DocumentCode :
2510330
Title :
OleDetection Forensics and Anti-forensics of Steganography in OLE2-Formatted Documents
Author :
Erbacher, Robert F. ; Daniels, Jason ; Montiero, Steena
Author_Institution :
Comput. Sci. Dept., Utah State Univ., Logan, UT, USA
fYear :
2009
fDate :
21-21 May 2009
Firstpage :
85
Lastpage :
96
Abstract :
New and improved data hiding techniques pose a problem for forensic analysts investigating computer crime. Computer criminals are able to hide information using stego-channels available in commonly used document formats, thereby hindering an investigator from acquiring possibly important evidence. In this paper, we focus on detecting the use of stego-channels in the unused or dead space regions in the Object Linking and Embedding 2 (OLE2) specification used primarily by Microsoft's Office. The OleDetection algorithm presented in this paper is focused on detecting the use of these stego-channels using a three-step process comprising the detection of dead regions in a document, the extraction of binary data and the generation of appropriate statistics using kurtosis and byte-frequency distribution, and the comparison of the calculated statistics with threshold values, which determines whether or not the document contains hidden data. This algorithm extends the work done by the StegOle algorithm. Our experimental results show that the OleDetection algorithm can correctly identify 99.97 percent of documents with previous stego-channel techniques with a false positive rate of only 0.65 percent. In addition, we present an anti-forensic technique wherein OLE2 documents can be modified to hide data with greater detection avoidance characteristics; thus reducing the accuracy of the current OleDetection implementation.
Keywords :
computer crime; formal specification; steganography; OLE2 specification; OLE2-formatted documents; Object Linking and Embedding 2; OleDetection algorithm; anti-forensics technique; computer crime investigation; data hiding techniques; forensics technique; steganography; Computer crime; Computer science; Conferences; Data encapsulation; Data engineering; Digital forensics; Joining processes; Object detection; Statistical distributions; Steganography; Anti-Forensics; Covert Channels; Forensics; OLE2; steganography;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Systematic Approaches to Digital Forensic Engineering, 2009. SADFE '09. Fourth International IEEE Workshop on
Conference_Location :
Berkeley, CA
Print_ISBN :
978-0-7695-3792-4
Type :
conf
DOI :
10.1109/SADFE.2009.18
Filename :
5341560