Computer Forensics: Is Steganography out there?

Every week, possibly every day, it appears that there is a new article about steganography (obviously there is at least one new one today):

  • Stego is out there, but it's being missed!
  • Terrorists are exchanging pictures with messages in them!
  • Paedophiles are hiding child abuse pictures in adult porn!

So the story goes.

The stories on steganography generally come in two forms: scare stories and technical documents.

The Scare Stories

Scare stories from the press. These are stories from every major news organisation, talking about the “issue” of information hiding. Examples include

Technical Documents

There are lots of technical documents on steganography as well. They include:

  • Documents explaining how files are encrypted and then hidden.
  • Documents explaining how to break steganography.
  • Documents discussing how to detect steganography.

Most of these documents are well written, intelligent, and interesting. Nearly all are published by, or hint at, a vendor of stego tools.

Powerful Combination

The mass of press articles, in both the technical and mainstream media, combined with the technical reports, creates a belief that steganography is here, is being used, and is a real problem. In one of Chet Hosmer’s articles on DFI news he states that:

The risk and threat posed by steganography has been argued vigorously for over a decade. Whether you believe that this elusive cyber threat poses an imminent danger, or has been effectively utilized to conceal incriminating information, covertly communicate between operatives, or is utilized to exfiltrate vital information

Chet Hosmer writes very well, and clearly knows more about steganography than this author will ever know, and Wetstone (his company) produce some fantastic products. But in this article he does not mention another part of the argument about steganography: some commentators and researchers believe that stego is not a problem.

It is too often assumed that steganography is a problem. But is it?

The other side of the argument

Are criminals and ne'er-do-wells using steganography? Are police coming across cases with steganography?

It appears not.

There is no reported case of the police, or any law enforcement, genuinely finding steganography in a live environment [If somebody can provide information to this site, relating to live cases of steganography, then this article will be re-written].

The fantastic site, British and Irish Legal Information Institute, a database of UK cases, does not have a single case reporting steganography.

BBC, CNN, and ABC have lots of stories about steganography, but not a single genuine story could be found relating to arrests of individuals using steganography, let alone convictions. Similar searches were done across the internet, and no substantiated case of steganography being used in a live criminal environment could be found.

The argument will be that it's because it's not been found.

But cryptography is found in cases, and this can effectively hide information from forensic tools. Sadly, in some forensics labs, data is often processed through an almost conveyor belt of forensics, using keyword searches, pre-defined hash sets and scripts, simply for economic purposes. Despite this high volume/low cost approach to computer forensics, cryptography is still detected. But steganography is not. Is it because it's not there?

Is absence of evidence, evidence of absence?

Other, more intelligent people than this author have looked at the issue of steganography, and they get the same results as me using Google. Nothing.

  • Millions of pictures from eBay were searched for steganography by researcher Niels Provos at the University of Michigan. None were found.
  • Research has been conducted looking for steganography that a normal PC might stumble upon during normal use of the internet, and no steganography was found.
  • The Register conducted a search of several hundred Gulf War images. Nothing conclusive was found.

In fact, the FBI have gone a step further. It was reported that “Before now, the FBI has complained that the perpetrators of the 11 September attacks did little to hide their electronic tracks.”

i.e. in the most famous, most dramatic, of terrorist attacks ever executed, the people involved were too lazy to use encryption, let alone cryptography.

Perhaps the stego detection tools are not sensitive enough? Unfortunately they are overly sensitive, with anything between a 2% and 10% false positive rate (but a 0% false negative rate; from testing known files).

What do we know?

Steganography is interesting. It's cool. It's geeky. It also makes money and there are lots of PR articles on it. Finding confirmed cases of steganography being used is difficult, and research into steganography implies that it's not common out there.

Is steganography used? Probably. But how often? 1 in 6 billion people? 1 in 1 billion? 1 in 100 million? And out of these people how many are criminals? We don’t know, but what we do know is that it doesn’t appear common.
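Added example, not part of the original post: the base-rate arithmetic behind the 2% to 10% false positive figure and the prevalence guesses above. It assumes the guessed 1-in-N rates apply per scanned file and uses a constructed corpus of one million files; the function names are illustrative.

```python
# Added illustration: base-rate effect for a stego detector.
# FPR range (2%-10%) and FNR (0%) are the figures quoted in the article;
# treating "1 in N" as a per-file prevalence and the corpus size are assumptions.

def ppv(prevalence, fpr, fnr=0.0):
    """P(file really carries stego | detector flagged it), by Bayes' rule."""
    true_pos = prevalence * (1.0 - fnr)
    false_pos = (1.0 - prevalence) * fpr
    return true_pos / (true_pos + false_pos)

def expected_alerts(corpus_size, prevalence, fpr, fnr=0.0):
    """Expected (true, false) alert counts when scanning corpus_size files."""
    carriers = corpus_size * prevalence
    return carriers * (1.0 - fnr), (corpus_size - carriers) * fpr

def prevalence_for_ppv(target, fpr, fnr=0.0):
    """Prevalence needed before an alert is correct with probability `target`."""
    return target * fpr / ((1.0 - fnr) * (1.0 - target) + target * fpr)

def report(corpus_size=1_000_000):
    """One row per (FPR, prevalence) pair: PPV and expected alert counts."""
    rows = []
    for fpr in (0.02, 0.10):
        for one_in in (100_000_000, 1_000_000_000, 6_000_000_000):
            p = 1.0 / one_in
            true_a, false_a = expected_alerts(corpus_size, p, fpr)
            rows.append((fpr, one_in, ppv(p, fpr), true_a, false_a))
    return rows

if __name__ == "__main__":
    for fpr, one_in, value, true_a, false_a in report():
        print(f"FPR {fpr:.0%}, prevalence 1 in {one_in:,}: PPV {value:.2e}, "
              f"true alerts {true_a:.4f}, false alerts {false_a:,.0f}")
    for fpr in (0.02, 0.10):
        print(f"FPR {fpr:.0%}: an alert is right half the time only once "
              f"prevalence reaches {prevalence_for_ppv(0.5, fpr):.2%}")
```

Under these assumptions a scan of a million files yields tens of thousands of alerts, essentially all false, each of which still needs manual review.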

Related article: Steganography and Electronic Discovery


3 Responses to “Computer Forensics: Is Steganography out there?”

  1. Tomasz Says:

    ..why doesn’t appear common? I do not agree 😉
    DRM is not popular yet but maybe it will be in the future?
    To be more popular it should offer MORE than only to prohibit access or identify the end user. What does MORE mean? Let’s look at YouTube:


  2. buzzmaxwell Says:

    of course steganography doesn’t appear common! isn’t that the whole idea? i think there may be an overlooked fact or two in this story..mainly that the author is a m..r…n hmm something missing here too..

    • 585 Says:

      Strange – there is no evidence of it, despite numerous tools looking for it. There is no evidence of it despite hundreds, if not thousands of people looking for it….but we should believe it is still a problem because….of marketing?

      Church of the flying spaghetti monster anyone?
