What You See Is Not Always What You Get from Law Enforcement Technology at Officer.com

From the January 2006 Issue

By Douglas Page

The leader of a Toronto terrorist cell puts a different Persian rug for sale on eBay
every Monday morning and posts a corresponding photograph. Bids commence,
money is collected and items are shipped. So far, so good.

But, on Tuesdays at 4 p.m., the photo is swapped for a version that contains a
hidden message. By prearrangement, the cell members know when to download
the image, and the weekly message is delivered.

While this scenario is fictitious, the stealth itself is real enough. It even has a
name. The practice of hiding information by embedding messages within other,
seemingly harmless, messages is called steganography.

Steganography, from Greek meaning "covered writing," is as old as the Greeks,
who tattooed messages on the shaved heads of messengers. After the hair grew
back, the messenger was dispatched. Invisible inks, written between the lines of
innocuous letters, were a common form of steganography during World War II.

In the digital age, steganography allows someone to hide any type of binary file
inside any other binary file. Image and audio files are the most common carriers.
Steganography is not encryption: encryption relies on ciphers or codes to
scramble a message, whereas steganography conceals that a message exists at all.

Steganography provides some legitimate uses in the digital world, most notably
digital watermarking, wherein an author can embed a hidden message in a file so
that ownership of intellectual property can later be substantiated.

Not all applications of steganography are so benign. Steganography is drawing
more forensic attention, not because it's being used by college students passing
around final exam answers embedded in images, but because many people believe
steganography is one of the ways Al Qaeda leaders communicate with terrorists
around the world.

There is also suspicion that the technology is exploited by organized crime and
those engaged in corporate espionage. It gets worse.

http://www.officer.com/publication/article.jsp?pubId=1&id=27989&submit_comment=y (1 of 5)6/27/2009 6:21:12 PM



"I know of a case where steganography was employed to conceal child
pornography," says steganography expert Neil Johnson, an associate at Booz Allen
Hamilton in McLean, Virginia, and author of several papers investigating
steganography and associated digital forensic considerations. Using patterns
Johnson published in a paper, investigators were able to determine the existence
of hidden images and the steganography tool used to produce them.

Johnson says investigators must now look beyond file systems and recovered files
to consider what may be hidden on computers. "Steganography goes beyond the
difficulties of encrypted data in that an investigator must now determine whether
hidden data exists," he says.

Investigators should become familiar with the steganographic tools and the impact
they have on computer systems, as well as the media that contains the hidden
information, Johnson says.

First clue
The principal forensic problem is that not enough computer forensic examiners have
the first clue what steganography is, how it works, or how to detect or disarm it.

"Stego is well under the radar of a lot of forensic examiners," says Gary Kessler,
an associate professor in the Computer and Digital Forensics Program at
Champlain College in Burlington, Vermont. "Many examiners don't take it seriously
because they've never 'seen' it in use." Kessler also maintains that those
examiners who do "look" for steganography often use the wrong tools.

To address this issue, Kessler published a 12-page paper in the July 2004 issue of
"Forensic Science Communications," offering a high-level, technical overview of
steganography for those unfamiliar with the field.

"The paper's emphasis is on digital applications, focusing on hiding information in
online image or audio files," Kessler says. Examples of software tools that employ
steganography to hide data inside of other files, as well as software to detect such
hidden files, are presented.

"At a high level, all a computer forensic examiner really needs is stego awareness,
which means to look for stego clues at the scene and on the suspect computer,"
Kessler says.

At the scene, for example, examiners should consider the technical sophistication
of the computer owner. What books, articles, magazines and software manuals are
found in the suspect's library? Then, are there clues on the computer in the form
of steganography programs, hex editors or a large number of potential carrier files,
particularly where there are apparent duplicates, he says.
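
The "apparent duplicates" clue can be checked mechanically during triage. The following is an added example, not code from the article or from any tool it names. It assumes the candidate carriers have already been decoded to raw sample bytes and that an embedding tool changed only the lowest bit of each sample; the file names and buffers are constructed.

```python
import hashlib
from itertools import combinations

def lsb_only_diff(a, b):
    """Count differing bytes if a and b are equal length and every difference
    is confined to the lowest bit; return -1 otherwise."""
    if len(a) != len(b):
        return -1
    changed = 0
    for x, y in zip(a, b):
        d = x ^ y
        if d > 1:          # a higher bit differs: not a low-bit-only edit
            return -1
        changed += d
    return changed

def flag_apparent_duplicates(files):
    """files: {name: raw sample bytes}. Return (name1, name2, changed_bytes) for
    pairs that are the same size, hash differently, and differ only in low bits."""
    by_size = {}
    for name, data in files.items():
        by_size.setdefault(len(data), []).append(name)
    hits = []
    for names in by_size.values():
        for n1, n2 in combinations(sorted(names), 2):
            a, b = files[n1], files[n2]
            if hashlib.sha256(a).digest() == hashlib.sha256(b).digest():
                continue   # exact copy: an ordinary hash comparison explains it
            changed = lsb_only_diff(a, b)
            if changed > 0:
                hits.append((n1, n2, changed))
    return hits

# Constructed sample data (not real evidence): 512-byte stand-ins for decoded pixels.
_base = bytes((i * 37 + 11) % 256 for i in range(512))
_altered = bytearray(_base)
for _i in range(0, 512, 8):
    _altered[_i] ^= 1      # flip the low bit of every 8th sample (64 bytes)
SAMPLE = {
    "item_a.raw": _base,
    "item_a_copy.raw": _base,
    "item_a_v2.raw": bytes(_altered),
    "item_b.raw": bytes((i * 91 + 5) % 256 for i in range(512)),
}

if __name__ == "__main__":
    for hit in flag_apparent_duplicates(SAMPLE):
        print(hit)
```

A pair flagged here looks identical on screen and fails an exact hash match, which is why a hash-set comparison alone does not surface it.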

Kessler recommends examiners add special equipment to their own arsenal in the
form of steganographic detection software, such as WetStone Technologies' Stego
Suite, as mentioned in the paper.

"The tools to build stego files are not the same tools you need to search for stego
files," he cautions.

Ticket to hide
In the aftermath of 9/11, several attempts were made to determine whether and
to what extent steganographic images were present on the Internet.

One well-known study searched more than 2 million eBay images. Using special
detection programs, researchers at the University of Michigan were unable to find
a single hidden message. Another group examined several hundred thousand
random images from various Web sites with similar negative results.

Although these projects provide a framework for searching a Web site for
steganography images, no conclusions can be drawn from them about
steganography images on the Internet. Absence of evidence is not evidence of
absence.

"One problem is programs like Stegdetect only look at JPEG images," Kessler says.
"Other image types were never examined. In the other study, only a limited
number of Web sites were examined, far too few to make any definitive
statements about the Internet as a whole."

Free steganographic detection programs (such as Stegdetect and Stegbreak) are
available at www.outguess.org.

In case steganography abuse is more pervasive than anyone is presently aware,
federal agencies remain eager to develop solid steganographic detection
techniques.

"One reason for federal interest is that stego tools have been found in the forensic
analysis of computers belonging to some criminals and terrorists," says Hany
Farid, a computer science professor at Dartmouth College, located in Hanover,
New Hampshire.

There are few hard statistics, however, about the frequency with which
steganography software or media are discovered by law enforcement officials in
the course of computer forensics analysis.

"Anecdotal evidence suggests that many computer forensics examiners do not
routinely search for steganography software, and many might not recognize such
tools if they found them," Kessler says. "In addition, the tools that are employed to
detect steganography software are often inadequate, with the examiner frequently
relying solely on hash sets or the steganography tools themselves."

Computer forensic examinations can be a lengthy process. A thorough search for
evidence of steganography on a suspect hard drive containing thousands of
images, audio files and video clips could take several days.

Hide and seek
Finding steganographic messages has been equated to finding a needle in a county
of haystacks. There are millions of images, for instance, on eBay. Farid believes,
however, that disabling steganography in a controlled environment like eBay could
be easy.

"Forget trying to find the needle in the haystack; just turn the needle into a piece
of straw by adding to each image a low-level noise pattern," he says. "The noise will
be imperceptible to the user but will destroy the stego message, which, unlike
digital watermarks, is highly sensitive to even the simplest attack."
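
The sanitizing approach Farid describes can be measured. The following is an added example, not Farid's tool or code from the article. It assumes the hidden data sits in the lowest bit of each sample, uses a constructed carrier whose low bits hold a known pattern, and checks how much of that pattern survives re-randomizing those bits.

```python
import random

def add_low_level_noise(samples, rng):
    """Re-randomize the lowest bit of every sample. Each value moves by at most 1."""
    return bytes((s & 0xFE) | rng.getrandbits(1) for s in samples)

def lsb_agreement(a, b):
    """Fraction of positions where the lowest bits of a and b match."""
    return sum(1 for x, y in zip(a, b) if (x ^ y) & 1 == 0) / len(a)

def max_sample_change(a, b):
    """Largest per-sample difference, i.e. the worst visible distortion."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed carrier: 4096 samples whose low bits hold a fixed repeating
# pattern, standing in for data hidden in the least significant bits.
PATTERN = [1, 0, 1, 1, 0, 0, 1, 0]
CARRIER = bytes((((i * 53 + 7) % 256) & 0xFE) | PATTERN[i % 8]
                for i in range(4096))

def sanitize_and_measure(seed=2006):
    """Return (low-bit agreement after sanitizing, largest sample change)."""
    rng = random.Random(seed)   # seeded only so the demonstration is repeatable
    cleaned = add_low_level_noise(CARRIER, rng)
    return lsb_agreement(CARRIER, cleaned), max_sample_change(CARRIER, cleaned)

if __name__ == "__main__":
    agreement, change = sanitize_and_measure()
    print(f"low-bit agreement: {agreement:.3f}, max sample change: {change}")
```

Agreement near 0.5 means the low-bit plane after sanitizing is no better than a coin flip as a copy of the original, while no sample value moved by more than one step. Schemes that hide data elsewhere (for example in JPEG coefficients) need a different transformation, such as recompression.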

Farid's Dartmouth lab has developed a steganographic tool for use in less
controlled environments. He admits, though, that while tools like these will become
increasingly necessary in the future, it will always be possible to hide messages in
images in ways that are imperceptible.

"As detection algorithms get better, stego embedding programs will respond by
simply embedding smaller amounts of information," Farid says. "At some point it
will be nearly impossible to detect small amounts of hidden data." Still, a growing
number of digital forensics examiners now consider the search for steganographic
tools and/or media to be a routine part of every examination.

"Searching for steganography is not only necessary in criminal investigations and
intelligence gathering operations, but forensic accounting investigators are
realizing the need to search for steganography as this becomes a viable way to
hide financial records," Kessler says.

While it is impossible to know how widespread the current use of steganography is,
it may not matter. Kessler believes it is safe to assume the worst.


"The use of steganography is certain to increase and will be a growing hurdle for
law enforcement and counterterrorism activities," Kessler predicts.

Copyright © 2009 All rights reserved. - Cygnus Interactive, a Division of Cygnus Business Media.
