1. INTRODUCTION TO STEGANOGRAPHY

The term steganography is derived from the Greek words steganos, which means 'covered', and graphein, which means 'to write' (Singh, 1999). Steganography is the art and science of hiding information. The term steganography can also be used to refer to the hidden information itself. Steganography facilitates secret, undetected communication and refers to hiding information in information (Katzenbeisser and Petitcolas, 2000).

1.1. Steganographic Techniques

Steganography can be hidden within numerous types of files, most commonly image files. The images in which the secret information is hidden are called carrier files or cover images. The resultant files which contain the hidden information are referred to as stegoed files. Various techniques of steganography include LSB (least significant bit) steganography (Wayner, 2002), manipulation of the Discrete Cosine Transform (DCT) function (Acharya and Tsai, 2005), and the append technique (Goudy, 2007). The algorithms which are used for hiding information in the carrier files use different techniques to hide information in different types of files. These algorithms act in known and predictable ways. The embedding action of the algorithms often leaves image artifacts in the cover images ("Stego Suite," 2006).

The artifacts discussed in the first research project are specific only to the images. The term 'file artifact' is used to refer to the evidence left by the steganography-producing software application on the host system that generated the stegoed files and is discussed in the second research project. Image artifacts are observable anomalies in various characteristics of the image which indicate action of steganographic embedding software. Artifacts consist of changes to associated information and are not necessarily detectable by analyzing only the pixilated composition of the image (Wayner, 2002).

Embedding applications employ these steganographic algorithms in various ways and to varying degrees of effectiveness and stealth (Wayner, 2002). Some applications leave signatures, in the images in which they have hidden information. Signatures are means of associating the image with a specific steganographic application in order to identify which steganographic application must be employed for image extraction. Signatures are also detectable by steganalytic software. A detected signature almost always indicates the presence of steganography ("StegAlyzerSS," 2006). Shorter signatures are more likely to be present in non-stegoed images by random chance, thereby producing false positives in signature-based detection software.

1.2 Detection

Various techniques are employed to detect the presence of steganography. Many detection applications are written to detect steganography based on the knowledge of the steganographic application which embedded the information. These are signature-based detection schemes (Jackson, Gunsch, Claypoole, and Lamont, 2003). A signature-based detection scheme uses knowledge of the signatures to identify suspect images. A steganographic embedding application implements an embedding algorithm. The application may leave a signature, however the algorithm may create one or more image artifacts. These artifacts can then be detected in the image regardless of the application which employed the method that the algorithm is written to implement ("Stego Suite," 2006).

2. DESCRIPTION OF THE RESEARCH

The question of concern is whether steganography is being used by criminals? The research targets the population of steganography users with a criminal background (represented by the shaded area in figure 1). The usage of steganography may or may not be made for committing or providing assistance to crime. As shown in figure 2, the research consisted of two projects. The first project consisted of the detection of the presence of steganography in carrier images found on the Web and the second project consisted of detecting if steganographic applications had been installed (and/or used) and whether they left behind file artifacts on computers that were seized during criminal investigations of various types.

2.1. Research Project I: Signature Detection in Carrier Images

This study attempted to determine to what extent steganography may have been used by criminals to communicate information over the Web. This project made the use of the signature (image artifact) detection technique explained in Section 1.

2.1.1. Motivation

Digital steganography represents a particularly significant threat today because of the large number of applications freely available on the Internet that are easy to find, download, install, and use to steal sensitive, classified, or proprietary information and conceal evidence of other types of criminal activity (Backbone Security). On the Web, there is evidence of terrorists using steganography to communicate covertly, "...individuals can use steganography. . .to embed messages into digital photographs or music clips. Posted on publicly available Web sites, the photos or clips are downloaded by collaborators as necessary. (This technique was reportedly used by recently arrested terrorists when they planned to blow up the US Embassy in Paris)" (Homer-Dixon, 2002, p. 54; Kolata, 2001). Terrorists would want to hide information in images which are posted to high traffic sites which have high turnover rates of images (Davidson and Goutam, 2004). Thus, steganography has the potential for harmful and dangerous applications.

2.1.2. Steganographic Web Survey

An attempt to determine the prevalence of steganography in carrier images on the Web was made by the research team in conjunction with Backbone Security, Inc. and law enforcement.

2.1.3. Comparison with related Prior Work: Survey conducted by University of Michigan

The research project described in this paper is distinct from the Web survey conducted by Neils Provos of University of Michigan in 2001. The latter used the tool Stegdetect to analyze over two million images from downloaded only from eBay auction sites. It was a survey of JPEG images only. The University of Michigan concluded that there was no steganography on the Web (Provos and Honeyman, 2002). Provos' survey used signature-based detection tools to detect the possible embedding of steganography only by three possible tools while as this research addresses as many as 16 information hiding tools.

2.1.4. Tools and Validation

The signature-based detection software selected for the survey proposed in this paper was StegAlyzerSS, version 1.1, named StegScan 1.1. The version of the software used to test the suspect images was ported to ANSI C from the proprietary version, and run under Debian LINUX. The version 2.0 of this software was rated effective by the Defense Cyber Crime Institute (DCCI) in tests conducted during October 2006. The tests conducted by the DCCI indicated the Backbone software was able to identify steganography from fourteen different algorithms with 99.6% certainty that steganography existed when an image was detected as containing steganography (Hirsh and Kong, 2006). The Backbone StegAlyzerSS was able to identify steganography embedded by the applications listed in table 1 (CyberScience Laboratory Functional Analysis of StegAlyzerSS Version 1.1, 2005).

2.1.5. Added Software Functionality

While the StegalyzerSS product was used as the processing engine to analyze the Web-based images, that engine needed to be embedded within a larger system capable of crawling the Web in search of those images. The following additional functionality was developed:

* Added capability to run on multiple processing nodes that then aggregated their findings onto a single master node.

* Utilized MD5 hashing to prevent the downloading and analysis of duplicate pages (i.e. the same image file on multiple pages)

* Utilized concept of worksets where a workset is a single URL to be used as a starting point for crawling. All crawling was limited to the Internet domain that the initial URL belongs to.

* Recorded all downloaded files for option of re-analysis later with additional signatures.

2.1.6. Equipment

Web crawling technology was used to find and download images by the research team. The survey was conducted with a variable number of machines as seen in the table 2. One database server was always on line. This database server was the supervisor, and passed each next URL to the crawling nodes (machines which performed the HTTP requests).

The database and file server computer was a Dell Optiplex GX280 Pentium 4 at 2.8GHz with 1 GB of RAM. The crawling nodes were Pentium Ills running at 667 MHz with 512MB RAM. The connection to the Internet was made through a fiber optic connection. The overall system layout of the survey is illustrated in figure 3.

2.1.7. Data Gathering and Analysis

The survey was conducted by crawling selected base URLs recursively until there were no more links in the domain of the base URL to visit. Sites that had URLs different than specified base URLs were not visited. The base URLs of the sites that were surveyed were provided by parties interested in the results of the research as it pertained to their areas of responsibility. These organizations included the National White Collar Crime Center (NW3C) and the Indiana State Police. Heavily trafficked foreign sites figured prominently in the list of sites crawled for steganography. The total also included sites which had less than ten URLs searched. As seen in table 3, the number in parentheses indicates the number of base URLs in the grouping. The total is the total for all of the sites crawled with that grouping of completed URLs.

The crawler application started at the base URL and crawled through all the links from each page to the maximum possible depth from the base URL. All of the items which were contained in a HREF= or IMG SRC= tag in the page source were downloaded, cataloged and then analyzed. The base URL was never traveled away from in the search, i.e., when a link specified a site with a different base URL, that link was not followed. The first recorded result was time-stamped 03/31/2006 at 1552hrs (local, Eastern time) and the final result was recorded on 06/30/2006 at 0444hrs.The image file types discovered in the survey are summarized in table 4.

These images were gathered and analyzed with the help of StegAlyzerSS application. No carrier images were found to contain steganographic signatures. Thus, the project failed to answer the research questions presented in figure 1 and figure 2.

2.1.8. Intermediate Conclusion

The Web crawling survey and signature detection did not find any conclusive evidence that steganography is being used on the Web. There are several possible explanations for this:

* There is no steganography in images on the Web

* The sample size was too small

* There was steganography, however it was not hidden in the file formats that the detection software was able to detect against, or

* There was steganography in the surveyed images; however it was not hidden using the algorithms the detection software was aware of.

2.1.9. Research Redirection

The detection problem in steganography is multivariate. There are over 825 embedding applications which have been available for download from the Internet at various times (J. Goldman, personal communication, May 16, 2007). This number is to be compared to the number of signatures which image analysis software is currently capable of detecting, which is in the neighborhood of 25-35. Not all of these signatures can be detected by a single steganography detection application.

The most likely explanation for the steganography not being detected in the Research Project I is that the steganography used and posted on the public Internet uses hiding techniques and hiding applications which were not being tested by the StegAlyzerSS detection application.

There are many steganography-producing applications that could possibly be used and it is impractical to write signature detection algorithms for all of them. For this reason, some prioritization of effort in developing signature based detection methods must be achieved. To do so there must be a sense of which applications the users of steganography are employing. To study this concept, the following "Stego-Usage Timeline" (table 5) was formed.

In order to produce a hidden message, steganographic software must be acquired and installed. This creates file artifacts on the host system. The file artifacts can take the form of changed registry entries, temporary files, directories created, and shortcuts on the desktop. Stegoed files are then generated. This involves selecting cover data, selecting the message and then embedding the message. These files would presumably be one time use files, and would be deleted at the conclusion of sending the files. The deletion of the data would, if not done securely, also leave evidence on the host machine. Specifically, standard forensic analysis would reveal these files. If the user did not delete the files in any way at the conclusion of the use of the steganography application, these files would provide images for comparison of cover images and provide an easier attack to extract the steganography. At the time the stegoed file is transmitted or posted, it could be observed over the communications channel. It would also be theoretically possible to run detection techniques against all of the data observed during transmission.

Once the suspect files have been detected, further analysis is performed. Knowing the specific steganography- producing application which hid the information would allow for possible extraction. If the message is extracted, then there may be a decryption step if the information was encrypted before it was embedded and sent. The user of the steganography software would then potentially uninstall the software perhaps thinking naively that no trace of his or her activity existed. In fact, because the vast majority of these applications are written with less than professional production values, the artifacts of the existence of that software would still be present on the host system and would be detectable if proper detection methods were used. Artifact detection would be the final step. This step requires the forensic examiner to have access to the host machine and is able to analyze it with the proper software.

Thus, a research redirection from Project I to Project II was introduced in order to address the research question as shown in figure 5. The research was carried out in two subsequent phases where Project II followed Project I and in which the approach taken for addressing the research question was modified based on the conclusions presented in 2.1.8 and the fact that the Project I failed to establish that steganography was used by criminals. Thus, Research Project I provides context for Research Project II. The redirection was based on the concept of 'Stego-Usage Timeline' presented in figure 4. As explained above, steganography-generation process involves many phases and while the time when the signature-based method (as demonstrated in Research Project I) can be used for detection is later in the timeline, the host-file detection method (demonstrated in Research Project II) allows us to traverse back to the earlier stages of steganography-generation and its detection is applicable over a larger span (dotted line in figure 4 marks the end of this span) of the Stego-Usage timeline as compared to that of the former.

Thus, the redirection consists of a focus shift from the analysis of the 'product' of the steganography-producing software; viz. the images, to the 'evidence' left by the steganography-producing software while they are being used to generate steganographic images.

2.2. Research Project II: File Artifact Detection on Criminal Computers

The second phase of the research consisted of scanning computers seized by law enforcement agencies for steganographic file artifacts.

2.2.1. Motivation

A tool which can detect steganographic file artifacts can be used on suspects' machines to determine if certain steganography-producing software was ever present or used and what it may have been. With positive results regarding the use of steganography software on machines seized by law enforcement or the national security apparatus, a sense of which steganography-producing software is popular with which criminal elements can be gained, thereby allowing research in signature detection to be focused in that direction.

It would be useful to require that all imaged hard drives booked into evidence and examined should be examined for host system artifacts with a file artifact detection application. It is critical for efficient use of law enforcement and national security resources to know which applications are being used by criminal and terrorist suspects. With the knowledge of which steganographyproducing software is in use, based on evidence provided from seized computers which exhibit artifacts of that particular steganography software, there will be a more structured focus possible in terms of writing signature based detection tools. These tools would detect against the signatures of steganography-producing applications found to be favored by the groups which are of interest. Thus, a research focus shift to host system artifact detection was indicated by the Stego-Usage Timeline.

2.2.2. Tools and Validation

The product used for performing detection of the steganographic file artifacts was Backbone Security's StegAlyzerAS version 2.1. This software tool enables the investigators to detect the presence of steganography-producing programs as well as the remnants of such programs within a computer's file and registry. The program enables the user to search files, directories, entire drives, and forensic images to locate evidence of data hiding activity on a disk. The program is capable of mounting forensic images in the following formats: EnCase RAW (dd), ISO, and SMART. StegAlyzerAS includes case management features to log all actions performed during an investigation, record detailed information about each case, and manage collected evidence. The application generates reports in HTML format (CyberScience Laboratory, 2008). Version 2.1 of StegAlyzerAS can detect all the file and Windows Registry artifacts associated with 625 digital steganography and information hiding tools (Backbone Security). StegAlyzerAS allows the search of the files by using hash values such as MD5 and SHA-256 which are stored in the Steganography Application Fingerprint Database (SAFDB) and registry entries stored in the Registry Artifact Key Database (RAKDB) distributed with StegAlyzerAS (Backbone Security).

This host artifact detection tool was tested for performance by conducting a study of a test machine on which a variety of steganographic software was installed and deleted or uninstalled. StegAlyzerAS was able to detect that all of those steganography-producing programs were once installed on the test machine. Also, StegAlyzerAS was found to be effective for identifying file and registry artifacts by the Defense Cyber Crime Institute (DCCI) and the CyberScience Laboratory (CSL) (Backbone Security).

2.2.3. Data Collection Process

The product along with its usage instructions was sent to Chicago Police Department (CPD) which scanned the criminal computer disks with the help of StegAlyzerAS. A member of the research team was allowed to carry out the scans of the criminal computers for a day at the CPD. The research team also scanned images provided by the Indiana State Police. The tool was run against the disk images of total 96 computer drives from seized computers and each one was known as a case. This formed the sample set which corresponded to the population of users of steganography with criminal background (n=96).

2.2.4. Data Processing and Analysis

The information from the generated HTML files was extracted into a MS Access database (2002- 2003 format) which consisted the following for each case:

* Description of the case: This consisted of details regarding the seized computer, crime associated with it, agency handling the case and criminal details

* Results obtained after scanning the respective drive: This consisted of information about the artifacts found in the report of each case, the corresponding steganography-producing application which generated it, the location of the artifact and its MD5 hash value.

2.2.5. False Positive Analysis

A large number of artifacts were flagged as likely steganography-producing software artifacts. But these artifacts may or may not have been the indicators that steganographic tools were installed on that machine because certain artifacts that are left behind by the steganography-producing applications can also be left by common and harmless applications; e.g. unwise.exe is a common artifact found bundled with the Wise installer package. Although, StegalyzerAS flags it to be associated with steganography-producing software, a particular instance of the artifact may be left behind by software like MS Word since unwise.exe is used by non-steganographic software too. Therefore, the entire artifact list obtained in the scan results had to be subjected to a false positive analysis.

In order to ensure that a particular artifact was specific to a steganographic application the following false positive treatment was devised. The NIST National Software Reference Library database (NSRL) consists of MD5 hash values of file artifacts left by known, traceable software applications and it also lists the type of application it is. The NIST database was broken down into 3 different classes as follows:

The false positive analysis was carried out by assigning a value to each (artifact, corresponding steganography-producing application) pair based on the comparison of its hash value with those in the NSRL database and depending on the class under which it fell. The values were assigned from the following set:

2.2.6. Results and Analysis

The artifacts and applications were then subjected to analysis as per the value taken by the false positive flag. The obtained results and their implications are enlisted as below:

* The term 'interesting items' refers to the entries flagged with a 'PS' or a 'NF' value because it indicates that either the (application, artifact) pair is confirmed as steganography or it cannot be eliminated as a nonsteganographic instance respectively.

* The total of the 96 cases had 4708 (application, artifact) pairs and not all of them were unique. In terms of artifacts, only 62 unique artifact names were found where 1 1 of them appeared only once. The remaining 51 artifact names accounted for 928 of the 939 total interesting items (98.8%). Thus, a large number of duplicates was found in the (application, artifact) pairs.

* Manual scan results depended on the intelligent judgment of the human who was conducting it. As seen in table 7, in spite of going through the paths of each and every (application, artifact) pair, it was not possible to conclude in any case that an artifact was definitively steganographic in nature from its path name and the location of the folder on the seized criminal computer. Thus, the manual scan failed to produce any positive results for this dataset (MS=O).

The number of occurrences for each of the flag values in the order of its decreasing importance is specified in table 7.

* It can be observed that there is 42.1410 % of confirmed nonsteganographic data which means that in the best possible case there can be 57.8590% of steganography (if all the NF and ID flags were indeed positive in terms of steganography) out of which this research was able to prove and confirm 0.2549%. The other tools that StegAlyzerSS was capable of detecting were either not popular among the criminals or their corresponding artifacts were categorized as NF or ID. And thus the possibility of the usage of those applications by criminals cannot be eliminated.

* Twelve Positive Steganography flags were found. They were distributed over four cases respectively. Table 8 provides the details regarding these findings. It can be seen that the results generated by StegAlyzerAS and the false positive treatment confirmed the use of four different applications for generating steganography; viz. Gif-ItUp, OutGuess, MP3StegoEncoder and wbStego. If these applications are compared with those mentioned in table 1 it is observed that the signature detection tool StegAlyzerSS was only capable of scanning the criminal computers for 16 programs and out of which only one; namely wbStego was used by the criminals and also the version used was different. Thus table 8 demonstrates that steganography had been used by criminals of varied backgrounds and that certain steganographic tools are likely to be popular among criminals that the signature detection tools were not capable of recognizing.

* These results can also contribute in formulating efficient signature detection approach by providing input in the form of a list of popular steganography-producing programs. This is done by introducing prioritization in the process of signature detection as shown in figure 6. As explained in section 2.1.9, the detection software faces limitations in terms of the number of signatures it is capable of detecting. This is because the number of existing steganographyproducing applications is too large to be incorporated into the detection engine and it keeps growing over time. For instance, from the feedback of the analysis provided by table 8, the detection tool should incorporate the capability for detecting the steganographyproducing tools found in file artifact scanning; namely Gif-It-Up, OutGuess, MP3StegoEncoder and the specific versions of wbStego mentioned in the table 8, i.e. it should be aware of the algorithms used by these applications. The applications which are associated with NF and ID flags and which occur over and over again can also be incorporated in the signature detection tool. Since a large number of (artifact, application) duplicate pairs were found in this case, it becomes easier to choose the applications for prioritization.

2.3. Conclusion

The results of the Research Project II demonstrate that evidence pertaining to the usage of steganography by criminals was found and thus a proof of concept of the effectiveness of the new, enhanced procedure proposed for finding steganography was presented. The procedure proposed in Research Project I failed to provide evidence in favor of the argument that 'steganography is being used by criminals'. Thus, the new methodology based on Stego-Usage Timeline is an improvement over the one proposed in Research Project I and has been able to answer the research questions presented in figure 1 and figure 2 positively. The research also demonstrates the concept of prioritization of the steganography-producing software by providing feedback based on the scanning results for the purpose of designing efficient signature detection algorithms. The following figure summarizes the contribution of the entire research effort.

2.4. Further Research

Although the research was able to present a proof of concept of the proposed Stego-Usage Timeline methodology, the evidence observed was limited and is not statistically significant to analyze the trends the observed in steganography-producing applications and criminal backgrounds associated with it. This can be due to several possible reasons:

* The sample size (number of cases scanned=96) was too small

* Criminals used steganography; however the file artifacts could not be traced down as being steganographic in nature when they were common to many applications (i.e. they fell under NF and ID categories)

* Criminals used steganography; however the file artifact detection software was unaware of the applications used by the criminals to generate steganography and hence was unable to associate the corresponding artifacts to steganography

Thus, further research is being focused towards obtaining more positives by increasing the sample set in order to overcome the first limitation mentioned above. The proof of concept has demonstrated that steganography is being used but further research will help in answering the question 'to what extent steganography is being used'.

Also, a model of a multi-phased approach towards steganography detection is being formulated where the usage of both techniques; viz. artifact detection and signature detection is suggested for the detection of steganography. A more prioritized and focused direction which deals with the artifact detection first and then proceeds to the signature detection with algorithms incorporating the prioritization feedback is proposed. This approach has the potential to be an efficient mechanism in terms of time and effort by overcoming the limitations faced by either of the research projects when carried out independently.