Steganography methods for digital media can be broadly classified as operating in the image domain or transform domain. Image domain tools hide the message in the carrier by some sort of bit-by-bit manipulation, such as least significant bit insertion. Transform domain tools manipulate the steganography algorithm and the actual transformations employed in hiding the information, such as the discrete cosine transforms coefficients in JPEG images (Johnson and Jajodia 1998B).
A computer forensics examiner looking at evidence in a criminal case probably has no reason to alter any evidence files. However, an examination that is part of an ongoing terrorist surveillance might well want to disrupt the hidden information even if it cannot be recovered. Hidden content, such as steganography and digital watermarks, can be attacked in several ways so that it can be removed or altered (Hernandez Martin and Kutter 2001; Voloshynovskiy et al. 2001), and there is software specifically designed to attack digital watermarks. Such attacks have one of two possible effectsthey either reduce the steganography carrying capacity of the carrier (necessary to avoid the attack) or fully disable the capability of the carrier as a steganography medium.
The example below illustrates how digital watermarking can hide information in a totally invisible way. The original image is on the left; the watermarked image is on the right and contains the name of the author.
Digital video watermarking can be achieved by either applying still image technology to each film frame or using dedicated methods that exploit inherent features of the video sequence. For more information, click .
The first applications that came to mind were related to copyright protection of digital media. In the past, duplicating artwork was quite complicated and required a high level of expertise for the counterfeit to look like the original. However, in the digital world, this is not true. Today, it is possible for almost anyone to duplicate or manipulate digital data, while not losing data quality. Similar to a painter's signature or monogram, today's artists can copyright their work by hiding their name within the image. Hence, the embedded watermark allows identification of the owner of the work. It is clear that this concept is also applicable to other media, such as digital video and audio. Currently, the unauthorized distribution of digital audio and video over the Internet is a big problem. In this scenario, digital watermarking may be useful to set up controlled audio distribution and to provide efficient means for copyright protection, usually in collaboration with international registration bodies.
Voloshynovskiy, S., Pereira, S., Pun, T., Eggers, J. J., and Su, J. K. Attacks on digital watermarks: Classification, estimation-based attacks, and benchmarks, (2001) 39(8):118-126.
Fridrich, J., Goljan, M., and Du, R. Steganalysis based on JPEG compatibility. In: , Special Session on Theoretical and Practical Issues in Digital Watermarking and Data Hiding, vol. 4518. International Society for Optical Engineering, Denver, Colorado, August 21-22, 2001, pp. 275-280. Also available: .
Indeed, many digital forensics examiners consider the search for steganography tools and/or steganography media to be a routine part of every examination (Security Focus 2003). But what appears to be lacking is a set of guidelines providing a systematic approach to steganography detection. Even the U.S. Department of Justice search and seizure guidelines for digital evidence barely mention steganography (U.S. Department of Justice 2001; U.S. Department of Justice 2002). Steganalysis will only be one part of an investigation; however, and an investigator might need clues from other aspects of the case to point them in the right direction. A computer forensics examiner might suspect the use of steganography because of the nature of the crime, books in the suspect's library, the type of hardware or software discovered, large sets of seemingly duplicate images, statements made by the suspect or witnesses, or other factors. A Website might be suspect by the nature of its content or the population that it serves. These same items might give the examiner clues to passwords, as well. And searching for steganography is not only necessary in criminal investigations and intelligence gathering operations. Forensic accounting investigators are realizing the need to search for steganography as this becomes a viable way to hide financial records (Hosmer and Hyde 2003; Seward 2003).
Although this subject is also beyond the scope of this paper, one interesting example of steganography disruption software can be used to close this discussion. 2Mosaic by Fabien Petitcolas employs a so-called "presentation attack" primarily against images on a Website. 2Mosaic attacks a digital watermarking system by chopping an image into smaller subimages. On the Website, the series of small images are positioned next to each other and appear the same as the original large image (Petitcolas 2003).
In a pure steganography model, William knows nothing about the steganography method employed by Alice and Bob. This is a poor assumption on Alice and Bob's part since security through obscurity rarely works and is particularly disastrous when applied to cryptography. This is, however, often the model of the digital forensics analyst searching a Website or hard drive for the possible use of steganography.
Many common digital steganography techniques employ graphical images or audio files as the carrier medium. It is instructive, then, to review image and audio encoding before discussing how steganography and steganalysis works with these carriers.
Steganography provides some very useful and commercially important functions in the digital world, most notably digital watermarking. In this application, an author can embed a hidden message in a file so that ownership of intellectual property can later be asserted and/or to ensure the integrity of the content. An artist, for example, could post original artwork on a Website. If someone else steals the file and claims the work as his or her own, the artist can later prove ownership because only he/she can recover the watermark (Arnold et al. 2003; Barni et al. 2001; Kwok 2003). Although conceptually similar to steganography, digital watermarking usually has different technical goals. Generally only a small amount of repetitive information is inserted into the carrier, it is not necessary to hide the watermarking information, and it is useful for the watermark to be able to be removed while maintaining the integrity of the carrier.