Steganography Tool & Steganography Detection Tool - Presentation


Published on

This project figure out the pattern of the bytes in the stego file and how steganalysis tool can identify the bytes appended to the truck file by steganography tool. This analysis is based on basic theory of steganography and steganalysis, and using a hex editor in order to check what kind of bytes that the steganography tool appends to the truck file.
Please contact to lailiaidi at for download request

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Steganography Tool & Steganography Detection Tool - Presentation

  1. 1. Analyzing the file hidden by the steganography tool and how the steganography detection tool detects it Group 6 Ahmet Aydin - Arman Güngör - Laili Aidi
  2. 2. Background Steganography is hiding secret message into cover media, no one suspects from the presence of hidden message. Steganalysis is the art of revealing hidden message in a cover media. Keywords: Stego file, truck file (cover media)
  3. 3. Goal Figuring out the pattern of the bytes in the stego file. How steganalysis tool (Stegspy) identify the bytes appended to the cover media. Comparing steganography tools: Hiderman and Masker
  4. 4. Limitation of Study The analysis is only done with the text and JPEG files, not with audio or video file. There are parts of the stego files that cannot be analyzed yet, because the encryption that is used in the steganography process make these bytes complicated to be analyzed.
  5. 5. Steganography Type Robust steganography: involves embedding information into a file, cannot easily be destroyed.  Fingerprinting  Watermarking Fragile steganography: involves embedding information into cover media, destroyed if that media is modified.
  6. 6. Steganography Technique Binary File Techniques Plaintext Steganography Techniques Still imagery Steganography Techniques Audio and Video Steganography IP datagram steganography / Network Covert Channel / Network steganography
  7. 7. Steganalysis Technique Based on unusual pattern in the media or visual detection of the same. This can be done because the properties of electronic media are changed after it is used to hide any object, result degradation in terms of quality or unusual characteristics of the media.
  8. 8. Steganography Attacks Known carrier attack Steganography only attack Known message attack Known steganography attack
  9. 9. Tools Steganography tools:  Hiderman version 3.0  Masker version 7.5 Steganalysis tool: Stegspy version 2.0 Hex Editor: Hex Editor Neo 4.95
  10. 10. Hiderman Analysis1. The truckfile content, which is unencrypted2. 10 bytes data with unknown function, which the value depends on the password.3. The length of the hidden file name, which is unencrypted.4. The name of the hidden file, which is encrypted.5. The hidden file content, which is presented using this algorithm: For every 4 bytes data, the first 2 bytes are unencrypted, and the last 2 bytes are encrypted
  11. 11. Hiderman Analysis ( contd. )6. 8 bytes data, which is almost same for every file. If it is changed / removed, then Hiderman will not authenticate user to recover the stego file, even tough the given password is correct.7. Stream of unknown bytes, which the length is not same for each file.8. The last 3 bytes (Hex value 43 44 4e) are the Hiderman signature.
  12. 12. Masker Analysis
  13. 13. Masker Analysis1. The truckfile content, which is unencrypted.2. The length of the hidden file content, which is unencrypted, presented twice, followed by blank character (Hex value 20), with total length 13 bytes.3. The hidden file content, which is encrypted. After the encrypted bytes of the file content, there is stream of 0 character (Hex value 30) followed by 12 blank characters and 0 character followed by 12 blank characters again. This pattern possible shows the end of the file content.4. Stream of unknown bytes, which is possible contain the password and encryption algorithm used for steganography process. The length of this part depends on the length of the password.5. The last 77 bytes are the Masker signature.
  14. 14. Stegspy’s Steganalysis Hiderman:Detecting the last 3 bytes of the stego file as Hiderman’s signature Masker: Stegspy cannot identify the stego file.  According to documentation, Stegspy claims it can identify Masker’s stego file!  It is possible to detect Masker by looking at last 77 bytes of stego file. It is Masker’s fingerprint and always same for every file.
  15. 15. Comparison Hiderman vs Masker Comparison Hiderman MaskerEncryption algorithm Predictable encryption algorithm. Standard encryption algorithm: Blowfish, DES, Cast5, Serpent-256, Rijndael-256, TripleDES, TWOFISHStaganography recovery •Truck file and hidden file can be •Hidden file can be recovered recovered. •Truck file cannot be recovered. •Although sometimes some of the bytes change in the truckfile after recovery process.Staganoganalysis •Stegspy and Hiderman use last 3 bytes •Stegspy cannot identify the stego file. of the stego file. •Masker can identify the stego file even some part of the last 77 bytes signature is missing or changed.
  16. 16. Conclusion Hiderman and Masker can be classified as robust steganography type and use Binary File steganography techniques. Hiderman and Masker use encryption, but Masker’s encryption is stronger than Hiderman’s : Hiderman’s result is predictable compared to Masker’s. Masker provides various encryption algorithms. Hiderman and Masker leave signature in the stego file and it can be detected. Stegspy can recognize Hiderman’s stego but not Masker’s, and it just searches for the signature of
  17. 17. Future Work It is possible to make deeper analysis in order to understand the steganography process of Hiderman and Masker. The research can be expanded by doing analysis of steganography process of the other tools in the audio and video media file. Analysis of the other steganography-steganalysis techniques and tools.