First published October 2005
A Key Component of a Comprehensive Insider Threat Solution
James E. Wingate, CISSP-ISSEP, CISM, IAM
Director, Steganography Analysis & Research Center (SARC)
and
Vice President for West Virginia Operations
Backbone Security.Com
and
Chad W. Davis, CCE
Computer Security Engineer
Backbone Security.Com
Introduction
“Ignorance is bliss.” “What you don’t know can’t hurt you.” We’ve all heard those trite clichés. But, in this digital age, they couldn’t be further from the truth. Much attention is given to external threats such as hackers, phishers, spammers, terrorists, foreign intelligence services, and the like. Consequently, much attention has been focused on perimeter defense. Firewalls and Intrusion Detection Systems (IDS), which are giving way to Intrusion Prevention Systems (IPS), have been employed to establish a barrier between the Internet and the LAN.
The main focus of cyber security defense has been to protect that which is on the inside from that which is on the outside. This has been done in the hopes of establishing an impenetrable perimeter – not unlike putting the shields up on the Starship Enterprise.
However, hope is not a viable strategy for dealing with today’s cyber threats — particularly the threat from the trusted insider.
Asset Protection
Every business has assets that must be protected. Protection of physical assets is a given for most risk management programs. Physical security mechanisms such as locks, gates, and guards for protection of real property and staff or visitors are not difficult to visualize. However, protection of sensitive, or classified, information assets such as financial or medical information on employees, customer account information, proprietary information for business products and services, and any information that fits in the category of Intellectual Property such as copyrights, trademarks, and patents is a much more abstract concept for many.
Consequently, the cyber security mechanisms to protect information assets are not as easily visualized. Nonetheless, management must exercise due diligence in implementing appropriate mechanisms to protect both physical and information assets as part of an overall enterprise risk management program.
What you don’t know can, and most likely will, hurt you
Physical security mechanisms have shape and substance; they can be seen and touched. Some cyber security mechanisms share this property. A firewall can be seen and touched, as can other physical hardware platforms that might host other security appliances such as an IDS or IPS. However, the applications and files on users’ computers are typically not visible to most network security applications. There are automated configuration management systems that monitor user workstations to ensure a standard configuration is maintained. However, unless the user’s workstation is “locked down” to prevent other software from being loaded, there is a significant threat from a trusted insider using certain types of software for malicious purposes.
For example, what if Bob in Accounting had a network packet sniffer on his workstation? What if Mary in Sales had an encryption application on her workstation? What if Sam in R&D had a digital steganography application on his workstation?
Now, if Bob were a network administrator it would be reasonable to expect him to have a tool for troubleshooting network connections. And, if Mary were a system security administrator, it would be reasonable to expect her to have tools for providing for the confidentiality of information. But they aren’t in those positions and neither is Sam — so none of them should have the tools they have on their workstations.
Not knowing that users have tools to eavesdrop on network traffic, communicate overtly, but confidentially, through use of encryption, or communicate covertly through the use of a digital steganography application puts sensitive, and possibly classified, information at risk. Information can be easily exfiltrated through the most sophisticated boundary protection devices and will not be detected!
Tools for Covert Communication Freely Available
Tools for hiding information – hiding any digital file inside of another digital file – are freely available and can be quickly found with a simple Web search. Use the search term “Steganography” on any of the popular Internet search engines and hundreds of links to free, or inexpensive, steganography applications will be displayed. Not only are they easy to find but they are also easy to download, install, and use (e.g. utilising drag and drop interfaces).
The widespread availability and ease of use of tools such as these are adding a whole new meaning to the Insider Threat…and a whole new sense of urgency for finding a solution to mitigate that threat.
Now for the bad news … detecting the use of digital steganography applications and then extracting information hidden with those applications is, shall we say, extraordinarily difficult.
But the good news is that research efforts in improved steganalysis techniques and procedures are resulting in new and better tools for detecting the use of digital steganography applications and subsequently extracting the hidden information.
Anomaly-based Detection
Much research has been done, and continues to be done, in the area of “universal blind detection” of steganography, also referred to as anomaly-based detection. Blind detection is an effort to detect the existence of hidden information without any prior knowledge of the application used to hide the information. A variety of approaches are used such as visual observation, structural analysis, and statistical analysis of suspect files with the objective of determining if the file’s characteristics or parameters exceed a “normal” threshold.
The unfortunate reality is there are no really good tools available for performing this type of detection with a high degree of reliability. There are some tools available for doing targeted detection; however, use of those tools is dependent on prior knowledge of the steganographic technique used to hide the information inside another file, typically referred to as the carrier file or ‘steg’d file’. And, it’s important to keep in mind that even if a hidden message can be reliably detected, blind or targeted detection tools are of little help in extracting the hidden information.
Thus, a new approach is needed to counter the growing threat of a trusted insider using a digital steganography application to exfiltrate sensitive, proprietary, or classified information outside the enterprise network.
This situation gives rise to one of those “Gee, wouldn’t it be great” moments as in “Gee, wouldn’t it be great if we only had a way to detect a user’s attempt to obtain or use a steganography application in real-time?” No way. Yes, way.
Establishment of the SARC
Backbone Security’s Steganography Analysis and Research Center (SARC) has developed and tested a working prototype for detecting attempts by trusted insiders to obtain or use digital steganography applications. The prototype evolved from research performed on a large number of steganography applications to develop a repository of hash values of digital steganography applications and tools to detect and extract hidden information.
The SARC was established to build a database of digital steganography applications that could be consulted by Federal, state, and local law enforcement and intelligence/counter-intelligence computer forensics (CF) examiners when conducting an examination of the storage media from seized computers.
In the process of establishing the database of digital steganography applications and hash values of all files associated with each application, SARC technical staff developed a new hybrid approach to detecting the use of steganography applications that has led to improved hidden information extraction capabilities.
The new analytical approach coupled with blind detection holds great promise for advancing the field of digital steganalysis.
Fingerprint and Signature Detection
Initially developed primarily for use by computer forensic (CF) examiners to extend their traditional CF examinations to include steganalysis, or the detection and extraction of hidden information, the analytical approach involves first searching for evidence that a digital steganography application exists, or did exist at one time, on the storage media being examined. The theory is that if an artifact of a steganography application is found, the associated application was probably used to hide something. Then the focus of the examination can be narrowed to the specific file types that could be used as carrier files by the particular application found on the suspect media. And, knowing the embedding technique employed by that application could facilitate extraction of information hidden with that application.
To implement the fingerprint detection aspect of the analytical approach, an automated tool for detecting fingerprints, or hash values, of artifacts, or files, associated with particular steganography applications was developed. The tool, Steganography Analyzer Artifact Scanner, or StegAlyzerAS, detects the presence of nearly 15,000 artifacts associated with 230 steganography applications by scanning the storage media of seized computers for fingerprints. This amounts to computing hash values for all the files on the storage media and then checking for a match against a set of known hash values of files associated with a steganography application such as those included in the Steganography Application Fingerprint Database (SAFDB) created by the SARC. A match means the file on the storage media has a high probability of being an artifact of a steganography application.
Another tool was developed for detecting the use of a steganography application. As it turns out, research by SARC technical staff revealed that many steganography applications leave behind a unique signature, or hexadecimal byte pattern, in the carrier file after embedding the information to be hidden.
The automated tool for detecting signatures was named Steganography Analyzer Signature Scanner, or StegAlyzerSS. As of the writing of this paper, StegAlyzerSS can detect the presence of 27 unique signatures of steganography applications. More signatures will be added in the future as research continues on additional steganography applications.
Adaptation to Real-time Environment
The initial versions of StegAlyzerAS and StegAlyzerSS were designed for CF examiners conducting an examination on storage media from seized computers.
However, recognizing that detecting the use of a digital steganography application after-the-fact was not unlike shutting the barn door after the horses were gone, SARC technical staff set about adapting the tools for use in a real-time environment.
A prototype capability to perform steganalysis on files reassembled from packets entering and leaving a network soon evolved. The capability was aptly named Steganography Analyzer Real-Time Scanner, or StegAlyzerRTS.
The real-time scanner works by employing various proxies (e.g., FTP, HTTP, SMTP) implemented on a proxy application firewall designed to reassemble packets entering or leaving a network into files and then performing two essential actions:
1. The hash value of the file is computed and then checked against the SAFDB. If a match is found the file is flagged as a potential artifact of a steganography application and an alert is sent to the security staff.
2. A search of the entire file is then conducted to determine if the file contains a signature of a known steganography application. If a signature is detected the file is flagged as a suspect carrier file and an alert is sent to the security staff.
Modes of Operation
StegAlyzerRTS is available as a turn-key capability on Backbone’s Ribcage® security appliance configured as a proxy application firewall running a customized version of the Linux kernel in a 1U rack-mountable form factor.
It is envisioned that Ribcage with StegAlyzerRTS could be deployed in one of two modes — detection mode or prevention mode — in a manner essentially analogous to the way Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are deployed.
In detection mode, StegAlyzerRTS would be configured to detect fingerprints of artifacts and signatures in steg’d files. When either is detected, an alert would be generated with the intent of notifying security staff that a trusted insider may be attempting to obtain or use a steganography application to establish a covert channel for communicating something to someone — but the file would be permitted to continue its journey, either into the network to the trusted insider or out of the network from the trusted insider to an external recipient. When an alert is received, security staff may choose to employ various other mechanisms to increase surveillance on the trusted insider to determine more accurately what they may be up to. What information might they be trying to conceal? With whom might they be communicating?
In prevention mode, StegAlyzerRTS would be configured to detect fingerprints of artifacts and signatures in steg’d files and prevent the file from either entering or leaving the network. In this mode, it is important to understand that attempts at continued or increased surveillance of the trusted insider may fail because they will eventually learn that their attempts at communicating covertly have been detected and they will most likely cease further attempts to obtain or use steganography applications for covert communication.
Ribcage® with StegAlyzerRTS can be easily integrated into an existing boundary protection architecture by placing Ribcage® at a location on the enterprise network where it can receive all packet traffic entering or leaving the network (in the detection configuration) or in-line with an existing firewall to deny packets associated with a file determined to be an artifact of a steganography application or a file that contains a signature of a known steganography application (in the prevention configuration).
Real-Time Defense from Use of Digital Steganography
The threat from use of digital steganography applications by trusted insiders is real and growing. The enterprise risk management program must include countermeasures to this threat or risk the loss of sensitive, proprietary, or classified information.
StegAlyzerRTS can be deployed to counter this threat in a manner that works with minimal interference with user productivity, usability, and functionality and is totally transparent to the trusted insider.