Click here to load reader
Click here to load reader
Apr 07, 2015
ABSTRACTSteganography is a useful tool that allows covert transmission of information over an overt communications channel. Combining covert channel exploitation with the encryption methods of substitution ciphers and/or one time pad cryptography, steganography enables the user to transmit information masked inside of a file in plain view. The hidden data is both difficult to detect and when combined with known encryption algorithms, equally difficult to decipher.This paper provides a general overview of the following subject areas: historical cases and examples using steganography, how steganography works, what steganography software is commercially available and what data types are supported, what methods and automated tools are available to aide computer forensic investigators and information security professionals in detecting the use of steganography, after detection has occurred, can the embedded message be reliably extracted, can the embedded data be separated from the carrier revealing the original file, and finally, what are some methods to defeat the use of steganography even if it cannot be reliably detected.
1. INTRODUCTIONWithin the field of Computer Forensics, investigators should be aware that steganography can be an effective means that enables concealed data to be transferred inside of seemingly innocuous carrier files. Knowing what software applications are commonly available and how they work gives forensic investigators a greater probability of detecting, recovering, and eventually denying access to the data that mischievous individuals and programs are openly concealing.Generally speaking, steganography brings science to the art of hiding information. The purpose of steganography is to convey a message inside of a
conduit of misrepresentation such that the existence of the message is both hidden and difficult to recover when discovered. The word steganography comes from two roots in the Greek language, Stegos meaning hidden / covered / or roof, and Graphia simply meaning writing.Similar in nature to the slight of hand used in traditional magic,steganography uses the illusion of normality to mask the existence of covert activity. The illusion is manifested through the use of a myriad of forms including written documents, photographs, paintings, music, sounds, physical items, and even the human body. Two parts of the system are required to accomplish the objective, successful masking of the message and keeping the key to its location and/or deciphering a secret. When categorized within one of the two fundamental security mechanisms of computer science (cryptographic protocols and maintaining control of the CPUs instruction pointer), steganography clearly fits within cryptography. It closely mirrors common cryptographic protocols in that the embedded information is revealed in much the same manner as substitution or Bacon cipher mechanisms.This paper will highlight some historical examples, discuss the basic principles of steganography showing how most instances work, identify software that can be used for this purpose, and finally provide an overview of current methods employed to detect and defeat it..
2. HISTORICAL EXAMPLESHiding messages by masking their existence is nothing new. Classical examples include a Roman general that shaved the head of a slave tattooing a message on his scalp. When the slaves hair grew back, the General dispatched the slave to deliver the hidden message to its intended recipient.Ancient Greeks covered tablets with wax and used them to write on. The tablets were composed of wooden slabs. A layer of melted wax
was poured over the wood and allowed to harden as it dried. Hidden messages could be carved into the wood prior to covering the slab. When the melted wax was poured over the slab, the now concealed message was later revealed by the recipient when they re-melted the wax and poured it from the tablet.From the 1st century through World War II invisible inks were often used to conceal hidden messages. At first, the inks were organic substances that oxidized when heated. The heat reaction revealed the hidden message. As time passed, compounds and substances were chosen based on desirable chemical reactions. When the recipient mixed the compounds used to write the invisible message with a reactive agent, the resulting chemical reaction revealed the hidden data. Today, some commonly used compounds are visible when placed under an ultraviolet light.In another form, while Paris was under siege in 1870, messages were sent by carrier pigeon. A Parisian photographer used a microfilm technique to enable each pigeon to carry a higher volume of data. The miniaturization of information also served to deter detection and was a precursor to the invention of the microdot.A microdot is a document or photograph reduced in size until it is as small as a pencil dot (about the size of the period at the end of this sentence). Between World War I and II Germany used microdots for steganographic messaging purposes and later many countries passed these microdot messages through insecure postal channels.With any type of hidden communication, the security of the message often lies in the secrecy of its existence and/or the secrecy of how to decode it. Cryptography often uses only a worst case approach assuming only one of these two conditions holds.
The basics of embedding.
Three different aspects in information-hiding systems contend with each other: capacity, security, and robustness. 4 Capacity refers to the amount of information that can be hidden in the cover medium, security to an eavesdroppers inability to detect hidden information, and robustness to the amount of modification the stego medium can withstand before an adversary can destroy hidden information.Information hiding generally relates to both watermarking and steganography. A watermarking systems primary goal is to achieve a high level of robustness that is, it should be impossible to remove a watermark without degrading the data objects quality. Steganography, on the other hand, strives for high security and capacity,which often entails that the hidden information is fragile.Even trivial modifications to the stego medium can destroy it.A classical steganographic systems security relies on the encoding systems secrecy. An example of this type of system is a Roman general who shaved a slaves head and tattooed a message on it. After the hair grew back, the slave was sent to deliver the now-hidden message.5 Although such a system might work for a time, once it is known, it is simple enough to shave the heads of all the people passing by to check for hidden messagesultimately,such a steganographic system fails.Modern steganography attempts to be detectable only if secret information is knownnamely, a secret key. This is similar to Kerckhoffs Principle in cryptography, which holds that a cryptographic systems security should rely solely on the key material.6 For steganography to remain undetected, the unmodified cover medium must be kept secret,because if it is exposed, a comparison between the cover and stego media immediately reveals the changes.Information theory allows us to be even more specific on what it means for a system to be perfectly secure.Christian Cachin proposed an informationtheoretic model for steganography that considers the security of
steganographic systems against passive eavesdroppers.7 In this model, you assume that the adversary has complete knowledge of the encoding system but does not know the secret key. His or her task is to devise a model for the probability distribution PC of all possible cover media and PS of all possible stego media. The adversary can then use detection theory to decide between hypothesis C (that a message contains no hidden information) and hypothesis S (that a message carries hidden content). A system is perfectly secure if no decision rule exists that can perform better than random guessing. Essentially, steganographic communication senders and receivers agree on a steganographic system and a shared secret key that determines how a message is encoded in the cover medium. To send a hidden message, for example, Alice creates a new image with a digital camera. Alice supplies the steganographic system with her shared secret and her message. The steganographic system uses the shared secret to determine how the hidden message should be encoded in the redundant bits. The result is a stego image that Alice sends to Bob. When Bob receives the image, he uses the shared secret and the agreed on steganographic system to retrieve the hidden message. Figure 1 shows an overview of the encoding step; as mentioned earlier, statistical analysis can reveal the presence of hidden content.
4. Hide and seekAlthough steganography is applicable to all data objects that contain redundancy, in this article, we consider JPEG images only (although the techniques and methods for steganography and steganalysis that we present here apply to other data formats as well). People often transmit digital pictures over email and other Internet communication, and JPEG is one of the most common formats for images. Moreover, steganographic systems for the JPEG format seem more interesting because the systems operate in
a transform space and are not affected by visual attacks.(Visual attacks mean that you can see steganographic messages on the low bit planes of an image because they overwrite visual structures; this usually happens in BMP images.) Neil F. Johnson and Sushil Jajodia, for example, showed that steganographic systems for palette-based images leave easily detected distortions.Lets look at some representative steganographic systems and see how their encoding algorithms change an image in a detectable way. Well compare the different systems and contrast their relative effectiveness.
5. Steganography detection on