Investigating information hiding

Information hiding is a research domain that covers a wide spectrum of methods that are used to make (secret) data difficult to notice. Due to improvements in network defenses such techniques are recently gaining an increasing attention from actors like cybercriminals, terrorist and state-sponsored groups as they allow to store data or to conceal communication in a way that is not easily discoverable.  Information-hiding techniques are used to hide the confidential or illegal data into innocent-looking material, for example, digital pictures.

Steganography is a well-known subfield of information hiding that aims is to cloak secret data in a suitable carrier. The use of covert techniques grew significantly during the two World Wars, in which the military developed several methods to hide information in innocent-looking objects.

Modern information-hiding techniques can be divided based on their application into two broad groups: covert data storage and covert data communication 

Covert data storage allows the application of data-hiding techniques to conceal secret information in such a way that no one besides the involved persons will know where the information is stored or how to extract it. Digital media steganography and file/file system/mass storage steganography are the most prominent classes belonging to this group.

Covert data communication methods focus on hiding the fact that any communication process took place and were initially described as channels that were not foreseen for communication. This means that involved parties can participate in a covert communication and, in principle, a third-party observer would be unaware of it. The most important classes belonging to this group include out-of-band covert channels, network steganography (also known as network covert channels), as well as local covert channels (that are limited in communication range to the single device).

Digital media steganography incorporates techniques to hide information within digital images, audio files, and digital videos.

Network steganography deals with the concealment of information within network transmissions. This means that network data that appears to be innocent is actually carrying hidden data.

Steganalysis is the technology that attempts to defeat steganography--by detecting the hidden information and extracting or destroying it.

Detecting hidden information

Steganography tools can create stego-images in which the change or distortion in the carrier is not obvious to the human eye. However, this distortion when detected can lead to the tools used for steganography. Let us look at a few examples:

1. Images: A lot of image steganography tools use least significant bit (LSB) modification to hide information. In low resolution images with 8 bit color, the modification of LSB can cause a noticeable shift in the color palette making it possible to detect hidden content. Another sign to the presence of hidden information is padding or cropping of an image. The Hide-and-Seek tool can only produce images of fixed sizes. If an image does not fit into one of these sizes it is cropped or padded with black spaces. StegoDos has a similar problem.
2. Disks: Unused areas on a disk that can be used to hide information. Tools like EnCase and ILook Investigator look for hidden information in unused clusters or partitions in storage devices.
3. TCP/IP Packets: TCP/IP packets have unused space in the packet headers. The TCP packet header has six reserved or unused bits, and the IP packet header has two reserved bits. Information can be hidden in these unused bits. Thousands of packets are transmitted with each communication channel, which provide an excellent way to communicate secretly. Filters can be applied, on firewalls for example, to detect TCP/IP packets that contain hidden information in places supposed to be unused.

Steganalysis methods

There are various methods of analysis depending on what information is available:

1. Stego-only attack: Only the stego-object is available for analysis.
2. Known cover attack: The stego-object as well as the original medium is available. The stego-object is compared with the original cover object to detect any hidden information.
3. Known message attack: The hidden message and the corresponding stego-image are known. The analysis of patterns that correspond to the hidden information could help decipher such messages in future.
4. Known stego attack:The steganography algorithm is known and both the original and stego-object are available.
5. Chosen stego attack:The steganography algorithm and stego-object are known.
6. Chosen message attack:The steganalyst generates a stego-object from some steganography tool or algorithm of a chosen message. The goal in this attack is to determine patterns in the stego-object that may point to the use of specific steganography tools or algorithms.