29-09-2012, 11:34 AM
Steganalysis: Detecting hidden information with computer forensic analysis
Introduction
With the wide use and abundance of steganography tools on the Internet, law enforcement authorities have concerns about the trafficking of illicit material through web page images, audio, and other files. Methods of detecting hidden information, and an understanding of the overall structure of this technology, are crucial in uncovering these activities.
Digital image steganography is growing in use and application. In areas where cryptography and strong encryption are being outlawed [1], people are using steganography to circumvent these policies and send messages secretly.
In this paper I shall give a brief definition of steganography and steganalysis in general to provide a good understanding of these two terms, but more importantly, I shall talk about how to detect the existence of hidden information in innocent-looking carriers of digital media such as text, JPEG images, and MP3 audio files, with the help of various tools.
What is steganography?
The word steganography comes from the Greek name “steganos” (hidden or
secret) and “graphy” (writing or drawing) and literally means hidden writing.
Steganography uses techniques to communicate information in a way that is
hidden.
Steganography hides the existence of a message by transmitting information
through various carriers. Its goal is to prevent the detection of a secret message.
The most common use of steganography is hiding the information of one file within the information of another file. Cover carriers, such as images, audio, video, text, or code represented digitally, hold the hidden information. The hidden information may be plaintext, ciphertext, images, or information hidden in a bit stream. The cover carrier and the hidden information together form a stego-carrier. A stego-key, such as a password, is additional information that further conceals a message. An investigator who does not possess the name of the file and the password cannot know about the file's existence.
Tools used to hide information
There are two possible groups of steganographic tools: the image domain and
the transform domain.
Image domain tools include bit-wise methods that apply least significant bit (LSB) insertion and noise manipulation. The tools in this group are StegoDos, S-Tools, Mandelsteg, EzStego, Hide and Seek (versions 4.1 through 1.0 for Windows 95), Hide4PGP, Jpeg-Jsteg, White Noise Storm, and Steganos. The image formats used by these steganography methods are lossless, so the embedded information can be manipulated and recovered directly.
The transform domain tools include those that manipulate algorithms and image transforms such as the Discrete Cosine Transformation (DCT). The DCT is a technique used in JPEG, MJPEG and MPEG compression, in which pixel values are converted to frequency values for further processing. This process makes visual analysis attacks against JPEG images difficult [11].
These two methods hide information in more areas of the cover and may
manipulate image properties such as luminance or the color palette. These
methods will allow more hidden information (about 30 percent the size of the
carrier) in a carrier file. JPEG images are used on the Internet because of their
compression quality, which does not degrade the image.
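The LSB-insertion tools listed above leave a statistical trace that does not require the original cover: full LSB replacement equalises the histogram counts of each pair of values (2k, 2k+1). The following is an added example (not from the paper and not any listed tool's code) that simulates such an embedding on a constructed pixel stream and applies the pairs-of-values chi-square test to it; `constructed_cover` and `simulate_lsb_replacement` are hypothetical stand-ins for a real image and a real tool.

```python
import math
import random

def constructed_cover(n=4096, seed=1):
    # Hypothetical cover pixels: the two values of each pair (2k, 2k+1) are
    # deliberately unequal in frequency, as they are in real photographs.
    rng = random.Random(seed)
    pixels = []
    for _ in range(n):
        k = min(127, max(0, int(rng.gauss(60, 12))))
        pixels.append(2 * k + (1 if rng.random() < 0.3 else 0))
    return pixels

def simulate_lsb_replacement(pixels, seed=2):
    # Simulate a full-capacity LSB tool carrying an encrypted payload:
    # every least significant bit is overwritten with a random bit.
    rng = random.Random(seed)
    return [(p & 0xFE) | (1 if rng.random() < 0.5 else 0) for p in pixels]

def chi2_sf(x, df):
    # Chi-square survival function from the regularised lower incomplete gamma series.
    if df <= 0 or x <= 0:
        return 1.0
    s, z = df / 2.0, x / 2.0
    term = total = 1.0 / s
    for n in range(1, 5000):
        term *= z / (s + n)
        total += term
        if term < total * 1e-16:
            break
    lower = math.exp(s * math.log(z) - z - math.lgamma(s)) * total
    return min(1.0, max(0.0, 1.0 - lower))

def chi_square_lsb(pixels):
    # Pairs-of-values test (Westfeld and Pfitzmann): full LSB replacement
    # equalises h(2k) and h(2k+1), so a high p-value is the stego signature
    # and a p-value near zero means the LSB plane still looks natural.
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi, df = 0.0, -1
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected < 5:      # too few samples for the test, skip this pair
            continue
        chi += (even - odd) ** 2 / (even + odd)
        df += 1
    return chi, df, chi2_sf(chi, df)
```

A p-value above a chosen threshold (0.05 is common) on the whole image, or on a sliding prefix of it, is the signal; a tool that embeds only in the first part of the image shows up as a p-value that drops sharply where the payload ends.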
What is steganalysis?
Steganalysis is the discovery of the existence of hidden information; just as cryptanalysis is to cryptography, the goal of steganalysis is to discover hidden information and to break the security of its carriers [4].
Steganography signatures
Unusual patterns in a stego-image are obvious and create suspicion. For example, unused areas on a disk can be used to hide information. A number of disk analysis utilities such as EnCase [5] and ILook Investigator [6] are available which can report on and filter hidden information in unused clusters or partitions of storage devices.
Filters can also be applied to capture TCP/IP packets that contain hidden or invalid information in the packet headers. TCP/IP packets have unused space in the packet headers. The TCP packet header has six reserved or unused bits, and the IP packet header has two reserved bits [10]. Information can also be hidden in the unused bits of the Type of Service (TOS) field and the Flags of IP headers. Other methods of hiding information under TCP/IP use the optional fields in IP headers, the Timestamp option, and the Time to Live (TTL) field. These techniques can also be applied to other protocols such as Novell NetWare [13]. Thousands of packets are transmitted over each communication channel, which provides an excellent way to communicate secretly. This technique of hiding information is unreliable, however, because TCP/IP headers might be rewritten in the routing process and reserved bits could be overwritten, rendering the hidden information useless.
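The packet filter described above can be reduced to a header check for bits that should always be zero. The following is an added example (not from the paper) that parses a constructed IPv4+TCP header pair and reports reserved bits that are set; `build_packet` only fabricates test packets (checksums are left at zero), and the filter masks the two former reserved bits that ECN (RFC 3168) now uses legitimately, so that normal traffic does not trip it.

```python
import struct

def build_packet(ip_flags_frag=0x4000, tcp_word=(5 << 12) | 0x02):
    # Constructed IPv4+TCP header pair (checksums left at zero, no options).
    # Defaults: DF flag set, data offset 5, SYN; all reserved bits zero.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, ip_flags_frag,
                         64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, tcp_word, 65535, 0, 0)
    return ip_hdr + tcp_hdr

def parse_headers(packet):
    # Pull out the header fields a covert-channel filter would inspect.
    (ver_ihl, tos, _total, _ident, flags_frag, ttl,
     proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip = {"reserved_flag": (flags_frag >> 15) & 0x1,   # RFC 791: must be zero
          "ttl": ttl, "protocol": proto, "ecn": tos & 0x03}
    if proto != 6 or len(packet) < ihl + 20:
        return ip, None
    word = struct.unpack("!H", packet[ihl + 12:ihl + 14])[0]
    tcp = {"data_offset": word >> 12,
           # The paper counts six reserved bits after the data offset; two of
           # them now carry ECN (CWR/ECE, RFC 3168), so only four are checked.
           "reserved": (word >> 8) & 0x0F,
           "ecn_bits": (word >> 6) & 0x03,
           "flags": word & 0x3F}
    return ip, tcp

def covert_header_findings(packet):
    # Returns the anomalies a header filter should log; the low TOS bits
    # are not flagged because ECN uses them legitimately today.
    ip, tcp = parse_headers(packet)
    findings = []
    if ip["reserved_flag"]:
        findings.append("ip reserved flag bit set")
    if tcp is not None and tcp["reserved"]:
        findings.append("tcp reserved bits set")
    return findings
```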
Visual detection
By looking at repetitive patterns, you can detect hidden information in stego-images. These repetitive patterns might reveal the identification or signature of a steganography tool or of hidden information. Even small distortions can reveal the existence of hidden information.
You can analyze these patterns by comparing the original cover images with the stego-images and looking for differences. This is called a known-cover attack. By comparing numerous images, patterns become possible signatures of a steganography tool. A few of these signatures might identify the existence of hidden information and the tools used to embed the messages. Once such signatures are known, even if the cover images are not available for comparison, they are enough to imply the existence of a message and to identify the tool used to embed it.
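The known-cover attack above, as an added example (not from the paper): a constructed grayscale cover is compared pixel by pixel with a suspect copy, and the pattern of differences (how many pixels, which bit planes, where in the image they stop) is summarised as a signature. `simulate_sequential_lsb` is a hypothetical stand-in for an early tool that writes into the first pixels in order, and the "sequential" heuristic is ours, not the paper's.

```python
def constructed_cover(width=64, height=64):
    # Hypothetical 8-bit grayscale cover: a smooth gradient, not a real photo.
    return [((x + y) * 2) % 256 for y in range(height) for x in range(width)]

def bits_of(data):
    # Payload bytes to a list of bits, most significant bit first.
    return [(byte >> (7 - b)) & 1 for byte in data for b in range(8)]

def simulate_sequential_lsb(pixels, payload_bits):
    # Simulate an early LSB tool that writes the payload into the least
    # significant bits of the first len(payload_bits) pixels, in order.
    out = list(pixels)
    for i, bit in enumerate(payload_bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

def known_cover_signature(cover, suspect):
    # Known-cover attack: diff the two images and summarise the pattern of
    # changes (how many pixels, which bit planes, where in the image).
    if len(cover) != len(suspect):
        raise ValueError("cover and suspect images must have the same size")
    changed = [i for i, (c, s) in enumerate(zip(cover, suspect)) if c != s]
    planes = set()
    for i in changed:
        diff = cover[i] ^ suspect[i]
        planes.update(b for b in range(8) if (diff >> b) & 1)
    if not changed:
        return {"modified": 0, "bit_planes": [], "last_index": None,
                "sequential": False}
    last = changed[-1]
    # Heuristic (ours, not from the paper): changes confined to a leading run
    # of the image, with a payload-like density, suggest sequential embedding.
    sequential = last < len(cover) // 2 and len(changed) > last // 4
    return {"modified": len(changed), "bit_planes": sorted(planes),
            "last_index": last, "sequential": sequential}
```

Changes confined to bit plane 0 and stopping abruptly part-way through the image are the kind of signature that, once learned from known covers, can be looked for in images whose cover is unavailable.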