1 Introduction

A more comprehensive approach is required to conduct digital forensic investigations adequately when it comes to examining content for possible concealment through steganography.

Steganography is used as a means for communicating covertly in plain sight without arousing suspicion. This technique entails concealing a message inside an inconspicuous object in such a way that a casual observer is not able to differentiate between the original object (referred to as a cover object), and the object with the hidden message (also known as the stego image or steganogram). In the digital world, this cover object could be in the form of media, such as an image file, a video file, or even a music file [1].

Conversely, steganalysis refers to the complementary operation of detecting messages that have been hidden using steganography. During this process, the steganalysis algorithm interrogates the properties of an object which may be serving as the cover for hidden content, searching for any anomalies that could be deemed suspicious.

For digital forensics investigators, steganalysis is not without challenges. The existence of numerous steganography techniques (which can be dependent on the cover object file type), and the inability to extract the hidden message embedded in the first place can end up successfully frustrating steganalysis efforts.

In this paper, we propose the implementation of a more encompassing steganalysis tool that employs a greater variety of techniques to establish, with greater certainty, whether a suspected file is a steganogram or simply a clean object. For the study, we will focus specifically on messages embedded into Portable Network Graphics (PNG) files. Our prototype will thus implement a series of Least Significant Bit (LSB) steganalysis techniques from varying domains to counter anti-detection attempts.

The rest of the paper is organized as follows: Sect. 2 briefly reviews some of the LSB steganalysis techniques to establish the different domains of LSB steganalysis techniques that exist. Section 3 then outlines a model of our more encompassing steganalysis solution. Section 4 presents the implementation details, along with the results of our prototype in Sect. 5, concluding the paper in Sect. 6.

2 Literature Review

2.1 Pairs of Values (Chi-Squared Attack)

This technique detects LSB embedding by using the histogram representation of the image. In a cover image, the gradient of the bars of the histogram can be noticeably smoother with bar heights varying throughout. In contrast, the bars on the histogram of a steganogram have neighbors that are roughly of equal height, producing a more rigid pattern [2]. Such an observation can be explained by how changes are applied within value pairs, resulting in an even distribution of 0s and 1s for each [2].

The success of histogram attacks on LSB steganography however relies on a fully-embedded image (where every single LSB is utilized to store a message).

2.2 Sample Pairs Analysis

When the image is only partially embedded along a pseudo-random path, examiners are no longer able to rely solely on a histogram of pixels while ignoring the dependency among neighboring pixels in natural images. For this reason, a more accurate and reliable method of detection that considers the spatial correlation within the image is used.

2.3 RS Analysis

RS Steganalysis relies on how LSB embedding operations work to determine whether an image contains a hidden message, as well as what the length of that message may be. This is achieved by identifying the presence of an imbalance in the cover file to establish the existence of hidden data [3, 4].

3 Model

Although the previous section has described several statistical techniques that could be employed for uncovering the presence of steganography, the use of just one domain area, such as statistical steganalysis, may not yield sufficiently thorough results. To address the shortcomings of a single steganalysis approach, we consider the application of several analysis models, which when used in conjunction with each other, provide a complementary set of techniques to test for most characteristics that reveal the presence of hidden messages.

3.1 Visual Models

LSB Amplification. This model aims to enhance the luminosity of the image in a manner that removes all the parts of the image that are blocking the message. The human eye will then be able to distinguish whether there is a hidden message present in the image [5].

Difference and Neighborhood Histogram. Whilst this model may technically fall under a statistical method, it has been included as a visual one as it involves the production of a visual representation of the histogram which the user should ideally interpret. The neighboring bars in the histogram of a steganogram, for example, will exhibit similar heights [6].

3.2 Statistical Models

Chi-Square Attack. The approach to this form of steganalysis is to compare the expected frequency distribution in suspected stego images with a sample distribution observed in the possibly changed carrier image. Such an approach will however require an expected frequency distribution of the original cover image. Realistically, it would not be feasible to have a database of every possible image out there.

This shortcoming can however be addressed by estimating the theoretical expected frequency distribution [5].
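The estimate described above, as an added example that is not the paper's prototype code: the expected frequency of each value pair (2k, 2k+1) is taken as the mean of the pair, so no original cover image is needed. The sample data is constructed, the `min_expected` cut-off and function names are assumptions, and the Wilson-Hilferty approximation stands in for an exact chi-square distribution function.

```python
import math
import random

def chi2_survival(x, dof):
    """P(chi-square with `dof` degrees of freedom >= x), Wilson-Hilferty approximation."""
    if x <= 0:
        return 1.0
    z = ((x / dof) ** (1 / 3) - (1 - 2 / (9 * dof))) / math.sqrt(2 / (9 * dof))
    return 0.5 * math.erfc(z / math.sqrt(2))

def embedding_probability(samples, min_expected=5):
    """Pairs-of-values test over 8-bit samples; near 1.0 suggests full LSB embedding."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        # Theoretical expected frequency: the mean of the pair (2k, 2k+1),
        # which LSB replacement leaves unchanged.
        expected = (hist[even] + hist[even + 1]) / 2
        if expected < min_expected:  # assumption: skip sparsely populated pairs
            continue
        stat += (hist[even] - expected) ** 2 / expected
        pairs += 1
    if pairs < 2:
        return 0.0
    return chi2_survival(stat, pairs - 1)

def constructed_cover():
    """Constructed cover samples: even values three times as frequent as odd ones."""
    return [v for v in range(256) for _ in range(30 if v % 2 == 0 else 10)]

def replace_lsbs(samples, fraction, seed=1):
    """Constructed stego samples: overwrite the LSB of a random `fraction` with random bits."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) if rng.random() < fraction else v
            for v in samples]
```

Run over the whole histogram, the test reports a probability near 1 for the fully embedded samples and near 0 for both the cover and a 25% embedding, which is the dependence on full embedding noted in Sect. 2.1.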

Sample Pairs Analysis. This approach focuses on the analysis of transitions (such as slight color changes) in adjacent vertical or horizontal pixel pairs that are often imperceptible to the human eye [7]. An example is changing a pixel which is white (represented by FF FF FF) to FF FF FE.

3.3 Forensic Models

The model behind this attack is a custom one based on how LSB steganography works, reverse-engineering the process to extract the embedded message. The model aims to iterate through pixels in the domain search space and extract the least significant bit for that image. These values are then collected and concatenated in the end to produce a byte stream. This byte stream will be cast into a string value and then the result will be presented to the user.
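The extraction model described above, as an added example that is not the paper's prototype code. The channel order (R, G, B), the NUL terminator, the `min_len` cut-off and all function names are assumptions; the example also goes slightly beyond the text by trying both bit orders within a byte, since an examiner does not know which one the embedder used. The pixels and message are constructed.

```python
import string

PRINTABLE = set(string.printable.encode("ascii"))

def lsb_bits(pixels):
    """Yield the least significant bit of every channel, pixel by pixel."""
    for pixel in pixels:
        for channel in pixel:
            yield channel & 1

def pack_bytes(bits, msb_first=True):
    """Concatenate bits into a byte stream, dropping an incomplete final byte."""
    bits = list(bits)
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def printable_prefix(data):
    """Cast the leading run of printable ASCII bytes to a string."""
    end = 0
    while end < len(data) and data[end] in PRINTABLE:
        end += 1
    return data[:end].decode("ascii")

def recover_text(pixels, min_len=8):
    """Try both bit orders; return the longest printable prefix, or None."""
    candidates = [printable_prefix(pack_bytes(lsb_bits(pixels), order))
                  for order in (True, False)]
    best = max(candidates, key=len)
    return best if len(best) >= min_len else None

def constructed_pixels(n):
    """Constructed clean image data: n RGB pixels from simple arithmetic."""
    return [((i * 7) % 256, (i * 13) % 256, (i * 29) % 256) for i in range(n)]

def constructed_stego(pixels, message):
    """Constructed test steganogram: message bits, MSB first, then a NUL byte."""
    bits = [(b >> s) & 1 for b in message + b"\x00" for s in range(7, -1, -1)]
    flat = [c for p in pixels for c in p]
    flat[:len(bits)] = [(c & ~1) | bit for c, bit in zip(flat, bits)]
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]
```

`recover_text` returns `None` for the clean pixels because neither bit order yields a printable run of at least `min_len` characters.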

4 Experimentation and Results

4.1 Preparation of Image Files

Images from the VOC 2005 Database: Dataset 1, as provided by the University of Oxford, were used for assessing our prototype implementation. The set contains 1578 images of categories motorbikes, bicycles, people, and cars in arbitrary poses [8]. From these, 26 images were selected and each processed to produce three different versions of the file. Details of the three versions are presented in Table 1.

Table 1 Preparation for each of the 26 images used for the experiment

4.2 Steganographic Process

To embed the images with the medium- and long-length text messages described in Table 1, a LSB steganographic program developed for a separate, previous project was used. This program was tested extensively and verified as functioning correctly.

For each of the 26 images processed by the LSB steganographic program, two additional files with embedded messages were created.

4.3 Testing of Statistics Methods

The implementation of the statistical algorithms incorporated in the model (Chi-Squared Attack, Sample Pairs Analysis, and RS Analysis) was assessed first. All 78 images prepared were run through the three statistical steganalysis techniques to obtain output in the form of percentages that suggested the possibility of steganography being embedded in the image. As seen in the results displayed in Figs. 1, 2 and 3, an additional threshold field was added to aggregate the results from the three statistical algorithms and reach a consensus-based outcome.

Fig. 1 Results of statistical algorithms against cover images

Fig. 2 Results of statistical algorithms against stego images (medium-length text)

Fig. 3 Results of statistical algorithms against stego images (long-length text)

While the statistical algorithms were mostly accurate, they struggled to produce the correct result in several instances where the embedded hidden message was of medium length.

4.4 Testing of Visual Methods

Since visual methods require visual confirmation from a human user, the tests centered on LSB Amplification and Neighborhood Histogram (and later the Forensic Steganalysis) were modified to focus on a single image set instead. Table 2 below shows the file sizes of each of the images.

Table 2 File sizes of select image set used for experiment

4.5 Testing of Forensic Method

Because the clean images would have nothing to extract, this test focuses on recovering the hidden text from the stego images that were embedded with the medium- and long-length messages. By applying the algorithm described in Sect. 3.3, we were able to recover the original text, as seen in Fig. 4.

Fig. 4 Results of text recovered from the two stego images using forensic steganalysis

5 Discussion of Results

5.1 Statistical Techniques

Medium-length messages hidden in stego images could at times result in the incorrect consensus that the image was clean. A threshold was chosen such that any steganalyses producing probabilities higher than 20% would lead to the assumption that the image quite likely hides a message.

Images Embedded with Long-Length Messages. When it comes to images embedded with long-length messages, Chi-Squared tests perform incredibly well with the average certainty probability of the image containing steganography sitting at 99%. In contrast, both Sample Pairs and RS Analysis averaged at a probability of 55% and 54% respectively. Since the threshold is set at 20%, both algorithms can be seen to still yield positive, accurate results.

Images Embedded with Medium-Length Messages. As in the case with long-length embedded messages, Sample Pairs and RS Analysis performed similarly, detecting at an average of 19% and 18.6% respectively.

Seeing as the threshold value was 20%, these algorithms would have incorrectly classified many of the images as being clean, suggesting that such techniques do not perform well. In comparison, Chi-Squared tests yielded an average of 34.6%. Although this probability is also relatively low, the Chi-Squared test would still correctly classify the images due to the 20% threshold.

Such results serve to validate the appropriateness of the threshold level.

Clean Images. Once again, Sample Pairs and RS Analysis perform similarly. The average for steganography being present in clean images was around 2% for both. This average value is even lower at 1% using the Chi-Squared test. Overall, all 3 algorithms performed well as they did not incorrectly classify an image as being a stego object.

5.2 LSB Amplification

Clean Image. When using LSB Amplification on a clean image, the result is an image that resembles an old television set which is not tuned to a channel due to the completely random distribution of information. If this was the only image to sample as an observer, there would be little reason to doubt that there is anything suspicious about this image.

Image Embedded with Medium-Length Message. Because the image has been manipulated to embed a message, a definite pattern can be seen starting from the top left of the image, noticeable to the human eye. In the case of our selected image and embedded image, we noticed that this pattern persisted for roughly the first 25% of the image’s LSB enhancement (as seen in Fig. 5).

Fig. 5 LSB Amplification with medium-length message

This observation is consistent with the file sizes: given 397/523 * 100 = 75.9% (where the original file size is 397 kb while the medium-length stego image is 523 kb), approximately 25% of the stego file contains hidden data.

Image Embedded with Long-Length Message. As noticed in the image embedded with a medium-length message, the extent to which noise is present in LSB Amplification of an image embedded with a message depends on the size of the message being hidden.

The noise level of the same image embedded with the longer Alice in Wonderland text is therefore much more pronounced. In such a case, a person asked to assess whether the image is embedded with a hidden message will have little reason to doubt that the image is indeed suspicious.

5.3 Neighborhood Histogram

Clean Image. As indicated by Westfeld, neighborhood histograms of images devoid of steganography generally have between 8 and 10 neighborhood colors [4]. In our test image, the neighborhood histogram produced 10 neighborhood colors, with all the bars of varying length.

Image Embedded with Medium-Length Message. As established earlier in the LSB Amplification discussion, the embedded medium-length message takes up around 25% of the total file space. This observation accounts for the frequency of the neighborhood colors starting off very high and gradually lowering over time. The lower end of the histogram, which reflects typical behavior present in clean images, is the normal part of the image that does not contain any part of the concealed medium-length message.

Image Embedded with Long-Length Message. Due to the size of the message taking up almost the entire cover file space, the intensity of the frequency of neighborhood colors is consistently strong throughout the histogram. In this example (as seen in Fig. 6), most of the neighboring bars (as opposed to only some in the Medium-Length Message) are also of a similar height, making it easy for a human to visually discern that there is steganography embedded in the image.

Fig. 6 Neighborhood histogram with long-length message

6 Conclusion

Based on the experiments conducted, the following conclusions can be drawn:

  • No one single statistical method can provide a solid and 100% detection rate; sometimes, the Chi-Square test will yield a better result than RS Analysis and sometimes, the opposite will be true.

  • Combining results of the statistical methods leads to conclusions that are almost always accurate—this is especially true when a series of statistical techniques are combined, and a weighted average is used to draw the conclusion regarding the presence of steganography.

  • Assessing each image for steganography using a combination of statistical methods is computationally taxing. On their own, each statistical test is already quite computationally expensive. This can be overcome by finding a mean of all the results to improve scanning time significantly. Specifically, the tool could start off with the tests known to be more accurate such as Chi-square and RS analysis. If both return good results, the steganalysis tool should not waste further resources by pursuing Primary Set and Sample Pairs Analysis.

  • Employing visual techniques is a very strong way to identify suspicious images. However, this will need to be done on an image by image basis, which would ultimately prove non-feasible for investigators requiring results on a bulk set of images. For such purposes, investigators should revert to statistical steganalysis.

  • The neighborhood histogram visual technique provided another very accurate approach to detecting steganography. The main concern here is that investigators employing this technique would need to have the knowledge to correctly interpret the result. It is however possible to programmatically develop the rules so that the interpretation of the histogram can be carried out by the computer instead.

  • The initial results of the message extraction technique employed in the prototype proved to be positive, demonstrating how messages can be recovered from an image for forensic steganalysis purposes.

For further work, we anticipate testing our message recovery technique against other embedding techniques (other than LSB) to assess its validity.

Additional areas that will be focused on include the implementation of the programmatic interpretation of histograms and automating the decision-making concerning the optimal deployment of appropriate statistical methods for testing images for the presence of steganography.