Second of three parts
Currently, not enough computer forensic examiners have the first clue what steganography is or how it works, much less how to detect or disable it.
"Stego is well under the radar of a lot of forensic examiners," says Gary C. Kessler, an associate professor in the Computer and Digital Forensics Program at Champlain College. "Many examiners don't take it seriously because they've never actually seen it in use."
Kessler also maintains that even those examiners who are aware of steganography often use the wrong tools to find it. Examiners who need an introductory short course might consult the July 2004 issue of Forensic Science Communications, which contains a 12-page high-level overview of the craft and cunning of steganography, written by Kessler. The paper is directed primarily at computer forensic examiners who need a practical understanding of steganography without detouring too far into the mathematical bits and bytes involved. Its emphasis is on digital applications, focusing on hiding information in image and audio files.
The paper also presents examples of software tools that employ steganography to hide data inside of other files, as well as software to detect such hidden files.
Detection begins with awareness. Forensic examiners need to start looking for steganography clues at the scene and on the suspect computer, Kessler says.
At the crime scene, examiners should try to gauge the technical sophistication of the computer's owner by looking at the books, magazines and software manuals in the suspect's library. Kessler says investigators should then look for clues on the computer itself: steganography programs, hex editors, or large numbers of potential carrier files, particularly where there are apparent duplicates.
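The carrier-file triage Kessler describes can be automated. The following Python script is an added example, not Kessler's or any vendor's tool: it walks an evidence tree (a constructed temporary directory here, not real evidence), counts carrier-type files per folder, groups byte-identical files as exact duplicates, and, for files of the same size and type whose contents differ, checks whether every difference is confined to bit 0 of a byte. That last check goes beyond the text: equal size plus LSB-only differences is the fingerprint of LSB-replacement embedding in uncompressed formats such as BMP or WAV, and it is assumed here as the working hypothesis. The CARRIER_EXTENSIONS set and the 50-file threshold are arbitrary choices made for the example.

```python
import hashlib
import os
import random
import tempfile
from collections import defaultdict

# Assumed list of file types a stego tool is likely to use as a carrier (example choice).
CARRIER_EXTENSIONS = {".bmp", ".png", ".gif", ".jpg", ".jpeg", ".wav"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_bytes(path_a, path_b):
    """Byte-for-byte diff of two equal-size files: how many bytes differ, and whether every
    difference is confined to bit 0 (what LSB-replacement embedding leaves behind)."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    differing = [x ^ y for x, y in zip(a, b) if x != y]
    return len(differing), bool(differing) and all(d == 1 for d in differing)


def triage_carriers(root, many_threshold=50):
    """Walk an evidence tree and report the clues Kessler lists: folders crowded with
    carrier files, exact duplicates, and same-size same-type files whose bytes differ."""
    per_dir = defaultdict(int)
    by_hash = defaultdict(list)
    by_size_ext = defaultdict(dict)  # (size, ext) -> {digest: one representative path}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in CARRIER_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            per_dir[dirpath] += 1
            digest = sha256_file(path)
            by_hash[digest].append(path)
            by_size_ext[(os.path.getsize(path), ext)].setdefault(digest, path)
    apparent = []
    for reps in by_size_ext.values():
        paths = list(reps.values())
        for i in range(len(paths)):
            for j in range(i + 1, len(paths)):
                n_diff, lsb_only = compare_bytes(paths[i], paths[j])
                apparent.append({"files": (paths[i], paths[j]),
                                 "differing_bytes": n_diff, "lsb_only": lsb_only})
    return {
        "carriers_per_dir": dict(per_dir),
        "exact_duplicates": [p for p in by_hash.values() if len(p) > 1],
        "apparent_duplicates": apparent,
        "crowded_dirs": [d for d, n in per_dir.items() if n >= many_threshold],
    }


def build_sample_tree(root, seed=7):
    """Constructed fixture, not real evidence: a cover file, a copy with random bits written
    into the LSBs of its first half, an exact backup copy, and a folder crammed with carriers.
    The files are random bytes, not valid images; only their byte relationships matter here."""
    rng = random.Random(seed)
    cover = bytes(rng.getrandbits(8) for _ in range(4096))
    stego = bytearray(cover)
    for i in range(2048):
        stego[i] = (stego[i] & 0xFE) | rng.getrandbits(1)
    os.makedirs(os.path.join(root, "pics", "backup"))
    os.makedirs(os.path.join(root, "wallpapers"))
    with open(os.path.join(root, "pics", "beach.bmp"), "wb") as f:
        f.write(cover)
    with open(os.path.join(root, "pics", "beach (1).bmp"), "wb") as f:
        f.write(stego)
    with open(os.path.join(root, "pics", "backup", "beach.bmp"), "wb") as f:
        f.write(cover)
    with open(os.path.join(root, "pics", "notes.txt"), "wb") as f:
        f.write(b"not a carrier")
    for i in range(60):  # distinct sizes, so none of these pair up as apparent duplicates
        with open(os.path.join(root, "wallpapers", f"wp{i:03d}.jpg"), "wb") as f:
            f.write(bytes(rng.getrandbits(8) for _ in range(100 + i)))


def demo():
    """Build the constructed fixture in a temporary directory and triage it."""
    root = tempfile.mkdtemp(prefix="stego-triage-")
    build_sample_tree(root)
    return triage_carriers(root)


if __name__ == "__main__":
    report = demo()
    print("crowded folders:", report["crowded_dirs"])
    print("exact duplicates:", report["exact_duplicates"])
    for hit in report["apparent_duplicates"]:
        print("apparent duplicate:", hit)
```

On the fixture, the two byte-identical beach.bmp files come back as an exact duplicate group, beach.bmp and "beach (1).bmp" come back as an apparent duplicate whose roughly thousand differing bytes all differ only in bit 0, and the wallpapers folder is flagged as crowded. Exact duplicates are unremarkable; a same-size pair that differs only in the low bit is what deserves a closer look.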
Kessler recommends examiners add dedicated steganography detection software to their own arsenal, such as the WetStone suite (www.wetstonetech.com). However, the tools that build stego files are not the same tools needed to search for them, he cautions. Free tools are available at www.outguess.org: 'stegdetect', which tests JPEG files for the statistical traces of several embedding programs, and 'stegbreak', which runs dictionary attacks against the passphrase once a file has been flagged.
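Kessler's point that building tools and searching tools are different things is easiest to see side by side. The following Python block is an added example, not code from stegdetect, WetStone or Kessler's paper: embed_lsb is a toy builder (sequential LSB replacement), and chi_square_attack is the searcher, implementing the Westfeld-Pfitzmann chi-square test, a classic statistical attack on LSB replacement. It goes beyond the text in one respect: estimate_embedded_fraction runs the test over growing prefixes of the carrier to estimate how much of it was used. The cover is a constructed grayscale image (a contrast-stretched Gaussian signal, chosen because the stretch leaves gaps in the histogram the way real contrast enhancement does) rather than a real photo, so its statistics are an assumption; the incomplete-gamma routines follow the standard series and continued-fraction formulas.

```python
import math
import random


def make_cover(n_pixels=65536, seed=1):
    """Constructed 8-bit grayscale carrier (flat list of pixel values), not a real image.
    Non-integer contrast stretching leaves histogram gaps, as aggressive enhancement does."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(n_pixels):
        g = int(round(rng.gauss(128, 30)))
        v = int(round(1.3 * (g - 128))) + 128
        pixels.append(min(255, max(0, v)))
    return pixels


def embed_lsb(pixels, payload):
    """Builder side: sequential LSB replacement, one payload bit per pixel from the start."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload exceeds carrier capacity")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return out


def _gamma_series(a, x, eps=1e-14):
    # Regularized lower incomplete gamma P(a, x) by series; used when x < a + 1.
    ap, delta, total = a, 1.0 / a, 1.0 / a
    for _ in range(100000):
        ap += 1.0
        delta *= x / ap
        total += delta
        if abs(delta) < abs(total) * eps:
            break
    return total * math.exp(-x + a * math.log(x) - math.lgamma(a))


def _gamma_cf(a, x, eps=1e-14, tiny=1e-300):
    # Regularized upper incomplete gamma Q(a, x) by modified Lentz continued fraction; x >= a + 1.
    b, c, d = x + 1.0 - a, 1.0 / tiny, 1.0 / (x + 1.0 - a)
    h = d
    for i in range(1, 100000):
        an = -i * (i - a)
        b += 2.0
        d = an * d + b
        d = tiny if abs(d) < tiny else d
        c = b + an / c
        c = tiny if abs(c) < tiny else c
        d = 1.0 / d
        delta = d * c
        h *= delta
        if abs(delta - 1.0) < eps:
            break
    return math.exp(-x + a * math.log(x) - math.lgamma(a)) * h


def chi2_upper_tail(chi2, dof):
    """Probability that a chi-square variable with dof degrees of freedom exceeds chi2."""
    a, x = dof / 2.0, chi2 / 2.0
    if x <= 0.0:
        return 1.0
    return 1.0 - _gamma_series(a, x) if x < a + 1.0 else _gamma_cf(a, x)


def chi_square_attack(pixels):
    """Searcher side: Westfeld-Pfitzmann test. LSB replacement drives the counts of each
    pair of values (2i, 2i+1) towards equality, so near-equal pairs are evidence of embedding.
    Returns (chi2, dof, p_embedded); p_embedded near 1 means the histogram looks embedded."""
    hist = [0] * 256
    for v in pixels:
        hist[v] += 1
    chi2, k = 0.0, 0
    for i in range(128):
        expected = (hist[2 * i] + hist[2 * i + 1]) / 2.0
        if expected == 0.0:
            continue  # an empty pair carries no information
        chi2 += (hist[2 * i] - expected) ** 2 / expected
        k += 1
    dof = k - 1
    return chi2, dof, (chi2_upper_tail(chi2, dof) if dof >= 1 else float("nan"))


def estimate_embedded_fraction(pixels, steps=10, threshold=0.5):
    """Sequential embedding fills the carrier from the start, so p_embedded stays high over
    growing prefixes until the message ends and collapses once untouched pixels are included.
    Returns the largest prefix fraction that still tests as embedded."""
    best = 0.0
    for s in range(1, steps + 1):
        frac = s / steps
        _, _, p = chi_square_attack(pixels[: int(len(pixels) * frac)])
        if p > threshold:
            best = frac
    return best


def demo():
    rng = random.Random(2)  # random payload stands in for encrypted data
    cover = make_cover()
    full = embed_lsb(cover, bytes(rng.getrandbits(8) for _ in range(len(cover) // 8)))
    half = embed_lsb(cover, bytes(rng.getrandbits(8) for _ in range(len(cover) // 16)))
    return {"p_cover": chi_square_attack(cover)[2],
            "p_full": chi_square_attack(full)[2],
            "fraction_half": estimate_embedded_fraction(half)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.4f}")
```

On the constructed cover the test reports an embedding probability of essentially zero; after a full-capacity embedding it reports close to one, and the prefix scan on the half-capacity carrier stops at about 0.5. The catch a practitioner should keep in mind is that the test only sees LSB replacement: tools that embed by LSB matching (adding or subtracting one) or in transform coefficients do not equalize pairs this way, which is why per-program signature tests such as stegdetect's exist alongside the generic statistic.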
New detection techniques continue to evolve. Some aim to address the deficiencies of the blind detection approach taken by the few tools currently on the market. Backbone Security claims to have moved beyond blind detection with an analytical approach that, it says, gives a higher probability of determining which carrier files contain hidden information, and then of extracting that information.
James E. Wingate, director of Backbone's Steganography Analysis and Research Center, says Backbone is working on a signature scanning tool that provides a "point, click, and extract" capability.
"We know how critical it is for law enforcement computer forensic examiners to be able to not only detect hidden information but to extract it as well so they have to have something of evidentiary value to present to the prosecutor," he says.
Next week: Ticket to hide
Part one: When it comes to digital photos, what you see may not be what you get