InfraGard Conference 2006

Digital Steganography


For many years, designers, developers, and evaluators of “trusted systems” for processing national security sensitive information have wrestled with issues about the ways hardware, operating systems, and application software can be used to establish covert channels in order to steal sensitive information.

In fact, there are four different definitions of covert channels in the National Computer Security Center guide on the topic.1 In the broadest sense, a covert channel for communications is a way for someone to communicate with anyone else in such a way as to conceal the fact the communication is taking place.

Steganography, which comes from the Greek words “steganos,” or “covered” and “graphy,” or “writing,” can be used to establish covert channels between an insider and one, or more, external entities. Essentially, steganography is used to “cover” the “writing” so as to conceal its very existence. Modern use is called digital steganography.

In April 2006, the National Science and Technology Council released the Federal Plan for Cyber Security and Information Assurance Research and Development2, which defines steganography as “the art and science of writing hidden messages in such a way that no one apart from the intended recipient knows of the existence of the message.”

The plan states that international interest in steganography technology research and development has exploded in recent years and because of the potential for using digital steganography applications to establish covert channels for communications, these technologies pose a potential threat to U.S. national security.

It is highly noteworthy that the plan lists use of cyberspace for covert communication immediately after physical attacks against key data centers and communications nodes, particularly by terrorists, on the list of immediate concerns for the U.S. information technology infrastructure.

With digital steganography, it is possible to hide information “inside” a digital file, or message, to conceal it from view. Information hiding could be done by appending information to the end of a file so that the information is not viewable by the application that opens, displays, and manipulates it. It could also be done by embedding information inside a file through a technique that manipulates the least significant bits (LSBs) of bytes representing the color components of each pixel in a digital image. This is generally referred to as the LSB Embedding or Encoding Technique. Finally, it could be done by translating a message into a form that, for all intents and purposes, appears to be e-mail spam. The latter approach is generally referred to as spam mimicry.

Steganography Risk Assessment

The classical approach to Risk Assessment is to first identify and assess the threat, then determine vulnerability to the threat, and finally determine the impact if the vulnerability is exploited.

Threat: Digital steganography applications can be used to steal sensitive information by sending the information outside the local computing environment, through boundary protection mechanisms, to anyone on the outside.

Hundreds of steganography applications are available as freeware or shareware on the Internet. There are some commercially licensed steganography applications that can be purchased for use by individuals. Clearly, not everyone who purchases a license to a steganography application will have malicious intent. However, others do so with the intent to steal sensitive information or conceal evidence of criminal activity.

Not only are steganography applications widely available, they are user friendly as well, many with graphical interfaces (GUIs) with the familiar “drag and drop” functionality to drag a file containing a secret message or other information and drop it onto the carrier file which serves as the container, or carrier, for the hidden information.

Considering how easy it is to find, download, and use digital steganography applications, it would be easy for trusted insiders with malicious intent to use them to steal critical information or to conceal evidence of some type of criminal activity.

Vulnerability: Few organizations, if any, have deployed countermeasures because they do not view steganography as a threat. In fact, few even understand digital steganography; much less know enough about it to perceive any risk.

This is a situation where the threat is high but threat perception is low to non-existent. As a consequence, little effort has been put into developing appropriate security controls to mitigate the threat.

All too often, when the topic of steganography comes up, a typical comment is “Oh, you mean short-hand writing?” It then becomes necessary to explain that short-hand writing is stenography. Others, who understand steganography, don’t believe it to be a threat. A typical retort is “Why would anyone go to the trouble of finding, downloading, installing, and using a steganography application when they can walk out the door with the crown jewels on a thumb drive?” Still others, who understand steganography and acknowledge it is a threat, have adopted the attitude that little or nothing can be done about it because there are no good tools available to detect the presence or use of steganography and then extract the hidden information-referred to as steganalysis.

Admittedly, any empirical data to bolster arguments that steganography is a threat is noticeably lacking. There are, however, some limited efforts underway to determine the prevalence of use of steganography. Unfortunately, there is little evidence proving steganography is being used.

In 2002, Europol cracked a pedophile ring called the Shadowz Brotherhood whose members were reported to be “hiding obscene material in apparently innocent picture files.”3,4 Although the word “steganography” was not used in either of the referenced media articles, from comments in the article, one can infer the group was using one or more steganography applications as a means to distribute the images by putting the files containing the contraband images on web sites accessible via the Internet.

It is believed digital steganography continues to be used as a means to distribute child pornography-sometimes by embedding the contraband images in adult pornographic images.

However, in spite of the Shadowz Brotherhood case, and possibly other cases that have not been widely reported, the question of whether digital steganography is a threat remains a paradox. Not many computer forensic examiners appear to be interested in looking for the use of steganography to conceal evidence of criminal activity until it is proven to be a threat. But, to prove that steganography is, in fact, a threat, computer forensic examiners need to look for it and then offer sanitized summaries of cases that involve the use of steganography when they encounter it during their examinations.

Impact: In his statement to the U.S. Senate Committee on Government Reform, Frank Cilluffo, Co-chairman of the Cyber Threats Task Force, provided a sampling of terrorist attacks on critical infrastructures after telling the committee that infrastructures have been popular terrorist targets for a long time because the destruction or incapacitation of key components could have a debilitating effect on U.S. national and/or economic security.5

Cilluffo also mentioned the many news articles about al Qaeda’s use of the Internet in the aftermath of 9-11 and reports that claimed their cyber tradecraft may have included use of highly sophisticated technology such as steganography.

It does not take much of a stretch of the imagination to consider that steganography may have been used to conceal communication between members of terrorist cells to plan the infrastructure attacks described by Cilluffo-including al Qaeda’s planning for the 9-11 attack.

Consider the banking and finance sector. An insider could use a steganography application to steal sensitive financial information that could result in illegal insider trading which could affect U.S. financial markets and, by logical extension, U.S. economic security.

In the information technology sector an insider could use a steganography application to reveal critical vulnerabilities to malicious hackers facilitating a cyber attack with devastating effects on key components of the Internet and the U.S. information technology infrastructure.

Any critical infrastructure sector that relies on Process Control Systems or Supervisory Control and Data Acquisition (SCADA) technology to control critical functions and processes is vulnerable to an insider who could use a steganography application to reveal critical vulnerabilities or key process parameters that could facilitate an attack on key components of any, or all, of the sectors. The General Accounting Office published a study on the challenges of securing control systems.7 Another excellent treatment of this topic can be found in a paper by Tenable Network Security.8

Countermeasures: The traditional approach to detecting use of digital steganography has been the blind detection approach, also referred to as anomaly-based detection.

The blind detection approach attempts to determine if information may be hidden in a given carrier file without any knowledge of the steganography application that was used, or the embedding technique employed by that application, and without access to a reference copy of the carrier file-a “known clean” copy that hasn’t had any information hidden within it.

There are numerous approaches to blind detection “attacks” on suspect carrier files, each with different potential outcomes.

The “visual attack” involves examining the suspect file, usually an image, to determine if there appear to be any obvious visual cues that the image has been manipulated. This approach typically works best if a reference copy of the carrier file is available for comparison.

The “structural attack” involves analyzing the structure of the particular file type suspected of being a carrier file. Deviations from standard structural elements or components may be indicative that information has been hidden in the file.

The “statistical attack” involves computing the statistical properties of the particular file type. Embedding information in a file generally alters the statistical properties of the file. Thus, the statistical attack seeks to determine the degree of variance from an expected norm. Because some steganography applications go to great lengths to minimize the degree to which they alter the statistical properties of carrier files, this approach is often not conclusive. Typically, a blind detection algorithm employing a statistical attack will yield only a probability that information may be hidden in a given file. This is of little benefit to a law enforcement computer forensic examiner who must find evidence of criminal activity. Thus, the hidden information must be detected and extracted in order to have something of potential evidentiary value to present to a prosecutor.

For an excellent treatment of these techniques along with additional information on steganography, see the article on steganography by Professor Gary Kessler of Champlain College in Forensic Science Communications.9

An evolving technique to detecting the presence or use of digital steganography applications, referred to as the analytical detection approach, is centered on detecting artifacts and signatures of steganography applications. The principle objective of the analytical approach is to discover enough information about the steganography application used to hide information to increase the probability of being able to extract the hidden information when it’s detected. The thinking is that detecting an artifact will identify a specific application. Then, analysis of that application will reveal the embedding technique and the types of files that can be manipulated by the application.

It should be noted that absence of artifacts cannot be interpreted to mean the media being examined does not contain carrier files with hidden information. As with the Cloak™ steganography application, a separate application for the sole purpose of extracting hidden information may be available so that recipients of files or messages containing hidden information don’t have to purchase a full license to the steganography application used to hide the information.

Detecting a signature of a particular steganography application would lead to identifying the application that left the signature. That may, in turn, facilitate the task of extracting the information hidden with that application.

Artifact Detection: The key to artifact detection is determining the complete footprint of each steganography application. This can be done by taking a snapshot of a system after installing an application on a baseline system. Then, any additional files beyond the files on the baseline system were added as a result of installing the steganography application. These files can then be hashed, generating the “fingerprints” of the file artifacts and added to a steganography application artifact database or a “steg hash set.”

In the case of computers running various versions of the Windows operating system, there may be artifacts of a steganography application in the registry. Consider a scenario where a highly, or even moderately, sophisticated user wants to cover their tracks after using a steganography application to hide information in a file. The user might uninstall the application and then delete obvious files and folders associated with the application that the uninstall process didn’t remove. Tracks covered-right?

Not so fast. As it turns out, like many Windows-based applications, steganography applications sometimes create or modify registry keys and/or values. Accordingly, even after going to some lengths to cover their tracks, if the user is not sophisticated enough to edit the registry, there may be evidence there in the form of a single key or value that could be associated with a particular steganography application.

Signature Detection: Some steganography applications leave an identifiable signature, or hexadecimal byte pattern, in the carrier file in which a message is embedded. Signature-based detection of steganography applications is not unlike the signature-based detection employed to detect viruses, worms, trojans, and other forms of malware.

A significant challenge of signature-based steganography detection is the time and effort required to discover the signatures. The typical approach to signature discovery involves use of a hex editor to compare a reference file and a “steg’d” file side by side. The reference file is a file known to be clean, meaning there has been nothing hidden in it. The steg’d file contains a known payload, such as the Declaration of Independence or the U.S. Constitution. The steg’d files are generated with the known payload using every option offered by a particular steganography application. Then, the objective of the steganography analyst, or steganalyst, becomes one of trying to discern anomalies, differences, and/or patterns in the steg’d file to determine how the payload was embedded, the beginning of the payload, the password if one was used, etc. This process can range from hours to days or weeks.

Another significant challenge of signature-based detection is the need for continuous effort to find new steganography applications as they appear on the Internet and then perform the signature discovery process on each and every one to attempt to determine if the application leaves a uniquely identifiable signature in the steg’d file-a daunting task to say the least.

There is also the possibility the application does not leave a uniquely identifiable signature in the steg’d file. In that case, the best chance of determining the application has been used is to detect a file or registry artifact associated with the application. If an artifact is detected, additional analysis, perhaps with expert assistance from a steganalysis expert, may yield the steg’d files and the resulting possibility of extracting information that may have been hidden with the application. The worst-case scenario is one where neither an artifact nor a signature is detected. In that case, any information hidden in steg’d files will simply go undetected.

Some steganography applications can be run from thumb drives or other portable devices that can be plugged into a USB port. In these cases, there may be no fingerprints left in the system that would indicated a steganography application had been used to hide something.

Many steganography applications also provide users with the capability to encrypt the secret message before embedding it within the carrier file. Depending on the strength of the encryption algorithm and how it was implemented, it is entirely possible that hidden information may be detected and extracted, but may turn out to be cipher text. In that case, the examiner is presented with a difficult cryptanalysis problem.

Ultimately, the most effective countermeasures to the threat posed by use of digital steganography will likely evolve into a comprehensive approach that includes the best features of both the analytical approach and the blind detection approach. Combining the best features of both will advance the state-of-the-art of steganalysis.


The use of steganography will never be detected if no one ever looks for it.

Countermeasures to the threat of steganography will not be deployed until only management, computer security professionals, and computer forensic examiners become convinced the threat is real.

To find incontrovertible evidence that steganography is, in fact, being used to steal sensitive information and conceal evidence of criminal activity require, computer forensic examiners need to include steganalysis as a routine aspect of their computer forensic procedures, use the best available tools to detect the presence and use of steganography, and provide feedback through user groups and professional associations and publications.

A comprehensive enterprise security program should include countermeasures to the threat posed by insider use of steganography. The first step is to acknowledge the threat exists by developing and implementing policy to prohibit users from having steganography applications on their workstations. Finally, both passive and active detection tools and techniques should be employed to enforce the “no steg” policy.

James E. Wingate, CISSP-ISSEP, CISM, NSA-IAM, is Vice President for West Virginia Operations and Director, Steganography Analysis and Research Center (SARC) for Backbone Security. Located in North Central West Virginia, the SARC is conducting research to advance the state-of-the-art of digital steganalysis tools, techniques, and procedures.

1 NCSC-TC-TG-030 Version-1, A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993.

2 Federal Plan for Cyber Security and Information Assurance Research and Development, Report by the Interagency Working Group on Cyber Security and Information Assurance, April 2006,



5 Statement of Frank J. Cilluffo, Co-chairman, Cyber Threats Task Force, Homeland Defense Project, Center for Strategic & International Studies to the U.S. Senate Committee on Government Reform on October 4, 2001.

6 Towards Eliminating Steganographic Communication,” Anthony Whitehead, Carleton University, Conference Proceedings, Third Annual Conference on Privacy, Security and Trust, Oct 12-14, 2005

7 Critical Infrastructure Protection, Challenges in Security Control Systems, Statement of Robert F. Dacey, Director, Information Security Issues, U.S. GAO, October 1, 2003,

8 Protecting Critical Infrastructure, SCADA Network Security Monitoring, June 7, 2006 (Revision 3),

9 Forensic Science Communications, An Overview of Steganography for the Computer Forensic Examiner, Volume 6-Number 3, July 2004,



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: