Steganography Part 2 – Detection and Research

Introduction to Steganalysis
  What is steganalysis?
  - The art of detecting messages hidden by steganography
  - Alternatively, detection of steganography by a third party
  - Research and analysis of steganography tools to develop detection methods

Introduction to Steganalysis
  Why is it important to computer forensics?
  - Steganography allows a person to hide information in a non-obvious way, so evidence is potentially tough to find.
  - Steganography is harder to spot than encryption.
  - Steganography is tough to detect; you need a tool to help you.
  - Checking images etc. for steganography is time intensive; you need help to narrow down the search.

Detection Methods: Human Methods
  - Manually look at the file
  - Extremely hard to detect steg by sight or hearing
  - Looking for anomalies in an image or in sound is only possible when the hidden message is large compared to the carrier.
  - Look for anomalies in file size etc.
  - All human methods are very time intensive and not reliable.

Detection Methods: Computer Forensic Methods
  - We can use CF techniques to help find evidence of steg usage
  - Search for evidence of steganography tools:
    - Use a tool like EnCase to look for deleted programs
    - Look in start menus
    - Look for remnants of steg tools in the registry
  - If we can find a tool then we know what steganalysis to run
  - Detection is typically different for each steg tool, so we want to reduce the number of steg tools we scan for in our images, MP3s, etc.
Detection Programs
  - Use a specialized tool, much like a virus scanner
  - Scans the disk looking at files for steg “signatures”
  - Can search for a specific tool's signature
  - Freeware/open-source tool: Stegdetect
    - Can detect and crack various JPEG-based steg tools, such as JPHide, OutGuess, F5, etc.
  - Commercial products: StegoSuite by WetStone, StegAnalyzer by SARC

Demo of Stegdetect
  Command line tool
  Usage: stegdetect <options> <files>
  Options:
    -q           only report images that have steg content
    -s <number>  change the sensitivity of detection
    -t <tools>   select which tools to search for: any combination of j, o, p, i
                 (j = JSteg, o = OutGuess, p = JPHide, i = Invisible Secrets)
  Example: stegdetect -q -t jp *.jpg
  Search all JPEGs in the current directory for usage of JSteg and JPHide and report only those that do have steg.

Detection Tools: Blind Steganography Detection
  - Used when you don't know the steg tool used; it might even be a steg tool that's not widely known about
  - Involves statistical techniques:
    - Expected values of the image compared to actual values (file size, noise levels)
    - Chi-square tests on the distribution of DCT values: DCT values in a non-steg image match a distribution curve; modified DCT values don't fit this curve
  - May give false positives or false negatives
  - Some steg tools purposely avoid these statistical detection techniques by adjusting other values to fool the chi-square test.

Detection Tools: Blind Steganography Detection (cont'd)
  - Once a file is flagged as being steg'd we need to extract the hidden message.
  - May need to break a password or encryption:
    - JPHide uses a password to control how it modifies the JPEG, therefore we need to know the password in order to extract the hidden message.
    - The contained message may be encrypted.
  - Might have to use brute force to break it; this can be extremely time consuming for complex passwords.
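The chi-square idea on the blind detection slide can be shown on the simplest carrier statistic, the histogram of sample values: LSB replacement with a random message drives the counts of each value pair (2k, 2k+1) towards equality, so a chi-square statistic that is close to zero is the embedding signature. The code below is an added example, not part of the deck or of Stegdetect; it works on constructed 8-bit samples rather than JPEG DCT coefficients, and the carrier, the embedding routine and the flagging threshold are all assumptions for illustration.

```python
import random
from collections import Counter

# Chi-square pairs-of-values (PoV) statistic per degree of freedom.
# Unmodified data with unequal pair counts scores high; fully embedded
# LSB data, whose pairs have been equalised, scores close to zero.
def chi_square_pov(values):
    counts = Counter(values)
    chi2, dof = 0.0, 0
    for k in range(0, 256, 2):
        even, odd = counts.get(k, 0), counts.get(k + 1, 0)
        expected = (even + odd) / 2
        if expected == 0:
            continue  # an empty pair carries no information
        chi2 += (even - expected) ** 2 / expected
        dof += 1
    return chi2 / dof if dof else 0.0

def embed_lsb(values, bits):
    # Replace the least significant bit of each sample with a message bit;
    # samples beyond the message length are left untouched.
    return [(v & ~1) | b for v, b in zip(values, bits)] + values[len(bits):]

def random_message(length, seed=1):
    rng = random.Random(seed)
    return [rng.randrange(2) for _ in range(length)]

def synthetic_carrier(n=20000, seed=7):
    # Constructed sample data, not a real image: even values are made about
    # three times as common as odd ones so that pair counts are unequal,
    # standing in for the uneven pair frequencies of unmodified image data.
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        v = rng.randrange(256)
        if v & 1 and rng.random() < 0.5:
            v -= 1
        samples.append(v)
    return samples

def is_flagged(values, threshold=2.0):
    # Assumed threshold: a statistic well below what clean data produces
    # means the pairs have been equalised; calibrate on known-clean files.
    return chi_square_pov(values) < threshold

if __name__ == "__main__":
    clean = synthetic_carrier()
    stego = embed_lsb(clean, random_message(len(clean)))
    for name, data in (("clean", clean), ("stego", stego)):
        print("%s: chi2/dof=%.2f flagged=%s" % (name, chi_square_pov(data), is_flagged(data)))
```

With a message much shorter than the carrier only part of the histogram is equalised and the statistic stays high, which is one source of the false negatives the slide mentions.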
Steganography Research
  Finding new ways of detecting steg; improving blind detection methods
  - Genetic algorithms: a self-modifying algorithm that adapts to find an optimal solution, in this case optimal detection of steg
  - Artificial intelligence: Support Vector Machines
    - Consists of classifying an image as steg or non-steg
    - Composed of a feature vector: specific sections or statistics of an image to look at
    - The SVM is trained on a series of steg and non-steg images along with their feature vectors and learns how to detect steg to a high percentage.

Steganography Research
  Also finding new ways of steg'ing files (MPEG, PNG, etc.)
  - Tells us if we need to be concerned with steg in certain files
  - Important in order to adapt our practices of what or what not to search for in an investigation.

Steganography Research: URI Steganography Research Group
  - Received a NIJ grant to create a steg detection tool
  - Combines its own SVM with commercial detection software
  - Provides a single toolchain to analyze, break, and report
  - Gives a single interface to forensic examiners
  - Easily extendable to new tools and new file formats without the examiner having to learn a new tool or technique
  - Allows the examiner to submit files to be checked and continue their examination in the meantime.