Investigators Guide to Steganography

In all methods of steganography, something is done to conceal a message; naturally, these actions or techniques can be separated and analyzed to learn what is happening during the whole process. The six categories of steganography are:

  1. Substitution system techniques

  2. Transform domain techniques

  3. Spread spectrum techniques

  4. Statistical method techniques

  5. Distortion techniques

  6. Cover generation techniques

Substitution System

Substitution system steganography replaces redundant or unneeded bits of a cover with the bits from the secret message. Several steganography tools that are available use the Least-Significant Bit (LSB) method of encoding the secret message. LSB works like this: In a digital cover (picture, audio, or video file), there is a tremendous amount of wasted or redundant space; it is this space that the steganography program will take advantage of and use to hide another message, on the bit level, within the digital cover.

For example, the following string of bytes represents part of a cover, a picture:

10000100 10000110 100001001 10001101 01111001 01100101 01001010 00100110

Each byte is comprised of eight bits; these bits make up a color value in our picture, a shade of red, or blue, etc. Now, the bits that make up the byte go from left to right in order of importance to the color value they are representing. For example, changing the first bit in our first string from a 1 (10000100) to a 0 (00000100) will drastically change the color, as opposed to changing the last number from a 0 (10000100) to a 1 (10000101). It is that last bit that is considered the least significant, because changing its value has little effect on the information the byte is representing.

Take a look at how a substitution system in steganography can be used to hide a message. Using our string of bytes

10000100 10000110 10001001 10001101 01111001 01100101 01001010 00100110

we will introduce our hidden message, which is the number of a locker in a bus terminal, locker number 213:

213 represented as a binary number is 11010101.

Now, using the least-significant bit method, the 213 message will be blended into our cover. We will do this one byte at a time.

Of the eight bytes of information, only five have been altered, and our message has been embedded. Now, while this example deals with only 8 bytes of data, imagine the amount of redundant information in a cover image that is 500 kilobytes or 1 megabyte. Within all those 1s and 0s are a lot of least-significant bits that can be changed with little or no noticeable difference to the cover image.

The LSB technique is commonly used in steganography applications because the algorithm is quick and easy to use; LSB also works well with gray-scale as well as color images.

The LSB technique does have its drawbacks, though. Sometimes, depending on the pixel, adjusting the LSB can dramatically affect the pixel's properties, making it look out of place in the picture, and therefore subject to detection. This problem can limit the amount of substituted bits, and therefore the size of the secret message. Another problem with this method of message hiding is the picture's resistance to changes. If the picture is cropped or rotated, the algorithm will not be able to find which least-significant bits are part of the message and which ones are just supposed to be there.

Transform Domain Techniques

This technique is also very effective and a little trickier to explain. Basically, transform domain techniques hide message data in the "transform space" of a signal. (If you are saying "Huh?" to yourself, hold on, I will explain.) Every day on the Internet, people send pictures back and forth, and most often they use a JPEG format. JPEGs are interesting in that they compress themselves when they close. In order for this to take place, they have to get rid of excess data, excess bits that would otherwise prevent them from compressing. During compression, a JPEG will make an approximation of itself to become smaller; that change, that approximation, is transform space, and that change can be used to hide information.

Spread-Spectrum Techniques

Direct Sequence

In direct sequence spread spectrum, the stream of information to be transmitted is divided into small pieces. Each of the pieces is allocated to a frequency channel of the spectrum. The data signal, at the point of transmission, is combined with a higher data-rate bit sequence that divides the data according to a predetermined spread ratio. Redundant data-rate bit sequence code helps the signal resist interference and enables the original data to be recovered if any of the data bits are damaged during the transmission.

Frequency Hopping

This technique divides a broad slice of the bandwidth spectrum into many possible broadcast frequencies. In general, frequency-hopping devices use less power and are cheaper, but the performance of direct sequence spread-spectrum systems is usually better and more reliable.

Statistical Methods

Statistical methods use what is called a "1-bit" steganographic scheme. This scheme embeds one bit of information only in a digital carrier, and thus creates a statistical change, even if it is only a slight one.

A statistical change in the cover indicates a "1," a cover left unchanged indicates a "0." This system works based on the receiver's ability to distinguish between modified and unmodified covers.

Distortion Techniques

This method of steganography creates a change in a cover object to hide information. The secret message is recovered when the algorithm compares the changed, distorted cover with the original.

Cover Generation Methods

Cover generation methods are probably the most unique of the six types. Typically, a cover object is chosen to hide a message in, but that is not the case here. A cover generation method actually creates a cover for the sole purpose of hiding information. Spam Mimic is an excellent example of a cover generation method.

Категории