Steganalysis is the art and science of detecting messages hidden using
steganography; this is analogous to cryptanalysisapplied to cryptography.
The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload.
Unlike cryptanalysis, where it is obvious that intercepted data contains a message (though that message is
encrypted), steganalysis generally starts with a pile of suspect data files, but little information about which of the files, if any, contain a payload. The steganalyst is usually something of a forensic statistician, and must start by reducing this set of data files (which is often quite large; in many cases, it may be the entire set of files on a computer) to the subset most likely to have been altered.
The problem is generally handled with statistical analysis. A set of unmodified files of the same type, and ideally from the same source (for example, the same model of digital camera, or if possible, the same digital camera; digital audio from a CD MP3 files have been "ripped" from; etc.) as the set being inspected, are analyzed for various statistics. Some of these are as simple as spectrum analysis, but since most image and audio files these days are compressed with lossy compression algorithms, such as
JPEGand MP3, they also attempt to look for inconsistencies in the way this data has been compressed. For example, a common artifact in JPEG compression is "edge ringing", where high-frequency components (such as the high-contrast edges of black text on a white background) distort neighboring pixels. This distortion is predictable, and simple steganographic encoding algorithms will produce artifacts that are detectably unlikely.
One case where detection of suspect files is straightforward is when the original, unmodified carrier is available for comparison. Comparing the package against the original file will yield the differences caused by encoding the payload-- and, thus, the payload can be extracted.
Noise Floor Consistency Analysis
In some cases, such as when only a single image is available, more complicated analysis techniques may be required. In general, steganography attempts to make distortion to the carrier indistinguishable from the carrier's noise floor. In practice, however, this is often improperly simplified to deciding to make the modifications to the carrier resemble
white noiseas closely as possible, rather than analyzing, modeling, and then consistently emulating the actual noise characteristics of the carrier. In particular, many simple steganographic systems simply modify the least-significant bit (LSB) of a sample; this causes the modified samples to have not only different noise profiles than unmodified samples, but also for their LSBs to have different noise profiles than could be expected from analysis of their higher-order bits, which will still show some amount of noise. Such LSB-only modification can be detected with appropriate algorithms, in some cases detecting encoding densities as low as 1% with reasonable reliability [ [http://patft1.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=6831991.PN.&OS=PN/6831991&RS=PN/6831991 Patent No. 6,831,991, Reliable detection of LSB steganography in color and grayscale images] ; Fridrich, Jessica, et al, issued December 14th, 2004. "(This invention was made with Government support under F30602-00-1-0521 and F49620-01-1-0123 from the U.S. Air Force. The Government has certain rights in the invention.)"] .
Detecting a probable steganographic payload is often only part of the problem, as the payload may have been encrypted first. Encrypting the payload is not always done solely to make recovery of the payload more difficult. Many encryption techniques have the desirable property of making the payload appear much more like well-distributed noise, which can make detection efforts more difficult, and save the steganographic encoding technique the trouble of having to distribute the signal energy evenly (but see above concerning errors emulating the native noise of the carrier).
If inspection of a storage device is considered very likely, the steganographer may attempt to barrage a potential analyst with, effectively, misinformation. This may be a large set of files encoded with anything from random data, to white noise, to meaningless drivel, to deliberately misleading information. The encoding density on these files may be slightly higher than the "real" ones; likewise, the possible use of multiple algorithms of varying detectability should be considered. The steganalyst may be forced into checking these decoys first, potentially wasting significant time and computing resources. The downside to this technique is it makes it much more obvious that steganographic software was available, and was used.
Conclusions and Further Action
Obtaining a warrant or taking other action based solely on steganalytic evidence is a very dicey proposition unless a payload has been completely recovered "and decrypted", because otherwise all the analyst has is a statistic indicating that a file "may" have been modified, and that modification "may" have been the result of steganographic encoding. Because this is likely to frequently be the case, steganalytic suspicions will often have to be backed up with other investigative techniques.
* [http://www.sarc-wv.com/stegalyzeras.aspx StegAlyzerAS] An automated tool to detect the presence of steganography applications by matching artifacts of known files and registry keys on suspect computer media.
* [http://www.sarc-wv.com/stegalyzerss.aspx StegAlyzerSS] An automated tool to detect and extract steganography embedded within various carrier files by numerous steganography applications.
* [http://www.sarc-wv.com Steganography Analysis and Research Center (SARC)] A Backbone Security Center of Excellence providing tools for steganography detection and extraction as well as Certified Steganography Examiner Training.
* [http://www.jjtc.com/Steganalysis Steganalysis] research and papers by [http://www.jjtc.com Neil F. Johnson] addressing attacks against [http://www.jjtc.com/Steganography Steganography and Watermarking] , and Countermeasures to these attacks.
* [http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=241 Cyber warfare: steganography vs. steganalysis] For every clever method and tool being developed to hide information in multimedia data, an equal number of clever methods and tools are being developed to detect and reveal its secrets.
* [http://isis.poly.edu/projects/stego/ Research Group] . Ongoing research in Steganalysis.
* [http://diit.sourceforge.net Digital Invisible Ink Toolkit] An open-source image steganography suite that includes both steganography and steganalysis implementations.
* [http://www.krenn.nl/univ/cry/steg/ Steganography - Implementation and detection] Short introduction on steganography, discussing several information sources in which information can be stored
* [http://stegsecret.sourceforge.net/ StegSecret] . StegSecret is a java-based multiplatform steganalysis tool. This tool allows the detection of hidden information by using the most known steganographic methods. It detects EOF, LSB, DCTs and other techniques. (steganography - stegoanalysis).
Wikimedia Foundation. 2010.
Look at other dictionaries:
steganalysis — noun steganographic analysis … Wiktionary
Steganography — is the art and science of writing hidden messages in such a way that no one apart from the sender and intended recipient even realizes there is a hidden message. By contrast, cryptography obscures the meaning of a message, but it does not conceal … Wikipedia
OpenPuff — v3.40 screenshot Developer(s) Eng. Cosimo Oliboni … Wikipedia
Esteganografía — Saltar a navegación, búsqueda Este artículo trata sobre Transporte de Mensajes Ocultos. Aún requiere correcciones. Para Estenografía, véase Taquigrafía. La esteganografía es la disciplina en la que se estudian y aplican técnicas que permiten el… … Wikipedia Español
Detection — In general, detection is the extraction of information from any clear or clouded ambient or otherwise accessible stream of information without neither support from the sender nor synchronization to the sender.In the history of radio… … Wikipedia
Computer forensics — Forensic science Physiological sciences … Wikipedia
Digital watermarking — An image with visible digital watermarking the text Brian Kell 2006 is visible across the center of the image Digital watermarking is the process of embedding information into a digital signal which may be used to verify its authenticity or the… … Wikipedia
Information forensics — is the science of investigation into systemic processes that produce information. Systemic processes utilize primarily computing and communication technologies to capture, treat, store and transmit data. Manual processes complement technology… … Wikipedia
Anti-computer forensics — (sometimes counter forensics) is a general term for a set of techniques used as countermeasures to forensic analysis. Contents 1 Definition 1.1 Sub categories 1.2 Purpose and goals 2 … Wikipedia
Niels Provos — is a researcher in the areas of secure systems, malware and cryptography. He is currently a Principal Software Engineer at Google. He received his PhD in Computer Science from the University of Michigan. He is the author of numerous… … Wikipedia