"Analytical" Steganography Detection
The analytical approach to steganalysis was developed by the Steganography
Analysis and Research Center (SARC) as a byproduct of extensive research into steganography
applications and the techniques they employ to embed hidden information within files.
The premise of this approach is to first determine if any residual file and/or Microsoft
Windows Registry artifacts from a particular steganography application exist on
the suspect media.
- If residual artifacts exist, then the application was probably installed
- If the application was installed, then it was probably used
- If the application was used, then something was probably hidden using it
The analytical approach attempts to determine if there is any evidence that a steganography
application ever existed on the suspect media. Searching for files and registry
entries that have been identified by the SARC as belonging to a steganography application
will identify these residual artifacts. The goal is to determine what application
was used, what type(s) of carrier files it may have been used on, and what
was hidden by that particular application.
The analytical approach to steganalysis is intended to be an extension of traditional
computer forensics practices. For example, all deleted files and alternate data
streams should be recovered using traditional forensics utilities prior to conducting
steganalysis.
The Steganography Application Library
The SARC maintains a library of steganography, watermarking, and other data-hiding
applications by routinely searching the Internet for freeware, shareware, and licensed
applications. When found, an application is downloaded and catalogued with the application
name, date and time of download, and location it was found on the Internet. Each
application is installed, tested, and examined before being added to the library.
The Internet is dynamic and ever-changing—a steganography application that appears
on a certain website may not be available when a computer forensic examiner needs
to access it at a later date. Thus, the SARC also maintains a physical repository
containing archive copies of all applications on CD-ROM. This repository may be
consulted by a computer forensic examiner on a fee-for-service basis if artifacts
of an application are discovered during an examination and the original application
is no longer available.
Process for Analytical Steganalysis
To determine if residual file artifacts of steganography applications exist on the
suspect media, the SARC has developed the Steganography Application Fingerprint
Database (SAFDB). The SAFDB contains file profiles associated with hundreds of steganography,
watermarking, and other data-hiding applications. These file profiles contain identifying
information such as filename, file size, associated application name, and several
hash values: CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. These
hash values may be used to determine the presence of artifacts of
steganography applications on the media being examined.
The first step in the analytical approach is to hash all files on the suspect media.
Next, compare the generated hash values with those in the SAFDB. A match represents
a file artifact that may be associated with one or more steganography applications.
Each file profile within the SAFDB identifies which steganography application that
artifact belongs to.
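The hash-and-compare step above, as an added example in Python that is not SARC's own tooling: each file under the suspect media root is streamed once through CRC-32 and the hashlib digests a SAFDB profile lists, and its SHA-256 is looked up in a database stand-in. The real SAFDB format is not described on this page, so the dictionary layout, the application name and the artifact bytes below are all constructed assumptions.

```python
import hashlib
import tempfile
import zlib
from pathlib import Path

HASH_ALGOS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")  # CRC-32 comes from zlib

def digest_stream(fh):
    """Read a binary file object once and return every digest a SAFDB-style profile lists."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    crc = 0
    for chunk in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB chunks, never whole-file reads
        crc = zlib.crc32(chunk, crc)
        for h in hashers.values():
            h.update(chunk)
    profile = {name: h.hexdigest() for name, h in hashers.items()}
    profile["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return profile

def fingerprint(path):
    """Profile one file on the suspect media: filename, size and all digests."""
    path = Path(path)
    with path.open("rb") as fh:
        profile = digest_stream(fh)
    profile.update(filename=path.name, size=path.stat().st_size)
    return profile

def match_artifacts(root, safdb):
    """Hash every file under root; report those whose SHA-256 is a catalogued artifact."""
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        prof = fingerprint(path)
        entry = safdb.get(prof["sha256"])  # safdb (assumed layout): sha256 hex -> profile
        if entry:  # a hash match survives renaming, so record name mismatches explicitly
            hits.append({"path": str(path), "application": entry["application"],
                         "catalogued_name": entry["filename"],
                         "renamed": entry["filename"] != prof["filename"]})
    return hits

def demo(artifact=b"constructed stand-in for a steganography tool's DLL"):
    """Constructed scenario: a catalogued artifact copied under a new name, plus a benign file.
    Returns the hit list and the full profile of the renamed copy."""
    safdb = {hashlib.sha256(artifact).hexdigest():
             {"application": "ExampleStego (constructed)", "filename": "stego.dll"}}
    with tempfile.TemporaryDirectory() as media:
        Path(media, "notes.txt").write_bytes(b"nothing to see here")
        renamed = Path(media, "innocent.dll")
        renamed.write_bytes(artifact)  # the catalogued artifact under a different name
        return match_artifacts(media, safdb), fingerprint(renamed)
```

Matching on the digest rather than the filename is the point: a tool's DLL that has been renamed or dropped into an unrelated folder still produces a hit, while the benign file produces none.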
Once a list of potential steganography applications has been compiled, the carrier file
types that can be manipulated by those applications should be identified. To accomplish
this, the computer forensic examiner should download and experiment with each such application.
Next, a focused search should be conducted on the suspect media for carrier file
types that are manipulated by the particular steganography application. Finally,
the suspect carrier files can be subjected to further analysis based on the specific
steganographic techniques that can be used on them.
Once the steganographic technique has been determined, it may be possible to extract
the hidden information. If strong encryption has been used prior to hiding the information
in the carrier file, then complex cryptanalysis may also be necessary to decrypt
the extracted information.
Research conducted in the SARC has revealed that some steganography applications
leave behind signatures, or specific byte patterns, that always appear in a file
after hidden information has been embedded. The signature discovery process can
be very time-consuming because each steganography application must be individually
analyzed to determine how the application embeds information. Once a signature is
discovered, an automated process must be developed to search every potential carrier
file for that particular signature.