Steganography - History

The following article is something I wrote while studying computer forensics in 2010. Although technology has moved on since then, the methods and techniques still have some relevance today. Increased storage capacity, and the fact that data and storage devices are now integrated into almost every aspect of our lives and almost every device we own, mean that hiding information is much easier and, in turn, harder to detect. I find this subject fascinating as it has been around for such a long time (440 BC: a Greek wooden tablet covered with wax). The possibilities are almost endless today, and it is probably easier to look for other forms of evidence than to rely on intercepting messages.

At present, mobile phones are probably one of the best places to look for evidence: even if a phone has been wiped clean (data may still exist in the cloud or be recoverable with forensic tools), the records a mobile network operator captures can show a timeline of movement and interactions.

Below is the complete article I wrote in 2010:

Steganography

Some may think it strange to talk about terrorists, the ancient Greek Demaratus and paedophiles within the same subject, but there is a common thread which links them all: steganography. Steganography, “[t]he art of secret writing” (OED, 2009), is derived from the Greek steganos, meaning covered, and graphein, meaning writing, which literally translates as “covered writing”.

Throughout the ages steganography has been used to keep communication secret during times of conflict, oppression, deceit, betrayal and love. The first known examples date back to the Greeks around 440 BC. The Greek historian Herodotus documented an example where Demaratus wrote a message on a wooden tablet and then covered it with wax in order to conceal it. It is believed he did this to warn the Greeks of an attack by the Persian emperor Xerxes while ensuring his message was not intercepted; a tablet that appeared blank would pass any search. (Whitman & Mattord, 2008:381) and (Kipper, 2003:17)

By its nature steganography is very difficult to detect, and hence it is impossible to date its first use accurately. It has been said that some hieroglyphics were stylised in such a way that only people who knew what to look for would be able to understand the real message. This would date steganography back to around 2000 BC.

The modern term steganography is thought to have come into use as a result of the book Steganographia, written circa 1498 by the German monk Johannes Trithemius. The book was written in three volumes and appeared to be a trilogy about magic. Only once the key to the first two volumes was discovered were they found to be concerned with steganography and cryptography. (Spice, 1998)

Steganography should not be confused with cryptography. Steganography hides the existence of information in order to keep it secret, while cryptography uses encryption to make information unreadable without the key to decode it: an intercepted ciphertext is obviously a secret, an intercepted stego file is not. Steganography and cryptography are often used together today when hiding information, but each can be used independently.

Trithemius’s third volume was thought to be about magic for more than 500 years before it was discovered that it had actually been written as an exercise in steganography and encryption. The encryption used was not particularly complex. It was the fact that he had chosen a subject which allowed him to hide the real message within the many tables of numbers he included in the book that kept it secret for so long. It is still very important when using digital steganography to choose a good host file which will not draw the attention of a forensic investigator. (Spice, 1998)

In most steganography the hidden payload has no relationship to the host media. Digital watermarking, however, which is a form of steganography, hides information about the host file itself. The goal of digital watermarking is to make the watermark as robust as possible, so that it persists even if the picture, film or music is transformed by resizing, re-encoding or changing the sample rate. This differs from steganography, whose main aim is to keep the information covert: the main purpose of digital watermarking is to protect the copyright of the media rather than to hide information.

Many different steganographic methods have been used since its first documented use by the Greeks with wax covered wooden tablets. Table 1 below illustrates some of the forms of steganography used in the past.

Method | Usage | Period | Reference
--- | --- | --- | ---
Microdot | Covert communications | WWII | FBI(a), (n.d.)
Invisible inks | Covert communications | WWII | FBI(b), (n.d.)
Null ciphers | Covert communications | WWII | Kipper, 2003:9
DocuColor tracking dots | Watermarking photocopies | 20th century | EFF, (n.d.)
Newspaper code | Covert communications | 20th century | Kipper, 2003:18
Wax ribbon | Covert communications | Yuan Dynasty | Kipper, 2003:18

Table 1: Past examples of steganography

In today’s world where digital media dominates, there are many computer programs available which will enable anyone to hide information using steganographic methods. These are available either as free-to-use, commercial or open source products. Currently there are well over 100 different steganography programs available.

Steganography tools can be split into categories by the type of host they use and the methods employed. The majority of the tools available use images as the host, and the most common method for digital image steganography is substitution of the least significant bit (LSB) of each pixel value in the graphics file. In an 8-bit greyscale image, for example, each pixel is stored as one byte, with the most significant bit on the left and the least significant bit on the right; in a 24-bit image each pixel is three such bytes, one per colour channel. The method takes advantage of the fact that altering the LSBs has a minimal effect on the image (Nelson, et al., 2009: 409). If “10110110” is the binary value of one pixel, the last two bits “10” can be replaced with the two bits of data to be stored, in this case “11”, giving “10110111”: a change of one level out of 256 here, and at most three levels when two bits are replaced, which has no visible effect on picture quality. This is the basic method employed by tools using LSB substitution, but most then also encrypt the content, compress it, and scatter it across the image with a keyed pseudo-random sequence rather than filling every pixel’s LSB in order from the top of the file. One caveat: in a palette (indexed colour) image such as a GIF the pixel byte is an index into a colour table rather than a brightness, so flipping its LSB can select a completely different colour, and tools that support such images have to reduce or rearrange the palette first. An example of a tool which employs these methods is S-Tools, developed by Andy Brown in 1999. (Brown, A., n.d.)
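The substitution just described, as an added example written for this article rather than code from S-Tools or any other tool: it assumes an uncompressed image body (one byte per channel, as in the pixel data of a BMP), uses a constructed 16x16 RGB gradient as the cover, and adds a 32-bit length header, a selectable 1 to 4 bit depth and an optional keyed shuffle of the byte positions, all of which are choices made here to illustrate the points above and not any real tool’s format.

```python
"""Least-significant-bit (LSB) substitution on a raw buffer of 8-bit samples.

Added example for this article, not S-Tools' code or any other tool's.
Assumes an uncompressed image body (one byte per channel). The 32-bit length
header, the 1-4 bit depth option and the keyed shuffle are choices made here
to illustrate the text, not a format any real tool uses."""
import random

HEADER_BYTES = 4  # big-endian payload length written before the data

# Constructed cover: a 16x16 RGB gradient, 768 bytes. Not a real photograph.
COVER = bytes((x * 16 + y * 3 + c * 40) & 0xFF
              for y in range(16) for x in range(16) for c in range(3))


def capacity_bytes(cover_len: int, bits_per_byte: int = 1) -> int:
    """Payload bytes that fit once the length header is accounted for."""
    return (cover_len * bits_per_byte) // 8 - HEADER_BYTES


def _positions(n: int, key):
    """Order in which cover bytes are visited: sequential, or a keyed shuffle
    so the payload is scattered instead of filling the file from the top."""
    order = list(range(n))
    if key is not None:
        random.Random(key).shuffle(order)
    return order


def lsb_embed(cover: bytes, secret: bytes, bits_per_byte: int = 1, key=None) -> bytes:
    """Overwrite the low `bits_per_byte` bits of cover bytes with header + secret."""
    if not 1 <= bits_per_byte <= 4:
        raise ValueError("use 1-4 bits per byte; deeper changes become visible")
    if len(secret) > capacity_bytes(len(cover), bits_per_byte):
        raise ValueError("payload too large for this cover")
    payload = len(secret).to_bytes(HEADER_BYTES, "big") + secret
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]  # MSB first
    keep = 0xFF ^ ((1 << bits_per_byte) - 1)  # mask that clears the low bits
    out = bytearray(cover)
    pos = 0
    for idx in _positions(len(cover), key):
        if pos >= len(bits):
            break
        chunk = 0
        for _ in range(bits_per_byte):
            chunk = (chunk << 1) | (bits[pos] if pos < len(bits) else 0)
            pos += 1
        out[idx] = (out[idx] & keep) | chunk
    return bytes(out)


def lsb_extract(stego: bytes, bits_per_byte: int = 1, key=None) -> bytes:
    """Read the low bits back in the same order; the header says how many bytes follow."""
    def bit_stream():
        for idx in _positions(len(stego), key):
            for i in range(bits_per_byte - 1, -1, -1):
                yield (stego[idx] >> i) & 1
    stream = bit_stream()

    def take(n: int) -> int:
        v = 0
        for _ in range(n):
            v = (v << 1) | next(stream)
        return v

    length = take(HEADER_BYTES * 8)
    if length > capacity_bytes(len(stego), bits_per_byte):
        raise ValueError("no plausible length header: wrong key, wrong depth or no payload")
    return bytes(take(8) for _ in range(length))


def try_extract(stego: bytes, bits_per_byte: int = 1, key=None):
    """None when the header sanity check fails, otherwise whatever was read."""
    try:
        return lsb_extract(stego, bits_per_byte, key)
    except ValueError:
        return None


def max_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference: at most 2**bits_per_byte - 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    s = lsb_embed(COVER, b"attack at dawn", key=42)
    print(lsb_extract(s, key=42), "max per-byte change:", max_change(COVER, s))
```

Extracting with the wrong key either fails the header check or yields garbage, which is what the keyed scatter buys. The check itself is weak: a cover whose first 32 low bits happen to be zero “decodes” to an empty message, which is why real tools encrypt the payload and verify a checksum. Capacity at one bit per byte is an eighth of the cover size less the header, the size limit the espionage discussion below comes back to.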

When choosing an image to host the steganographic content, it is important to consider the complexity of the image. It is harder for the human eye to notice changes to bright colours or to a picture that contains a lot of detail, such as a field of flowers. By contrast, if the chosen image contained large areas of white background, any changes to that portion of the picture would be easy to detect, and flat areas of identical pixel values are also the easiest place for a statistical test to spot LSB noise. Programs such as S-Tools have the ability to avoid areas like this, making the hidden content harder to detect. (FBI, 2004)

The use of VoIP as a host medium is not very common at present. The standard VoIP protocols, including SIP, H.323, Skinny and the Real-time Transport Protocol (RTP), could all be used as carriers for steganographic content. RTP is the natural choice because it carries the audio samples themselves, so a single call consists of thousands of packets in which a few bits can be altered without anyone noticing. One tool which uses RTP as the cover medium is SteganRTP, which provides a covert channel over which chat, file transfer and remote shell access can run (Uid, Dr., n.d.).

A few steganography programs use the whitespace in text documents as the host. They take advantage of the fact that spaces and tabs at the end of a line are invisible in most viewers and editors. One program which uses this medium is called Snow (Darkside Technology, n.d.). It can also encrypt the message with the ICE block cipher, from the same author, so that it stays unreadable if the hidden stream is detected. This kind of steganography would not be noticed by a casual observer, but it is easy to spot with any program that highlights whitespace or flags trailing spaces and tabs, and it does not survive an editor that strips them.
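The trailing-whitespace scheme described above and the check that exposes it, as an added example for this article: this is a simplified scheme written here, not Snow’s own encoding or code. It assumes the cover is plain newline-separated text, encodes a 1 bit as a tab and a 0 bit as a space, and prefixes a 16-bit length so the decoder knows where the payload ends; the cover text is constructed.

```python
"""Trailing-whitespace steganography in the style of Snow, and the check that
exposes it. Added example for this article: a simplified scheme written here,
not Snow's own encoding. Tab = 1 bit, space = 0 bit, 16-bit length header."""

LENGTH_BITS = 16

# Constructed cover text (not from the article).
COVER = """Minutes of the weekly status meeting
Attendance: all present
Item 1: budget carried over from last quarter
Item 2: office move postponed
Item 3: no further business
Next meeting: same time next week"""


def ws_capacity(cover: str, bits_per_line: int = 8) -> int:
    """Payload bytes the cover can carry at this many bits per line."""
    lines = cover.count("\n") + 1
    return (lines * bits_per_line) // 8 - LENGTH_BITS // 8


def ws_encode(cover: str, secret: bytes, bits_per_line: int = 8) -> str:
    """Append a run of tabs and spaces to the end of each line that carries data."""
    if len(secret) > ws_capacity(cover, bits_per_line):
        raise ValueError("cover has too few lines for this payload")
    payload = len(secret).to_bytes(LENGTH_BITS // 8, "big") + secret
    bits = "".join(f"{b:08b}" for b in payload)
    chunks = [bits[i:i + bits_per_line] for i in range(0, len(bits), bits_per_line)]
    out = []
    for i, line in enumerate(cover.split("\n")):
        line = line.rstrip(" \t")  # existing trailing whitespace would corrupt the stream
        if i < len(chunks):
            line += "".join("\t" if b == "1" else " " for b in chunks[i])
        out.append(line)
    return "\n".join(out)


def ws_decode(stego: str) -> bytes:
    """Read the trailing whitespace of every line back into one bit string."""
    stream = ""
    for line in stego.split("\n"):
        tail = line[len(line.rstrip(" \t")):]
        stream += "".join("1" if c == "\t" else "0" for c in tail)
    if len(stream) < LENGTH_BITS:
        raise ValueError("no payload")
    length = int(stream[:LENGTH_BITS], 2)
    end = LENGTH_BITS + 8 * length
    if len(stream) < end:
        raise ValueError("truncated payload")
    return bytes(int(stream[i:i + 8], 2) for i in range(LENGTH_BITS, end, 8))


def trailing_whitespace_lines(text: str):
    """The investigator's check, equivalent to grep -n '[[:space:]]$' or cat -A:
    (line number, tail with spaces shown as _ and tabs as \\t) for every line
    that ends in whitespace."""
    hits = []
    for n, line in enumerate(text.split("\n"), 1):
        tail = line[len(line.rstrip(" \t")):]
        if tail:
            hits.append((n, tail.replace(" ", "_").replace("\t", "\\t")))
    return hits


if __name__ == "__main__":
    s = ws_encode(COVER, b"9pm")
    print(ws_decode(s))
    for n, tail in trailing_whitespace_lines(s):
        print(f"line {n}: {tail}")
```

The visible text is unchanged, so a reader sees nothing, but every carrying line is flagged by the detector (or by `grep -n '[[:space:]]$'` on the file), which is the weakness the text describes. Encryption of the payload would protect its content, not its presence.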

Another tool which uses text as the carrier takes advantage of the fact that spam is now so common that most people delete it without even opening the e-mail. Spam Mimic (Spammimic.com, n.d.) encodes a message as text that reads like a spam e-mail. This avoids the suspicion that visibly encrypted e-mail, such as a PGP message, would raise with an investigator. Note that the encoding is a fixed, published one: anyone who recognises the output and has the same tool can decode it, so without additional encryption it hides only the existence of the message, not its content.

Other hosts for steganographic content are audio files such as MP3 and video files such as MPEG and AVI; it should be possible to hide information in almost any digital format that tolerates small changes or contains fields that readers ignore. One other method which is starting to make an appearance is the steganographic file system (SFS), which is discussed later.

The reasons for using steganography today, and the people who want to use it, have probably not changed since it was first documented. Historically, the main users were governments and armies.

The use of steganography by governments and terrorist organisations certainly seems plausible. Some newspaper reports have linked steganography to terrorist groups, but there does not seem to be any hard evidence. This could be because it is very difficult to detect, or because any government agency able to detect it does not want that ability known. Steganography would clearly be useful for terrorist purposes, and would quite likely be considered as a way of distributing training material, coordinating attacks or passing intelligence.

Steganography could also find a use in corporate espionage. It was reported that an engineer suspected of stealing intellectual property had used steganography to hide engineering specifications inside other images before sending them by e-mail. (Computerworld, n.d.) Although steganography can be used for this purpose, the amount of data that can be hidden without changing the host file noticeably is small: simple LSB embedding stores about one bit per byte of cover, so a 1 MB image carries roughly 128 KB, and hiding more means either larger covers or deeper, more detectable changes. A flash drive would be an easier option. Flash drives can easily be bought with capacities of up to 128 GB and are very hard to control because of their small size and widespread use as personal storage devices, so it would be much easier to steal information by copying it to one.

It is possible to find a form of steganography used in large companies by end users adapting existing computer systems. One case which I have observed is where the description field on the product database of a retail company was used to pass information to the sales staff from the buyers that a product would soon be discontinued and should not be recommended for wedding lists. This was done by adding two characters to the beginning of the description e.g. “>> Sony wide screen TV”.  These characters did not mean anything to anyone else and were ignored, thus the message was hidden from anyone who did not know what to look for.

Criminal organisations may consider using steganography for very similar reasons to terrorist organisations. Paedophile rings in particular could use steganography to hide images of child abuse inside innocuous images in order to trade them with other paedophiles. A study by Niels Provos and Peter Honeyman at the University of Michigan analysed over 2 million images from internet sites in order to determine whether steganography was being used on the internet. They found no hidden messages and concluded that steganography was probably not in use on the internet. (Nelson, et al., 2009: 411) and (ZDNet, n.d.)

As shown by Provos and Honeyman in their study, there does not appear to be widespread use of steganography on the internet. However, this result could also reflect how difficult steganographic content is to detect when the program used to create it is any good. Most forensic investigators do not encounter steganography during investigations, and detecting it without knowing which program was used is unreliable. (Philipp et al., 2009:212) Even though it is not commonly encountered at present, it would be good practice for a forensic investigator to use a commercial tool such as StegoSuite by WetStone to check whether any steganography programs have been installed. StegoSuite is advertised as identifying over 500 known steganography programs and as detecting and cracking steganographic files and extracting their content (Wetstone(a), n.d.).

Far fewer tools exist to detect steganographic content than to create it. One tool which is available for free is Stegdetect, which claims to detect steganographic files created by seven programs (Provos, N., n.d.). It works only on JPEG images, so it is no help against tools that use LSB substitution in BMP or GIF files, and its tests are statistical: the output is a confidence level that an image has been altered, not the hidden message itself.
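The kind of statistical test such detectors rely on, as an added example for this article (not Stegdetect’s code): the pairs-of-values chi-square test described by Westfeld and Pfitzmann, which exploits the fact that LSB substitution moves samples between the two values of a pair (2k, 2k+1) but never between pairs, so embedding random-looking data equalises the counts within each pair. It assumes 8-bit samples (a greyscale image or one channel of an RGB one); the cover is a constructed sample whose histogram has gaps from a contrast stretch, not a real photograph, and the window size and the factor of 2 are thresholds chosen here.

```python
"""Pairs-of-values chi-square test for sequential LSB embedding (Westfeld and
Pfitzmann). Added example for this article, not Stegdetect's code. Assumes
8-bit samples; the cover below is constructed, not a real photograph."""
import random


def pair_chi_square(values, levels=256):
    """Chi-square statistic over the histogram pairs (2k, 2k+1).
    LSB embedding of random bits moves samples between the two halves of a
    pair but never between pairs, so the counts within each pair equalise and
    the statistic drops to about the degrees of freedom (one per pair in use).
    An untouched cover normally gives a much larger value."""
    hist = [0] * levels
    for v in values:
        hist[v] += 1
    stat, dof = 0.0, 0
    for k in range(0, levels, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected == 0:
            continue  # pair unused by this image: no information either way
        stat += (hist[k] - expected) ** 2 / expected
        stat += (hist[k + 1] - expected) ** 2 / expected
        dof += 1
    return stat, dof


def looks_embedded(values, factor=2.0):
    """True when the statistic is within a small factor of its degrees of freedom."""
    stat, dof = pair_chi_square(values)
    return dof > 0 and stat < factor * dof


def embedded_windows(values, window=4000, factor=2.0):
    """Apply the test to consecutive windows. Tools that fill the cover from
    the top leave a run of flagged windows followed by clean ones, which also
    gives a rough estimate of the payload size."""
    return [looks_embedded(values[s:s + window], factor)
            for s in range(0, len(values) - window + 1, window)]


def synthetic_cover(n=60000, seed=1):
    """Constructed grey-level sample: gaussian values put through a contrast
    stretch, which leaves comb-like gaps in the histogram much as editing a
    real photograph does. Those gaps are why the untouched cover fails the
    pair-equality hypothesis so clearly."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        v = int(rng.gauss(128, 25))
        v = int((v - 128) * 1.5 + 128)  # stretch: every third level ends up empty
        out.append(min(255, max(0, v)))
    return out


def embed_random_lsbs(values, fraction=1.0, seed=2):
    """Overwrite the LSB of the first `fraction` of the samples with random
    bits, which is what sequential embedding of encrypted or compressed data
    looks like to the statistic."""
    rng = random.Random(seed)
    n = int(len(values) * fraction)
    return [((v & 0xFE) | rng.getrandbits(1)) if i < n else v
            for i, v in enumerate(values)]


if __name__ == "__main__":
    cover = synthetic_cover()
    print("cover:", pair_chi_square(cover), looks_embedded(cover))
    stego = embed_random_lsbs(cover)
    print("stego:", pair_chi_square(stego), looks_embedded(stego))
    print("half filled:", embedded_windows(embed_random_lsbs(cover, fraction=0.5)))
```

On the whole sample the untouched cover scores many times its degrees of freedom while the fully embedded copy scores close to them; a cover only half filled is missed by the whole-image test but shows up as a run of flagged windows in the first half, which is how the original attack also estimated message length. The test says nothing about what was hidden, and it is defeated by tools that scatter the payload with a key or preserve the histogram, which is why detection tools report confidence levels rather than messages.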

Because steganography is so hard to detect, its use may be boosted by Part III of the Regulation of Investigatory Powers Act 2000, which came into force in 2007. This legislation can compel an individual to disclose the password or key for encrypted content or face up to two years’ imprisonment (Office of Public Sector Information, n.d.). If a suspect can be forced by law to hand over the passwords to encrypted files which may in turn incriminate them, it is quite plausible that steganography, rather than plain encryption, would be used to get round this law. The development of SFSs could be the ideal solution (Wetstone(b), n.d.). An SFS would allow a suspect to plausibly deny that anything was hidden on the computer by providing a password which only unlocks the non-incriminating files. The design goal is that no evidence that any other files exist can be produced, because the hidden data is indistinguishable from the random data with which the unused space is filled. One SFS currently in development is StegFS (Petter, A.C., n.d.).

Steganography creates the problem that there does not appear to be any evidence to investigate, which is a difficult starting point for the forensic investigator. As we have seen, detecting the steganographic content itself is hard, so detection in practice focuses on traces of the tools that were used rather than on the covert information: installed programs, the registry keys and recently-used file lists they leave, and the cover files they produce. The main weakness of this approach is that some tools can be run from external storage devices without leaving a copy of the program on the computer, although execution traces such as Windows prefetch files or most-recently-used lists can still survive a tool being run from removable media.

Steganographic methods may have changed through the ages, but for the forensic investigator the complexity of the challenge of discovering the hidden message remains. It is thus imperative for the forensic investigator to continue to develop new detection techniques in order to keep pace with the ever more sophisticated methods employed by steganographers.

References

Brown, A. (n.d.) S-Tools. http://www.packetstormsecurity.org/crypt/stego/s-tools/ (accessed 24-12-2009)

Computerworld (n.d.) Steganography: Hidden Data. http://www.computerworld.com/s/article/71726/Steganography_Hidden_Data (accessed 29-12-2009)

Darkside Technology (n.d.) Snow. http://www.darkside.com.au/snow/index.html (accessed 30-12-2009)

EFF (n.d.) DocuColor Tracking Dot Decoding Guide. http://w2.eff.org/Privacy/printers/docucolor/ (accessed 28-12-2009)

FBI (2004) An Overview of Steganography for the Computer Forensics Examiner. http://www.fbi.gov/hq/lab/fsc/backissu/july2004/research/2004_03_research01.htm (accessed 26-12-2009)

FBI(a) (n.d.) Spy Gadgets in World War II: Microdots. https://www.mi5.gov.uk/output/microdots.html (accessed 28-12-2009)

FBI(b) (n.d.) Invisible Ink. https://www.mi5.gov.uk/output/microdots.html (accessed 28-12-2009)

Kipper, G. (2003) Investigator's Guide to Steganography. 1st ed. Florida: Auerbach Publications.

Nelson, B., Phillips, A. & Steuart, C. (2009) Guide to Computer Forensics and Investigations. 4th ed. Boston: Course Technology.

Office of Public Sector Information (n.d.) Regulation of Investigatory Powers Act 2000: Power to require disclosure. http://www.opsi.gov.uk/acts/acts2000/ukpga_20000023_en_8#pt3-pb1 (accessed 19-12-2009)

Oxford English Dictionary (2009) http://www.oed.com/ (accessed 27-12-2009)

Petter, A.C. (n.d.) StegFS. https://albinoloverats.net/stegfs (accessed 28-12-2009)

Philipp, A., Cowen, D. & Davis, C. (2009) Hacking Exposed Computer Forensics. 2nd ed. s.l.: McGraw-Hill Osborne.

Provos, N. (n.d.) OutGuess resources: detection. http://www.outguess.org/detection.php (accessed 2-12-2009)

Spammimic.com (n.d.) Spam Mimic. http://www.spammimic.com/index.shtml (accessed 30-12-2009)

Spice, B. (1998) German Monk's 500-year-old Mystery Solved. Post-Gazette, 29 June. http://www.post-gazette.com/healthscience/19980629bspirit1.asp (accessed 29-12-2009)

Uid, Dr. (n.d.) SteganRTP. http://sourceforge.net/projects/steganrtp/files/ (accessed 30-12-2009)

Wetstone(a) (n.d.) StegoSuite. http://www.wetstonetech.com/cgi-bin/shop.cgi?view,1 (accessed 30-12-2009)

Wetstone(b) (n.d.) File systems due to UK law. http://www.wetstonetech.com/blogs/blog1.php/2009/03/24/u-k-law-serves-as-catalyst-for-new-stega (accessed 26-12-2009)

Whitman, M. E. & Mattord, H. J. (2008) Principles of Information Security. 3rd ed. New York: Delmar.

ZDNet (n.d.) Analysis of internet images for sign of steganography. http://news.zdnet.co.uk/internet/0,1000000097,2096060,00.htm (accessed 29-12-2009)