraph to an independent criterion (some other determination of guilt or innocence)
Counter-Measures to the Polygraph

Physical and Mental Counter Measures

Physical
Suppressing physiological responses
Augmenting physiological responses
Suppressing overall physical activity (sedatives)

How Effective are Physical Counter-measures?
Can result in inconclusive results rather than truthful results
Use of more than one counter measure simultaneously is more effective
Training and practice is necessary
Some physical counter-measures can be detected by the examiner; others may be missed

Mental Counter-Measures
Artificially producing responses to control questions
Attenuating responses to relevant questions
Mental dissociation
Can not be detected by examiner
Less effective than physical measures
Most effective - think of emotionally arousing events during baseline questions
Micro Expressions
•A micro expression is a brief, involuntary facial expression shown on the face of humans when one is trying to conceal or repress an emotion. They usually occur in high-stakes situations, where people have something to lose or gain. Unlike regular facial expressions, few can fake a micro expression.
•Faces and bodies very rarely lie. Behavioural cues can be found in very subtle intensities that a person may be busy telling a lie or hiding something with the intention of deceit. Even the most efficient, pathological or compulsive liars still reveal the same Micro Expressions gestures, although more difficult to detect, but never impossible.
•The human face contains 44 muscles that can show isolated and specific facial Macro and Micro Expressions as well as various emotions. There are seven main universal areas which are the same throughout the world regardless of race, country or culture. They are Fear, Disgust, Anger, Happiness, Sadness, Surprise and Contempt. The human face can show Facial and Micro Expressions of Pain, Distrust, Attraction, Enjoyment, Shame, Guilt, Embarrassment, Awe, Despair, Ecstasy, Scepticism, Distress, Amusement, Excitement, Pride, Relief, Satisfaction & Sensory Pleasure
Peeping in Words

Statement Analysis
Statement Analysis
Statement Analysis is a very useful interviewing technique for detecting deception on the part of either the suspect or the victim. It's the process of examining a person's words to see exactly what they're saying.
It's based on the principle that people do not lie. Most people want to tell the truth. Even liars will tell a partial truth. It's easier to tell a partial truth than to completely fabricate a statement
It's been theorized that the psychological ID part of our personality, the subconscious primitive part, tends to be truthful at all times.
If we're being deceptive, a conflict occurs with our ID and it creates stress.
"Vrij and Winkel (1993) stated that the deception framework includes both emotional and cognitive components." When a person lies, this causes a conflict within ourselves and creates stress (emotional).
That stress then triggers the sympathetic nervous system to act, as part of the "Fight or Flight" syndrome.
Technique
Norm
Investigators determine what is typical of a truthful statement

Deviation from the norm
Truthful statements differ from fabricated ones in both content and quality

Components
Part of Speech
Extraneous Information
Balance in statement
Lack of Conviction
Important Parts Of Speech

•Parts of speech form the foundation of statement analysis.
•Pronouns
•Nouns
•Verbs

If a deviation from the norm appears, they then should ask, "Why?"
Extraneous Information
Extraneous information in a statement also can provide clues to deception.
A truthful person with nothing to hide, when asked the question, "What happened," will recount the
events chronologically and concisely.
Any information given that does not answer this question is extraneous.
People involved in crimes may feel the need to justify their actions.
In such cases, the information in the statements will not follow a logical time frame or will skirt what
really happened.
They also may include more information than is necessary to tell the story. In such instances,
investigators should scrutinize this extraneous information and question why this person felt the need to
include it.
Lack of conviction

When analyzing a statement, investigators should note if the person feigns a loss of memory by repeatedly inserting "I don't remember" or "I can't recall."
They also should look to see if the person hedges during the narrative by using such phrases as "I think," "I believe," "to the best of my knowledge," or "kind of."
These phrases, also called qualifiers, serve to temper the action about to be described, thereby discounting the message before it even is transmitted.
Balance of statement

A statement given by a suspect or an alleged victim should be examined by investigators for overall balance.
Statements should be more than just a series of details.
They need to sound like an account of the event.
Truthful statement has THREE parts

•Details before event: 33 1/3%
•Occurrence: 33 1/3%
•After the event: 33 1/3%
If any part of a statement is incomplete or missing altogether, then the statement is probably false.
Signs to Observe

Truthful
•Nervous at first; calms down as interview progresses
•Anger; specific
•Composed attitude; self assured
•Wants you to know he's innocent
•Cooperates with investigation
•Appears without an attorney
•Willing to prove innocence
•Answers questions directly
•Willing to take lie detector test
•Open; will volunteer info
•Unyielding & adamant in denials
•Will sit forward in the chair & ask what one wants to know
Deceptive
•Angry; nonspecific; won't calm down
•Overly anxious; seems confused
•Overly polite
•Defensive
•Will be quiet; afraid he will say something to get him in trouble
•Evasive in answers
•Non committal in response
•Complains; uncooperative
•Guarded about what they tell you
•Have to give a reason why they don't cooperate
•Defeated; slumps head forward
Graphology
Top six red flags of handwriting specifics that could indicate deception:
Script of the writer is inferior in certain places than in others.
Writer starts with one slant and then changes the slant.
Broken vowels are found in the sentence under question.
Double loops are found in letters within a sentence when otherwise not
present.
Subject uses long sweeping pre-strokes.
Subject's handwriting is almost unreadable in certain places.
Time
Time is an important element in the subject's statement.
It can give us clues as to how much information the subject has provided.
Truthful people will provide a logical statement that follows a chronological time
frame.
Deceptive people often won't.
Gaps in a statement indicate deception.
When a person says, "I don't remember," they are often concealing a critical detail.
Any missing time elements should raise red flags
Emotions
•Truthful people tend to be very emotional when giving a statement.
•They're not rehearsed and they tend to use words like: stolen, theft, fraud.
•Deceptive persons will be very controlled.
•They tend to use words like: missing, gone, etc.
•When we are wrongly accused of something, our emotions soar. We become highly indignant. We
intend to prove our innocence.
•A truthful person who becomes a suspect in a criminal investigation is very quick to demand a lie detector test.
•Stuttering or repeating words.
•Answering a question with a question - stalling for time.
•Hesitation marks - stalling for time. Um, UGH, Let's see!
Peeping in Mind
Brain Fingerprinting
Criminal Brain
• The prefrontal cortex (PFC) of men who have antisocial personality disorder (ASPD) has 11% less gray matter and is less active (a PET scan measures the glucose uptake of a cell when it is active). The PFC is known to inhibit the limbic system, which is an area of the brain that gives rise to emotions. PET scans showed activity in the thalamus, amygdala, and limbic system increased by 6% compared to a normal human. All of these areas control basic emotions, e.g., aggression, sexual desire, and anger, and therefore increased activity in these regions would suggest stronger emotions.
• Corpus Callosum: A lower level of communication between the two hemispheres of the brain is found in murderers. The activity in the corpus callosum, which is the bridge that links the two sides of the brain, was 18% less active than normal. This is significant because the left side is usually considered the rational side, and the right side is the irrational side.
Brain Fingerprinting is a controversial forensic science technique that determines whether specific
information is stored in a subject’s brain by measuring electrical brainwave responses to words, phrases, or
pictures that are presented on a computer screen (Farwell & Smith 2001)
Brain fingerprinting was invented by Lawrence Farwell
The brain’s processing of known information, such as the details of a crime stored in the brain, is revealed
by a specific pattern in the EEG (electroencephalograph)
"Brain fingerprinting" is a computer-based test that is designed to discover, document, and provide
evidence of guilty knowledge regarding crimes, and to identify individuals with a specific training or
expertise such as members of dormant terrorist cells or bomb makers.
It has also been used to evaluate brain functioning as a means of early detection of Alzheimer’s and other
cognitively degenerative diseases, and to evaluate the effectiveness of advertising by measuring brain
responses.
Techniques

• The technique uses the well known fact that an electrical signal known as P300 is
emitted from an individual's brain beginning approximately 300 milliseconds after it is
confronted with a stimulus of special significance, e.g. a rare vs. a common stimulus or a
stimulus the subject is asked to count
• The application of this in brain fingerprinting is to detect the P300 as a response to
stimuli related to the crime or other investigated situation, e.g., a murder weapon,
victim's face, or knowledge of the internal workings of a terrorist cell. Because it is
based on EEG signals, the system does not require the subject to issue verbal responses
to questions or stimuli.
Techniques

• The person to be tested wears a special headband with electronic sensors that measure the EEG from
several locations on the scalp. The subject views stimuli consisting of words, phrases, or pictures
presented on a computer screen
• Stimuli are of three types:
– “Irrelevant” stimuli that are irrelevant to the investigated situation and to the test subject,
– “Target” stimuli that are relevant to the investigated situation and are known to the subject,
– “Probe” stimuli that are relevant to the investigated situation and that the subject denies knowing.
Probes contain information that is known only to the perpetrator and investigators, and not to the
general public or to an innocent suspect who was not at the scene of the crime.
Role in Criminal Findings

Investigation
Interview
Scientific Testing
Adjudication
Investigation

Science of Brain Fingerprinting accurately determines whether or not specific information is stored in a specific person’s brain.
It detects the presence or absence of specific information in the brain.
The job of the investigator is to find features relevant to the crime that have the following attributes:
•They are salient features that perpetrator almost certainly encountered in the course of committing the crime.
•The suspect has not been exposed to them in some other context, i.e., interrogation or court proceedings.
Investigation

Probe Stimuli
If the suspect knows specific features of the crime, and has had no access to this information other than through committing the crime, then this will provide evidence of his involvement in the crime.
If the suspect lacks this knowledge, this will provide evidence supporting his innocence.
Brain Fingerprinting tests for the presence or absence of this information stored in the suspect’s brain.
Interview of the subject

• Once evidence has been accumulated through investigation, and before the Brain Fingerprinting test is
conducted to determine if the evidence can be linked to the suspect, it can in some cases be very valuable
to obtain the suspect’s account of the situation
• The interview with the suspect may help to determine which scientific tests to conduct, or how to
conduct the tests
• The suspect is asked if he would have any legitimate reason for knowing any of the information that is contained in the potential probe stimuli.
• This information is described without revealing which stimuli are probes and which are irrelevant
Interview of the subject
• It is vital that the suspect be given a chance before the Brain Fingerprinting test to disclose any familiarity he may have with the crime, so that any probes that he knows about for a legitimate reason can be eliminated from the test.
• Recall that the probes contain crime-relevant information that the suspect has no way of knowing except through
having been present at the crime.
• The targets are also discussed in the interview.  Recall that the targets contain information about the crime that the
suspect knows whether he committed the crime or not, and are used to establish a baseline brain response for
information known to be significant to this subject in the context of the crime
Interview of the subject

• In the interview, the suspect is also given a list of all of the stimuli to be presented in the test, without disclosing which stimuli are probes and which are irrelevants.
• The suspect is asked to identify any stimuli that are significant to him for reasons that have nothing to do with the crime.
• If any stimulus is significant to the suspect for reasons having nothing to do with the crime, then that stimulus is eliminated from the test.
Keep in mind

•Brain Fingerprinting determines scientifically and accurately what information is stored in a person’s brain.
•It does not determine how that information got there.
•In order for Brain Fingerprinting to be useful in identifying a perpetrator – that is, in order for a correct “information present” Brain Fingerprinting result to be useful evidence regarding a suspect’s participation in a crime – investigators must first discover information that would be known to a perpetrator but not to an innocent suspect, and ensure that the subject in question has not obtained that information through some means other than participation in the crime.
Keep in mind

•The interview serves to refine the selection of stimuli
– Test results will provide useful and relevant information
– To establish the relevance of the stimuli
– To eliminate potential confounds in the scientific test
– To provide a background for interpretation of the test results once they are
obtained.
Scientific Testing with Brain Fingerprinting

• Brain Fingerprinting determines scientifically whether or not specific information is stored in a specific
person’s brain.
• Brain Fingerprinting tells us the following, no more and no less: “These specific details about this crime are (or are not) stored in this person’s brain.”
•Investigation and Interview
•Input: Probe Stimuli
•Output: Information present or Information absent
Attributes

• This science is testable and has been tested
• This science has been peer reviewed and published
• This science is accurate, has an error rate extremely close to zero, and has
standard procedures for its application
• This science is well accepted in the relevant scientific community
Scientific Testing with Brain Fingerprinting

• Brain Fingerprinting determines scientifically what information is stored in a person’s brain.
• It does not determine how that information got there.
• In order for a determination that certain information is (or is not) stored in a suspect’s brain to be useful to a judge and jury, the significance of this finding with regard to the crime must be established.
Scientific Testing with Brain Fingerprinting

• The science of Brain Fingerprinting does not tell us what information to test for.
• This is determined according to the skill and judgment of the investigator – which is in the end evaluated by the judge and jury.
• Brain Fingerprinting does not test whether a person is guilty of a crime. This is adjudicated by the judge and jury. The question of guilt or innocence is a legal determination to be made by a judge and jury, not a scientific one to be made by a scientist or a computer.
• What Brain Fingerprinting does is to provide evidence that can be weighed by the judge and jury in
making their determination of guilt or innocence.
A Good Password
A lot of awareness has been created for keeping a SAFE PASSWORD.
Now the ONUS is on us when we need to BREAK the sturdy walls created and constructed by us.
We taught them to be safe; in turn they backstabbed us by using our knowledge for the WRONG.
Once we have detected the CRIME or traced where the things are hidden,
the next step is finding the PASSWORD of the person committing
Is it ethical to trace the password?
But is it ETHICAL to commit crime?
The debate is long and never ending.
Psychology and Technology have to go hand in hand.
There is no sure shot answer anywhere unless the criminal is in front of us.
Even if the CRIMINAL reveals all, are we sure he is not lying?
•Social Engineering
Social Engineering: should we USE it or not?
BUT
If they can, why can't we!!!!
Why use Social Engineering
•The reasons for using social engineering to gain access are simple: once mastered, social engineering can be used on a system regardless of the platform or the quality of the hardware and software present.
•Social engineering comes in many forms, but they are all based on the principle of disguising oneself as a non-hacker who needs or deserves the information to gain access to the system.
•Aside from using larger security systems, another tactic that security professionals employ is 'security through obscurity,' which is providing little or no information to a user, assuming that legitimate users have already been trained, and that the hackers would be discouraged by having to guess different commands or procedures.
•Security through obscurity can also be accomplished by hiding certain files or information systems or having confusing login prompts.
•This method of security is completely undermined when social engineering is involved. With a legitimate human user providing information, all the information that allowed for security through obscurity would also be divulged to the hacker.
Reverse Social Engineering

•Reverse social engineering is a superior form of social engineering that deals with the common difficulties that come with normal social engineering. This form can be described as a legitimate user of a system asking the hacker questions for information. In reverse social engineering (RSE), the hacker is thought to be at a higher level than the legitimate user, who is actually a target. In order to pull off an RSE attack, however, the attacker must be knowledgeable of the system and usually must also have previous access granted to him, usually through normal social engineering.
Reverse Social Engineering

•Social Engineering: The hacker places the calls and is dependent on the user
• Reverse Social Engineering: The user places the calls and is dependent on the hacker
• Social Engineering: The user feels that the hacker is indebted to them.
• Reverse Social Engineering: The user feels indebted to the hacker.
• Social Engineering: Questions often remain unresolved to the victim.
• Reverse Social Engineering: All the problems are corrected, no suspicious loose ends
• Social Engineering: The user has control by providing information.
• Reverse Social Engineering: The hacker has complete control.
• Social Engineering: Little or no preparation required.
• Reverse Social Engineering: Lots of planning and previous access usually needed
Why it works!!!!

•A human being trusts another human up to a certain point
•People tend to obey someone's orders when they see that person has superior knowledge
•Makes all means of software and hardware protection useless
•Only very few companies and people are actually aware of the dangers of Social
Engineering
•Usually humans do not like to say NO
•Flaws in human logic: