This article can also be found in the Premium Editorial Download "Information Security magazine: Symantec 2.0: Evaluating their recent acquisitions."
Seeing the Unseen
Stego is hard to detect. As is frequently the case with criminal activity, malicious insiders are often caught not because of great detective work or superior technology, but because of mistakes they make—they become too greedy or brag. The real problem is that there's no good way to screen for stego globally. However, if you suspect stego is being used, there are forensic techniques to help you investigate.
The easiest—but least effective—methods involve looking for general indications of stego use on a computer. One way is to look for apparently identical files with different binary compositions; stego programs keep the original and make a copy with the hidden data, and the stego user may forget or choose not to delete the duplicate file. Open-source programs like diff or commercial products like Tripwire can be used to determine if the files are really identical. diff is primarily an investigative tool: It yields information on which parts of the file are different, but can be run only on a single system. Tripwire, on the other hand, can be run across an enterprise, but will only tell you the files are different with no additional details.
Of course, finding a copy of S-Tools or Invisible Secrets on a computer is also a pretty good clue. The more advanced investigative technique is to look for indications of stego use within a file. These methods are time-consuming and require specific expertise to create and use detection programs.
One approach is to look for characteristics of the stego technology used. Each tool manipulates a file in a certain way to hide the data. By carefully examining how a given technique works, you can find characteristics that determine whether data has been hidden. For example, S-Tools manipulates the color table in an image. A normal .bmp file has a low number of duplicate colors in its table, so look for a high number of duplicate colors.
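The palette check just described, as an added example that is not from the article or from S-Tools' authors: it parses the color table of an 8-bit BMP, counts exact and near-duplicate entries, and flags the file when most entries have a twin. The file builder and both sample palettes are constructed here; the "stego" palette imitates the clustered near-duplicate artifact described above rather than coming from S-Tools itself.

```python
import struct

def parse_bmp_palette(data):
    """Return the (R, G, B) color table of a paletted BMP (BITMAPINFOHEADER); [] for true-color."""
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    header_size = struct.unpack_from("<I", data, 14)[0]
    bpp = struct.unpack_from("<H", data, 28)[0]
    colors_used = struct.unpack_from("<I", data, 46)[0]
    if bpp > 8:
        return []                        # true-color image: no color table to inspect
    count = colors_used or (1 << bpp)
    base = 14 + header_size              # palette follows the info header, one BGRA quad per entry
    return [(data[base + 4*i + 2], data[base + 4*i + 1], data[base + 4*i]) for i in range(count)]

def palette_stats(palette, tolerance=1):
    """Count exact duplicate entries and entries with a near-twin (every channel within `tolerance`)."""
    exact = len(palette) - len(set(palette))
    near = sum(1 for i, a in enumerate(palette)
               if any(i != j and all(abs(x - y) <= tolerance for x, y in zip(a, b))
                      for j, b in enumerate(palette)))
    return {"entries": len(palette), "exact_duplicates": exact, "near_duplicates": near}

def looks_suspicious(data, ratio=0.5):
    """Flag a BMP when at least `ratio` of its palette entries have an exact or near duplicate."""
    stats = palette_stats(parse_bmp_palette(data))
    return stats["entries"] > 0 and (stats["near_duplicates"] / stats["entries"]) >= ratio

def make_bmp(palette, width=2, height=2):
    """Build an 8-bit BMP with the given palette and zeroed pixels (constructed test fixture)."""
    row = (width + 3) & ~3               # pixel rows are padded to 4-byte multiples
    table = b"".join(bytes((b, g, r, 0)) for r, g, b in palette)
    offset = 14 + 40 + len(table)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 8, 0, row * height, 2835, 2835, len(palette), 0)
    head = struct.pack("<2sIHHI", b"BM", offset + row * height, 0, 0, offset)
    return head + info + table + bytes(row * height)

# Constructed samples (not real files): a 216-entry web-safe cube, whose colors are 51 apart in every
# channel, and a palette imitating the artifact described above, where 32 base colors are each
# cloned eight times with 0/1 perturbations so the image can carry bits without a visible change.
CLEAN_BMP = make_bmp([(r, g, b) for r in range(0, 256, 51) for g in range(0, 256, 51) for b in range(0, 256, 51)])
STEGO_BMP = make_bmp([(c*8 + (d & 1), c*8 + ((d >> 1) & 1), c*8 + (d >> 2)) for c in range(32) for d in range(8)])

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("suspect", STEGO_BMP)):
        print(name, palette_stats(parse_bmp_palette(blob)), looks_suspicious(blob))
```

Run it against real 8-bit .bmp files by replacing the constructed blobs with the bytes read from disk; true-color images return an empty palette and are not flagged by this check.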
Or, you can look for characteristics that are not typical of a particular file type. For example, the actual data in .jpg files is compressed, so any attempt to hide data in that area would be lost to the compression; therefore, to hide data, you would have to manipulate the compression algorithm itself. So, check for changes to the algorithm.
In an ideal world, there would be a universal way to detect stego, regardless of file format or method used; a single algorithm could be developed and used to scan a system. While this is yet to be done, researchers have achieved about 70 percent accuracy using statistical processing techniques such as wavelets and Fourier transforms.
If your aim is simply to stop, rather than detect, stego, the easiest thing to do is to convert file formats. For example, a proxy gateway could run a program that converts image formats (e.g., .jpg to .bmp and back to .jpg), which would remove any hidden information. For text, you could convert the message from English to Spanish, then back to English. However, translation programs aren't completely accurate, which could result in some mangled messages.
This was first published in November 2006