In this article we are going to talk about how to identify the steganography scheme that has been used to hide information. To do this, we will use the Aletheia steganalysis tool.
Options to consider
Often we already suspect that a specific steganography scheme has been used, which makes the analysis much easier. In many other cases, however, we have to identify which scheme has been used, if any.
To do this, we will use the Aletheia steganalysis tool, so we will rely on the detection methods that this tool implements. That is, we will not attempt to identify steganography schemes for which we do not have detection methods.
On the other hand, we will assume that trivial steganography methods (file concatenation, which some file formats allow; letters drawn in hard-to-see colors; data in a fully transparent alpha channel; and similar tricks) have already been checked.
Note that this is only an initial exploration, so it only gives us a first idea of which steganography methods are most likely to have been used. Normally, it will be necessary to continue with a more in-depth analysis, such as that shown in other articles:
- Practical attack on Steghide.
- Practical attack on F5.
- Practical attack on LSB replacement: OpenStego and OpenPuff.
Since steganography techniques tend to be very different depending on whether we are dealing with a JPEG image or an uncompressed image (PNG, TIF, BMP, etc.), we are going to perform the analysis separately.
JPEG images
The best detection methods Aletheia has for JPEG images are based on deep learning models, which are the ones used by the auto command. Therefore, for JPEG images, our best option is to use this command.
Let’s look at an example where the most likely scheme appears to be Steghide.
./aletheia.py auto actors/A2
              Outguess   Steghide   nsF5       J-UNIWARD *
-----------------------------------------------------------
2.jpg         [1.0]      [1.0]      [0.9]       0.3
4.jpg         [1.0]      [1.0]      [0.7]       0.3
10.jpg         0.0       [1.0]       0.3        0.2
6.jpg          0.0       [1.0]       0.1        0.0
7.jpg         [1.0]      [1.0]       0.3        0.1
8.jpg          0.0       [1.0]       0.1        0.2
9.jpg         [0.8]      [1.0]      [0.7]       0.1
1.jpg         [1.0]      [1.0]      [0.8]       0.1
3.jpg         [1.0]      [1.0]      [1.0]       0.3
5.jpg          0.0        0.1       [0.7]      [0.6]
Let’s now look at another example where the most likely scheme appears to be nsF5:
./aletheia.py auto actors/A3
              Outguess   Steghide   nsF5       J-UNIWARD *
-----------------------------------------------------------
2.jpg          0.0        0.0       [1.0]      [1.0]
4.jpg          0.0        0.0       [0.6]       0.3
10.jpg         0.0        0.0        0.1        0.3
6.jpg          0.0        0.0       [0.9]      [1.0]
7.jpg          0.0        0.0       [0.6]       0.5
8.jpg          0.0        0.0       [0.9]       0.4
9.jpg          0.0       [1.0]      [0.9]       0.4
1.jpg          0.0        0.0       [0.6]      [0.5]
3.jpg          0.0        0.0       [0.5]       0.1
5.jpg          0.0        0.0       [0.9]       0.2
* Probability of steganographic content using the indicated method.
And finally, let’s see an example for Outguess:
./aletheia.py auto actors/A5
              Outguess   Steghide   nsF5       J-UNIWARD *
-----------------------------------------------------------
2.jpg         [1.0]      [1.0]      [0.7]      [1.0]
4.jpg         [1.0]      [1.0]       0.4       [0.8]
10.jpg        [1.0]      [1.0]       0.3       [1.0]
6.jpg         [1.0]      [1.0]       0.4       [1.0]
7.jpg         [1.0]       0.0       [0.8]      [1.0]
8.jpg         [1.0]      [1.0]      [1.0]      [1.0]
9.jpg         [1.0]      [1.0]       0.4       [0.7]
1.jpg         [1.0]      [1.0]      [1.0]      [0.9]
3.jpg         [1.0]      [1.0]      [0.9]      [1.0]
5.jpg         [1.0]      [1.0]      [0.8]      [1.0]
* Probability of steganographic content using the indicated method.
In this last case, however, it is a bit more complicated to know which method is used, since other models also detect it quite reliably.
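Reading these tables by eye amounts to counting, per column, how many of an actor's images are flagged. The following added example (not part of Aletheia or of the original article) does that for the actors/A2 output shown earlier; it assumes bracketed values are the ones the tool flags, and the `candidates` helper with its `margin` parameter is hypothetical.

```python
# Output of `./aletheia.py auto actors/A2`, copied from the article above.
A2_OUTPUT = """\
Outguess Steghide nsF5 J-UNIWARD *
-----------------------------------------------------------
2.jpg [1.0] [1.0] [0.9] 0.3
4.jpg [1.0] [1.0] [0.7] 0.3
10.jpg 0.0 [1.0] 0.3 0.2
6.jpg 0.0 [1.0] 0.1 0.0
7.jpg [1.0] [1.0] 0.3 0.1
8.jpg 0.0 [1.0] 0.1 0.2
9.jpg [0.8] [1.0] [0.7] 0.1
1.jpg [1.0] [1.0] [0.8] 0.1
3.jpg [1.0] [1.0] [1.0] 0.3
5.jpg 0.0 0.1 [0.7] [0.6]
"""

def parse_auto(text):
    """Return (methods, rows); rows maps file -> [(prob, flagged), ...]."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    methods = [tok for tok in lines[0] if tok != "*"]
    rows = {}
    for toks in lines[1:]:
        if len(toks) != len(methods) + 1:
            continue  # separator or footnote, not a data row
        try:
            # Assumption: brackets are the tool's positive marker. Printed values
            # are rounded (0.5 appears both with and without brackets above).
            rows[toks[0]] = [(float(t.strip("[]")), t.startswith("[")) for t in toks[1:]]
        except ValueError:
            continue
    return methods, rows

def rank_methods(methods, rows):
    """Sort methods by number of flagged images, then by mean probability."""
    stats = []
    for i, name in enumerate(methods if rows else []):
        col = [row[i] for row in rows.values()]
        mean = round(sum(p for p, _ in col) / len(col), 2)
        stats.append((name, sum(f for _, f in col), mean))
    return sorted(stats, key=lambda s: (s[1], s[2]), reverse=True)

def candidates(ranking, margin=1):
    """Methods within `margin` flagged images of the best one (hypothetical cut-off)."""
    best = ranking[0][1] if ranking else 0
    return [name for name, flagged, _ in ranking if best - flagged <= margin]

if __name__ == "__main__":
    ranking = rank_methods(*parse_auto(A2_OUTPUT))
    print(ranking, candidates(ranking))
```

For actors/A2 this leaves Steghide as the only candidate; fed the actors/A5 output, the same ranking returns Outguess, J-UNIWARD and Steghide together, which is the ambiguity noted above.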
Uncompressed images
In uncompressed images, there is a possibility that the LSB replacement technique was used. For this technique there is a family of very reliable attacks, known as structural attacks. Therefore, it is a good idea to start with a couple of structural attacks.
Let’s look at an example where we find hidden information:
$ ./aletheia.py spa sample_images/lena_lsbr.png
Hidden data found in channel R 0.09308090623358549
Hidden data found in channel G 0.09238585295279302
Hidden data found in channel B 0.11546638236749293
$ ./aletheia.py ws sample_images/lena_lsbr.png
Hidden data found in channel R 0.10590840834668327
Hidden data found in channel G 0.07463418193363092
Hidden data found in channel B 0.07968467118722876
We might also find nothing:
$ ./aletheia.py spa sample_images/lena.png
No hidden data found
$ ./aletheia.py ws sample_images/lena.png
No hidden data found
If we can’t find hidden data, it’s time to try deep learning models, using the auto command. However, reliable steganalysis with deep learning requires more images, because of the CSM (cover source mismatch) problem, which we describe in more detail in other articles:
- Practical attack on Steghide.
- Practical attack on F5.
- Practical attack on LSB replacement: OpenStego and OpenPuff.
Let’s see an example in which we detect different steganography schemes:
$ ./aletheia.py auto sample_images/alaska2
                      LSBR     LSBM     SteganoGAN   HILL *
---------------------------------------------------------
25422.png              0.0      0.0      0.0          0.0
27693_steganogan.png  [0.9]    [1.0]    [1.0]        [0.9]
74051_hill.png         0.0      0.0      0.0         [0.9]
36466_steganogan.png  [0.9]    [1.0]    [1.0]        [1.0]
04686.png              0.0      0.0      0.0          0.0
37831_lsbm.png        [1.0]    [1.0]     0.0         [0.7]
34962_hill.png         0.0      0.0      0.0         [0.5]
00839_hill.png         0.0     [0.8]     0.0         [1.0]
74648_lsbm.png        [1.0]    [1.0]     0.0         [0.6]
74664.png              0.0      0.0      0.0          0.0
55453_lsbm.png        [0.6]    [0.9]     0.0         [0.9]
67104_steganogan.png  [0.9]    [0.9]    [1.0]        [0.8]
* Probability of steganographic content using the indicated method.