Background of Steganography
Steganography is the process of hiding information in digital media such as images, sound files and text files. The information is hidden covertly, and only the sender and recipient know how to retrieve it. This technique lets the sender and receiver communicate secretly without a third party being aware of the exchange. The file in which the data is hidden is generally called the cover or stego image, or the host file; the covert data is the data that has been hidden inside it. Individuals who use steganography may be harmless users, but they may also be cybercriminals or terrorists using it to communicate secretly. During any criminal investigation it is vital to gather as much evidence as possible, especially digital evidence. A digital forensics investigator working for law enforcement is generally responsible for analyzing digital media and retrieving as much evidence as possible in a case. When dealing with digital media, investigators use a process called steganalysis: detecting and recovering information hidden by steganography techniques.
In a digital forensic investigation, one of the most important parts is trying to obtain as much forensic evidence as possible. I believe that steganography has been getting easier today with the availability of free steganography applications. These applications make it easier for a potential criminal to hide information from a third party. This type of information could be the source of evidence in a forensic investigation, proving that the suspect is indeed guilty and is using such techniques in aid of cyberterrorism. Pictures can be suspicious in nature, whether because there are multiple copies of the same image or because of the content itself. Such images should be selected for further mobile forensic analysis, with the potential of retrieving forensic evidence.
I will be attempting to retrieve hidden information from stego images on an Android smartphone. The stego images will be created using a free Android application from the Google Play Store called Steganography Master. I chose Steganography Master because it was the number one search result for Android steganography applications.
The tools I will be using to retrieve the information are open source steganalysis and forensic tools: pngcheck, exiftool, binwalk, stegdetect, strings, zsteg, stegano (stegano-lsb) and stegoveritas.
The purpose of this experiment is to take a deeper dive into a mobile forensic investigation: to analyze the images on a seized smartphone with the aim of retrieving hidden information, on top of a normal file system extraction of the device. My hypothesis for this experiment is that I will be able to tell whether an image is a stego image, but I will not be able to retrieve the hidden content without using the same application. As the availability of mobile steganography applications increases, more open source steganalysis tools should become available to aid investigators in a forensic investigation. If I am successful in extracting the hidden information, it will give the forensic community a way to retrieve hidden information from stego images created with Steganography Master. If I am not successful, I will raise awareness of the need for more forensic and steganalysis tools that help forensic investigators retrieve hidden information.
Steganography Master is an application for Android where you can encode a message in a picture and then save it or send it to a friend. The message can only be decoded using the same app, and if you want to ensure that only the intended receiver can read the message, you can also provide a password.
A demonstration of how to encode and decode text in Steganography Master is shown below. The message I decided to encode is "This is a secret message."
Encode Text Process:
Decode Text Process:
To begin my steganalysis, I performed a live Android file system acquisition using ADB and dd on my device (Samsung Galaxy Note 8). Once I had access to all the files from the file system acquisition, I navigated to my gallery to locate the stego image I had created with Steganography Master. After downloading the image to my computer, I also downloaded all the tools needed to conduct steganalysis. Below is a screenshot of every application and program used, and its results.
pngcheck verifies the integrity of PNG, JNG and MNG files by checking the internal 32-bit checksums and decompressing the image data.
pngcheck provides a detailed list of attributes of the .png stego image.
Exiftool is a command-line application for reading, writing and editing metadata in a wide variety of file formats (JPG, TIFF, PNG, PDF, RAW).
Exiftool provides the file times, types and details, but nothing that would indicate this is a stego image.
Binwalk is a tool designed for identifying files and code embedded inside firmware images.
Binwalk was able to detect compressed data within the stego image, revealing that there is information embedded. This evidence may suggest that there is hidden information in the image.
Stegdetect is an automated tool for detecting steganographic content in images.
Stegdetect did not detect anything because it is not compatible with .png image files. Based on the results, it can be inferred that stegdetect is compatible with .jpeg files.
Strings scans the file you pass it for Unicode strings with a default minimum length of three Unicode characters.
Strings presents the data in Unicode format, but no evidence can be found supporting that this is a stego image.
zsteg detects steganographically hidden data in PNG and BMP files.
zsteg was able to identify that there is embedded or hidden text, but the text appears to be encrypted. The strings identified in the file are "eYae_QuS" and "VieQoUQs".
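The two signals reported above, compressed data that binwalk finds inside the file and text that zsteg reads out of the least-significant bits, can both be checked without the tools. The script below is an added example, not code from this write-up, from Steganography Master, or from binwalk or zsteg. It walks the PNG chunk list and reports any bytes that follow the IEND chunk (one place binwalk finds "extra" compressed data), then decodes the pixel data and reads the LSB plane as text the way a simple LSB extractor does. It assumes 8-bit grayscale PNGs whose rows use filter type 0; the cover image, the embedded payload and the appended blob are all constructed inline so it runs offline, and the embed helper exists only to produce that test input.

```python
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def parse_png_chunks(data):
    """Walk the chunk list, verifying each CRC; return (chunks, trailing) where
    chunks is a list of (type, offset, length) and trailing is anything after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if (zlib.crc32(ctype + body) & 0xFFFFFFFF) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        chunks.append((ctype.decode("ascii"), pos, length))
        pos += 12 + length
        if ctype == b"IEND":
            break  # a well-formed PNG ends here; anything after is suspicious
    return chunks, data[pos:]


def build_gray_png(width, height, pixels):
    """Constructed test input: minimal 8-bit grayscale PNG, filter type 0 on every row."""
    def chunk(ctype, body):
        return (struct.pack(">I", len(body)) + ctype + body
                + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))
    raw = b"".join(b"\x00" + bytes(pixels[y * width:(y + 1) * width])
                   for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def gray_pixels(data):
    """Decode an 8-bit grayscale PNG whose rows all use filter type 0.
    Assumption of this example: a real decoder must also undo filters 1-4."""
    chunks, _ = parse_png_chunks(data)
    width = height = 0
    idat = b""
    for ctype, off, length in chunks:
        body = data[off + 8:off + 8 + length]
        if ctype == "IHDR":
            width, height, depth, color = struct.unpack(">IIBB", body[:10])
            if depth != 8 or color != 0:
                raise ValueError("example handles 8-bit grayscale only")
        elif ctype == "IDAT":
            idat += body  # IDAT chunks concatenate into one zlib stream
    raw = zlib.decompress(idat)
    pixels = []
    for y in range(height):
        row = raw[y * (width + 1):(y + 1) * (width + 1)]
        if row[0] != 0:
            raise ValueError("example handles filter type 0 only")
        pixels.extend(row[1:])
    return width, height, pixels


def lsb_bytes(pixels, count):
    """Pack the least-significant bit of consecutive pixels, MSB first, into bytes."""
    out = bytearray()
    for i in range(0, min(count * 8, len(pixels) // 8 * 8), 8):
        byte = 0
        for value in pixels[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)


def embed_lsb(pixels, payload):
    """Constructed test input only: write payload bits into the LSB plane."""
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for cover")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def printable_ratio(blob):
    """Share of printable ASCII bytes: noise scores ~0.3-0.4, an ASCII payload near 1.0."""
    return sum(32 <= b < 127 for b in blob) / max(len(blob), 1)


def inspect_png(data, probe_bytes=16):
    """Report bytes after IEND (what binwalk flags) and the LSB-plane prefix as text."""
    _, trailing = parse_png_chunks(data)
    _, _, pixels = gray_pixels(data)
    prefix = lsb_bytes(pixels, probe_bytes)
    return {"trailing_len": len(trailing), "lsb_prefix": prefix,
            "printable": printable_ratio(prefix)}


# Constructed 16x16 cover with noisy low bits, plus two doctored copies of it.
_rng = random.Random(7)
COVER = [(x * 7 + y * 5 + _rng.randrange(4)) & 0xFF for y in range(16) for x in range(16)]
CLEAN_PNG = build_gray_png(16, 16, COVER)
LSB_STEGO_PNG = build_gray_png(16, 16, embed_lsb(COVER, b"secret message!\x00"))
APPENDED_PNG = CLEAN_PNG + zlib.compress(b"hidden blob after IEND")
```

Running inspect_png over the three constructed files shows the difference an examiner looks for: the clean cover has no trailing bytes and an LSB prefix that reads as noise, the appended copy reports a non-zero trailing length, and the LSB copy yields readable text with a high printable ratio. An encrypted or compressed payload, as in the zsteg output above, would keep the trailing-data signal but score like noise on the printable check, which is why the two indicators are worth reporting separately.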
stegano is a least-significant-bit (LSB) steganography tool.
stegano was unable to detect a message in the stego image.
stegoveritas is an automatic image steganography analysis tool.
stegoveritas did not give any forensic evidence to determine that this is a stego image.
In conclusion, a stego image created with Steganography Master could not be decoded with the top open source steganalysis tools. However, zsteg and binwalk can determine that it is indeed a stego image, or an image with embedded text. These two tools provided enough evidence that the image does carry embedded or hidden information: binwalk detected compressed data within the stego image, and zsteg identified embedded or hidden text that appears to be encrypted, the strings "eYae_QuS" and "VieQoUQs". This evidence suggests that there is hidden information in the image.
After compiling a list of stego images on a suspect's device, the next step would be to analyze the images further with more professional steganalysis and forensic tools. If open source tools alone can determine that there is embedded information in an image, it is probable that professional and commercial tools could extract more forensic evidence. Most importantly, it can be concluded that Steganography Master is a very effective mobile application for hiding information in images, and the digital forensic community should be aware of this. More open source steganalysis and forensic tools should be created to help examiners retrieve hidden information from stego images.
Although the secret message could not be extracted with this list of open source tools, the exercise still served the purpose of determining each tool's advantages and disadvantages. An alternative approach to decoding images created with Steganography Master may be to shift the focus to the application itself. Steganography Master was used to encode text into images, so using the same application is currently the only way to decode an image and acquire the hidden information. Hypothetically, in a mobile forensics case, a suspect may have uninstalled the steganography application to hide its use. The first step in this situation would be to determine which steganography or other suspicious applications may have been downloaded and used in the past. A demonstration of how to retrieve the currently and previously downloaded applications on an Android device is shown below:
Open the Google Play Store application and, in the menu, tap My apps & games. Tap Installed to see a list of all currently installed applications, and tap Library to see a list of all apps downloaded on any device with the currently logged-in Google account.
This simple technique may be useful for determining which applications were previously downloaded, to gain insight about a suspect. In the example above, it can be determined that Steganography Master is currently installed. In a potential investigation, once the steganography application(s) previously installed have been identified, the next step would be attempting to decode images found on the device using those applications. Generally, a brute force attack is used for applications that require a password. Using this technique, determining the use of an application such as Steganography Master on a suspect's device can go a long way in a forensic investigation.
Book: Hiding in Plain Sight: Steganography and the Art of Covert Communication by Eric Cole
Prince Patrick Jackson Clement was born on April 20th, 1997 in Madurai, Tamil Nadu. Prince is currently attending George Mason University and is doing his Masters in Digital Forensics and Cyber Analysis. Prince is currently working as an IT Support Analyst at MyEyeDr. His career aspiration after graduating college is working at Amazon as a Cloud Solutions Architect.