Hiding in plain sight: Examining support for steganographically hidden content on the internet

Author: Vivek Kaushik
Fraud Management and Digital Forensics COE, Enterprise Security and Risk Management, TCS
1. Introduction

Steganography is the practice of hiding a message or a file within another file so that only the sender and receiver know of its existence. It may also involve the use of cryptography, where the secret message/file is encrypted before being hidden. The objective is to ensure that transmission of secret data remains unsuspected and undetectable. Unlike encrypted files, steganographically hidden messages do not attract attention or arouse suspicion.

Steganography is both an art and a science. As a science it has evolved with advancement in technology, hiding techniques and tools, and as an art it has evolved with the ingenuity of man. This advancement has made it easy for anyone to practice it from anywhere on the planet.

There are useful applications of steganography, like digital watermarking for copyright protection; however, it is an equally potent tool for unlawful activities. It can be instrumental in communicating information and instructions from handlers to terrorists, in siphoning out confidential information without detection, and so on. On the other hand, what is important for a digital forensic examiner is to identify the suspected tool, technique and algorithm used for hiding the data, determine whether or not any payload has been encoded in it, and recover that payload to the extent possible. This is popularly called Steganalysis.

In October 2011, the New York Times published an article suggesting that Al-Qaeda had used steganography and instructed its terrorists that all their communications were to be made through pictures posted on the Internet.

The internet presents countless avenues to upload, share, host, and download files that could potentially be used as carriers of secret messages. This could be a nightmare for law enforcement, security agencies and forensic experts across the world.
This article presents an approach to examine whether a website allows support for steganographically hidden content by evaluating a varied mix of social media sites, image hosting sites, media sites and a few easily available steganography tools.

2. Requirements for hiding data

Apart from the data to be hidden, other requirements to steganographically hide data are:

1. A carrier file / cover channel (which is a non-secret file that does not arouse suspicion)
2. Hidden file / information of size less than the carrier file (depends upon the algorithm)
3. An algorithm to hide the data in the carrier file
4. A means to transfer the file to the recipient
2.1. Carrier file and secret data:

There could be various possible combinations of secret data hidden inside a carrier file. Some typical examples could be:

1. Hiding a text message in an image file (.bmp, .gif, .jpg)
2. Hiding a text file (.txt) in an image file
3. Hiding an image file inside another image file
4. Hiding a text message, txt file or image file inside an audio file (.mp3, .wav)
5. Hiding a text message inside a video file (.3gp, .mp4)

This article examines text messages, .txt files and .jpg files as hidden messages inside image, audio and video files.

2.2. Steganography tool:

There are several steganography tools available on the internet, such as Quick Crypto, Invisible Secrets 4, StegoMagic, MP3Stego, MobiStego, Stegais etc. This article examines Quick Crypto, Invisible Secrets 4 and StegoMagic as steganography tools.

2.3. Transmission medium:

The internet can be used as a very effective medium of transmission. There are several websites that allow uploading digital content like pictures, audio files and video files. Some websites even allow unregistered uploads and downloads. This article examines the Facebook, Youtube, Soundcloud, Tinypic, Postimage, Imgur, Okcupid, Clownbasket and Picosong websites.

3. Approach to examine support for steganographically hidden data

The approach described in this section is a general one that can be used to examine whether a website supports steganographically hidden data. For the purpose of illustration, only a few representative websites and tools have been chosen in this article; however, other tools and websites can be evaluated using the same approach.
1. Select a website to be examined, and select a carrier file that can be uploaded on the target website
2. Create a secret message / txt file / image file to be hidden inside the carrier file
3. Use a steganography tool and hide the secret data inside the carrier file
4. Upload the loaded carrier file on the website
5. Download the file (preferably from another account or anonymously) and try to recover hidden data

If the hidden message / file is recovered, then it can be inferred that the website does not validate / edit / strip the uploaded content and can be used for transmitting hidden data steganographically.

4. Examining support for steganographically hidden data

4.1. Image based websites

There are numerous websites that allow uploading of images which can be downloaded by others. This article examines the following websites: Facebook.com, Postimage.org, Imgur.com, Okcupid.com and Tinypic.com.

4.1.1. Selecting a website, tool and carrier file:

For the purpose of illustration, shown below is the tool InvisibleSecrets 4 and website tinypic.com. The carrier file chosen is a jpg image of female fireflies called jugni.jpg.

4.1.2. Secret message / file to be hidden:

A text file called secret.txt with a secret hidden message is chosen to be hidden.

4.1.3. Hiding the secret data in the carrier file:

Secret.txt is hidden in jugni.jpg using InvisibleSecrets 4. It is encrypted before being hidden and the password provided is jugni.

4.1.4. Uploading the loaded carrier file on the website:

The file is uploaded on tinypic.com. The website provides a unique address for every image uploaded, which can be used to view / download it.

4.1.5. Downloading and recovery of hidden data:

The file was downloaded from its address and InvisibleSecrets 4 was used to recover secret.txt from the jpg file. The hidden file was successfully recovered and the message was read.

4.1.6. Analyzing the results:

It was found that tinypic.com and postimage.org support steganographed content, whereas Facebook, imgur and okcupid perform certain validations / modifications / stripping where the carrier file is changed, and the hidden message couldn't be recovered from the downloaded carrier file. Tinypic and postimage can also be accessed from the TOR browser to maintain anonymity. However, there is a dependency involved in downloading content from both these websites: a link is created for every image uploaded, and that link has to be shared with anyone who wants to download the image. These uploaded pictures cannot be readily searched by anyone.

| Hidden content type / recovery status | Facebook | imgur | okcupid | tinypic | postimage |
|---|---|---|---|---|---|
| text | no | no | no | yes | yes |
| text file (.txt) | no | no | no | yes | yes |
| image file (.img) | no | no | no | yes | yes |
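
The results above separate sites that return the carrier unchanged from sites that modify it. The following Python is an added example, not part of the original article and not a description of how any named tool or site works: it compares an uploaded JPEG with its downloaded copy and reports which parts of the file changed. The function names and sample bytes are constructed for illustration, and the parser assumes a baseline JPEG with a single scan.

```python
import hashlib
import struct

def seg(marker: int, body: bytes) -> bytes:
    # Build one JPEG marker segment; the length field counts its own 2 bytes.
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body

def parse_jpeg(data: bytes) -> dict:
    """Hash APPn/COM segments and the scan data, and keep bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    meta, pos = {}, 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body, pos = data[pos + 4:pos + 2 + length], pos + 2 + length
        if marker == 0xDA:  # SOS: entropy-coded data runs to the first EOI
            eoi = data.find(b"\xff\xd9", pos)
            if eoi < 0:
                raise ValueError("missing EOI marker")
            return {"meta": meta, "trailing": data[eoi + 2:],
                    "scan": hashlib.sha256(data[pos:eoi]).hexdigest()}
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:  # APPn and COM
            meta.setdefault(f"0x{marker:02X}", []).append(hashlib.sha256(body).hexdigest())
    raise ValueError("no SOS segment found")

def compare(uploaded: bytes, downloaded: bytes) -> dict:
    """Report which parts of the carrier the hosting site changed."""
    if uploaded == downloaded:
        return {"verdict": "byte-identical", "changed": []}
    a, b = parse_jpeg(uploaded), parse_jpeg(downloaded)
    changed = ["scan data"] if a["scan"] != b["scan"] else []
    for m in sorted(set(a["meta"]) | set(b["meta"])):
        if a["meta"].get(m) != b["meta"].get(m):
            changed.append(f"segment {m}")
    if a["trailing"] != b["trailing"]:
        changed.append("bytes after EOI")
    verdict = "re-encoded" if "scan data" in changed else "container rewritten"
    return {"verdict": verdict, "changed": changed}

# Constructed structural samples (not viewable images).
HEAD = b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01")
SOS = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
UPLOADED = (HEAD + seg(0xFE, b"constructed comment") + SOS
            + b"\x12\x34\xff\x00\x56" + b"\xff\xd9" + b"EXTRA")
STRIPPED = HEAD + SOS + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
REENCODED = HEAD + SOS + b"\x9a\xbc\xff\x00\x01" + b"\xff\xd9"

if __name__ == "__main__":
    print([compare(UPLOADED, c)["verdict"] for c in (UPLOADED, STRIPPED, REENCODED)])
```

A byte-identical verdict means the site returned exactly what was uploaded; the other two verdicts show that the file was altered in transit through the site, and in which region.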

4.2. Audio based websites

There are numerous websites that allow uploading of audio content which can be downloaded by others. This article examines the following websites: Soundcloud.com, Clownbasket.com and Picosong.com.

4.2.1. Selecting a website, tool and carrier file:

For the purpose of illustration, shown below is the tool Quick Crypto and website clownbasket.com. The carrier file chosen is an mp3 file called qc mp3 with m.mp3.

4.2.2. Secret message / file to be hidden:

A secret message was chosen to be hidden inside the mp3 file.

4.2.3. Hiding the secret data in the carrier file:

The secret message is hidden inside qc mp3 with m.mp3 using Quick Crypto.

4.2.4. Uploading the loaded carrier file on the website:

The file is uploaded on clownbasket.com. The website requires registration prior to allowing uploading and downloading of content on the website. A band was created by the name of dj dd1 and the file title was given as dj dd1 qc mp3.

4.2.5. Downloading and recovery of hidden data:

The mp3 file was downloaded from its address and Quick Crypto was used to recover the secret message hidden in the mp3 file. The hidden file was successfully recovered and read.

4.2.6. Analyzing the results:

It was found that it was not possible to recover the hidden message from content posted on soundcloud and picosong; however, clownbasket supported steganographic content and the hidden message could be successfully recovered. Clownbasket.com is accessible from a TOR browser, anyone can register on it with a false name and address, and it allows anyone to search for a song by its name or its band name and download it from anywhere on the internet.

| Hidden content type / recovery status | soundcloud | picosong | clownbasket |
|---|---|---|---|
| text | no | yes | yes |
| text file (.txt) | no | yes | yes |
| image file (.img) | no | yes | yes |

4.3. Video based websites

There are several websites that allow uploading of video content which can be downloaded by others. This article examines one such famous website called Youtube.com.

4.3.1. Selecting a website, tool and carrier file:

For the purpose of illustration, shown below is the tool StegoMagic and website Youtube.com. The carrier file chosen is a 3gp file called evolution of steganography.3gp.

4.3.2. Secret message / file to be hidden:

A secret text file is chosen for hiding inside the 3gp file.

4.3.3. Hiding the secret data in the carrier file:

The secret txt file is hidden inside evolution of steganography.3gp using StegoMagic. The loaded carrier file is called sv.3gp.

4.3.4. Uploading the loaded carrier file on the website:

The file is uploaded on youtube.com. This uploaded file can be searched by name by any user and can be downloaded using popular youtube downloading tools. One such tool, the youtube audio and video downloader addon for firefox, was used to download the uploaded video in the same format and quality.

4.3.5. Downloading and recovery of hidden data:

The 3gp file was downloaded in the same format and quality, but the hidden text file could not be extracted successfully from the downloaded 3gp file.

4.3.6. Analyzing the results:

It was found that it was not possible to recover the hidden file successfully from content posted on youtube.com.

5. Conclusion

Various websites were examined and some were found to allow steganographically hidden content to be hosted and downloaded. It was also found that all such websites are available on TOR, making access anonymous and tracing difficult. Though law enforcement, security agencies and forensic experts worldwide are aware of this method of communication and have cutting-edge Steganalysis tools and techniques to detect hidden content across websites, they have to keep evolving and upgrading their methods of detection and monitoring with the advent of new steganography tools and techniques. Equal attention needs to be paid to the countless new websites coming up every day that provide avenues for hosting steganographic content.