Digital Evidence Analysis: Steganography Detection

What Is Steganography and How Is It Used for Illegal Activities?

Steganography is the technique of hiding a message inside another seemingly harmless message (such as a grocery list or a spam e-mail) so that no one suspects the existence of the hidden message. Though the practice dates back to the days of the ancient Greeks, the advent of the personal computer spawned the creation of new digital steganographic techniques — messages hidden in text, image and video files.

Steganography, also known as steg or stego, poses a major challenge to law enforcement. Often, the files are not just hidden but also encrypted, adding another layer of security in attempts to thwart investigators. Data can be hidden "in plain sight" in a wide range of digital files, including video and music. Files on a computer's hard disk can be made invisible to those who do not have the file name and its corresponding password.

Not only are there many steganographic algorithms and programs readily available, but their techniques are growing in sophistication. Currently, there are more than 30 publicly available steg-encoding programs employing many different encryption algorithms, and these diverse techniques have to date precluded any universal test for steganography.

One of the most common illicit uses of steganography is for the possession and storage of child pornography images. However, steganography can also be used to commit fraud, terrorist activities and other illegal acts.

Steganography made news headlines when the U.S. Department of Justice charged 11 individuals in two separate criminal complaints with conspiring to act as unlawful agents of the Russian Federation within the United States. The defendants allegedly used steganography to embed messages in more than 100 image files posted on public websites.

Steganography: Challenges to Law Enforcement

Although there have been some advances in steganography detection and breaking, there is currently no single easy-to-use tool available to law enforcement. Several factors heighten the challenge faced by law enforcement in detecting steganography:

  • Steganography detection is usually handled separately from steganography decryption. An automated tool that integrates steg detection and decryption in a way that is familiar and easily accessible to law enforcement has not been developed.
  • Newer steganography-encoding techniques are being rapidly developed, rendering the current detection tools ineffective.
  • Video steganography is an emerging problem area for law enforcement, but there are currently no detection tools available.

Steganography-Detection Tools Supported by NIJ

NIJ is currently funding two projects to help detect the use of steganography in criminal activities. First, the University of Rhode Island is developing a module that aims to address the needs of steganography detection, decryption and original document extraction.

This automated steganography detection tool could:

  • Identify altered files and flag them for further investigation.
  • Begin working to "break" the file's encryption and uncover the hidden material.
  • Be integrated into existing technology suites.

A range of steganography tools is available from WetStone Technologies; the new steganography-detection algorithms being developed by the University of Rhode Island will be integrated into the company's StegoSuite. (Law enforcement personnel should contact WetStone for pricing.)

For the second project, NIJ awarded a grant to the Defense Cyber Crime Center (DC3), which is developing technologies to identify and defeat steganography, data encryption and Encrypting File Systems (EFS). Through this project, DC3 will develop or improve the following:

  • Steganalysis and Steg-Extraction: DC3 will develop one or more methods of extracting data hidden by steganography programs identified through the steganalysis process. Three new tools are expected to identify at least 36 steg algorithms with reasonable accuracy.
  • Registry Examination: DC3 will develop a tool that, based on evidence found in the Windows registry, will output a list of steganography programs that have been run from the suspect's system, independent of whether the programs were run from the hard drive or external media, such as a thumb drive, CD or floppy disk.
  • Forensic Carving Tool: The general purpose forensic carving tool will continue to be upgraded, adding features that are deemed useful to the law enforcement and forensic communities.

The tools will be distributed for free to state and local law enforcement.

Date Created: November 5, 2010