Forensics Journal - Stevenson University 2013 | Page 32
Another benefit to a carrier file with a significantly larger size is that
once the file size increases due to the payload, the new size won’t be as
noticeable.
ematical method of determining the authenticity of a digital message
or document. All software has its own unique digital signature; therefore, a forensics tool performing a signature scan may be able to detect
the carrier files if the signature list is current. In addition to signature
detection, some programs can detect steganography, although doing
so is difficult. The first step in detection is to locate files with hidden text, which can be done by analyzing patterns in the images and
changes to the color palette. (Graves) To combat forensic detection
of steganography, author Stephen Lau writes:

In recent years, more sophisticated techniques have evolved, specifically to defeat most standard methods of detecting steganography.
These involve analyzing the image prior to embedding the message to
determine its statistical properties. By locating redundant bits of an
image and probabilistically replacing the bits with new information,
one can defeat most statistical analyses. In addition, by subsequently
modifying other portions of the image, one can recreate the “statistical” footprint of the original unmodified image that can thwart most
attempts at statistical analysis. (Lau)

TRADITIONAL DETECTION OF STEGANOGRAPHY

“Steganography relies on the fact that the human senses are inadequate when compared to analysis performed by machines or even in
fact the senses of other animals of the earth.” (McGill) Most people
who choose to send information covertly across a digital medium
such as the Internet use some form of cryptography. Cryptography is
defined as the process of creating, communicating in, and deciphering
secret writings or messages. This, however, can be a signal to anyone
watching that something is happening on that connection. Steganography transfers information across a connection so that anyone
monitoring the link will not be able to detect what is being sent. As
Dr. Cole states, there is no point in hiding data if someone can figure
out how and where the data is hidden. Steganography is designed to
make the hidden data hard to detect by disguising it in such a way
that there is little change to the properties of the hidden file. (Cole)
Figure 1 illustrates one method by which a forensic analyst would be
able to detect the use of steganography, but only if the original file is
known. Every digital file has a hash value which remains constant as
long as the file remains unchanged. A hash value is a mathematical
representation of the data contained in the file. Generally speaking,
hash values are unique to each file and are difficult to duplicate on
another file. Once a change is made to the file, the hash value will
also change, thus reflecting an alteration to the document. In Figure
1, the hash value in the top field is from the original file, and the value in the
“hash to compare” field is from the file that has been altered by steganography.
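
The comparison described for Figure 1, written out as an added example (it is not code from the journal article or from the tool shown in the figure). It assumes SHA-256 as the hash function, since the article does not name one; the function names are hypothetical and the sample bytes are constructed. After the hash mismatch it also reports how many bytes differ and whether every difference is confined to the lowest bit of a byte, a detail an examiner can note once the original is in hand.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash value of a file's contents (SHA-256 is an assumption of this example)."""
    return hashlib.sha256(data).hexdigest()


def compare_to_original(original: bytes, suspect: bytes) -> dict:
    """Compare a suspect file against the known original, as in the Figure 1 check."""
    report = {
        "original_hash": sha256_hex(original),
        "suspect_hash": sha256_hex(suspect),
        # A payload can also grow the file, so record the size difference.
        "size_delta": len(suspect) - len(original),
    }
    # Any change to the contents yields a different hash value.
    report["altered"] = report["original_hash"] != report["suspect_hash"]
    # Byte-level follow-up over the length the two files share.
    diffs = [(i, a ^ b) for i, (a, b) in enumerate(zip(original, suspect)) if a != b]
    report["changed_bytes"] = len(diffs)
    report["first_changed_offset"] = diffs[0][0] if diffs else None
    # True only when every changed byte differs in its lowest bit and nowhere else.
    report["low_bit_only"] = bool(diffs) and all(x == 1 for _, x in diffs)
    return report


# Constructed sample data: a 4096-byte stand-in for the original file ...
ORIGINAL = bytes((i * 7 + 3) % 256 for i in range(4096))
# ... and a copy in which the lowest bit of 64 bytes has been inverted.
_altered = bytearray(ORIGINAL)
for _off in range(100, 164):
    _altered[_off] ^= 1
ALTERED = bytes(_altered)

if __name__ == "__main__":
    for name, blob in (("unchanged copy", ORIGINAL), ("altered copy", ALTERED)):
        r = compare_to_original(ORIGINAL, blob)
        print(f"{name}: altered={r['altered']} changed_bytes={r['changed_bytes']} "
              f"low_bit_only={r['low_bit_only']} size_delta={r['size_delta']}")
```

As the article notes, this check depends on having the original file; with only the suspect file there is nothing to compare its hash against.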
Steganalysis, the art of detecting the use of steganography, is very
tedious and difficult. The easie