StegDetect and StegBreak: A Steganographic Detection & Message Extraction Toolsuite

Traditionally, cryptography has been used to encode messages so that the content is unreadable by anyone other than the sender and the intended recipient. Steganography has a different goal: it conceals the fact that a message exists at all. In response to increasing surveillance of electronic communications, the use of steganography to camouflage a text message within a graphic image has been on the increase, by criminal and terrorist organizations among others.

The sophistication of steganographic algorithms is steadily improving from the perspective of those employing the technology, while detection of digitally altered photographs tends to remain one step behind. The digital camera has also raised the native resolution of an original photograph well beyond anything produced by traditional point-and-shoot cameras or even many consumer-grade 35mm SLR cameras, and, as the experiments below show, higher resolution leaves more room to hide data without any visible change.

This paper discusses a steganographic detection tool called StegDetect, developed by Niels Provos, a doctoral graduate of the University of Michigan, and its forensic application. StegDetect is licensed under the GNU General Public License (GNU GPL) and is available without cost at http://www.StegDetect.org, both in source code form and as a Microsoft Windows executable binary. The current source code version is 0.6, released 2004-09-06, while the most recent pre-compiled Microsoft Windows binary is 0.4, released 2001-12-21. For this evaluation the source code version was compiled on a computer running the OpenSuSE Linux operating system and used from the command prompt. This version illustrates the advantages of such a tool in the forensic analyst's toolkit. The companion StegBreak tool was used to extract the actual hidden message or contraband after detection by StegDetect.

METHODOLOGY

To evaluate the software, two approaches were taken with the express purpose of comparing the level of detection possible when examining photographs containing a hidden text message and those without any such alteration. In all tests the JPEG format was chosen for the graphic image files, since the majority of illicit photographs are stored in this format and StegDetect itself only analyses JPEG images. Due to monitor resolution variances, and in the interest of keeping this report focused on the analysis of the steganographic tools, no images have been embedded herein.

The first set of experiments asks whether resolution plays any role in the degree to which an altered photograph is detectable, both by the human eye and by StegDetect. A steganographically altered image file of low resolution proved not only easy to detect with the tool but equally detectable by the human eye in almost every case, except for very short one-word messages. At about 3MP (megapixel) resolution the human eye cannot distinguish between an image without a hidden message and an image containing the equivalent of an inter-office memo. When a photograph shot at 10MP resolution was steganographically altered with a 1KB message, and again with a 1MB message, the software identified both as suspect images. The status message “False Positive Likely” was returned for some of the sample files originating from external sources, and subsequent use of StegBreak revealed only a digital watermark within those files. This was most likely because each of these files was analysed in isolation, without a baseline of known-clean images to compare it against.
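The detection behind findings like these is statistical rather than visual. The following is an added example written for this page, not code from StegDetect or StegBreak: a pure-Python implementation of the classic chi-square test on pairs of values (Westfeld and Pfitzmann), the attack that works against JSteg-style sequential LSB embedding in quantized DCT coefficients. The coefficient histogram, the message bits and the window size are all constructed here; real use would read the coefficients out of the JPEG. The example also shows why a message that fills the available capacity (the 1MB case) is easier to catch than a short one (the 1KB case): a full message equalizes every pair of values, while a short message equalizes only the leading pairs, so the test over the whole image stays negative and only a test over a leading window catches it.

```python
import math
import random
from collections import Counter


def _regularized_gamma_q(a, x):
    """Regularized upper incomplete gamma Q(a, x); the chi-square survival
    function is Q(df/2, chi2/2). Series / continued fraction after Numerical
    Recipes, so the example has no SciPy dependency."""
    if x <= 0.0:
        return 1.0
    log_prefix = -x + a * math.log(x) - math.lgamma(a)
    if x < a + 1.0:                       # series for P(a, x), then Q = 1 - P
        term = total = 1.0 / a
        ap = a
        while abs(term) > abs(total) * 1e-15:
            ap += 1.0
            term *= x / ap
            total += term
        return 1.0 - total * math.exp(log_prefix)
    tiny = 1e-300                         # Lentz continued fraction for Q(a, x)
    b = x + 1.0 - a
    c, d = 1.0 / tiny, 1.0 / b
    h = d
    for i in range(1, 10000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < 1e-15:
            break
    return math.exp(log_prefix) * h


def chi_square_pairs(coeffs, skip=(0, 1), min_expected=5.0):
    """Chi-square test on pairs of values (2k, 2k+1). Returns (statistic,
    degrees_of_freedom, p); p close to 1.0 means the pair frequencies have
    been equalized, i.e. LSB embedding is likely. Values in `skip` are the
    ones JSteg never touches (0 and 1), so they carry no evidence."""
    counts = Counter(v for v in coeffs if v not in skip)
    stat, categories = 0.0, 0
    for even in sorted({v & ~1 for v in counts}):   # v & ~1 floors v to 2k
        n_even, n_odd = counts.get(even, 0), counts.get(even + 1, 0)
        expected = (n_even + n_odd) / 2.0
        if expected < min_expected:                  # too sparse to test
            continue
        stat += (n_even - expected) ** 2 / expected
        categories += 1
    df = max(categories - 1, 1)
    return stat, df, _regularized_gamma_q(df / 2.0, stat / 2.0)


def embed_lsb(coeffs, bits, skip=(0, 1)):
    """JSteg-style sequential embedding: overwrite the LSB of each usable
    coefficient with the next message bit until the message is exhausted."""
    out, it = [], iter(bits)
    for v in coeffs:
        bit = None if v in skip else next(it, None)
        out.append(v if bit is None else (v & ~1) | bit)
    return out


def synthetic_coefficients(n, seed=1, scale=2.0, vmax=12):
    """Constructed stand-in for quantized DCT coefficients: a symmetric,
    roughly Laplacian histogram in which 2k and 2k+1 are clearly NOT
    equally frequent (the regularity that embedding destroys)."""
    rng = random.Random(seed)
    values = list(range(-vmax, vmax + 1))
    weights = [math.exp(-abs(v) / scale) for v in values]
    return rng.choices(values, weights=weights, k=n)


def random_bits(n, seed=2):
    """Constructed message: encrypted payloads look like random bits."""
    rng = random.Random(seed)
    return [rng.getrandbits(1) for _ in range(n)]


def demo(n=20000, window=2000):
    clean = synthetic_coefficients(n)
    full = embed_lsb(clean, random_bits(n))          # message fills capacity
    short = embed_lsb(clean, random_bits(n // 10))   # 2000 bits, consumed by
    return {                                         # the leading ~2,650 coeffs
        "clean": chi_square_pairs(clean),
        "full": chi_square_pairs(full),
        "short_whole_image": chi_square_pairs(short),
        "short_leading_window": chi_square_pairs(short[:window]),
    }


if __name__ == "__main__":
    for name, (stat, df, p) in demo().items():
        print(f"{name:22s} chi2={stat:9.2f} df={df:2d} p={p:.4g}")
```

The `clean` and `short_whole_image` rows come back with p near 0 (the pairs are far from equal), while `full` and `short_leading_window` come back with p well above 0.5. Detectors therefore slide the test over growing windows of the image rather than testing it once as a whole, and embedding schemes that scatter bits pseudo-randomly or preserve the pair statistics (the later generation of tools) need different tests, which is why a tool like StegDetect carries one test per scheme.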

The second set of experiments concerns the reliability and accuracy of StegDetect when comparing a random photographic image file against a large set of known “clean” photographic image files. A large sample of JPEG files was collected from various sources, including my own library and the World Wide Web, to create a detectability baseline using the linear discriminant analysis feature of StegDetect v0.6. All sampled images (photographs, artistic renderings, comic strips, etc.) gathered from the World Wide Web complied with local laws regarding content and age of consent; compliance of my own personal photographs was trivial because all the pictures were of my dogs. I then added a hidden message to several files of varying resolution using a variety of embedding schemes (jsteg, jphide, invisible secrets, outguess, F5 (header analysis), appendX, and camouflage); these files were not part of the original sample. In every instance the hidden message was detected by StegDetect and revealed by StegBreak. The status message “False Positive Likely” was returned significantly less frequently for randomly chosen external files when they were compared against the large pool of sampled files. The results were as expected from the advertised claims of the software toolsuite.

OBSERVATIONS

StegDetect is a standalone utility, available in both command-line (stegdetect) and graphical (xsteg) varieties, for detecting steganographically altered JPEG photographs during forensic analysis.

The emergence of forensic tools for a variety of operating systems, including UNIX variants and Microsoft Windows, that address hidden messages within photographs and other graphic files will undoubtedly assist analysts in the efficient detection and decoding of such messages.

This software worked as described by the developer and by the various published papers on steganography that cite StegDetect. The resolution findings of the first experiment held throughout: low-resolution altered images were obvious to the eye, while from about 3MP upward only the tool could tell. The number of false positives decreased sharply once a large sample of photographic-quality images had been processed by StegDetect and the hyperplane separating files without embedded messages from files with embedded messages had been computed. In two dimensions this hyperplane is simply a line drawn through a scatter graph of the kind studied in an introductory college statistics course, with clean files on one side and altered files on the other; it can also be thought of as the boundary between the regions inside and outside the production possibilities curve studied in an introductory college economics course. One caveat on the extraction step: StegBreak recovers a message by a dictionary attack on the embedding passphrase, so extraction succeeds only when the passphrase, or a rule-derived variant of a wordlist entry, appears in the supplied wordlist.
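To make the hyperplane concrete, the following added example (written for this page, not StegDetect's own implementation) trains a two-class Fisher linear discriminant in pure Python on constructed per-image feature pairs and then measures accuracy and false-positive rate on a held-out set, for a small and for a large training sample. The feature pairs, the correlation between the two features, and the assumption that embedding shifts only the first feature by 3.0 are all constructed for the example; in practice the features would be statistics that StegDetect computes from each JPEG.

```python
import random


def _dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def _mean(rows):
    return [sum(col) / len(rows) for col in zip(*rows)]


def _scatter(rows, mu):
    """Within-class scatter matrix sum (x - mu)(x - mu)^T for 2-D rows."""
    s = [[0.0, 0.0], [0.0, 0.0]]
    for r in rows:
        d = [r[0] - mu[0], r[1] - mu[1]]
        for i in range(2):
            for j in range(2):
                s[i][j] += d[i] * d[j]
    return s


def train_lda(clean, stego):
    """Fisher's linear discriminant for two classes. Returns (w, b) such
    that w . x > b lands on the 'stego' side of the separating hyperplane."""
    mu0, mu1 = _mean(clean), _mean(stego)
    s0, s1 = _scatter(clean, mu0), _scatter(stego, mu1)
    sw = [[s0[i][j] + s1[i][j] for j in range(2)] for i in range(2)]
    det = sw[0][0] * sw[1][1] - sw[0][1] * sw[1][0]
    inv = [[sw[1][1] / det, -sw[0][1] / det],
           [-sw[1][0] / det, sw[0][0] / det]]
    diff = [mu1[0] - mu0[0], mu1[1] - mu0[1]]
    w = [_dot(inv[0], diff), _dot(inv[1], diff)]   # w = Sw^-1 (mu1 - mu0)
    b = 0.5 * (_dot(w, mu0) + _dot(w, mu1))        # threshold between means
    return w, b


def is_stego(w, b, features):
    return _dot(w, features) > b


def synthetic_features(n, stego, rng):
    """Constructed per-image feature pairs. The two features are correlated
    and embedding shifts only the first one, so a threshold on that feature
    alone does worse than the hyperplane, which exploits the correlation."""
    rows = []
    for _ in range(n):
        f1 = rng.gauss(0.0, 1.0)
        f2 = 0.8 * f1 + 0.6 * rng.gauss(0.0, 1.0)
        rows.append([f1 + (3.0 if stego else 0.0), f2])
    return rows


def evaluate(train_per_class, test_per_class=1000, seed=7):
    """Train on train_per_class images of each kind, then score a held-out
    set: LDA accuracy and false-positive rate versus a single-feature
    threshold placed at the (oracle) midpoint 1.5 between the class means."""
    rng = random.Random(seed)
    w, b = train_lda(synthetic_features(train_per_class, False, rng),
                     synthetic_features(train_per_class, True, rng))
    clean = synthetic_features(test_per_class, False, rng)
    stego = synthetic_features(test_per_class, True, rng)
    fp = sum(is_stego(w, b, x) for x in clean)
    tp = sum(is_stego(w, b, x) for x in stego)
    naive_ok = sum(x[0] <= 1.5 for x in clean) + sum(x[0] > 1.5 for x in stego)
    return {
        "w": w, "b": b,
        "lda_false_positive_rate": fp / test_per_class,
        "lda_accuracy": (tp + test_per_class - fp) / (2 * test_per_class),
        "single_feature_accuracy": naive_ok / (2 * test_per_class),
    }


if __name__ == "__main__":
    for n in (5, 500):
        r = evaluate(n)
        print(f"train={n:3d}/class  LDA accuracy={r['lda_accuracy']:.3f}  "
              f"false positives={r['lda_false_positive_rate']:.3f}  "
              f"single-feature accuracy={r['single_feature_accuracy']:.3f}")
```

The learned weight vector points along the first feature and against the second: the hyperplane tilts to use the correlated second feature as a correction, which is exactly what a single-feature threshold cannot do. With five training images per class the scatter estimate is noisy and the boundary wanders; with five hundred it settles, which is the effect the text reports when a large clean sample is processed first.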

In closing, tools that facilitate the detection of hidden messages embedded within digital photographs will help forensic examiners wade through the large volume of digital image content found on storage media such as USB thumb drives and hard disk drives, and even on the World Wide Web. Through statistical analysis of the content of digital photographs and other image files, the forensic examiner can be reasonably assured that such contraband will not escape scrutiny. Unlike the hash values used to categorize known photographic files, which stop matching as soon as a single bit of the file changes, statistical detection of steganographic alteration cannot be thwarted by flipping a single bit. Knowledge of steganographic techniques serves another purpose for the forensic examiner: a suspect computer that holds numerous graphic image files but no email or chat client might point to the use of steganography.
