The art and science of steganography has been around for centuries. It’s used to write hidden messages in a way that prevents anyone but the recipient from interpreting them. As technology grew it was only natural for steganographic techniques to find their way into electronic processes. It appears that steganography is a growing challenge for forensics investigators and organizations using content monitoring or filtering to protect sensitive data.
What is steganography?
Many forms of steganography have been developed over the years. Wikipedia is a good resource for exploring them. In this article, we’ll investigate how it is used in electronic computing environments.
The most common method of hiding information on a computer is the use of a bitmap image. According to Russell Kay, “Steganography strips less important information from digital content and injects hidden data in its place” (“How Steganography Works”, ComputerWorld, June 10, 2002). In practice, the “less important information” is the least significant bit of each pixel value, and this bit replacement is typically performed across the entire image. A detailed example is found in Kay’s article. A steganographically modified image can be visually identical to the original, as in Figure 1 (“Steganography: Hiding Data Within Data”, Gary C. Kessler, September 2001).
The image on the right contains a 14K text file. I didn’t see any differences. When I showed the images to my wife, an artist, she immediately commented that several of the colors in the modified image appeared washed out when compared to the original. For example, look at the yellow calendar on the cubicle wall in center-right in the image. (Download Kessler's paper for a better view.)
Once the text is inserted in the image, the “stego_medium” is locked with a password. Kessler provides a simple formula to describe the process of creating a steganographic image:
stego_medium = cover_medium + hidden_data + stego_key
In our example, the cover_medium is the bitmap image and the stego_key is the password. The size of the cover_medium determines the maximum size of the hidden_data.
What’s the risk?
A recent article at lifehacker.com, “Hide data in files with easy steganography tools”, prompted me to write this article (Gina Trapani, January 24, 2007). It describes how anyone can obtain easy-to-use software to hide information. I decided to research the business risk from this type of user activity. It didn’t take long to find an instance in which steganographic techniques were used with criminal intent.
In 2000, an engineering firm was the victim of insider intellectual property theft. When a third party forensics investigation firm was called in, it found the stolen information hidden in images attached to email messages (“Steganography: Hidden Data”, Deborah Radcliff, ComputerWorld, June 10, 2002). Content filtering or monitoring solutions would have been of little help in preventing this incident.
In addition to intellectual property, personally identifiable information (PII) and electronic protected health information (ePHI) are also at risk. General or medical identity theft becomes much easier when the data leaves the network inside innocuous-looking images, because there is no anomalous behavior for monitoring tools to observe.
Mounting a defense
The best defense is to periodically scan PCs for questionable software. The presence of steganography software on any system should be prohibited unless specifically required for business purposes. Table 1 is from Radcliff’s article. It describes possible uses for steganography in a business network. Radcliff’s “drawbacks” column makes it clear that there are usually more viable options.
A paper entitled “An Overview of Steganography for the Computer Forensics Examiner”, on the FBI’s Forensic Science Communications web site, details methods to detect and defend against theft by steganography (Gary C. Kessler, July 2004), including:
- Looking for markers such as the slight color differences between the two examples in Figure 1.
- Treating a large number of duplicate or near-duplicate colors in an image as a possible indicator of steganography.
- Comparing sizes: if the suspect image is larger than the base image, the size difference might be caused by hidden information.
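The following is an added example, not code from this article or from Kay’s or Kessler’s papers. It embeds a short message into the least significant bits of a constructed 16x16 RGB bitmap, recovers it again, and then applies two of the heuristics listed above: comparing the suspect image against the original cover, and counting colors that occur in more than one LSB variant. The image, the two-byte length header and the sample message are all constructed assumptions for this example.

```python
"""LSB steganography in a constructed RGB bitmap, with two detection heuristics.
Added example for the article above; not code from the article or its sources."""
import struct

WIDTH, HEIGHT = 16, 16


def make_cover():
    """Constructed cover image: 4x4 flat-colour blocks, stored as a flat list of
    (r, g, b) tuples. Every component is even, so all LSBs start at zero; this is
    a deliberately clean baseline, not a realistic photograph."""
    return [((x // 4) * 64, (y // 4) * 64, 128)
            for y in range(HEIGHT) for x in range(WIDTH)]


def capacity_bytes(pixels):
    """One bit per channel, three channels per pixel; two bytes are reserved for
    the length header. This is the 'size of the cover_medium determines the
    maximum size of the hidden_data' relationship from Kessler's formula."""
    return (len(pixels) * 3) // 8 - 2


def _bits(data):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(pixels, hidden_data):
    """Return a copy of pixels with hidden_data written into the channel LSBs.
    The 2-byte big-endian length prefix is an assumption of this example."""
    if len(hidden_data) > capacity_bytes(pixels):
        raise ValueError("hidden_data exceeds the cover's capacity")
    bits = _bits(struct.pack(">H", len(hidden_data)) + hidden_data)
    out = []
    for px in pixels:
        channels = list(px)
        for c in range(3):
            bit = next(bits, None)
            if bit is not None:
                channels[c] = (channels[c] & 0xFE) | bit  # replace the LSB
        out.append(tuple(channels))
    return out


def extract(pixels):
    """Read the length header, then that many bytes, back out of the LSBs."""
    stream = (ch & 1 for px in pixels for ch in px)

    def read_bytes(n):
        buf = bytearray()
        for _ in range(n):
            value = 0
            for _ in range(8):
                value = (value << 1) | next(stream)
            buf.append(value)
        return bytes(buf)

    (length,) = struct.unpack(">H", read_bytes(2))
    return read_bytes(length)


def changed_pixels(original, suspect):
    """Heuristic 1 (needs the original): count pixels whose values differ."""
    return sum(1 for a, b in zip(original, suspect) if a != b)


def near_duplicate_colour_ratio(pixels):
    """Heuristic 2 (no original needed): fraction of colour groups, where a
    group is all colours that are equal once LSBs are ignored, that occur in
    more than one LSB variant. LSB replacement splits flat colours into pairs
    such as (0,0,128) and (0,1,128) that the eye cannot tell apart."""
    groups = {}
    for r, g, b in pixels:
        key = (r & 0xFE, g & 0xFE, b & 0xFE)
        groups.setdefault(key, set()).add((r, g, b))
    return sum(1 for variants in groups.values() if len(variants) > 1) / len(groups)


# Constructed stand-in for the stolen data; 39 bytes, well under the 94-byte capacity.
SECRET = b"constructed sample: part drawings rev 7"

if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, SECRET)
    print("recovered:", extract(stego))
    print("pixel count unchanged:", len(cover) == len(stego))
    print("pixels changed vs. original:", changed_pixels(cover, stego))
    print("near-duplicate ratio, cover:", near_duplicate_colour_ratio(cover))
    print("near-duplicate ratio, stego:", near_duplicate_colour_ratio(stego))
```

Two things worth noticing when this runs: the stego image has exactly as many pixels as the cover, so the size comparison in the third bullet would not catch LSB replacement in a raw bitmap (it is more useful for formats where the tool appends data), and the near-duplicate ratio rises from zero without any reference to the original, which is the kind of statistical marker a forensic tool can apply when the cover image is not available.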
All of these approaches assume the forensics investigator has the original image, and even then special tools are required to confirm the presence of hidden information and to potentially recover it. Steganalysis software, like WetStone’s Stego Suite, can be a big help when data hiding is suspected, whether or not the original images are available.
For more information about steganography, or for a list of available steganography software, visit StegoArchive.com.