Steganography is the science of hiding data inside other data so that the presence of the hidden data is not apparent to an observer. Last night, I was watching one of my favorite shows, “Elementary”. Holmes discovered family photos that were exceedingly large in size; for example, he noted a simple JPG as being over 1 GB. This is significantly larger than a normal JPG file and aroused Holmes’s suspicions. He performed some forensic analysis on the photos and discovered incriminating videos embedded in the picture files that later led to the arrest of some Russian spies! It is an excellent show if you haven’t seen it already. After the episode ended, I decided to do a little research on the topic and write up a short article to help those in the forensics world.
Here is a clip of Season 1 Episode 11 Dirty Laundry from one of my favorite shows Elementary. Sherlock eloquently and concisely explains Steganography to Watson.
I have only been researching the science of Steganography for the past 12 hours, so this is by no means an all-inclusive review or explanation.
Consider this Wikipedia article for some light reading and a brief overview of the science and the tools you can use: http://en.wikipedia.org/wiki/Steganography
I call Steganography a science when arguably it could be considered an art. For clarity’s sake, I will refer to it as a science because there is a method to its madness, and it is completely repeatable. I will attempt to illustrate its repeatability in this article, and I will also present ideas and brief instructions so you can repeat this research if desired.
Here is an example analysis of two pictures that look the same. However, one PNG has an embedded Secret.txt file containing an example message from yours truly.
The above screenshot shows two visually identical PNGs. They have exactly the same resolution and bit depth. They are, however, different sizes and hash differently, which proves that the two files are not the same even though they appear identical to us. A roughly 100 KB difference is hardly suspicious unless you have the files side by side for comparison; 232 KB is a perfectly reasonable size for a PNG of this resolution. Note that the hash comparison only works because the clean original is available: without a known-good copy, file size and hash alone tell you nothing. The Secret.txt file is small, but it could contain a link, a URL, instructions for obtaining further secret data, or something else (be creative).
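As an added example (not part of the original post, and not OpenPuff's code), the following Python script automates the comparison described above. It builds a small constructed PNG carrier in memory, produces two "stego" copies of it using two deliberately crude hiding methods (an extra tEXt chunk, and bytes appended after IEND; these are illustrations only and make no claim about how OpenPuff embeds its payload), then walks the PNG chunk list of each file and reports the things a screenshot of two thumbnails cannot show: resolution and bit depth from IHDR, file size, SHA-256, chunks the clean file does not have, CRC failures, and any data trailing the IEND chunk that a decoder silently ignores.

```python
import hashlib
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, body, CRC32 over type+body."""
    crc = zlib.crc32(chunk_type + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + chunk_type + body + struct.pack(">I", crc)


def build_png(width: int, height: int, extra_chunks=(), trailing: bytes = b"") -> bytes:
    """Constructed sample carrier: a solid-colour 8-bit RGB PNG built here so the
    example runs offline. extra_chunks go after IHDR; trailing is appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)  # depth 8, colour type 2 (RGB)
    scanline = b"\x00" + b"\x40\x80\xc0" * width                 # filter type 0 + RGB pixels
    chunks = [_chunk(b"IHDR", ihdr)]
    chunks += [_chunk(ctype, body) for ctype, body in extra_chunks]
    chunks.append(_chunk(b"IDAT", zlib.compress(scanline * height)))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks) + trailing


def inspect_png(data: bytes) -> dict:
    """Walk the chunk list and collect the properties a quick triage compares."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    info = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "chunks": [],          # (type, body length) in file order
        "bad_crc": [],         # chunk types whose CRC does not verify
        "trailing_bytes": 0,   # bytes after IEND; decoders ignore them
    }
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            break                                   # truncated chunk, stop walking
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            info["bad_crc"].append(ctype.decode("latin-1"))
        info["chunks"].append((ctype.decode("latin-1"), length))
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            info.update(width=width, height=height, bit_depth=depth, colour_type=colour)
        pos += 12 + length
        if ctype == b"IEND":
            info["trailing_bytes"] = len(data) - pos
            break
    return info


def compare(clean: bytes, suspect: bytes) -> list:
    """Findings that distinguish a suspect carrier from a known-good original."""
    a, b = inspect_png(clean), inspect_png(suspect)
    findings = []
    same_image = (a["width"], a["height"], a["bit_depth"]) == (b["width"], b["height"], b["bit_depth"])
    if same_image and a["sha256"] != b["sha256"]:
        findings.append("same resolution and bit depth but different SHA-256")
    if a["size"] != b["size"]:
        findings.append(f"size differs by {b['size'] - a['size']} bytes")
    unexpected = [c for c in b["chunks"] if c not in a["chunks"]]
    if unexpected:
        findings.append(f"chunks (type, length) absent from the clean file: {unexpected}")
    if b["trailing_bytes"]:
        findings.append(f"{b['trailing_bytes']} bytes after IEND")
    if b["bad_crc"]:
        findings.append(f"CRC failures: {b['bad_crc']}")
    return findings


# Constructed inputs: a clean carrier and two hypothetical stego copies.
CLEAN = build_png(64, 48)
SECRET = b"Secret.txt: hypothetical example message\n"
STEGO_TEXT_CHUNK = build_png(64, 48, extra_chunks=[(b"tEXt", b"Comment\x00" + SECRET)])
STEGO_TRAILING = build_png(64, 48, trailing=SECRET)

if __name__ == "__main__":
    for label, suspect in (("tEXt chunk", STEGO_TEXT_CHUNK), ("trailing data", STEGO_TRAILING)):
        print(f"{label}: {compare(CLEAN, suspect)}")
```

Both crude methods are caught because the original carrier is on hand; a payload written into the pixel data itself would keep the chunk layout intact and only show up as a different IDAT and a different hash, which is why the known-good copy matters more than any single check here.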
This steganograph was created using a brilliantly simple Windows program called “OpenPuff”, which can be found at http://embeddedsw.net/OpenPuff_Steganography_Home.html and is also linked from the Wikipedia tools section mentioned at the beginning of this article. It is not the most intuitive program, nor the simplest, but it does a lot of the heavy lifting for you. OpenPuff has some advanced cryptography capabilities, and it can spread a secret across multiple carrier files and file types. It is also seemingly open source and free as in beer and speech, so long as you cite the author and copyright owner, “Eng. Cosimo Oliboni”, and link to his site http://embeddedsw.net. Fair enough! Sadly, it is Windows only.
Next you want to “hide” a message in a file. Click Hide.
The above screenshot shows the various parts of the program for hiding “data” in “carriers”. My steganographs will always be encoded with only the A password setting, using the password “t3chkommie”, for the examples. You may want to analyse some of the photos in this post for secrets!
To pull a secret out of a file, open OpenPuff and select “Unhide”. Add the carrier photo you think contains a secret, enter the password(s), and click Unhide. Any secret found will be extracted and saved to your PC for further analysis.
Hopefully this crash course on Steganography helps, at the very least, to whet the appetite of forensic professionals for more hands-on, practical applications of this technology.
At this time, it seems quite difficult to discover these hidden messages. Unless someone embeds a huge amount of data in a typically small file type, the secrets are likely to go unnoticed, and even when a carrier is identified, the password protection and cryptography mentioned above mean the payload cannot be recovered without the keys. I will be working with more forensic software that analyses media types for strange patterns signifying Steganography. I will review and post on those as time permits.