NS CASE STUDY

On
Steganography & steganolysis

Submitted by:-
Somay Trivedi
R.No. 99
Class: B.Tech. Sem-1 2017
Branch: Comp.-2
PRN: 1714110198
Introduction
With the wide use and abundance of steganography tools on the Internet, law enforcement
authorities have concerns in the trafficking of illicit material through web page images,
audio, and other files. Methods of detecting hidden information and understanding the
overall structure of this technology is crucial in uncovering these activities.

Digital image steganography is growing in use and application. In areas where

cryptography and strong encryption are being outlawed [1], people are using
steganography to avoid these policies and to send these messages secretly.
In this paper I shall give a brief definition of steganography and steganalysis in general to
provide a good understanding of these two terms, but more importantly, I shall talk about
how to detect the existence of hidden information such as innocent looking carriers of
digital media like text, JPEG images, and MP3 audio files with the help of various tools.

What is steganography?
The word steganography comes from the Greek name “steganos” (hidden or secret)
and “graphy” (writing or drawing) and literally means hidden writing.
Steganography uses techniques to communicate information in a way that is
hidden.
Steganography hides the existence of a message by transmitting information through
various carriers. Its goal is to prevent the detection of a secret message.

The most common use of steganography is hiding information from one file within the
information of another file. For example, cover carriers, such as images, audio, video, text,
or code represented digitally, hold the hidden information. The hidden information may be
plaintext, ciphertext, images, or information hidden into a bit stream. The cover carrier and
the hidden information create a stego-carrier. A stegokey, such as a password, is additional
information to further conceal a message. An investigator who does not possess the name of
the file and the password cannot know about the file’s existence.

For example, the result of information hidden within a cover image is a stego-image, and
the result of information hidden within a video is a stego-video and so forth. The process
may be defined as follows:

cover medium + hidden information + stegokey = stego-medium

Most people would probably detect no loss in the quality of the image. Therefore, an image
posted on the Internet could contain a secret message and avoid suspicion. An article in USA
Today [3] claimed that terrorist groups are using steganography to communicate without
being detected. According to experts, the article lacked technical information to prove these
claims. But, of course, there are many other ways that steganography is being used by
people with harmless motives. For example, some photo agencies will use steganography to
create digital “watermarks” of their pictures to protect their trademark.
Steganography is different from cryptography. Cryptography enciphers or garbles files to
hide the information. A decryption key or password is needed to retrieve the information.
A drawback to cryptography is that there are many ways to retrieve this encrypted
information once it has been discovered. The most obvious example is by knowing about
its existence, investigators can apply the many softwares available to decrypt the hidden
information. Another obvious way is to obtain the password or decryption key from the
owner.

Why is steganography used?

There are many reasons why steganography is used, and it is often used in significant
fields. It can be used to communicate with complete freedom even under conditions that
are censured or monitored. It can also be used to protect private communications where
the use of the cryptography is normally not allowed or would raise suspicion.

There are also at least two techniques that are part of steganography.

Watermarking:
- Protects copyright owners of digital documents by hiding a signature in the
information in a way that even a modified part of the document conserves the
signature.

- Prevents discovery by marking in a hidden and unique way every copy of a

confidential document.

Cover channel:
- Allows people to communicate secretely by establishing a secret
communication protocol.

- Allows non-authorized communication through authorized communication of a

firewall.

Tools used to hide information

There are two possible groups of steganographic tools: the image domain and the
transform domain.

Image domain tools include bit-wise methods that apply least significant bit (LSB)
insertion and noise manipulation. The tools used in this group are StegoDos, S-Tools,
Mandelsteg, EzStego, Hide and Seek (versions 4.1 through 1.0 for Windows 95),
Hide4PGP, Jpeg-Jsteg, White Noise Storm, and Steganos. The image formats used in
these steganography methods cannot be lost and the information can be rearranged or
recovered.
The transform domain tools include those groups that manage algorithms and image
transforms such as Discrete Cosine Transformation (DCT).

The DCT is a technique used to compress JPEG, MJPEG and MPEG in which pixel
values are converted to frequency values for further processing. This process makes it
difficult for visual analysis attacks against the JPEG images .

These two methods hide information in more areas of the cover and may manipulate
image properties such as luminance or the color palette. These methods will allow
more hidden information (about 30 percent the size of the carrier) in a carrier file.
JPEG images are used on the Internet because of their compression quality, which
does not degrade the image.
What is steganalysis?
Steganalysis is the discovery of the existence of hidden information; therefore, like
cryptography and cryptanalysis, the goal of steganalysis is to discover hidden
information and to break the security of its carriers [4].

Types of attacks used by the steganalyst

Stego-only attack: Only the stego-object is available for analysis. For example, only
the stego-carrier and hidden information are available.
Known cover attack: The original cover-object is compared with the stego-object and
pattern differences are detected. For example, the original image and the image containing
the hidden information are available and can be compared.

Known message attack: A known message attack is the analysis of known patterns that correspond to
hidden information, which may help against attacks in the future. Even with the message, this may be
very difficult and may be considered the same as a stego-only attack.
Chosen stego attack: The steganography tool (algorithm) and stego-object are known.
For example, the software and the stego-carrier and hidden information are known.

Chosen message attack: The steganalyst generates a stego-object from some

steganography tool or algorithm of a chosen message. The goal in this attack is to
determine corresponding patterns in the stego-object that may point to the use of
specific steganography tools or algorithms.

Known stego attack: The stegonography tool (algorithm) is known and both the
original and stego-object are available.

Steganography signatures
Unusual patterns in the stego-image are obvious and create suspicion. For example,
unused areas on a disk can be used to hide information. A number of disk analysis
utilities such as EnCase [5] and ILook Investigator © [6] are available, which can
report on and filter hidden information in unused clusters or partitions in storage
devices.

Filters can also be applied to capture TCP/IP packets that contain hidden or invalid
information in the packet headers. TCP/IP packets have unused space in the packet
headers. The TCP packet header has six reserved or unused bits, and the IP packet
header has two reserved bits [10]. Information can also be hidden in the unused bits
found in the Type of Service (TOS) Field and Flags of IP headers. Other methods to
hide information under TCP/IP are exploiting the optional fields in IP headers,
Timestamp, and Time to Live (TTL). These techniques can also be applied to other
protocols such as Novell NetWare [13]. Thousands of packets are transmitted with each
communication channel, which provide an excellent way to communicate secretly. This
technique of hiding information is unsafe because TCP/IP headers might get
overwritten in the routing process, and reserved bits could be overwritten, thus
rendering the hidden information useless.
The technology of firewalls is also greatly improving. For example, you can set filters to
determine if packets are coming from within the firewall’s domain. Also, with the validity
of the SYN and ACK bits, the filters can be configured to catch packets that have
information in presumed unused or reserved space, just like you can set certain firewalls to
exclude such packets with spoofed addresses.

Visual detection
By looking at repetitive patterns, you can detect hidden information in stego images.
These repetitive patterns might reveal the identification or signature of a steganography
tool or hidden information. Even small distortions can reveal the existence of hidden
information.
You can analyze these patterns by comparing the original cover images with the stego
images and try to see differences. This is called a known-cover attack. By comparing
numerous images, patterns become possible signatures to a steganography tool. A few of
these signatures might identify the existence of hidden information and the tools used to
embed the messages. With this information, if the cover images are not available for
comparison, the derived known signatures are enough to imply the existence of a
message and identify the tool used to embed the message.

Detecting hidden information with various tools

1) Guidance Software, Inc.

2) ILookInvestigator

3) Detecting hidden information with Stegdetect and Xsteg

4) Detecting hidden information with file compression

5) Detecting hidden information with Stego Watch from WetStone Technologies

Inc. (commercial product).

Conclusion
Steganography certainly has some beneficial advantages. It is an effective tool for protecting
personal information, and organizations are spending a lot of energy and time in analyzing
steganography techniques to protect their integrity. However, steganography can also be
detrimental. It is hindering law enforcement authorities in gathering evidence to stop illegal
activities, because these techniques of hiding information are becoming more sophisticated.

Although steganography is becoming more advanced, it is still a science that is not

well-known. But it may become very popular in the near future. Its use on the Internet is
certainly promising. That is why law enforcement authorities must continually stay
abreast of this technology, because there will always be some new program to hinder
their efforts.