Steganography: What It Is and How It Works

Steganography is a technique used to hide data inside a digital file. It's a powerful tool for keeping sensitive information away from prying eyes, and it works across all kinds of media — images, audio, video.

Overview

Introduction to Digital Forensics (original): Introduction to Digital Forensics

Steganography is a technique used to hide data inside a digital file. It’s a powerful tool for keeping sensitive information away from prying eyes. Data can be hidden inside all kinds of media, such as images, audio files, or video.

Steganography is used in several applications, such as copyright protection, secure communication, and data archiving. It’s also used in digital forensics to uncover hidden evidence.

Breaking down the concepts behind steganography, we can highlight three key elements: Secret, Carrier, and Carrier’.

Secret: this is the element that needs to be hidden inside the carrier. The secret can be anything (a string, an image, audio, a PDF, etc.); the only constraint is that it has to be shorter, in bytes, than the carrier.

Carrier: this is the element that will store our secret. In the simplest scenario it could be an image or an audio file. The Carrier must be longer, in bytes, than the Secret.

Carrier’: the Carrier’ is the Carrier with the Secret encoded inside it.

Image by Wikimedia

Uses of Steganography

Offense

Steganography is a powerful technique that attackers can use to pass data and messages between servers. It’s particularly handy for running botnets from a Command and Control (C&C/C2) center: by hiding commands inside images, audio files, and other kinds of data, an attacker can easily communicate with other servers without being noticed.

Steganography is also a versatile tool that can be used for a wide range of purposes, from espionage to cybercrime.

For example, steganography can be used to hide sensitive information, such as passwords (though personally I wouldn’t recommend it) and financial data, from prying eyes. Steganographic techniques can also be used to evade detection by security systems, which is exactly why they’re a popular choice among cybercriminals.

Defense

Steganography isn’t only used for offensive purposes, but for defensive ones too. A technique that’s becoming increasingly popular for protecting sensitive information is so-called defensive steganography. It involves embedding false information inside digital files to mislead attackers who might try to extract valuable data. Defensive steganography can be used to create “decoy” information designed to confuse attackers while keeping the real information safe.

It’s worth noting, though, that if the goal is to actually hide something, the information hidden via steganography should also be encrypted to guarantee confidentiality.

Another use case is digital watermarking, a technique used to protect ownership of digital media. By embedding a unique identifier into digital media, such as images or video, the owner can prove ownership and protect themselves from copyright infringement. Digital watermarking is commonly used in the music and film industry to guard against piracy and unauthorized distribution. Using steganography for digital watermarking ensures the identifier stays hidden and can’t easily be removed without damaging the content.

Historical references

2018 – Twitter malware botnet

In 2018, malware surfaced whose technique fundamentally relied on a legitimate service, Twitter, to distribute commands to a botnet. The attacker crafted specific images with the command encoded inside them, then spread those images through a Twitter account.

https://www.trendmicro.com/en_us/research/18/l/cybercriminals-use-malicious-memes-that-communicate-with-malware.html

Steganography has been used in military, diplomatic, and intelligence contexts; the subject is closely tied to cryptography, which has been around for a long time as well, since it provides security for communications that might otherwise fall into the wrong hands.

Whitening

Image by Wikimedia

This is a data obfuscation layer that enhances security.

The whitening technique is used to better disperse the message that needs to be hidden — this boosts security by adding a “noisy” layer. Basically, this technique uses white noise — random bits, white-noise audio, or really any information that adds entropy to the secret data — to hide messages more effectively.

As you can see in the image above, the original string of information HJKN gets spread across two rows, and there’s often one or two “white-noise characters” inserted between the original characters, so HJKN becomes H#JK##N, where # marks the noise.

Tools

In this article I’m not going to cover a specific piece of software or technology, because I wanted to approach the topic from a purely theoretical angle.

If you want to read about steghide, a steganography tool, check out this article by Matt Kmety: Steganography on Kali Using Steghide

Useful references

Hack the Box:

On Hack the Box you’ll find plenty of VMs to practice steganography techniques on — this article is a walkthrough of the “Da Vinci” machine: Da Vinci Stenography Challenge Solution!

A few other Hack the Box machines you can use to practice steganography:

  • Beatles
  • Forest

Steghide

From the steghide manual:

Steghide is a steganography program that can hide data in various kinds of image and audio files. Color and sample frequencies aren’t modified, which makes the embedding resistant to first-order statistical tests.

Features include compression of the embedded data, encryption of the embedded data, and automatic integrity checking via a checksum. JPEG, BMP, and WAV file formats are supported as cover files. There are no restrictions on the format of the secret data.

Steghide uses a graph-theoretic approach to steganography. You don’t need to know graph theory to use steghide, and you can safely skip the rest of this paragraph if you’re not interested in the technical details.

Theoretical approach:

The embedding algorithm works roughly like this: first, the secret data is compressed and encrypted, then a sequence of pixel positions inside the cover file is generated based on a pseudo-random number generator seeded with the passphrase (the secret data will be embedded into the pixels at those positions). Among those positions, the ones that don’t need to be changed (because they already happen to hold the correct value) are filtered out. Then a graph-theoretic matching algorithm finds pairs of positions such that swapping their values has the effect of embedding the corresponding part of the secret data.

Stay safe!