
Module Code & Module Title: CC6003NI Digital Crime Investigation
Assessment Weightage & Type: 50% Individual Coursework
Year and Semester: 2019 Autumn
Student Name: Bidhan Pant
London Met ID: 17031042
College ID: NP01NT4A170133
Assignment Due Date: 3rd January, 2020
Assignment Submission Date: 3rd January, 2020
Submitted To: Monil Adhikari
Word Count: 2192

I confirm that I understand my coursework needs to be submitted online via Google Classroom under the
relevant module page before the deadline in order for my assignment to be accepted and marked. I am fully
aware that late submissions will be treated as non-submission and a mark of zero will be awarded.
Abstract
The primary objectives of information security are confidentiality, integrity and availability.
Over the years, however, information security researchers have identified many data hiding
methods that are in common use on different systems. One such technique is the covert
channel, which hides information within a system, its processes or the TCP/IP networking
protocols in a way that runs counter to computer policies and regulations. TCP/IP, the protocol
suite that specifies the standards for data transmission and communication between computers,
has been found to be vulnerable to covert channel attacks. Such covert channels often exploit
common protocol weaknesses and are sometimes referred to as network steganography. In
addition, I modified the C programming script for TCP data transmission to send, parse and
detect covert channels, which can be a handy weapon for any forensic investigator. Alongside
the research, a practical solution has been considered, for which a Proof of Concept section is
reserved at the end of this document. Appendix I contains full evidence of the hidden packets
being detected by Wireshark.
Contents
1. Introduction 1
2. Aims and Objectives 2
3. Scope and Deliveries of Report 3
4. Background and Literature Review 4
4.1. Previous Research on Covert Channels and TCP/IP 4
4.2. Contributions on the Topic by Previous Researchers 5
5. Case Study 6
5.1. Red Team's Best Friend: Covert Channel 6
5.2. Review 6
6. Data Hiding and TCP/IP 7
6.1. Network Steganography 7
6.2. Covert Channels 7
6.2.1. Running the Covert Script 9
6.3. TCP/IP Based Data Hiding 10
6.4. Proof of Concept on the DNS Protocol of the Application Layer 11
7. Conclusion 12
8. References 13
9. Appendix 14
9.1. Appendix I: Demonstration of Covert TCP and Detection using Wireshark 14
9.2. Appendix II: Covert Channels in Transport and Network Layers 30
9.2.1. TCP (Transmission Control Protocol) 30


Table of Figures
Figure 1: Overt Channel & Operation of Covert Channel 1
Figure 2: Scope of covert channel analysis and data hiding in TCP/IP (Ahsan, 2002) 3
Figure 3: Basic TCP/IP header structure 5
Figure 4: Network steganography (Józef Lubacz, 2012) 7
Figure 5: Overt and covert channels (Ahsan, 2002) 8
Figure 6: Sending a message using a covert channel 9
Figure 7: TCP/IP Stack and Protocols 10
Figure 8: Architecture of DNS 11


CC6003NI DIGITAL CRIME INVESTIGATION

Covert Channel Analysis and Data Hiding in TCP/IP

1. Introduction
Information security is now a standard concern for everyone linked, directly or indirectly, to the
network environment. Recent research and development has provided us with sophisticated
computer networks, software and complex innovations. The issue that arises with the
development of sophisticated systems is the security of those systems. Security has become a
hot topic, with daily news of data breaches.

One of the modern developments in computer networking is the TCP/IP stack, which defines the
connectivity procedures between computer networks. Virtually all wide area networks and
protocols, including the Internet, are designed on the basis of the TCP/IP protocol suite.
Protocols such as IPsec, FTP, SSL and TLS are used to maintain security and privacy across
network communications. Work on TCP/IP found it to be susceptible to different types of attack,
such as SYN flood, sniffing, session hijacking, ping of death, IP spoofing, code hiding and more.
By creating a covert channel in these protocols to send confidential information, data hiding in
TCP/IP is possible (Adetokunbo A.A. Adenowo, 2013). Because of loopholes in their design
architecture, data can be hidden in different protocols. Previous research from various sources
is reviewed on this subject, and data concealed via the TCP protocol is demonstrated to show
how the red team can use these commonly employed systems for penetration testing, and how
cybercriminals can use them for illegal transfers of information, marking an epoch in the
evolution of digital crime.

Figure 1 : Overt Channel & operation of Covert Channel

BIDHAN PANT || 17031042 1


2. Aims and Objectives
The aim of this project focuses on developing covert network channels that exist even when
centralized TCP/IP networks control the transmission lines between network nodes.

Objectives are:
• A comprehensive study of the TCP/IP stack, with the assistance of research papers,
magazines and books from various sources such as IEEE, SANS and academic portals.
• Review and interpretation of the work of many researchers on the same subject, and a
response to it.
• Adequate clarification of the TCP/IP layers and of the loopholes in protocols such as
ICMP, DNS and TCP that have made them victims of covert channel attacks.
• Clear guidance on measures to mitigate covert channel attacks, which has become a
critical part of any forensic investigator's work.
• A case study in the subject area, carried out in real time, to show how a covert channel
can be used for penetration testing.
• A practical, proof-of-concept implementation of a covert channel on a widely used
protocol, to illustrate how commonly deployed software can be used to move secret
information.
• Usage of covert channels by the Red Team during penetration testing, with the assistance
of the case study.


3. Scope and Deliveries of Report

Network security is one of the most important research fields of today. A detailed analysis of
the existing framework, and of all aspects relating to it, must be given in order to address
security issues. This thesis tries to cover the picture as a whole. The scope of the work includes
network data hiding, file hiding (mainly related to digital images), standards linked to network
packets, analysis of TCP/IP protocols, network security mechanisms such as firewalls, and the
security development of the Internet Protocol (Ahsan, 2002). It primarily intends to provide some
means of protection through the use of the usable yet hidden bandwidth present in these
standard network protocols and security procedures.

Figure 2: Scope of covert channel analysis and data hiding in TCP/IP (Ahsan, 2002)


4. Background and Literature Review

Data hiding techniques have been used for decades, and they date back to ancient Greece. The
purpose of information hiding in applications, both then and now, is the same: to hide secret data
in an innocent-looking cover and to send it to the intended recipient, who is informed of the
hiding process. In an ideal situation, third parties cannot perceive the presence of the secret
communication. Over the centuries, the way people communicate has changed and
steganographic techniques have evolved, but the general principles have not changed in the
same period (Llamas, 2015). Covert channels were first described by Lampson in 1973 as a
communication channel that was not designed for communication; in 1984 Simmons presented
the idea of the subliminal channel through steganography. This definition was extended, through
an open channel, to two prisoners who shared sensitive information about how to survive.

4.1. Previous Research on Covert Channels and TCP/IP

Katzenbeisser and Petitcolas have noted the potential for data hiding in the TCP/IP protocol
suite. The benefit of using TCP/IP stems from the sheer volume of covert communication that
can be achieved with TCP/IP packets, since each open connection carries thousands of Internet
packets. Katzenbeisser and Petitcolas use the term Internet steganography for this potential
scenario and suggest that ongoing research includes embedding, retrieving and detecting data
in TCP/IP packet headers.

The results of Wolf (2008) can be interpreted as a logical extension of this work, but applied to
LAN protocols. Wolf establishes the argument that encryption, used for LAN authentication,
cannot guarantee the proper blocking of unlawful information flow through covert channels. The
study states that in every network where shared services are used, the presence of covert
channels can be assumed (Mileva, 2000). Through analyzing protocol frame formats, the author
explains the relation between protocol layout and covert storage channels, as well as the
relationship between functional protocol elements and covert timing channels. The covert
storage channels include padding areas, allocated fields and unused fields of the frame.


Figure 3: Basic TCP/IP header structure

A more specific approach is followed by Rowland (2010). Rowland developed efficient
encryption and decryption strategies using fields such as the TCP initial sequence number, the
IP identification field and the acknowledgement sequence number field. Rowland gave an
indication of the existence and use of covert channels in the TCP/IP protocol suite. There are
also several vulnerabilities in TCP/IP, such as IP spoofing, SYN flood, session hijacking, data
hiding, etc.

4.2. Contributions on the Topic by Previous Researchers

• Covert channel discovery by Serdar Cabuk of Purdue University on protocols such as
TCP, ICMP and DNS operating between connected TCP/IP network nodes.
• Rowland's research shows that the different protocols of TCP/IP are vulnerable to attacks
such as IP spoofing, session hijacking, information hiding, SYN flood assaults, etc.
• Serdar Cabuk claimed that, after the investigation, covert channels would be used to
reveal sensitive information to unauthorized parties.

5. Case Study
An IBM X-Force Red Team engagement was captured in real time to show that a covert channel
can support the red team during an organization's penetration testing.

5.1. Red Team's Best Friend: Covert Channel

The IBM X-Force Red Team's goal was to deliver a malicious payload without triggering security
checks or alerting the organization's defensive team. Firefox File Sharing was a good fit for
transferring encrypted files from the red team's point of view. Firefox File Sharing allows files of
up to 1 Tb, which is large enough for all payload and exfiltration files to be sent (Poudel, 2019).
It met the need for a siloed, covert channel out of the company. It encrypted and decrypted the
document with the AES-GCM algorithm directly in the web browser, so there was no need to
deal with any key generation or distribution. The payload would pass through proxies that can
unwrap Transport Layer Security (TLS) while remaining private, and it was not shared with any
party along the path, including Mozilla.

5.2. Review
The IBM X-Force team took advantage of a covert channel by sharing an encrypted file during
penetration testing without alerting the Blue Team. With the aid of the covert stream, the red
team successfully sent the report over port 80. This means red teams have the advantage of
needing only one way through, while blue teams are responsible for securing both inbound and
outbound avenues (Poudel, 2019). This one-sided advantage means that law enforcement
needs to keep a close eye on attack tactics, techniques and procedures before cybercriminals
manipulate covert channels and commit crime through them.


6. Data Hiding and TCP/IP

6.1. Network Steganography
Steganography is the art of hiding secret data in digital media such as photographs, video and
much more. More specifically, network steganography focuses on hiding data within networking
protocols, procedures and systems. Network steganography is used both by penetration testers
and by cybercriminals for the distribution of illicit information (Józef Lubacz, 2012).

Figure 4: Network steganography (Józef Lubacz, 2012)

6.2. Covert Channels
Lampson was the first to propose the idea of a covert channel. Lampson's description defines a
covert channel as one used for information transfer but not intended for communication. This
simple description is further discussed in [2, 3, 4, 5, 6]; these analyses expand on the term by
relating covert channels to resource allocation rules, resources shared across different system
security levels, variable resource states, and the application of resource management. Such
criteria relate to system-wide interaction. For example, a resource state variable is any process
variable that a covert channel can use to transmit data from one point to another within the
system, e.g. a file status variable observed at multiple points (states) within a system. A more
detailed description is given there which includes the possibility of covert channels arising from
the access control policy and its application. A covert channel is defined as a communication
mechanism between two parties which enables one party to pass data to the other in a way that
violates the security policy of the network. Covert channels are classified as covert timing
channels and covert storage channels (Ahsan, 2002). Communication in a covert storage
channel requires the sender to write hidden information to a storage location (not intended for
communication) and the receiving party to subsequently recover that content. On the other
hand, communication in a covert timing channel enables the sender to signal information by
modulating its own use of system resources so as to control the recipient's response time.

Figure 5: Overt and covert channels (Ahsan, 2002)

6.2.1. Running the Covert Script
This allows covert_tcp to send the packet via the loopback address 127.0.0.1. So let's just send
the message; the data will be carried in the IP ID header field. There is a file called file.txt
containing a couple of words. As shown below, the data is transmitted through the covert
channel to the local host.

Figure 6: Sending a message using a covert channel

Appendix I shows a complete covert demonstration using Wireshark, together with full evidence
of the transmission.

6.3. TCP/IP Based Data Hiding
On the other hand, the TCP/IP protocol suite is built to provide a reliable network and a simple,
open communication infrastructure for its users. The same headers that provide reliability and
flow control functionality also offer space for steganographic hiding. The possibilities for hiding
information in TCP/IP are assessed by analyzing the specific layers:

Figure 7: TCP/IP Stack and Protocols


The application layer provides endless opportunities to transmit covert information, since the
covert payload can either exist within the protocol headers or be distributed as payload. A
fruitful way to insert hidden communications is the HTTP protocol. For all organizations, the
transition from internal networks to web servers on the Internet requires some HTTP traffic
(Kwecka, 2006). Analysing packets for HTTP protocol compliance involves costly software and
can delay significant business web applications. An image can be transmitted through an HTTP
POST request for user and cloud networking apps.

The transport layer renders packets secure. The source IP address can be spoofed as the
intended recipient of the hidden message. The three-way handshake of TCP is the critical area
of study in this field. The twelve fields of the TCP header include many that are scarcely
checked, and others that are entirely random (James Gimbi, 2012). For example, the 32-bit
TCP sequence number defines the position of the first byte of the stream. It is possible to spoof
the source IP in this layer to provide false information as well as to carry secret data, which
makes the transport layer fertile ground for covert channel attacks.

The network layer is dominated by the Internet Protocol, ICMP, IGMP, ARP and RARP. IP
version 4 has 23 fields for routing, quality of service and aggregation. The 8-bit Type of Service
value, which defines the service class, can be compromised to hold a hidden message.
Likewise, Craig Rowland showed that the 16-bit IP Identification field, designed to identify
fragments of a datagram, can be exploited to deliver secret messages (Sbrusch, 2019). ICMP is
used to determine whether a host is alive, but it can be used for information hiding by appending
data to the message: IP / ICMP / secret data.

The physical layer, such as Ethernet, is highly usable within a LAN. A low-level protocol such as
ARP operates at this layer to map IP addresses to MAC addresses. Network tunneling can be
created inside the LAN using ARP. ARP's hidden source requires the data to be processed
within the LAN. Because the ARP protocol is always efficient, hiding information in ARP, Token
Ring or PPP can remain virtually undetected.

6.4. Proof of Concept on the DNS Protocol of the Application Layer

The Domain Name System (DNS) turns Internet domain and host names into IP addresses and
vice versa. DNS is not intended for tunneling; nevertheless, many utilities have been developed
to allow tunneling over DNS. DNS often receives less security attention than other traffic such
as web traffic. When DNS tunneling goes undetected, a business is in great danger. DNS
follows this architecture:

Figure 8: Architecture of DNS

7. Conclusion
This research is a step forward in the study of the presence of covert channels in the network
setting. Manipulation of the packet header takes advantage of features of the TCP/IP protocol
suite, such as consistency, the various definitions in the development policy, and reserved and
unused header fields, to define covert streams. Specific network packet data can have
foreseeable uses in monitoring processes, network-level digital rights schemes, content delivery
networks, and associated accounting and auditing services. The existing system of packet
classification contributes to the introduction of stego principles through IPsec software.
Identifying and analyzing covert channels at the network and transport layers offers an excellent
opportunity to merge steganography research with network security architecture. In addition to
finding its application in existing network node security mechanisms such as routers and
firewalls, a new security model allows the integration of steganographic principles with network
security techniques (using cryptographic tools). Thus, network protection can be enhanced by
combining steganography with cryptographic tools.


8. References

Adetokunbo A.A. Adenowo, B.A.A. (2013) Software Engineering Methodologies. International Journal of Scientific & Engineering Research, IV(7), p.8.

Ahsan, K. (2002) Covert Channel Analysis and Data Hiding in TCP/IP. Masters Thesis. Toronto: Department of Electrical and Computer Engineering, University of Toronto.

James Gimbi, D.J.P.L.a.B.Y. (2012) A Covert Channel Over Transport Layer Source Ports. In Schol, e.F.&.S.S.a.R., ed. The International Conference on Security and Management. New York, 2012. Rochester Institute of Technology.

Józef Lubacz, W.M.a.K.S. (2012) Principles and Overview of Network Steganography. Research paper. Warsaw: Institute of Telecommunications, Warsaw University of Technology.

Kwecka, Z. (2006) Application Layer Covert Channel Analysis and Detection. Honours Project. Edinburgh: Napier University.

Llamas, W.B.a.D. (2015) Covert Channel Analysis and Detection with Reverse Proxy Servers using Microsoft Windows. Thesis. Scotland: School of Computing, Napier University.

Mileva, A.a.B.P. (2000) Covert Channels in TCP/IP Protocol Stack. Central European Journal of Computer Science, V(4), pp.1-30.

Poudel, R. (2019) Covert Channel and Data Hiding in TCP/IP. Technical Report. Kathmandu: ResearchGate, Islington College, London Metropolitan University.

Sbrusch, R. (2019) Network Covert Channels: Subversive Secrecy. SANS, III, pp.1-20.

9. Appendix
9.1. Appendix I: Demonstration of Covert TCP and Detection using Wireshark
Now, let us look first at how we can store data in some TCP/IP header fields and then at how we
can check for that information.

Let Wireshark be started so that it can collect the data from the network. Let's begin capturing
packets. We will do it on the local interface here, select loopback (lo) and continue collecting
the packets.

We have just created the covert_tcp script. So let's run covert_tcp to send the packet over the
loopback address, whose destination address is 127.0.0.1; anything can be attached as the
source address, because it does not really matter since we are not receiving an answer. So we
are just going to send the message and hide the information in the IP ID header field. Then we
generated a file called file.txt containing a few words.

Now just send it out.

As can be seen, the data is being sent. As it flows in, we can see what the message is because
it is sending one character at a time. 'H' is the first character, 'I' is the second character, then
there is a space, and so on.

In fact, the IP ID field is 2 bytes long, but we are sending only 1 byte at a time. So what we have
is:

You may encounter a bug that is not shown in the screenshot above while running it; the bug is
IPv6 traffic, so just disregard it. As the packet is TCP, we filtered the packets as TCP and now it
just shows TCP packets, as shown above. Since the destination is 127.0.0.1 and the source is
unknown, i.e. 43.95.43.1, it worked well, as Wireshark caught the packets successfully.


Now let's look at the IP ID field to see the details; we already explained why we are moving to
the IP ID field. We can see that the first byte is '48' and the second byte is '0'. The first byte we
can see there is 'H' and the second byte is just empty, '0'.

We can see it is 'I' as we move on to the next one, and we have that again in the IP ID field.
What we got is '69' as the first byte and '0' as the second byte. The first byte we can see is 'I'
and the second byte is again empty, '0'.

We realize that the next one should be '20', because it is a space character. We can see this
below in the IP ID field.

At this point we can see all of our message in this way.


From the screenshots above, we can see our entire message generated from the text.txt file, and
the message is "Hi I am Bidhan." At the same time, as shown in the figure above, you can see
the byte used by each character in the IP ID field.

So that is how covert_tcp is used to hide data, and we can use the IP ID field for it. When we run
the program without parameters, it informs us of the different things we can do with it: we can
use the default 'ipid' field, we can also use the sequence number field, i.e. 'seq', which is in the
TCP header instead of the IP header, and finally the acknowledgement field, i.e. 'ack', which is
also in the TCP header instead of the IP header.

9.2. Appendix II: Covert Channels in Transport and Network Layers
This section provides a general overview of the various protocols at the transport and network
layers. TCP (Transmission Control Protocol), IGMP (Internet Group Management Protocol),
ICMP (Internet Control Message Protocol) and the Internet Protocol (IP) are included in the set
of protocols analyzed for possible covert use. It does not provide a detailed look at all potential
covert channels, but is meant to show the simple storage channels that may later be used in the
protocols mentioned (future research).

9.2.1. TCP (Transmission Control Protocol)

At the transport layer, TCP is built to provide a reliable process-to-process communication
facility in a multi-network environment. TCP is therefore a connection-oriented and reliable
transport protocol. The figure below shows a 6-bit field of the TCP header known as the code
bits (URG, ACK, PSH, RST, SYN, FIN). These bits define the function and purpose of the TCP
segment and instruct the receiving node how to interpret certain fields in the header. There are
64 possible combinations of these six bits, of which 29 are considered valid under the protocol
rules.

The goal in identifying the covert channel is to examine any redundancy within these possible
code bit combinations. Many TCP segments have the ACK bit set (i.e. the ACK bit frequency is
1) due to the full duplex nature of the connection between two hosts. This allows piggybacking
of data, as it is possible to send acknowledgments together with data. One of the redundancy
conditions is shown in the table below:

URG  ACK  PSH  RST  SYN  FIN
 0    1    1    0    0    1

The table above shows one of the valid combinations of the 6-bit code field. It can be
interpreted as follows: one end of the virtual connection wants to finish the communication
(FIN=1) and at the same time send an acknowledgment (ACK is set). The PSH flag is also set,
as the same end tells the receiving side to pass the data to its application layer immediately.
Since the URG bit is not set, the 16-bit Urgent Pointer field of the TCP header shown in the
figure above is redundant and can therefore be used to carry covert data.

Similarly, there are redundancy conditions for all possible cases where the URG bit is not set,
rendering the Urgent Pointer field redundant. It is also necessary to combine a set SYN bit with
either the ACK bit set or URG/PSH set to 1. Therefore, the remaining bits are unused by the
protocol, which opens the possibility of distributing covert data via the TCP header.
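As an added example that is not part of this report or of Rowland's covert_tcp, the following Python script automates the two checks that Appendix I and Appendix II perform by hand in Wireshark: it recovers a message carried one character per packet in the IP ID field, and it flags a non-zero Urgent Pointer in segments whose URG flag is clear. The IP ID byte layout follows the report's observation (character in the first byte, 0 in the second); the source address 192.0.2.10, the port numbers and the packet bytes are constructed for the example.

```python
"""Added example, not code from the report or from Rowland's covert_tcp.

Automates the two manual checks from the appendices: Appendix I recovers a
message carried one character per packet in the IP ID field, and Appendix II
treats the Urgent Pointer as redundant whenever URG is clear. All frames are
constructed below; nothing is transmitted."""
import struct
from typing import List, Optional

# TCP flag bits in the low byte of the data offset / flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_ipv4_tcp(frame: bytes) -> Optional[dict]:
    """Return the IPv4/TCP header fields the checks need, or None when the
    bytes are not IPv4 carrying TCP. IP options are skipped using IHL."""
    if len(frame) < 40:
        return None
    ver_ihl, _tos, _tot, ident, _ff, _ttl, proto, _cs, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(frame) < ihl + 20:
        return None
    _sp, _dp, seq, ack, off_flags, _win, _tcs, urg_ptr = struct.unpack(
        "!HHIIHHHH", frame[ihl:ihl + 20])
    return {"ident": ident, "seq": seq, "ack": ack, "flags": off_flags & 0x1FF,
            "urg_ptr": urg_ptr, "src": ".".join(map(str, src)),
            "dst": ".".join(map(str, dst))}


def ipid_covert_byte(ident: int) -> Optional[str]:
    """Layout observed in Appendix I: the character is the first (high) byte
    of the 16-bit IP ID and the second byte is 0, e.g. 0x4800 -> 'H'."""
    hi, lo = ident >> 8, ident & 0xFF
    return chr(hi) if lo == 0 and 0x20 <= hi < 0x7F else None


def urgent_pointer_misuse(hdr: dict) -> bool:
    """Appendix II: with URG clear the Urgent Pointer has no protocol meaning,
    so a non-zero value indicates the redundant field is carrying data."""
    return not (hdr["flags"] & URG) and hdr["urg_ptr"] != 0


def analyse(frames: List[bytes], min_chars: int = 3, min_ratio: float = 0.9) -> dict:
    """Walk a capture in order, grouping by (src, dst). A random IP ID also
    fits the byte pattern about 95 times in 65536, so text is reported only
    when most packets of a pair match and the run is long enough."""
    stats = {}
    findings = {"ipid_text": {}, "urg_ptr_packets": []}
    for i, frame in enumerate(frames):
        hdr = parse_ipv4_tcp(frame)
        if hdr is None:
            continue
        pair = stats.setdefault((hdr["src"], hdr["dst"]), {"total": 0, "chars": []})
        pair["total"] += 1
        ch = ipid_covert_byte(hdr["ident"])
        if ch is not None:
            pair["chars"].append(ch)
        if urgent_pointer_misuse(hdr):
            findings["urg_ptr_packets"].append(i)
    for key, pair in stats.items():
        if len(pair["chars"]) >= min_chars and len(pair["chars"]) / pair["total"] >= min_ratio:
            findings["ipid_text"][key] = "".join(pair["chars"])
    return findings


def build_frame(src: str, dst: str, ident: int, flags: int, urg_ptr: int = 0) -> bytes:
    """Constructed IPv4 + TCP headers for offline analysis (checksums left 0)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", 40000, 8080, 0x1234, 0, (5 << 12) | flags, 512, 0, urg_ptr)
    return ip + tcp


# Constructed capture: the report's message towards the loopback target, one
# covert-style packet per character, followed by two ordinary-looking packets.
SRC, DST = "192.0.2.10", "127.0.0.1"   # SRC is a placeholder; DST as in the report
MESSAGE = "Hi I am Bidhan."            # the text recovered in Appendix I
SAMPLE_CAPTURE = (
    [build_frame(SRC, DST, ord(c) << 8, SYN) for c in MESSAGE]
    + [build_frame("192.0.2.20", DST, 0x1A2B, ACK)]                        # clean
    + [build_frame("192.0.2.30", DST, 0x7C01, ACK | PSH, urg_ptr=0x4869)]  # URG clear, pointer set
)

if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for (src, dst), text in result["ipid_text"].items():
        print(f"IP ID channel {src} -> {dst}: {text!r}")
    print("Urgent Pointer set without URG in packets:", result["urg_ptr_packets"])
```

The same two functions can be run over real IPv4/TCP bytes pulled from a pcap; the ratio threshold is what keeps a single coincidental IP ID in a normal flow from being reported.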
