±Forensic Focus Partners
New Today: 2
New Yesterday: 3
±Follow Forensic Focus
· FT Cyber Security Summit Europe – London 22nd September
· The Future of Mobile Forensics
· TSFIC 2015 – Recap
· Evidence Acquisition and Analysis from Live Exchange
· TDFCon 2015 – Recap
· Acquiring Windows PCs
· Evidence Acquisition and Analysis from iCloud
· TSFIC 2015 – Myrtle Beach 31st May – 3rd June
· Forensics Europe Expo 2015 – Recap
Steganography: Implications for the Prosecutor and Computer Forensics ExaminerBack to top Back to main Skip to menu
Steganography: Implications for the Prosecutor and Computer Forensics Examiner
[An edited version of this paper will appear in the June 2004 issue of the National District Attorney's Association Newsletter.]
Steganography is the science of "covered writing" and is one of the newer tools in the arsenal of the cybercriminal and cyberterrorist or any moderately computer-astute user. Steganography is often referred to colloquially as "stego;" for example, references to "stego" software are common.
As previously described in an NCPCA UPDATE four years ago,2 "Steganography: Hidden Images, A New Challenge in the Fight Against Child Porn," steganography provides the means whereby two parties can communicate in such a way that a third party is not aware of the secret communication. Historically, steganographic methods date back thousands of years and include the use of invisible ink, microdots, and tattooing the scalps of slaves. Modern steganographic applications in the digital realm provide a covert communications channel by hiding some type of binary data in another file. The original file that will contain the hidden information is called the carrier medium; the modified carrier file that contains the hidden information is called the steganographic medium. Steganalysis is the detection and recovery of that hidden information -- and is the role of the computer forensics examiner for both law enforcement and anti-terrorism investigations.
Consider the following hypothetical scenario. By pre-agreement, the leader of a child pornography distribution ring puts items for sale on eBay every Monday and posts photographs of the items. The items for sale are legitimate; bids are accepted, money is collected and products are dutifully shipped. But at some pre-arranged time during the week, versions of the photos are posted that contain hidden pictures. The ring members know when that time is and download the new photos. Unless the individuals are under active investigation, it is unclear that anyone will notice this activity. Furthermore, the sheer volume of people downloading the pictures will make it difficult to distinguish between the legitimate buyer and the conspirator.
For steganography to be effective, the sender and receiver have to agree upon the carrier files that will transport the hidden messages, the steganographic software to employ, and, possibly, a password. As one may imagine, there are literally an infinite number of audio and image files that can be used as carriers, and users can continue to produce such files forever. The StegoArchive3 lists more than 100 steganographic programs for Windows, DOS, Linux, and other operating systems. Some of the better-known stego programs that are available for free on the Internet include:
- Gif-It-Up: Hides information in GIF carrier files
- JPHide-&-Seek: Hides information in JPEG carrier files
- MP3Stego: Hides information in MP3 carrier files
- S-Tools: Hides information in BMP, GIF, or WAV carrier files
- Stash: Hides information in BMP, PCX, PNG, and TIFF carrier files
- Stegotif: Hides information in TIFF carrier files
- Stegowav: Hides information in WAV carrier files
Today's steganographic programs can hide any type of binary data into nearly any type of image, audio, or video file. Data can even be hidden inside executable files4 and spam messages5. This flexibility is what makes steganography so problematic for digital forensics investigators and prosecutors alike. To date, little steganography has been found in criminal cases so there is a mindset that it isn't being used. One of the reasons that it isn't being found, however, is partially due to the fact that most investigators do not routinely search for steganographic tools and frequently use improper methods when they look for steganographic content. In an informal survey conducted in late 20036, many investigators reported using S-Tools or JPHide-&-Seek i.e., the very steganography software that a suspect might use to hide information to detect steganography in suspect files. Steganographic software is great for hiding information but wholly inadequate for steganographic detection and steganalysis.
Investigators need to take a systematic approach to searching for steganographic content. At this time, the "official" computer forensics manuals7,8 don't provide any steganographic guidelines. Prosecutors might also consider carefully crafting search warrants permitting more detailed forensic examinations for steganalysis. In the interim, consider the following suggestions.
First, look for clues that might suggest the use of steganography, such as:
The technical capabilities or sophistication of the computer's owner. Look at the books, articles, magazines, and software manuals in the suspect's library; the literature that the suspect possesses gives clues as to his/her interests and capabilities as well as the software that might be available.
Software clues on the computer. Steganographic investigators need to be familiar with the name of common steganographic software and related terminology, and even Web sites about steganography. Investigators should look for file names, Web site references in browser cookie or history files, registry key entries, e-mail messages, chat or instant messaging logs, comments made by the suspect, or receipts that refer to steganography. These will provide hard clues to cause the investigator to look deeper. Finding similar clues for cryptography might also lead one down this path.
Other program files. Non-steganographic software might offer clues that the suspect hides files inside other files. Users with binary (hex) editors, disk wiping software, or specialized chat software might demonstrate an inclination to alter files and keep information secret.
Multimedia files. Look for the presence of a large volume of suitable carrier files. While a standard Windows computer will contain thousands of graphics and audio files, for example, the vast majority of these files are very small and are an integral part of the graphical user interface. A computer system with an especially large number of files that could be steganographic carriers are potentially suspect; this is particularly true if there are a significant number of seemingly duplicate "carrier" files.
Type of crime. The type of crime being investigated may also make an investigator think more about steganography than other types of crime. Child pornographers, for example, might use steganography to hide their wares when posting pictures on a Web site or sending them through e-mail. Crimes that involve business-type records are also good steganography candidates because the perpetrator can hide the files but still get access to them; consider accounting fraud, identity theft (lists of stolen credit cards), drugs, gambling, hacking, smuggling, terrorism, and more.