±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 35535
New Yesterday: 1 Visitors: 120

±Latest Articles

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Webinars

Steganography: Implications for the Prosecutor and Computer Forensics Examiner

Steganography: Implications for the Prosecutor and Computer Forensics Examiner

Page: 1/2

by Gary C. Kessler

April 2004

[An edited version of this paper will appear in the June 2004 issue of the National District Attorney's Association Newsletter.]

"Steganography," my colleague asked, "is that a dinosaur or an icicle hanging down in a cave?"

Steganography is the science of "covered writing" and is one of the newer tools in the arsenal of the cybercriminal and cyberterrorist — or any moderately computer-astute user. Steganography is often referred to colloquially as "stego;" for example, references to "stego" software are common.

As previously described in an NCPCA UPDATE four years ago,2 "Steganography: Hidden Images, A New Challenge in the Fight Against Child Porn," steganography provides the means whereby two parties can communicate in such a way that a third party is not aware of the secret communication. Historically, steganographic methods date back thousands of years and include the use of invisible ink, microdots, and tattooing the scalps of slaves. Modern steganographic applications in the digital realm provide a covert communications channel by hiding some type of binary data in another file. The original file that will contain the hidden information is called the carrier medium; the modified carrier file that contains the hidden information is called the steganographic medium. Steganalysis is the detection and recovery of that hidden information -- and is the role of the computer forensics examiner for both law enforcement and anti-terrorism investigations.

The concern in law enforcement, of course, is that steganography is being used to "protect" communication amongst members of a criminal conspiracy. Unlike cryptography, which merely obscures the communication between two parties when observed by a third party, steganography hides the very existence of the communications channel. In the arena of commercial sexual exploitation of children, law enforcement concerns involve the use of steganography by manufacturers and distributers of child pornography to exchange and to hide child pornography.

Consider the following hypothetical scenario. By pre-agreement, the leader of a child pornography distribution ring puts items for sale on eBay every Monday and posts photographs of the items. The items for sale are legitimate; bids are accepted, money is collected and products are dutifully shipped. But at some pre-arranged time during the week, versions of the photos are posted that contain hidden pictures. The ring members know when that time is and download the new photos. Unless the individuals are under active investigation, it is unclear that anyone will notice this activity. Furthermore, the sheer volume of people downloading the pictures will make it difficult to distinguish between the legitimate buyer and the conspirator.

For steganography to be effective, the sender and receiver have to agree upon the carrier files that will transport the hidden messages, the steganographic software to employ, and, possibly, a password. As one may imagine, there are literally an infinite number of audio and image files that can be used as carriers, and users can continue to produce such files forever. The StegoArchive3 lists more than 100 steganographic programs for Windows, DOS, Linux, and other operating systems. Some of the better-known stego programs that are available for free on the Internet include:

  • Gif-It-Up: Hides information in GIF carrier files
  • JPHide-&-Seek: Hides information in JPEG carrier files
  • MP3Stego: Hides information in MP3 carrier files
  • S-Tools: Hides information in BMP, GIF, or WAV carrier files
  • Stash: Hides information in BMP, PCX, PNG, and TIFF carrier files
  • Stegotif: Hides information in TIFF carrier files
  • Stegowav: Hides information in WAV carrier files

Today's steganographic programs can hide any type of binary data into nearly any type of image, audio, or video file. Data can even be hidden inside executable files4 and spam messages5. This flexibility is what makes steganography so problematic for digital forensics investigators and prosecutors alike. To date, little steganography has been found in criminal cases so there is a mindset that it isn't being used. One of the reasons that it isn't being found, however, is partially due to the fact that most investigators do not routinely search for steganographic tools and frequently use improper methods when they look for steganographic content. In an informal survey conducted in late 20036, many investigators reported using S-Tools or JPHide-&-Seek — i.e., the very steganography software that a suspect might use to hide information — to detect steganography in suspect files. Steganographic software is great for hiding information but wholly inadequate for steganographic detection and steganalysis.

Investigators need to take a systematic approach to searching for steganographic content. At this time, the "official" computer forensics manuals7,8 don't provide any steganographic guidelines. Prosecutors might also consider carefully crafting search warrants permitting more detailed forensic examinations for steganalysis. In the interim, consider the following suggestions.

First, look for clues that might suggest the use of steganography, such as:

  • The technical capabilities or sophistication of the computer's owner. Look at the books, articles, magazines, and software manuals in the suspect's library; the literature that the suspect possesses gives clues as to his/her interests and capabilities as well as the software that might be available.

  • Software clues on the computer. Steganographic investigators need to be familiar with the name of common steganographic software and related terminology, and even Web sites about steganography. Investigators should look for file names, Web site references in browser cookie or history files, registry key entries, e-mail messages, chat or instant messaging logs, comments made by the suspect, or receipts that refer to steganography. These will provide hard clues to cause the investigator to look deeper. Finding similar clues for cryptography might also lead one down this path.

  • Other program files. Non-steganographic software might offer clues that the suspect hides files inside other files. Users with binary (hex) editors, disk wiping software, or specialized chat software might demonstrate an inclination to alter files and keep information secret.

  • Multimedia files. Look for the presence of a large volume of suitable carrier files. While a standard Windows computer will contain thousands of graphics and audio files, for example, the vast majority of these files are very small and are an integral part of the graphical user interface. A computer system with an especially large number of files that could be steganographic carriers are potentially suspect; this is particularly true if there are a significant number of seemingly duplicate "carrier" files.

  • Type of crime. The type of crime being investigated may also make an investigator think more about steganography than other types of crime. Child pornographers, for example, might use steganography to hide their wares when posting pictures on a Web site or sending them through e-mail. Crimes that involve business-type records are also good steganography candidates because the perpetrator can hide the files but still get access to them; consider accounting fraud, identity theft (lists of stolen credit cards), drugs, gambling, hacking, smuggling, terrorism, and more.

Next Page (2/2) Next Page