Detecting steganography in images
I recently came across an odd JPEG file: resolution 400x600 and a file size of 2.9 MB. I got suspicious and suspected that there is some additional information hidden. I tried some straightforward things: opened the file with some archive tools; tried to read its content with an editor, but I couldn't locate anything interesting.
Now my questions: What else can I do? Are there any tools available that analyze images for hidden data? Perhaps a tool that scans for known file headers?
I agree that is strange, but keep in mind it might have been encoded with very lax JPEG settings.
@Konrad, I doubt it. Even at three bits per pixel (24-bit color), a basic bitmap would be only approx. 720,000 bytes (400*600*3). I'd bet a trip to the Chinese buffet that there's something there not related to the obvious image. @Chris: Please post your findings, or even the file if you'll part with it.
To detect steganography it really comes down to statistical analysis (not a subject I know very well).
But here are a few pages that may help you out.
- Steganography Countermeasures and detection - Wikipedia page worth a read to cover the basics.
- An Overview of Steganography for the Computer Forensics Examiner - Has quite a long list of tools and some other useful information.
- Steganography Detection - Some more information about steganography.
- Steganography Detection with Stegdetect - Stegdetect is an automated tool for detecting steganographic content in images. It is capable of detecting several different steganographic methods to embed hidden information in JPEG images. The tool hasn't been updated in quite a while, but it was the best looking free tool I could find with a quick search.
A small matter of semantics, here: Steganography on its own isn't encryption, it's obfuscation. While the hidden data may in fact be encrypted, it is not a necessary part of steganography for it to be so.
Does Stegdetect still work or is it broken? I'm getting lots of compilation errors on Ubuntu 14.04.
I'll second the recommendation for Stegdetect: here's another good source for information, http://www.outguess.org/detection.php, as well as downloads for stegbreak and XSteg.
You can go right to the source for the research on this if you're interested; Neil Provos's page is here http://www.citi.umich.edu/u/provos/stego/
There are some great general references in the other answers here, so I'll just give some input specific to your situation:
When hiding data in pictures without changing the file size, you put it in the low-order bits; this can be detected by opening in an editor with a histogram and looking for jagged edges. But this sounds like a concatenation of a file to the image; *chan denizens often use this technique for distributing illicit files. Looking for file signatures after the first one--say, using 'grep -a' with a list of known filetype magic numbers--should reveal this technique. The combination of encryption and steganography is beyond the scope of this comment :D
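The appended-file case above, as an added example (not code from the thread): it walks the JPEG marker segments to find whatever follows the End-Of-Image marker and scans that trailer for a small, constructed table of magic numbers. Python 3.8+ is assumed.

```python
# Added example, not code from the thread: walk a JPEG's marker segments to find
# data appended after the End-Of-Image marker, then look for known signatures in it.
MAGIC = {                                   # constructed, partial signature table
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip",
    b"%PDF-": "pdf",
}

def jpeg_trailer(data: bytes) -> bytes:
    """Bytes after the image's EOI marker (empty if none). Walking segments, not
    searching for FF D9, avoids stopping at an embedded EXIF thumbnail's own EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                      # EOI: all that follows is foreign
            return data[pos + 2:]
        elif 0xD0 <= marker <= 0xD8 or marker == 0x01:  # RSTn/SOI/TEM carry no length
            pos += 2
        else:
            pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker == 0xDA:                    # SOS: skip entropy-coded data
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break                     # real marker; FF 00 and RSTn are data
                    pos += 1
    return b""                                    # no EOI reached: truncated file

def find_signatures(blob: bytes) -> list:
    """(offset, type) for every known magic number found in blob, by offset."""
    hits = []
    for magic, name in MAGIC.items():
        start = 0
        while (i := blob.find(magic, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)

# Constructed sample: fake EXIF thumbnail (own FF D8..FF D9), stuffed FF 00 in scan, appended ZIP.
SAMPLE = (b"\xff\xd8" + b"\xff\xe0\x00\x06JFIF"
          + b"\xff\xe1\x00\x0aExif\xff\xd8\xff\xd9"
          + b"\xff\xda\x00\x03\x01\x12\x34\xff\x00\x56"
          + b"\xff\xd9" + b"PK\x03\x04hidden archive bytes")
```

On the sample, `find_signatures(jpeg_trailer(SAMPLE))` reports a ZIP header at offset 0 of a 24-byte trailer; a naive search for the first FF D9 would have stopped inside the thumbnail.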
Please note that my comment below is regarding LSB (Least Significant Bit) steganography and not JPEG (DCT) or appended-data steganography.
"Steganography doesn't modify the file size significantly": this is incorrect. If I take a JPEG compressed image and apply LSB steganography then the resultant image size on disk will increase 'significantly', since images using LSB steganography MUST be saved in a lossless format such as BMP, TIFF or PNG. I have written software that takes any image format (such as JPEG) and hides data within it and saves out to PNG. It is often the case that I can open a JPEG of size 60Kb and be able to hide over 100Kb of data within it. The resultant PNG would look identical to the original JPEG but have a file size of 800Kb+.
When analyzing images for LSB steganography content you MUST have either the original image for comparison OR have knowledge of the encoding method. Without either of these you will NEVER determine if an image contains hidden LSB data. Considering that there are a multitude of ways to implement LSB steganography and an infinite number of images to choose as a source, it's no trivial task to determine any steganographic content. That said... ALL images containing LSB steganographic content must be saved lossless (without compression). Therefore they may stand out as larger in size (bytes) than might otherwise be expected. JPEG is a lossy algorithm (even with 0% compression), which is why images using LSB steganography cannot be saved as JPEG images; therefore your large JPEG image is unlikely to hold LSB steganography, however this does not rule out other steganographic options.
You can detect LSB steganography through statistical analysis if you know the LSB pattern typical of the image source. For example, if the image is a cartoon with large areas of solid color, you know something's up if the LSB varies from pixel to pixel. Similarly, if the image is from a camera with a bias in its pixel values, a uniform distribution of LSB values is an indication of steganography.
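The flat-colour check from the answer above, as an added example that is not the answer's own code: it measures how often neighbouring pixels in a flat region differ only in their LSB, on a constructed grayscale image before and after a simple LSB embedding. The 0.2 cut-off and the embedder are assumptions made for the demo.

```python
# Added example, not code from the thread: the "cartoon with flat colour" test from
# the answer above. In a flat region neighbouring pixels share the upper bits, so
# their LSBs should match too; LSB embedding of random data makes them disagree
# about half the time. Grayscale pixels as a list of rows (constructed, no library).
import random

def lsb_flip_rate(pixels):
    """Fraction of horizontal neighbour pairs that agree in the upper 7 bits but
    differ in the LSB. Near 0 for an untouched flat area, near 0.5 after embedding."""
    pairs = flips = 0
    for row in pixels:
        for a, b in zip(row, row[1:]):
            if a >> 1 == b >> 1:              # same colour up to the LSB
                pairs += 1
                flips += (a ^ b) & 1
    return flips / pairs if pairs else 0.0

def looks_lsb_embedded(pixels, threshold=0.2):
    """Flag an image whose flat regions carry LSB noise above `threshold` (assumed cut-off)."""
    return lsb_flip_rate(pixels) > threshold

def embed_lsb(pixels, bits):
    """Constructed embedder used only to build the test sample: write one bit into
    each pixel's LSB in row-major order until the bits run out."""
    out = [row[:] for row in pixels]
    it = iter(bits)
    for row in out:
        for c, v in enumerate(row):
            bit = next(it, None)
            if bit is None:
                return out
            row[c] = (v & ~1) | bit
    return out

# Constructed 16x32 "cartoon": a light band over a dark band, perfectly flat.
CLEAN = [[200] * 32 for _ in range(8)] + [[40] * 32 for _ in range(8)]
rng = random.Random(1)                                  # fixed seed: reproducible sample
STEGO = embed_lsb(CLEAN, [rng.getrandbits(1) for _ in range(16 * 32)])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("stego", STEGO)):
        print(name, round(lsb_flip_rate(img), 3), looks_lsb_embedded(img))
```

Pairs whose upper bits differ (the band boundary, or any real edge) are skipped, so the statistic only looks where the source image gives a known-flat LSB pattern, which is exactly the precondition the answer states.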