Steganalysis : How to Detect Steganography
Steganalysis is the detection of the existence of hidden information. It stands to steganography as cryptanalysis stands to cryptography: its goal is to discover hidden information and to break the security of its carriers. To understand how steganalysts work, and what techniques and methods they use, we suggest reading what has been published by the Steganography Analysis and Research Center (SARC):
"Blind" Steganography Detection:
The blind detection approach to steganalysis has been around for a number of years. Blind detection attempts to determine if a message may be hidden in a file without any prior knowledge of the specific steganography application used to hide the information. Several techniques may be employed to inspect suspect files, including various visual, structural, and statistical methods.
Visual analysis methods attempt to detect the presence of steganography through visual inspection, either with the naked eye or with the assistance of automated processes. Visual inspection with the naked eye can succeed when steganography is inserted in relatively smooth areas with nearly equal pixel values. Automated computer processes can, for example, decompose an image into its individual bit-planes. A bit-plane consists of a single bit of memory for each pixel in an image, and the least significant bit-plane is a typical hiding place for steganography applications. In an unmodified image the least significant bit-plane looks noisy but still carries faint traces of the image content; a plane that looks like uniform noise everywhere, or that shows a sharp boundary where the noise stops part-way through the image because the embedding filled pixels in order, would be expected to indicate the existence of steganography.
Structural analysis methods attempt to reveal alterations in the format of the data file. For example, a steganography application may append hidden information after an image's end-of-image marker (the IEND chunk of a PNG, or the FF D9 end-of-image marker of a JPEG). An image that has been modified using this appending technique is decoded by the operating system and by image viewers just as if it were the original carrier file: the pixel data has not been altered, so the two files render identically, and the hidden information that follows the end marker is simply ignored. The files are not byte-for-byte identical, however. The modified file is larger, its hash differs from the original's, and the trailing bytes are visible to anyone who walks the file structure rather than just viewing the image. Several automated methods for conducting structural analysis have been developed in addition to the manual process of investigating images with a hex editor.
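As an added example (not code from the original page or from SARC), the following Python performs the structural check described above: it walks the chunk list of a PNG to the IEND chunk, or the marker segments and scan data of a JPEG to the EOI marker, and reports whatever bytes follow. Walking the structure matters, because a naive search for the last FF D9 would be fooled by a payload that happens to contain that byte pair. The sample PNG and the JPEG marker skeleton are constructed inline for the demonstration and are not real photographs.

```python
"""Detect data appended after a PNG's IEND chunk or a JPEG's EOI marker.
Added example; standard library only. Sample files are constructed below."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(blob):
    """Walk the chunk list and return the offset just past the IEND chunk,
    or None if the chunk structure is malformed or IEND is never reached."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length + 4            # length + type + data + CRC
        if end > len(blob):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_end_offset(blob):
    """Walk marker segments, skipping entropy-coded scan data, and return the
    offset just past the EOI marker (FF D9), or None if it is never reached."""
    if not blob.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(blob):
        if blob[pos] != 0xFF:
            return None                       # lost sync: expected a marker
        marker = blob[pos + 1]
        if marker == 0xD9:                    # EOI
            return pos + 2
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # TEM, RSTn, SOI: no length
            pos += 2
            continue
        if pos + 4 > len(blob):
            return None
        (seglen,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        pos += 2 + seglen
        if marker == 0xDA:                    # SOS: scan data runs to the next real marker
            while pos + 1 < len(blob):
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                     # FF00 is stuffing, FFD0-D7 are restart markers
                pos += 1
    return None


def trailing_data(blob):
    """Bytes after the image's end marker: b'' for a clean file, None if unparseable."""
    if blob.startswith(PNG_SIG):
        end = png_end_offset(blob)
    elif blob.startswith(b"\xff\xd8"):
        end = jpeg_end_offset(blob)
    else:
        return None
    return None if end is None else blob[end:]


def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def sample_png():
    """Constructed 1x1 8-bit grayscale PNG (a valid image)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")         # filter byte 0 + one gray pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def sample_jpeg():
    """Constructed JPEG marker skeleton: SOI, APP0, SOS whose scan data contains a
    stuffed FF00 and an RST0 marker, then EOI. Structurally valid, not decodable."""
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 4) + b"JFIF"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 6) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
    return b"\xff\xd8" + app0 + sos + scan


if __name__ == "__main__":
    print(trailing_data(sample_png() + b"hidden payload"))      # b'hidden payload'
    print(trailing_data(sample_jpeg() + b"\xff\xd9secret"))      # b'\xff\xd9secret'
```

A non-empty result is a structural anomaly worth a closer look, but not proof of steganography on its own: some legitimate tools also write metadata after the end marker, so the trailing bytes should be examined before drawing conclusions.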
Statistical analysis methods attempt to detect tiny alterations in a file's statistical behavior caused by steganographic embedding. Statistical analysis of files can be difficult and time consuming, since there are a variety of approaches to embedding, each modifying the carrier file in a different way. Therefore, unified techniques for detecting steganography with this method are difficult to find. Statistics such as means, variances, and chi-square tests measure the amount of redundant information and the deviation from the characteristics expected of an unmodified file. Current research in blind detection steganalysis is focused on these statistical methods.
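As an added example that is not code from the original page or from SARC, the following Python demonstrates both blind checks described above on one constructed image: the bit-plane decomposition of the visual method, with a simple neighbour-transition measure of how noise-like a plane is, and the chi-square test of the statistical method, implemented as Westfeld and Pfitzmann's pairs-of-values attack on LSB replacement. The 128x128 grayscale cover, its construction as a smooth gradient whose (2k, 2k+1) pair histogram is deliberately uneven, the random payload, and the sequential LSB embedding are all assumptions made for the demonstration.

```python
"""Blind steganalysis on an 8-bit grayscale image held as a flat list of ints.
Added example: cover, payload and LSB embedding are constructed here (assumptions
noted in make_cover); no image library is needed."""
import math
import random

WIDTH, HEIGHT = 128, 128


def make_cover(seed=1):
    """Constructed cover: smooth diagonal gradient plus slight noise, with 80% of the
    pixels pushed to the even member of their (2k, 2k+1) pair so the pair histogram
    is uneven, the property the chi-square attack relies on."""
    rng = random.Random(seed)
    pixels = []
    for y in range(HEIGHT):
        for x in range(WIDTH):
            v = min(255, max(0, int(x + y + rng.gauss(0, 3))))
            pixels.append(v & ~1 if rng.random() < 0.8 else v | 1)
    return pixels


def embed_lsb(pixels, bits):
    """Sequential LSB replacement: the low bit of pixel i becomes message bit i."""
    out = list(pixels)
    for i, b in enumerate(bits):
        out[i] = (out[i] & ~1) | b
    return out


def bit_plane(pixels, bit):
    """Bit-plane decomposition: the selected bit of every pixel (0 = LSB plane)."""
    return [(p >> bit) & 1 for p in pixels]


def transition_rate(plane, width=WIDTH):
    """Fraction of horizontal neighbours whose bits differ: low for a plane that
    follows the image content, near 0.5 for one overwritten with a random payload."""
    rows, changes = len(plane) // width, 0
    for r in range(rows):
        row = plane[r * width:(r + 1) * width]
        changes += sum(a != b for a, b in zip(row, row[1:]))
    return changes / (rows * (width - 1))


def chi2_sf(x, df):
    """Upper tail P(X > x) of a chi-square variable with df degrees of freedom, i.e.
    the regularized upper incomplete gamma Q(df/2, x/2): power series below a + 1,
    Lentz's continued fraction above it."""
    a, x = df / 2.0, x / 2.0
    if x <= 0:
        return 1.0
    scale = math.exp(-x + a * math.log(x) - math.lgamma(a))
    if x < a + 1:
        term = total = 1.0 / a
        n = a
        for _ in range(1000):
            n += 1
            term *= x / n
            total += term
            if abs(term) < abs(total) * 1e-15:
                break
        return 1.0 - total * scale
    tiny, b = 1e-300, x + 1 - a
    c, d = 1 / tiny, 1 / b
    h = d
    for i in range(1, 1000):
        an, b = -i * (i - a), b + 2
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1 / d
        delta = c * d
        h *= delta
        if abs(delta - 1) < 1e-15:
            break
    return scale * h


def chi2_pairs_of_values(pixels):
    """Westfeld/Pfitzmann pairs-of-values test. LSB replacement drives the counts of
    2k and 2k+1 towards their mean, so the statistic falls well below its df and the
    upper-tail p approaches 1 when a full random payload has been embedded."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, pairs = 0.0, 0
    for v in range(0, 256, 2):
        expected = (hist[v] + hist[v + 1]) / 2.0
        if expected > 0:
            stat += (hist[v] - expected) ** 2 / expected
            pairs += 1
    df = pairs - 1
    return stat, df, (chi2_sf(stat, df) if df > 0 else 1.0)


def demo():
    """Cover versus stego carrying a full-length random payload (constructed message)."""
    cover = make_cover()
    rng = random.Random(2)
    stego = embed_lsb(cover, [rng.getrandbits(1) for _ in cover])
    return {"cover_lsb_rate": transition_rate(bit_plane(cover, 0)),
            "stego_lsb_rate": transition_rate(bit_plane(stego, 0)),
            "cover_msb_rate": transition_rate(bit_plane(cover, 7)),
            "cover_p": chi2_pairs_of_values(cover)[2],
            "stego_p": chi2_pairs_of_values(stego)[2]}
```

Running `demo()` shows the two effects the text describes: the most significant plane of the cover barely changes between neighbours, its least significant plane is already fairly noisy, and after embedding the LSB plane becomes indistinguishable from coin flips, while the chi-square p jumps from essentially 0 to essentially 1. The test is only this decisive for sequential LSB replacement at high capacity; a small payload, or an embedding scheme that does not flip bits within pairs, leaves the pair histogram largely intact, which is the "variety of approaches" caveat in the text.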
Complications of Blind Detection
In practice, even if the blind detection
technique detects anomalies in suspect files, it
is not very likely that the hidden information
can successfully be extracted. It is often not
possible to identify the particular
steganography application used to embed hidden
information within the suspect file using
current blind detection algorithms. The suspect
file may have characteristics similar to an
anomaly that will trigger a false positive
result. Even if it is possible to extract the
hidden information, which is highly unlikely
using only a blind detection approach, the
hidden information may have been encrypted prior
to being embedded in the carrier file.
The following four complications are possible when implementing blind detection techniques for steganalysis:
•The suspect file may or may not have any information hidden
in it in the first place.
•The hidden message may have been encrypted before being
hidden in the carrier file.
•Some suspect files may have had noise or irrelevant data
encoded in them which reduces the stealth aspect
(i.e., makes it easier to detect use of
steganography) but makes analysis very
time-consuming.
•Unless the hidden information can be found, completely recovered, and decrypted (if encrypted), it is often not possible to be sure whether the suspect carrier file contained a hidden message in the first place; all the analyst ends up with is a probability that the suspect carrier file may have something hidden within it.
"Analytical" Steganography Detection:
The analytical approach to steganalysis has been developed by the Steganography Analysis and Research Center as a byproduct of extensive research of steganography applications and the techniques they employ to embed hidden information within files. The premise of this approach is to first determine if any residual file and/or Microsoft Windows Registry artifacts from a particular steganography application exist on the suspect media.
• If residual artifacts exist, then the
application was probably installed.
• If the application was installed, then it was probably used.
• If the application was used, then something was probably hidden
using it.
The analytical approach attempts to determine whether there is any evidence that a steganography application ever existed on the suspect media. Searching for files and registry entries that the SARC has identified as belonging to a steganography application will reveal these residual artifacts. The goal is to determine what application was used and what type(s) of carrier files it may have been used on, and then to find what was hidden by that particular application.
The analytical approach to steganalysis is intended to be an extension of traditional computer forensics practices. For example, all deleted files and alternate data streams should be recovered using traditional forensics utilities prior to conducting steganalysis.
The Steganography Application Library
The SARC maintains a library of steganography, watermarking, and other data-hiding applications by routinely searching the Internet for freeware, shareware, and licensed applications. When found, an application is downloaded and catalogued with the application name, date and time of download, and location it was found on the Internet. Each application is installed, tested, and examined before being added to the library.
The Internet is dynamic and ever changing: a steganography application that appears on a certain website may not be available when a computer forensic examiner needs to access it at a later date. Thus, the SARC also maintains a physical repository containing archive copies of all applications on CD-ROM. This repository may be consulted by computer forensic examiners on a fee-for-service basis if artifacts of an application are discovered during an examination and the original application is no longer available.
Process for Analytical Steganalysis
To determine if residual file artifacts of steganography applications exist on the suspect media, the SARC has developed the Steganography Application Fingerprint Database (SAFDB). The SAFDB contains file profiles associated with hundreds of steganography, watermarking, and other data-hiding applications. These file profiles contain identifying information such as filename, file size, associated application name, and several hash values: CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. These hash values may be used to determine the presence of artifacts of steganography applications on the media being examined. Note that CRC-32 is a checksum rather than a cryptographic hash, and MD5 and SHA-1 collisions are practical today, so a match on one of those values should be confirmed against one of the SHA-2 values before it is relied on.
The first step in the analytical approach is to hash all files on the suspect media. Next, compare the generated hash values with those in the SAFDB. A match represents a file artifact that may be associated with one or more steganography applications. Each file profile within the SAFDB identifies which steganography application that artifact belongs to. Because the match is made on content rather than on name, a renamed copy of an artifact is still identified; a modified or recompiled file is not, since any change to its bytes changes every hash value.
Once a list of potential steganography
applications has been compiled, carrier file
types that can be manipulated by those
applications should be identified. To accomplish
this, the computer forensic examiner should
download and experiment with that application.
Next, a focused search should be conducted on
the suspect media for carrier file types that
are manipulated by the particular steganography
application. Finally, the suspect carrier files
can be subjected to further analysis based on
the specific steganographic techniques that can
be used on them.
Once the steganographic technique has been determined, it may be possible to extract the hidden information. If strong encryption was used before the information was hidden in the carrier file, extraction yields only ciphertext. Cryptanalysis of a correctly implemented modern cipher is not a realistic option, so in practice the key or passphrase has to be recovered by other means, such as passwords found elsewhere on the suspect media, password reuse, or dictionary attacks against weak passphrases.
Research conducted in the SARC has revealed that
some steganography applications leave behind
signatures, or specific byte patterns, that
always appear in a file after hidden information
has been embedded. The signature discovery
process can be very time consuming because each
steganography application must be individually
analyzed to determine how the application embeds
information. Once a signature is discovered, an
automated process must be developed to search
every potential carrier file for that particular
signature.
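As an added example that is not code from SARC or from the original page, the following Python strings the analytical process together end to end: it hashes every file under a suspect directory, matches the hashes against a fingerprint database, performs the focused search for the carrier types the matched application can manipulate, and then scans only those carriers for the application's byte signature. The application name "ExampleHide", its artifact, its carrier types and its four-byte signature are hypothetical stand-ins for SAFDB and signature-research entries, not real data; the suspect media is constructed in a temporary directory.

```python
"""Analytical steganalysis over suspect media: hash files, match fingerprints, search
for carrier types, scan carriers for a signature. Added example: "ExampleHide", its
artifact, carrier types and signature are hypothetical; media is built in a temp dir."""
import hashlib
import os
import shutil
import tempfile

# Hypothetical artifact content standing in for the application's installed binary.
_ARTIFACT = b"MZ\x90\x00 hypothetical ExampleHide installer body " + bytes(range(64))

# Fingerprint database: content hash -> (artifact filename, application). SAFDB
# profiles carry several hash types; we key on SHA-256 because CRC-32 matches are
# trivially forged and MD5 collisions are practical.
FINGERPRINTS = {
    hashlib.sha256(_ARTIFACT).hexdigest(): ("exhide.exe", "ExampleHide"),
}

# Hypothetical knowledge gained by experimenting with the application: the carrier
# types it writes and a byte signature it leaves in every output file.
APP_PROFILES = {
    "ExampleHide": {"carriers": {".bmp", ".png"}, "signature": b"EXHD"},
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (path relative to root with '/' separators, absolute path) for every file."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            yield os.path.relpath(full, root).replace(os.sep, "/"), full


def find_artifacts(root):
    """Steps 1-2: hash every file and look each hash up in the fingerprint database.
    Matching is by content, so a renamed copy of an artifact is still found."""
    hits = []
    for rel, full in walk_files(root):
        profile = FINGERPRINTS.get(sha256_file(full))
        if profile:
            hits.append((rel, profile[0], profile[1]))
    return sorted(hits)


def find_carriers(root, apps):
    """Step 3: focused search for file types the identified applications manipulate."""
    exts = set()
    for app in apps:
        exts |= APP_PROFILES[app]["carriers"]
    return sorted(rel for rel, _ in walk_files(root)
                  if os.path.splitext(rel)[1].lower() in exts)


def scan_signatures(root, carriers, apps):
    """Step 4: look for each application's signature inside the candidate carriers only;
    the same bytes in a file of a non-carrier type are not evidence of embedding."""
    hits = []
    for rel in carriers:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        for app in apps:
            offset = data.find(APP_PROFILES[app]["signature"])
            if offset != -1:
                hits.append((rel, app, offset))
    return hits


def analyse(root):
    artifacts = find_artifacts(root)
    apps = sorted({app for _, _, app in artifacts})
    carriers = find_carriers(root, apps)
    return {"artifacts": artifacts, "applications": apps, "carriers": carriers,
            "signature_hits": scan_signatures(root, carriers, apps)}


def build_demo_media():
    """Constructed suspect media: a renamed copy of the artifact, a clean PNG-named
    file, a BMP-named file carrying the signature, and a text file that also contains
    the signature bytes but is not a carrier type."""
    root = tempfile.mkdtemp(prefix="suspect_media_")
    files = {
        "Downloads/setup_renamed.bin": _ARTIFACT,
        "Pictures/holiday.png": b"\x89PNG\r\n\x1a\n fake clean image data",
        "Pictures/cat.bmp": b"BM" + bytes(50) + b"EXHD" + bytes(8),
        "notes.txt": b"EXHD appears here too, but .txt is not a carrier type",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
    return root


def run_demo():
    root = build_demo_media()
    try:
        return analyse(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On the constructed media the renamed installer is matched purely by its SHA-256, the two image files are selected as candidate carriers, and only the BMP is reported as carrying the signature, at byte offset 52; the text file containing the same four bytes is deliberately ignored because it is not a type the application writes. A real examination would run this over the image after deleted files and alternate data streams have been recovered, as the text recommends, and would treat a signature hit as a lead for extraction rather than as proof on its own.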
Reference:
"About Steganography" page on SARC website.