Home / News / Technology news /

Finding computer files hidden in plain sight

Keeping computer files private requires only the use of a simple encryption program. For criminals or terrorists wanting to conceal their activities, however, attaching an encrypted file to an e-mail message is sure to raise suspicion with law enforcement or government agents monitoring e-mail traffic.

Posted by C1ay
12 June, 2006 07:06:39

print article
A | A | A

But what if files could be hidden within the complex digital code of a photographic image? A family snapshot, for example, could contain secret information and even a trained eye wouldn't know the difference.

That ability to hide files within another file, called steganography, is here thanks to a number of software programs now on the market. The emerging science of detecting such files - steganalysis - is getting a boost from the Midwest Forensics Resource Center at the U.S. Department of Energy's Ames Laboratory and a pair of Iowa State University researchers.

Electronic images, such as jpeg files, provide the perfect "cover" because they're very common - a single computer can contain thousands of jpeg images and they can be posted on Web sites or e-mailed anywhere. Steganographic, or stego, techniques allow users to embed a secret file, or payload, by shifting the color values just slightly to account for the "bits" of data being hidden. The payload files can be almost anything from illegal financial transactions and the proverbial off-shore account information to sleeper cell communications or child pornography.

"We're taking very simple stego techniques and trying to find statistical measures that we can use to distinguish an innocent image from one that has hidden data," said Clifford Bergman, ISU math professor and researcher on the project. "One of the reasons we're focusing on images is there's lots of 'room' within a digital image to hide data. You can fiddle with them quite a bit and visually a person can't see the difference."

"At the simplest level, consider a black and white photo - each pixel has a grayscale value between zero (black) and 255 (white)," said Jennifer Davidson, ISU math professor and the other investigator on the project. "So the data file for that photo is one long string of those grayscale numbers that represent each pixel."

Encrypted payload files can be represented by a string of zeros and ones. To embed the payload file, the stego program compares the payload file's string of zeros and ones to the string of pixel values in the image file. The stego program then changes the image's pixel values so that an even pixel value represents a zero in the payload string and an odd pixel value represents a one. The person receiving the stego image then looks at the even-odd string of pixel values to reconstruct the payload's data string of zeros and ones, which can then be decrypted to retrieve the secret file.

"Visually, you won't see any difference between the before and after photo," Davidson said, "because the shift in pixel value is so minor. However, it will change the statistical properties of the pixel values of the image and that's what we're studying."

Given the vast number of potential images to review and the variety and complexity of the embedding algorithms used, developing a quick and easy technique to review and detect images that contain hidden files is vital. Bergman and Davidson are utilizing a pattern recognition system called an artificial neural net, or ANN, to distinguish between innocent images and stego images.

Training the ANN involved obtaining a database of 1,300 "clean" original images from a colleague, Ed Delp, at Purdue University. These images were then altered in eight different ways using different stego embedding techniques - involving sophisticated transfer techniques between the spatial and wavelet domains - to create a database of over 10,000 images.

Once trained, the ANN can then apply its rules to new candidate images and classify them as either innocent or stego images.

"The ANN establishes kind of a threshold value," Bergman said. "If it falls above the threshold, it's suspicious. "If you can detect there's something there, and better yet, what method was used to embed it, you could extract the encrypted data," Bergman continued. "But then you're faced with a whole new problem of decrypting the data and there are ciphers out there that are essentially impossible to solve using current methods."

In preliminary tests, the ANN was able to identify 92 percent of the stego images and flagged only 10 percent of the innocent images, and the researchers hope those results will get even better. An investigator with the Iowa Department of Criminal Investigation is currently field-testing the program to help evaluate its usefulness and a graphical user interface is being developed to make the program more user friendly.

"Hopefully we can come up with algorithms that are strong enough and the statistics are convincing enough for forensic scientists to use in a court of law," Bergman said, "so they can say, 'There's clearly something suspicious here,' similar to the way they use DNA evidence to establish a link between the defendant and the crime."

The project is funded by the Midwest Forensics Resource Center. The MFRC, operated by Ames Laboratory, provides research and support services to crime laboratories and forensic scientists throughout the Midwest.

Ames Laboratory is operated for the Department of Energy by Iowa State University. The Lab conducts research into various areas of national concern, including energy resources, high-speed computer design, environmental cleanup and restoration, and the synthesis and study of new materials.

###

Source: Ames Laboratory

Comments (20 posted):

C1ay on 12 June, 2006 12:08:15

Which of these images contains the U.S. Declaration Of Independence :)

Qfwfq on 12 June, 2006 12:38:52

I bet it's the one named monalisa.jpg and not the one named joconde.jpg. ;) It's bigger too!

Jay-qu on 12 June, 2006 01:14:20

Im gonna have to go with the one on the left ;)

Turtle on 13 June, 2006 12:49:19

I propose introducing additional file information steganographically, pertinent or not, to all digital image files. That way all files must get checked; or no files.:shrug: :doh:

C1ay on 13 June, 2006 12:52:15

I propose introducing additional file information steganographically, pertinent or not, to all digital image files. That way all files must get checked; or no files.:shrug: :doh: Good observation. Do notice, while I said one of the images contains the Declaration Of Independence, I did not say anything about the other file :)

pgrmdave on 13 June, 2006 01:03:54

There's an idea - send your information encrypted within a picture, along with hundreds of other pictures, all with useless information in them.

Jay-qu on 13 June, 2006 01:11:14

you could send heaps with useless info, or you could take of photo of a written message :hihi: probably go unoticed

CerebralEcstasy on 13 June, 2006 07:02:46

Nevermind that they've discovered a way to do this.........tell us HOW TO!!!! How else am I going to hide all those sordid love letters from prying eyes?

C1ay on 13 June, 2006 12:00:32

The images above were processed with a free jpeg steganography utility. No encryption was used. The hunt to find the hidden file(s) should be easy from here :)

Jay-qu on 13 June, 2006 12:09:21

Steganography - from the greek word stegein, meaning to hide :) I am in the process of looking for one of these said 'free steganography utilities' edit: ah found one ;) its called steghide This could be a fun game, what if I was to tell you that one of the pictures in our gallery has a hidden msg in it and the first one to get back to me with it wins a prize - treasure hunt anyone? :D No I havent done it yet, its just an idea.

C1ay on 13 June, 2006 12:11:20

I found that I couldn't use the gallery because of the forum software. That's why I attached the images above....

Boerseun on 14 June, 2006 08:08:33

These guys alter the colour odd/even values of a successive string of pixels. So how about altering every, say, tenth pixel's value? Or there could be a simple irrational number like pi, for instance, where the digits are the spaces between the pixels that have been changed. Like 22/7, and then the altered pixel will be the third one, then one normal pixel, another altered one, then four normal pixels, then another altered one, etc. And the 22/7 would then be the 'key' needed to decrypt. There would also be a 'master' key, being the point at which the encryption started, and the 22/7 would be applied from that point forwards. Or backwards. This is a nasty can of worms!

C1ay on 14 June, 2006 10:27:02

I am in the process of looking for one of these said 'free steganography utilities' edit: ah found one ;) its called steghide JpegX is much smaller and has no dependencies :)

C1ay on 15 June, 2006 01:13:47

C1ay on 06 August, 2007 04:48:59

Bump...

Tormod on 06 August, 2007 06:19:51

Man I thought you were joking until now. I tried a JpegX decrypter but it found nothing in either image. Another decryption tool kept asking for passwords! But I found it now! :)

C1ay on 19 October, 2007 04:36:05

In the news.... Research Shows Image-Based Threat on the Rise New Purdue University research shows steganography, long considered a minor threat, may be on the rise Until recently, steganography, the stealth technique of hiding text or images within image files, has mostly been considered too complex -- and conspicuous -- to be much of a threat. But some forensics experts now worry that the bad guys are starting to use the tactic more frequently, especially in child pornography and identity theft trafficking. There are an estimated 800 or so steganography tools available online, many of them free and with user-friendly graphical user interfaces and point-and-click features. This broad availability making steganography more accessible and easier to use for hiding and moving stolen or illicit payloads, experts say. Security experts to date have mostly dismissed steganography as a mainstream threat, relegating it to the domain of spooks and the feds. Their skepticism has been well-founded: The few studies that have searched for images hiding steganographic messages have come up empty-handed. But now, preliminary data from a new steganography study underway at Purdue University indicates that some criminals indeed may be using steganography tools, mainly in child pornography and financial fraud cases. More....

freeztar on 04 April, 2008 12:58:10

I'd like to play with steganography, but I haven't had much luck finding a good program for XP. The best I've found is S-Tools, but I haven't had any luck decrypting an image that I know for certain has a steganographic message. Does anyone have a suggestion for which program is the most versatile, and free?

C1ay on 05 April, 2008 04:30:49

Bump...

Tolouse on 05 April, 2008 04:54:44

a nice interesting topic i haven't heard of this possibility how would the authorities know which ones hold the code? i'm sure pretty soon, they would find out an easy way though