Steg_Part2_Slides
Steganography
Part 2 – Detection and Research
Introduction to Steganalysis
What is steganalysis?
The art of detecting messages hidden by steganography
Alternatively, detection of steganography by a third party
Research and analysis of steganography tools to develop detection methods
Introduction to Steganalysis
Why is it important to Computer Forensics?
Steganography allows a person to hide information in a non-obvious way, so evidence is potentially tough to find.
Harder to spot steganography than encryption.
Steganography is tough to detect. You need a tool to help you.
Time intensive to check images, etc. for steganography.
Need help to narrow down the search.
Detection Methods
Human Methods
Manually look at the file
Extremely hard to detect steg by sight or hearing
Looking for anomalies in an image or in sound
Only possible when the hidden message is large compared to the carrier.
Look for anomalies in file size, etc.
All human methods are very time intensive and not reliable.
Detection Methods
Computer Forensic Methods
We can use CF techniques to help find evidence of steg usage
Search for evidence of steganography tools
Use a tool like EnCase to look for deleted programs
Look in Start menus
Look for remnants of steg tools in the registry
If we can find a tool then we know what steganalysis to run
Detection is typically different for each steg tool, so we want to reduce the number of steg tools we scan for in our images, MP3s, etc.
Detection Programs
Use a specialized tool
Much like a virus scanner
Scans the disk looking at files for steg “signatures”
Can search for a specific tool's signature
Freeware/open-source tool
Stegdetect
Can detect and crack various JPEG-based steg tools, such as JPHide, OutGuess, F5, etc.
Commercial Products
StegoSuite by WetStone
StegAnalyzer by SARC
Demo of Stegdetect
Command line tool
Usage: stegdetect <options> <files>
Options
-q only report images that have steg content
-s <number> change the sensitivity of detection
-t <tools> select which tools to search for
Any combination of j, o, p, i.
j = JSteg, o = OutGuess, p = JPHide, i = Invisible Secrets
Example:
stegdetect -q -t jp *.jpg
Search all JPEGs in the current directory for usage of JSteg and JPHide and report only those that do have steg.
Detection Tools
Blind Steganography Detection
When you don't know the steg tool used.
Might even be a steg tool that's not widely known about.
Involves statistical techniques
Expected values of the image compared to actual values
File size, noise levels
Chi-Square tests on the distribution of DCT values
DCT values in a non-steg image match an expected distribution curve
Modified DCT values don't fit this curve
May give false positives or false negatives
Some steg tools purposely avoid these statistical detection techniques by adjusting other values to fool the Chi-Square test.
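As an added example (not from the slides), here is the pair-of-values chi-square test of Westfeld and Pfitzmann in Python, the statistical idea behind the DCT-histogram test described above: sequential LSB replacement drives the counts of each value pair (2k, 2k+1) toward equality, and the test measures how well an observed histogram fits that "embedded" shape. The cover samples and message bits are constructed here, and the chi-square CDF is the Wilson-Hilferty approximation so no SciPy is needed; on a real JPEG the same test is run over the quantized DCT coefficients.

```python
import math
import random
from collections import Counter


def chi_square_stat(values):
    """Westfeld-Pfitzmann pair-of-values statistic and its degrees of freedom.

    Under the 'LSB-embedded' hypothesis the expected count of value 2k is the
    mean of the counts of 2k and 2k+1. Pairs that never occur are skipped.
    """
    counts = Counter(values)
    stat, categories = 0.0, 0
    for k in range(max(counts) // 2 + 1):
        n_even, n_odd = counts.get(2 * k, 0), counts.get(2 * k + 1, 0)
        expected = (n_even + n_odd) / 2.0
        if expected == 0:
            continue
        stat += (n_even - expected) ** 2 / expected
        categories += 1
    return stat, max(categories - 1, 1)


def chi2_cdf(x, dof):
    """Chi-square CDF via the Wilson-Hilferty normal approximation (no SciPy needed)."""
    z = ((x / dof) ** (1.0 / 3.0) - (1.0 - 2.0 / (9.0 * dof))) / math.sqrt(2.0 / (9.0 * dof))
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def embedding_probability(values):
    """Close to 1.0 when pair counts are as equal as full LSB embedding makes them."""
    stat, dof = chi_square_stat(values)
    return 1.0 - chi2_cdf(stat, dof)


def embed_lsb(values, bits):
    """Replace the LSB of every sample with a message bit (full-capacity embedding)."""
    return [(v & ~1) | b for v, b in zip(values, bits)]


# Constructed cover: 64 value pairs in which the even member is clearly more
# frequent, the kind of skew an unmodified signal normally shows.
COVER = [v for k in range(64) for v in [2 * k] * 200 + [2 * k + 1] * 120]
# Constructed message: seeded pseudo-random bits so the run is repeatable.
_rng = random.Random(1234)
MESSAGE_BITS = [_rng.getrandbits(1) for _ in COVER]
STEGO = embed_lsb(COVER, MESSAGE_BITS)

if __name__ == "__main__":
    for name, data in (("cover", COVER), ("stego", STEGO)):
        stat, dof = chi_square_stat(data)
        print(f"{name}: chi2={stat:.1f} dof={dof} p(embedded)={embedding_probability(data):.4f}")
```

The cover scores a p(embedded) of essentially 0 while the fully embedded copy scores close to 1; a tool that only embeds in part of the file, or that rebalances the histogram as the slide notes, pulls the stego score back toward the cover's.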
Detection Tools
Blind Steganography Detection Cont'd
Once a file is flagged as being steg'd we need to extract the hidden message.
May need to break a password or encryption
JPHide uses a password to control how it modifies the JPEG, therefore we need to know the password in order to extract the hidden message.
Contained message may be encrypted.
Might have to use brute force to break it
Can be extremely time consuming for complex passwords.
Steganography Research
Finding new ways of detecting steg
Improving blind detection methods
Genetic algorithms
Self-modifying algorithm
Adapts to find an optimal solution
In this case, optimal detection of steg
Artificial intelligence
Support Vector Machines
Consists of classifying an image as steg or non-steg
Based on a feature vector
Specific sections or statistics of an image to look at
The SVM is trained on a series of steg and non-steg images along with their feature vectors and learns how to detect steg with a high success rate.
Steganography Research
Also finding new ways of steg'ing files
MPEG, PNG, etc.
Tells us if we need to be concerned with steg in certain files
Important in order to adapt our practices of what or what not to search for in an investigation.
Steganography Research
URI Steganography Research Group
Received an NIJ grant to create a steg detection tool
Combines its own SVM along with commercial detection software
Provides a single toolchain to analyze, break, and report.
Gives a single interface to forensic examiners
Easily extendable to new tools and new file formats without the examiner having to learn a new tool/technique.
Allows the examiner to submit files to be checked and allows them to continue their examination.