QuickStudy: Steganography: Hidden Data

:: Bismillahirrahmanirrahim ::

June 10, 2002 (Computerworld) — An engineering firm suspected that an insider was transmitting valuable intellectual property out of its network. When Seattle-based forensics consulting firm Electronic Evidence Discovery Inc. (EED) investigated the case in June 2000, it couldn’t find the evidence on the local hard drive. After checking mail logs, however, investigators found the smoking gun: two e-mails with harmless-looking image attachments sent by an engineer. Turns out, the images were hiding two of the company’s most precious engineering specifications.

The technique used to hide the specifications inside image files is a high-tech version of a process called steganography, which has been around since the beginning of recorded history, says Sayan Chakraborty, vice president of engineering at Sigaba Corp. in San Mateo, Calif.

During the Roman Empire, he explains, secret information was tattooed on a messenger’s shaved head. When the hair grew back, the messenger was sent out with the secret message on his scalp and a decoy message in hand.

In the IT realm, steganography replaces unneeded bits in image and sound files with secret data. Instead of protecting data the way encryption does, steganography hides the very existence of the data. And it’s undetectable under traditional traffic-pattern analysis.

There are few legitimate uses for steganography, say forensics professionals. And despite reports circulating about terrorists using steganography to communicate secretly, experts doubt that’s the case.

“Most people study steganography either as an academic discipline or a curiosity, but I don’t know if even terrorist groups would actually use it,” says Chakraborty.

Last year, after reading a USA Today article about steganography and terrorism, Neils Provos, a Ph.D. student in computer science at the University of Michigan in Ann Arbor, decided do his dissertation on steganography.

Provos developed detection and cracking tools to analyze images for signs of steganography, such as overly large files and uneven bit mapping. He tested the tools and then used them to compare 2 million images on San Jose-based eBay Inc.‘s Web site, which has been cited as a possible place for posting and retrieving hidden messages. Provos found no cases of steganography.

“Steganography becomes the focus of attention, dies down, and then the public is all over it again,” says Provos. “But it will never be pervasive, because the amount of data you can actually hide in the images is fairly small. And if someone wanted to steal intellectual property, it’d be easier to copy the data on a disk and carry it out in your pocket.”

Even if steganography is present, forensics experts prefer to start by investigating less complex areas. But in some cases, the only evidence might be hidden in image or sound files, so investigators need to be aware of steganography and the tools used to detect and crack it, say experts.

“It’s true that steganography is very little used, but we need to be aware of it when doing almost any forensics analysis,” advises Kenneth Shear, vice president of technology and law at EED.

Used to combine explanatory information with an image (like doctor’s notes accompanying an X-ray) Could accidentally degrade or render an image misleading
Embedding corrective audio or image data in case corrosion occurs from a poor connection or transmission Could counteract and be counterproductive with the original image
Peer-to-peer private communications Doesn’t hide the fact that an e-mail was sent, negating the purpose of secret communications
Posting secret communications on the Web to avoid transmission Someone else with a steganography detection and cracking tool could expose the message
Copyright protection A form of this already exists, called digital watermarking, but requires use of separate hardware tools because steganographic software can’t use separate hardware tools. Steganographic software also can’t protect the watermark.
Maintaining anonymity Easier to open free Web-based e-mail or use cloaked e-mail
Hiding data on the network in case of a breach Better to understand and effectively use standardized encryption

June 10, 2002 (Computerworld) — Steganography strips less important information from digital content and injects hidden data in its place. This is done over the spectrum of the entire image. Here’s one way it could be implemented:

The following sequence of 24 bits represents a single pixel in an image. Its 3 bytes of color information provide a total of 256 different values for each color (red, green and blue) and thus can represent a total of 16.7 million colors. This particular value displays as a dark green:

How It Works

Now, let’s take 11 of these pixels that represent, say, part of a solid-color background. In the following sequence, the least significant (rightmost) bit of each 8-bit byte has been co-opted to hide a text message—the four characters Aha!—in ASCII binary:

How It Works

Here are the bits behind those 11 pixels:

How It Works

The hidden message occupies 32 of those 264 bits (about 12%) and contains four 8-bit bytes. In the diagram, each maroon or gold box represents a bit that had to be changed to include the hidden message. Notice that only 15 of 264 bits (less than 6%) had to be changed and only eight of the 11 pixels were altered.

The two figures below represent the 11 colored pixels we’ve been manipulating. The figure on the left is the original, unaltered version. The one on the right has been modified, as shown above. Can you see a difference? I can’t either.

How It Works

If instead of 11 pixels we had a 300KB bitmap file, we could accommodate a text message of 36KB, or about 6,000 words.

— Russell Kay

June 10, 2002 (Computerworld)Online Resources
There are about a dozen freeware sites on steganography. But data-hiding instructors at New Technologies Inc. in Gresham, Ore., recommend the Web site of Neil Johnson, IT consultant and associate director at the Center for Secure Information Systems at George Mason University in Fairfax, Va.
Favorite tool: F5 steganography with robust encryption.
Steganalysis tools by Niels Provos, doctoral candidate at the University of Michigan at Ann Arbor, include the following:

  • Stegdetect identifies possible steganographic images based on value distributions
  • Stegbreak, which uses dictionary guessing to break the encoding password
  • In development: self-teaching tools that will understand the common values in image and sound files


Steganography and Digital Watermarking Vendors


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: