Steganalysis

Steganalysis is the art and science of detecting messages hidden using steganography; this is comparable to cryptanalysis applied to cryptography.

The goal of steganalysis is to identify suspected packages, determine whether or not they have a payload encoded into them, and, if possible, recover that payload. It is complicated primarily by four things:

• The suspect files may or may not have any data encoded into them in the first place.
• The payloads, if any, may have been encrypted before being encoded into the carriers.
• Some of the suspect files may have had noise or irrelevant data encoded into them (which reduces stealth but can make analysis very time-consuming).
• Unless you can completely recover, decrypt, and inspect the payload, you often can't be sure whether you really have a file used for transport or not-- all you have is a probability.

Unlike cryptanalysis, where it is obvious that intercepted data contains a message (though that message is encrypted), steganalysis generally starts with a pile of suspect data files, but little information about which of the files, if any, contain a payload. The steganalyst is usually something of a forensic statistician, and must start by reducing this set of data files (which is often quite large; in many cases, it may be the entire set of files on a computer) to the subset most likely to have been altered.

The problem is generally handled with statistical analysis. A set of unmodified files of the same type, and ideally from the same source (for example, the same model of digital camera, or if possible, the same digital camera; digital audio from a CD MP3 files have been "ripped" from; etc.) as the set being inspected, are analyzed for various statistics. Some of these are as simple as spectrum analysis, but since most image and audio files these days are compressed with lossy compression algorithms, such as JPEG and MP3, they also attempt to look for inconsistencies in the way this data has been compressed. For example, a common artifact in JPEG compression is "edge ringing", where high-frequency components (such as the high-contrast edges of black text on a white background) distort neighboring pixels. This distortion is predictable, and simple steganographic encoding algorithms will produce artifacts that are detectably unlikely.

One case where detection of suspect files is straightforward is when the original, unmodified carrier is available for comparison. Comparing the package against the original file will yield the differences caused by encoding the payload-- and, thus, the payload can be extracted.

However, this is only part of the problem, as the payload has often been encrypted first. Encrypting the payload is not always done solely to make recovery of the payload more difficult. Many encryption techniques have the desirable property of making the payload appear much more like well-distributed noise, which can make detection efforts more difficult, and save the steganogphic encoding technique the trouble of having to distribute the signal energy evenly.

If inspection of a storage device is considered very likely, the steganographer may attempt to barrage a potential analyst with, effectively, misinformation. This may be a large set of files encoded with anything from random data, to white noise, to meaningless drivel, to deliberately misleading information. The encoding density on these files may be slightly higher than the "real" ones to try and fool the steganalyst into checking them first, potentially wasting significant time and computing resources. The downside to this technique is it makes it much more obvious that steganographic software was available, and was used.

Obtaining a warrant or taking other action based solely on steganalytic evidence is a very dicey proposition unless a payload has been completely recovered and decrypted, because otherwise all the analyst has is a statistic indicating that a file may have been modified, and that modification may have been the result of steganographic encoding. Because this is likely to frequently be the case, steganalytic suspicions will often have to be backed up with other investigative techniques.

In the end, sometimes all you have for your trouble is a hunch.

See also

• Covert channel
• Cryptography
• Data compression
• Computer forensics

External links

• Cyber warfare: steganography vs. steganalysis (http://www.acmqueue.com/modules.php?name=Content&pa=showpage&pid=241) For every clever method and tool being developed to hide information in multimedia data, an equal number of clever methods and tools are being developed to detect and reveal its secrets.
• Research Group (http://isis.poly.edu/projects/stego/). Ongoing research in Steganalysis.