This project figure out the pattern of the bytes in the stego file and how steganalysis tool can identify the bytes appended to the truck file by steganography tool. This analysis is based on basic theory of steganography and steganalysis, and using a hex editor in order to check what kind of bytes that the steganography tool appends to the truck file. --- Please contact to lailiaidi at gmail.com for download request

1. Analyzing the file hidden by the
steganography tool and how
the steganography detection
tool detects it
Group 6
Ahmet Aydin - Arman Güngör - Laili Aidi

2. Background
 Steganography is hiding secret message into cover
media, no one suspects from the presence of hidden
message.
 Steganalysis is the art of revealing hidden message in
a cover media.
 Keywords: Stego file, truck file (cover media)

3. Goal
 Figuring out the pattern of the bytes in the stego file.
 How steganalysis tool (Stegspy) identify the bytes
appended to the cover media.
 Comparing steganography tools: Hiderman and Masker

4. Limitation of Study
 The analysis is only done with the text and JPEG
files, not with audio or video file.
 There are parts of the stego files that cannot be
analyzed yet, because the encryption that is used in the
steganography process make these bytes complicated
to be analyzed.

5. Steganography Type
 Robust steganography: involves embedding
information into a file, cannot easily be destroyed.
 Fingerprinting
 Watermarking
 Fragile steganography: involves embedding information
into cover media, destroyed if that media is modified.

6. Steganography Technique
 Binary File Techniques
 Plaintext Steganography Techniques
 Still imagery Steganography Techniques
 Audio and Video Steganography
 IP datagram steganography / Network Covert Channel /
Network steganography

7. Steganalysis Technique
 Based on unusual pattern in the media or visual
detection of the same.
 This can be done because the properties of electronic
media are changed after it is used to hide any
object, result degradation in terms of quality or unusual
characteristics of the media.

8. Steganography Attacks
 Known carrier attack
 Steganography only attack
 Known message attack
 Known steganography attack

9. Tools
 Steganography tools:
 Hiderman version 3.0
 Masker version 7.5
 Steganalysis tool: Stegspy version 2.0
 Hex Editor: Hex Editor Neo 4.95

10. Hiderman Analysis
1. The truckfile content, which is unencrypted
2. 10 bytes data with unknown function, which the value depends on the password.
3. The length of the hidden file name, which is unencrypted.
4. The name of the hidden file, which is encrypted.
5. The hidden file content, which is presented using this algorithm: For every 4 bytes
data, the first 2 bytes are unencrypted, and the last 2 bytes are encrypted

11. Hiderman Analysis ( contd. )
6. 8 bytes data, which is almost same for every file. If it is changed /
removed, then Hiderman will not authenticate user to recover the
stego file, even tough the given password is correct.
7. Stream of unknown bytes, which the length is not same for each file.
8. The last 3 bytes (Hex value 43 44 4e) are the Hiderman signature.

12. Masker Analysis

13. Masker Analysis
1. The truckfile content, which is unencrypted.
2. The length of the hidden file content, which is
unencrypted, presented twice, followed by blank character
(Hex value 20), with total length 13 bytes.
3. The hidden file content, which is encrypted. After the
encrypted bytes of the file content, there is stream of 0
character (Hex value 30) followed by 12 blank characters
and 0 character followed by 12 blank characters again.
This pattern possible shows the end of the file content.
4. Stream of unknown bytes, which is possible contain the
password and encryption algorithm used for
steganography process. The length of this part depends on
the length of the password.
5. The last 77 bytes are the Masker signature.

14. Stegspy’s Steganalysis
 Hiderman:Detecting the last 3 bytes of the stego file as
Hiderman’s signature
 Masker: Stegspy cannot identify the stego file.
 According to documentation, Stegspy claims it can
identify Masker’s stego file!
 It is possible to detect Masker by looking at last 77 bytes
of stego file. It is Masker’s fingerprint and always same
for every file.

15. Comparison Hiderman vs
Masker
Comparison Hiderman Masker
Encryption algorithm Predictable encryption algorithm. Standard encryption algorithm:
Blowfish, DES, Cast5, Serpent-256,
Rijndael-256, TripleDES, TWOFISH
Staganography recovery •Truck file and hidden file can be •Hidden file can be recovered
recovered. •Truck file cannot be recovered.
•Although sometimes some of the bytes
change in the truckfile after recovery
process.
Staganoganalysis •Stegspy and Hiderman use last 3 bytes •Stegspy cannot identify the stego file.
of the stego file. •Masker can identify the stego file even
some part of the last 77 bytes signature
is missing or changed.

16. Conclusion
 Hiderman and Masker can be classified as robust
steganography type and use Binary File
steganography techniques.
 Hiderman and Masker use encryption, but
Masker’s encryption is stronger than Hiderman’s
: Hiderman’s result is predictable compared to
Masker’s.
 Masker provides various encryption algorithms.
 Hiderman and Masker leave signature in the
stego file and it can be detected.
 Stegspy can recognize Hiderman’s stego but not
Masker’s, and it just searches for the signature of

17. Future Work
 It is possible to make deeper analysis in order to
understand the steganography process of Hiderman
and Masker.
 The research can be expanded by doing analysis of
steganography process of the other tools in the audio
and video media file.
 Analysis of the other steganography-steganalysis
techniques and tools.