What You See Is Not Always What You Get
From the January 2006 Issue
By Douglas Page
The leader of a Toronto terrorist cell puts a different Persian rug for sale on eBay
every Monday morning and posts a corresponding photograph. Bids commence,
money is collected and items are shipped. So far, so good.
But, on Tuesdays at 4 p.m., the photo is swapped for a version that contains a
hidden message. By prearrangement, the cell members know when to download
the image, and the weekly message is delivered.
While this scenario is fictitious, the stealth itself is real enough. It even has a
name. The practice of hiding information by embedding messages within other,
seemingly harmless, messages is called steganography.
In the digital age, steganography allows someone to hide any type of binary file
inside any other binary file. Image and audio files are the most common carriers.
Steganography is not encryption, because encryption relies on ciphers or codes to
scramble a message.
Steganography provides some legitimate uses in the digital world, most notably
digital watermarking, wherein an author can embed a hidden message in a file so
that ownership of intellectual property can later be substantiated.
There is also suspicion that the technology is exploited by organized crime and
those engaged in corporate espionage. It gets worse.
Johnson says investigators must now look beyond file systems and recovered files
to consider what may be hidden on computers. "Steganography goes beyond the
difficulties of encrypted data in that an investigator must now determine whether
hidden data exists," he says.
Investigators should become familiar with the steganographic tools and the impact
they have on computer systems, as well as the media that contains the hidden
information, Johnson says.
First clue
The principal forensic problem is that not enough computer forensic examiners have the
first clue what steganography is, how it works, or how to detect or disarm it.
"Stego is well under the radar of a lot of forensic examiners," says Gary Kessler,
an associate professor in the Computer and Digital Forensics Program at
Champlain College in Burlington, Vermont. "Many examiners don't take it seriously
because they've never 'seen' it in use." Kessler also maintains that those
examiners who do "look" for steganography often use the wrong tools.
To address this issue, Kessler published a 12-page paper in the July 2004 issue of
"Forensic Science Communication," offering a high-level, technical overview of
steganography for those unfamiliar with the field.
"At a high level, all a computer forensic examiner really needs is stego awareness,
which means to look for stego clues at the scene and on the suspect computer,"
Kessler says.
At the scene, for example, examiners should consider the technical sophistication
of the computer owner. What books, articles, magazines and software manuals are
found in the suspect's library? Then, he says, are there clues on the computer in the form
of steganography programs, hex editors or a large number of potential carrier files,
particularly where there are apparent duplicates?
Kessler recommends examiners add special equipment to their own arsenal in the
form of steganographic detection software, such as WetStone Technologies' Stego
Suite, as mentioned in the paper.
"The tools to build stego files are not the same tools you need to search for stego
files," he cautions.
Ticket to hide
In the aftermath of 9/11, several attempts were made to determine whether and
to what extent steganographic images were present on the Internet.
One well-known study searched more than 2 million eBay images. Using special
detection programs, researchers at the University of Michigan were unable to find
a single hidden message. Another group examined several hundred thousand
random images from various Web sites with similar negative results.
Although these projects provide a framework for searching a Web site for
steganography images, no conclusions can be drawn from them about
steganography images on the Internet. Absence of evidence is not evidence of
absence.
"One problem is programs like Stegdetect only look at JPEG images," Kessler says.
"Other image types were never examined. In the other study, only a limited
number of Web sites were examined, far too few to make any definitive
statements about the Internet as a whole."
"One reason for federal interest is that stego tools have been found in the forensic
analysis of computers belonging to some criminals and terrorists," says Hany
Farid, a computer science professor at Dartmouth College, located in Hanover,
New Hampshire.
There are few hard statistics, however, about the frequency with which
steganography software or media are discovered by law enforcement officials in
the course of computer forensics analysis.
"Forget trying to find the needle in the haystack; just turn the needle into a piece of
straw by adding to each image a low-level noise pattern," he says. "The noise will
be imperceptible to the user but will destroy the stego message, which, unlike
digital watermarks, are highly sensitive to even the simplest attack."
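The sanitizing idea described above, sketched as an added example (not code from the article or from any tool it names). It assumes textbook least-significant-bit embedding in raw pixel bytes; the sample data is constructed and all function names are hypothetical.

```python
import random

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Textbook LSB replacement: one message bit per carrier byte."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message too long for this carrier")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(carrier: bytes, length: int) -> bytes:
    """Read `length` bytes back out of the carrier's low bits."""
    out = bytearray()
    for n in range(length):
        value = 0
        for b in carrier[n * 8:(n + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)

def add_low_level_noise(carrier: bytes, seed: int) -> bytes:
    """Sanitize: re-randomize every low bit; each byte changes by at most 1."""
    rng = random.Random(seed)
    return bytes((b & 0xFE) | rng.getrandbits(1) for b in carrier)

def max_change(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))

# Constructed sample data: 4096 pseudo-random bytes standing in for raw pixels.
COVER = bytes(random.Random(2006).getrandbits(8) for _ in range(4096))
MESSAGE = b"constructed test message"
STEGO = embed_lsb(COVER, MESSAGE)
CLEANED = add_low_level_noise(STEGO, seed=1)

if __name__ == "__main__":
    print("before noise:", extract_lsb(STEGO, len(MESSAGE)))
    print("after noise: ", extract_lsb(CLEANED, len(MESSAGE)))
    print("largest per-byte change:", max_change(STEGO, CLEANED))
```

The noise step needs no knowledge of whether a given image carries a payload, which is why it can be applied to every image without a detection step first.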
Farid's Dartmouth lab has developed a steganographic tool for use in less
controlled environments. He admits, though, that while tools like these will become
increasingly necessary in the future, it will always be possible to hide messages in
images in ways that are imperceptible.
"As detection algorithms get better, stego embedding programs will respond by
simply embedding smaller amounts of information," Farid says. "At some point it
will be nearly impossible to detect small amounts of hidden data." Still, a growing
number of digital forensics examiners now consider the search for steganographic
tools and/or media to be a routine part of every examination.
While it is impossible to know how widespread the current use of steganography is,
it may not matter. Kessler believes it is safe to assume the worst.
"The use of steganography is certain to increase and will be a growing hurdle for
law enforcement and counterterrorism activities," Kessler predicts.