By Paladion

May 15, 2005

Steganalysis is the technology that attempts to defeat steganography--by detecting the hidden information and extracting or destroying it. Let us look at these interesting techniques that extract/destroys the hidden data from the Stego-object (the modified medium with the hidden information).

Last month we looked at Steganography, the technique used for hiding information within seemingly harmless media. As with almost all such techniques it becomes imperative, for law enforcement agencies, to decipher the message or at least make it useless to the receiver. Steganalysis is the technology that attempts to defeat steganography--by detecting the hidden information and extracting or destroying it. Let us look at these interesting techniques that extract/destroys the hidden data from the Stego-object (the modified medium with the hidden information).

Detecting hidden information

Steganography tools can create stego-images in which the change or distortion in the carrier is not obvious to the human eye. However, this distortion when detected can lead to the tools used for steganography. Let us look at a few examples:

  1. Images: A lot of image steganography tools use least significant bit (LSB) modification to hide information. In low resolution images with 8 bit color, the modification of LSB can cause a noticeable shift in the color palette making it possible to detect hidden content. Another sign to the presence of hidden information is padding or cropping of an image. The Hide-and-Seek tool can only produce images of fixed sizes. If an image does not fit into one of these sizes it is cropped or padded with black spaces. StegoDos has a similar problem.
  2. Disks: Unused areas on a disk that can be used to hide information. Tools like EnCase and ILook Investigator look for hidden information in unused clusters or partitions in storage devices.
  3. TCP/IP Packets: TCP/IP packets have unused space in the packet headers. The TCP packet header has six reserved or unused bits, and the IP packet header has two reserved bits. Information can be hidden in these unused bits. Thousands of packets are transmitted with each communication channel, which provide an excellent way to communicate secretly. Filters can be applied, on firewalls for example, to detect TCP/IP packets that contain hidden information in places supposed to be unused.

Destroying hidden information

At times when it is known or suspected that the hidden information exists, destroying the content so that it cannot be recovered any more from the cover is sufficient to defeat the purpose of steganography. Since there are various methods applied in steganography, the ways to defeat it also vary.

For example, for LSB methods of inserting data, simply using a lossy compression technique, such as JPEG, renders the embedded message useless since the pixels are modified. However, the image still appears normal to the human eye.

Utilities are also available which "clean" or wipe unused storage areas. In wiping, disks are overwritten several times to ensure any data has been removed.

Similarly, reserved / unused bits in the TCP header can be overwritten to destroy any steganographic content.


Niels Provos' Stegdetect is a common steganalysis tool. Stegdetect can find hidden information in JPEG images using such steganography schemes as F5, Invisible Secrets, JPHide, and JSteg. It also has a graphical interface called Xsteg.

WetStone Technologies' Stego Suite is comprised of three products. Stego Watch is a steganography tool that looks for hidden content in digital image or audio files. Stego Analyst is an image and audio file analyzer which integrates with Stego Watch to provide more detailed analysis of suspect files and Stego Break is a password cracker designed to obtain the passphrase for a file found to contain steganography.

Steganalysis methods

There are various methods of analysis depending on what information is available:

  1. Stego-only attack: Only the stego-object is available for analysis.
  2. Known cover attack: The stego-object as well as the original medium is available. The stego-object is compared with the original cover object to detect any hidden information.
  3. Known message attack: The hidden message and the corresponding stego-image are known. The analysis of patterns that correspond to the hidden information could help decipher such messages in future.
  4. Known stego attack:The steganography algorithm is known and both the original and stego-object are available.
  5. Chosen stego attack:The steganography algorithm and stego-object are known.
  6. Chosen message attack:The steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.

The Future

The fact that steganography cannot be detected at all times makes steganalysis an area of ongoing research. The limitations are magnified due to the fact that steganography is not an exact technique. Today's steganographic programs can hide any type of binary data into various types of cover media. One can never predict whether there is a secret message to begin with; it's much like looking for needles in haystack! The use of steganography by terrorists and criminals is likely to increase in the future, posing a problem for law enforcement agencies. Steganalysis needs to be further developed to help counter high tech terrorism and cases of industrial espionage.

Tags: Technical






Buyer’s Guide to Managed Detection and Response


Get AI Powered

Managed Detection and Response





AI-Driven Managed Detection and Response

Download Report



Why Your ‘Likes’ on Facebook May Be Revealing Far More than You Thought

Click URL in the Post for the Full Podacst
  • FacebookAsset
  • LinkedinAsset
  • TwitterAsset