Which data hiding technique replaces bits of the host file with other bits of data?

Linguistic Method Forensics

Linguistic data hiding techniques exploit text semantic and syntactic properties to hide data inside it. This book covers the following linguistic text techniques:

Misspellings

Jargon code

Null cipher

Grille cipher

Synonyms

Acronym

Word misspelling

Linguistic techniques can be revealed by using human analysis of the text. Such a technique is not used much these days as it can conceal a small amount of data in the carrier file and it is relatively easy to discover by a common human observer. However, it is still used successfully to cheat automated monitoring tools that search for specific keywords that exist within text to capture.

We can use automated tools or specialized websites in order to simplify our investigation of the concealed data using text linguistic steganography. Some of these websites are:

Acronyms List (http://www.acronymslist.com) lists more than 40,000 acronyms and abbreviations in different specialized categories. You’re able to browse in alphabetical order or by selecting the category that fits your search. Find out the meanings of acronyms, abbreviations, initials, lingo, jargon, or slang and what they stand for.

Thesaurus (http://www.thesaurus.com) is a database that keeps track of thousands of synonyms and antonyms. It also gives you word origin, history, and example sentences.

txtn.us (http://txtn.us/anti-monitoringPag) has many tools for changing word spelling to conceal data and avoid detection. You can use this website to check how any suspected words can be written by changing their spelling to avoid detection (see Fig. 6.3).

The Jargon code hiding technique (which is a language that is only meaningful for a group of people) can be detected by analyzing suspicious word meanings using the following websites:

Urbandictionary: https://www.urbandictionary.com

Wiktionary: https://en.wiktionary.org/wiki/Wiktionary:Main_Page

Word Spy: http://www.wordspy.com

6.1.3 Challenges

Among various data hiding techniques, the reversible ones for the JPEG domain are still only a few and there is a huge margin for improvement in both the stego image quality and the capacity. For the purpose of making the influence caused by data hiding as small as possible, the selection of embedding positions should be carefully considered. As Huang et al. [5] said, traditional data hiding techniques tended to choose the midfrequency DCT coefficients in the DCT transform domain. However, when considering the quantization stage, things may be different. Thus, the earlier techniques might affect the researchers' choice on embedding positions in the JPEG-compressed domain. Most existing lossless data hiding techniques increase the file size after embedding the secret data, which negates the advantages of the lossless data hiding scheme. Lossless data hiding with file size preservation is now a new important research subarea. Embedding data into the JPEG bitstream, which is one of the open compression standards, has two limitations of weak security and fragility [6]. The JPEG bitstream must be viewable by normal viewers, and it is also available for the third party. Attackers may reencode the JPEG image to erase the embedded data or replace it using the open algorithm.

Embedding data into JPEG2000 images has some differences from embedding data into other types of images. The differences will lead to some difficulties. As a compressed image, the redundancy of a JPEG2000 image is smaller than that of an uncompressed image such as a BMP image. So the space for data hiding is limited. This will increase the difficulty of data hiding. In addition, the encoding process of JPEG2000 is more complex. Some encoding operations such as quantization and bitstream layering probably destroy the hidden data. It requires that data hiding should be coordinated with the encoding process of JPEG2000. So selecting a suitable embedding position is important and difficult.

2.5.1 Lossless Bit-Plane Compression in the Spatial Domain

Fridrich's group produced profound research on lossless data hiding techniques and developed a number of algorithms. This group proposed two techniques in this area [6]. The first technique, based on robust spatial additive watermarks, utilizes the modulo addition to embed the hash of the original image. The second technique uses the JBIG Lossless Compression Scheme [49] for losslessly compressing the bit-planes to make room for data embedding. To provide sufficient room for data embedding for the second technique, it is usual to compress the high level bit-plane. This mostly leads to visual quality degradation. Since the method aims at authentication, the amount of embedded data is limited.

Introduction

It has long been rumored that al-Qaeda uses data hiding techniques to covertly exchange documents related to terrorist plots. Over the last 10 years, al-Qaeda manuals have been found to contain techniques for covert communications using steganography programs and techniques. On May 16th, 2011, an Austrian named Maqsood Lodin was questioned by police in Berlin, Germany. Hidden in his underpants were a digital storage device and memory cards. The memory card contained files including a video. After thorough analysis, German investigators determined that over 100 files had been hidden in the video using steganographic techniques and protected with a password. Upon cracking the password, the files were determined to include terrorist training manuals and future plots to seize cruise ships and attacks on Europe.1

In today’s digital world, data hiding has reinvented itself for use in digital covert communications with one common goal—avoiding detection. And knowing the anti-forensic techniques for avoiding detection ensures that weak data hiding techniques are avoided. This knowledge provides the basis for refining a methodology for using data hiding with greater confidence in the most critical of situations. This chapter is intended to provide additional Forensic and Anti-Forensic techniques for data hiding not covered in the preceding chapters, but will not include techniques for hiding digital storage devices and memory cards in underpants.

Abstract

This is the last chapter in the book, and covers the following future trends in the data hiding techniques domain:

Future of encryption techniques: As computing power advances, more robust encryption techniques are going to emerge. We list three modern encryption techniques that are predicted to dominate the market in the future.

Data stored in cloud computing: As more people use mobile devices to conduct their daily online activities, it is predicted that most of these people are going to use cloud storage providers to store their private data. We discuss the dangers of cloud storage and suggest encrypting our data before uploading it to the cloud.

Virtualization technology: Using virtual machines in enterprises is not something new. Studies predict that most companies will shift toward virtualization technology to reduce hardware costs. This will open possibilities for data hiding techniques and make investigating it more difficult for law enforcement.

Data hiding in enterprise networks: There are different solutions already deployed to monitor companies' networks to prevent data leakage; however, future network devices are expected to become more intelligent regarding this issue. Modern solutions also suggest storing all company data in an encrypted format and only decrypting it when needed by a user.

Streaming protocols: As more people use the Internet to watch movies, play games, and listen to music, future streaming protocols are expected to have a development boost to simplify these processes. This opens endless possibilities for concealing data in such protocols.

Data hiding in mobile devices: The number of mobile device users is expected to increase rapidly in the near future. As more people are willing to use such devices to browse the Internet and send emails, more steganographic tools will be developed for use on mobile devices. In addition to this, Internet speed and the computation power of mobile devices are expected to increase in the future, allowing future mobile devices to use steganographic tools that use more secure algorithms.

Anonymous networks: TOR is still considered as the most used anonymous network currently available; however, research is continually going on to create more secure anonymizing networks like HORNET and Vuvuzela.

I. INTRODUCTION

The past few years have seen an explosion in the use of digital media. Industry is making significant investments to deliver digital audio, image, and video information to consumers and customers. A new infrastructure of digital audio, image, and video recorders and players, on-line services, and electronic commerce is rapidly being deployed. At the same time, major corporations are converting their audio, image, and video archives to an electronic form.

Digital media offer several distinct advantages over analog media: the quality of digital audio, image, and video signals is higher than that of their analog counterparts. Editing is easy because one can access the exact discrete locations that should be changed. Copying is simple with no loss of fidelity. A copy of a digital media is identical to the original. Digital audio, image, and videos are easily transmitted over networked information systems.

These advantages have opened up many new possibilities. In particular, it is possible to hide data (information) within digital audio, image, and video files. The information is hidden in the sense that it is perceptually and statistically undetectable. With many schemes, the hidden information can still be recovered if the host signal is compressed, edited, or converted from digital to analog format and back.

As we shall see in Section II, pure analog data-hiding techniques had been developed in the past. However, these techniques are not as robust as most of the digital data hiding techniques that we review in this paper. Furthermore, they cannot embed as much data in a host signal as the digital approaches.

Digital data embedding has many applications. Foremost is passive and active copyright protection. Many of the inherent advantages of digital signals increase problems associated with copyright enforcement. For this reason, creators and distributors of digital data are hesitant to provide access to their intellectual property. Digital watermarking has been proposed as a means to identify the owner or distributor of digital data.

Data embedding also provides a mechanism for embedding important control, descriptive, or reference information in a given signal. This information can be used for tracking the use of a particular clip, e.g., for pay-per-use applications, including billing for commercials and video and audio broadcast, as well as Internet electronic commerce of digital media. It can be used to track audio or visual object creation, manipulation, and modification history within a given signal without the overhead associated with creating a separate header or history file. It can also be used to track access to a given signal. This information is important in rights-management applications.

Data embedding is also ideally suited for covert communications. Data embedding can securely hide large amounts of potentially encrypted information in audio, image, and video data.

A most interesting application of data embedding is providing different access levels to the data. For example, the amount of detail that can be seen in a given image can be controlled. A person with a high access level can see details that another person with a lower access level would not see. Similarly, data embedding allows users to tailor a video to their needs, e.g., by watching a movie broadcast over a single channel in a particular rating or in a given language. In this case, data embedding is used to embed extra scenes and multilingual tracks in a given version of the movie that is broadcast [84]. In a sense, data embedding then provides some of the capability of digital video disc (DVD) in a broadcast environment with no extra bandwidth or storage requirements.

Most data-embedding algorithms can extract the hidden data from the host signal with no reference to the original signal. In some scenarios, an original is available to the detection algorithm. Typically, data-embedding algorithms that use the original signal during detection are robust to a larger assortment of distortions. The detection algorithm may “subtract off” the original signal from the received signal prior to data detection. Registration may also be used by receivers to compare the received signal with the original to correct scaling, rotation, and other distortions prior to data detection. Some data-embedding algorithms require access to the original data to derive parameters, e.g., hash values, that are required during detection. As different data-embedding applications have different requirements, we distinguish between these cases in this review.

Note also that most data-embedding algorithms assume that it is desirable to have secure data-embedding and extraction procedures. Specifically, a secret key typically determines how the data are embedded in the host signal. A user needs to know that key to extract the data. Knowledge of that key and the embedding algorithm would also allow the user to overwrite or erase the embedded information. In some applications, e.g., copy control in DVD or fraud detection by a recipient of the signal, it is desirable to give all users access to the embedded data without enabling them to change or remove that data. This problem has been addressed in cryptography. However, the solutions developed in cryptography cannot be applied directly in the watermarking or data-hiding context. In fact, to date, no satisfactory solution to that problem has been proposed within the data-embedding or watermarking literature. Some pioneering work in that area is described in [33].

The goal of this paper is to present an overview of the challenges and issues that need to be addressed by successful watermarking and data-embedding techniques and the current state of the art. Data-embedding and watermarking research builds on ideas and concepts developed in cryptography, communications theory, algorithm design, and signal processing. The data-embedding problem is inherently more difficult than any of the problems that have traditionally been addressed in these fields. All data-embedding algorithms combine and extend in a sense many of the solutions developed in these areas. Most of the published work on data embedding that has appeared in technical journals and conferences focuses on image and video data. On the other hand, most of the published work on audio data embedding has appeared in the patent literature. The coverage of this review in the audio, image, and video areas is basically proportional to the existing journal and conference literature in these three fields.

In the next section, a brief historical overview of the field is given. In particular, we relate some of the techniques that have been proposed recently in the areas of data embedding and watermarking to older steganographical techniques. In Section III, the basic requirements of data embedding and watermarking are addressed. We discuss the different security and robustness requirements of data-embedding applications. We also review the deadlock problem that arises in ownership identification and describe two solutions. Data embedding and watermarking in digital media are possible because of the limitations of the human auditory and visual systems. We review some properties of human auditory and visual perception in Section IV. Following this review, we describe the principles that underlie current data-embedding approaches. We provide examples to illustrate the capability of today's technology. Sections V–VII present image, audio, and video data-embedding techniques, respectively. We conclude the paper with a brief overview of visible watermarking approaches.

1 Introduction

The evolution in computer and communications technologies has been advancing rapidly in recent years. Such advances have facilitated the exchange and transmission of information via vulnerable insecure public networks. On the other hand, and despite all of these appealing advantages, the security of the transmitted information can be violated easily and consequently may lead to the illegal disclosure of private information. Therefore providing security services such as confidentiality, authenticity, integrity, protection, and safe transmission of transmitted information has become a vital and an essential task.

This chapter focuses on providing security for transmitted medical images because of their important and crucial role in telehealth medical applications. The intra- and interhospital exchange of medical images and the ease of making digital copies, editing, and distributing these images via unsecured public networks have brought about the essentiality of securing transmitted medical images [1,2]. Indeed, medical images are sensitive to any manipulation that may threaten the lives of patients, and at the same time disrupt the credibility of medical institutions.

In recent years it has become a fact that any powerful scheme developed for securing transmitted medical images must be based on two techniques: cryptography to achieve confidentiality and digital watermarking to achieve authenticity and integrity. Encryption plays the role of a preprotection tool since it becomes ineffective when the image is decrypted, and consequently its integrity and authenticity become hard to validate. These are the benefits of watermarking, which acts as an a posteriori control tool allowing the image content to be still available for interpretation while the remainder is protected. Accordingly, any security scheme that combines cryptography and digital watermarking will efficiently secure medical images while being encrypted or decrypted.

As a consequence, because of the sensitive nature of medical images they cannot tolerate any distortion that may lead to privacy violation or severe complications due to misdiagnosis. Therefore reversible data hiding (RDH) techniques that operate on encrypted images need to be developed to provide the required security. RDH offers exact and perfect recovery of the original image after the embedded data have been extracted. This reversibility is considered an attractive and valuable feature from which medical images can benefit to attain security while being transmitted. In RDH schemes the embedded data are made fragile so that any tampering or modification of the watermarked image results in an authentication error. Moreover, because of the security vulnerabilities discussed earlier, medical images are often transmitted and stored in encrypted form to protect their contents, and thus there is always a need to provide security for encrypted medical images.

Most existing RDH schemes operate on plain images. These schemes exploit the redundancy inherently available in plain images to provide the required reversibility. Extending these RDH schemes to operate on encrypted images is not straightforward. This is because encryption algorithms, which are used to encrypt the plain image, minimize the existing redundancy in the image, thus preventing the RDH algorithm from making use of the redundancy it needs to operate normally.

In this chapter, an effective joint watermarking encryption algorithm is developed and evaluated. The proposed algorithm uses dual watermark embedding in the frequency and encrypted domains. The algorithm embeds dual watermarks: the encrypted domain watermark and the frequency domain watermark. The two watermarks are embedded in different frequency sub-bands to avoid any mutual interference and to allow for direct and independent access to each watermark. Partial encryption is used to encrypt one of the sub-bands by means of a permutation-based encryption algorithm.

The proposed algorithm benefits from the advantages offered by the frequency domain. One major benefit is the high embedding capacity the frequency domain offers. Another benefit is the high imperceptibility that the watermarked image exhibits because it operates on the coefficient level, not the pixel level. That is, by virtue of embedding in the coefficients of the frequency transforms, any distortion caused by the watermarking process is distributed irregularly over the entire image, making illegal detection of the watermark more difficult. Moreover, the proposed algorithm is separable, which allows for the watermark extraction to be independent from the decryption of the watermarked image. A direct result of separability is that the authenticity and integrity of the medical image can be verified while preserving the privacy of the original content of that image. This can be achieved by virtue of the multiple keys used by the algorithm to control access to the medical images at different stages.

The remainder of the chapter is organized as follows. In Section 2 a brief overview of a number of related works in RDH schemes for encrypted images is given. Section 3 describes the two functions responsible for providing reversibility to the proposed algorithm. A detailed description of the proposed algorithm is given in Section 4. Section 5 gives an in-depth analysis of the experiments conducted to prove the effectiveness of the proposed algorithm. In addition, Section 5 presents performance evaluation results and compares these results with a number of recent state-of-the-art studies. Finally, in Section 6, concluding remarks and future work directions are outlined.

Mobile Device Data Hiding Applications

In David Kahn’s famous book The Code Breakers, he relays the account of Demaratus who was alleged to have been exiled in Persia. While there, Demaratus learned of a planned attack on Greece by the Persians. As the story goes, Demaratus determined that he must deliver a secret message to the Spartans to warn them. The writing instrument of the day was a wax tablet, as we look at the wax tablet it is quite similar to iPad tablet today, minus the Lithium Ion battery of course (see Figures 6.1 and 6.2.

Demaratus in his day removed the wax from the tablet and then using a sharp object he carved the warning in the wood and then covered the carving with a new coat of wax. This would allow the tablet to make its way through the guards and sentries of the day and hopefully arrive in time to warn Greece. The tablet eventually reached Cleomenes and he somehow knew to remove the wax and recovered the warning. Having done so, she provided the message to the Spartans allowing them time to prepare and fortify their positions. I wonder if the message will reach the Spartans in time the next time an invasion is imminent (see Figures 6.3 and 6.4).

In addition, unless otherwise noted, we will use the following string when hiding textual data within carrier files:

“This is a test of the emergency broadcast system, this is only a test.”

For the examples in this chapter we are using an iPad 1 and associated data hiding applications. All apps have been downloaded directly, without modification, from the Apple iTunes site and the iPad has not been Jailbroken or compromised in anyway.

Many data hiding applications exist on the iPhone, iPad, and related devices and in examining the techniques and characteristics of each, we have selected just a few to include in this chapter that demonstrate unique data hiding techniques. They include:

Spy Pix.

InvisiLetter.

Stego Sec.

Spy Pix Analysis

Spy Pix Details
Application Name	Spy Pix
Seller	Juicy bits
Image format	True color PNG
Last release	December 2009

Like most iPad applications, Spy Pix offers a simple to use application for data hiding. This app employs a hiding method that allows the user to hide a photo within another photo with varying degrees of quality. The resulting data hiding operations reduce the quality of both the carrier and the hidden image, but are still quite difficult to detect.

Once you launch Spy Pix you are presented with the following screen shot (see Figure 6.5).

Figure 6.5. Spy Pix Image Selection Screenshot

You must supply two images. The first image is the image you wish to hide (in other words the secret). The second image is the decoy or cover image.

When you select the image to hide selection box, the screen in Figure 6.6 appears.

Figure 6.6. Spy Pix Photo Source Selection

The application allows the user to either take an immediate picture or to select any existing image from the photo album. We selected the standard gun with bullets image as you can see in the following snapshot (see Figure 6.7).

Figure 6.7. Spy Pix Gun and Bullet Selection

The process is repeated for the decoy or cover image, shown in the snapshot in Figure 6.8.

Figure 6.8. Spy Pix with Selected Hidden and Decoy Image Selected

At this point, you now can now experiment by combining the two images. The slider at the bottom of the screen, shown in Figure 6.9, provides the user with the ability to determine the level of hiding that will take place. As you can see in Figures 6.9 and 6.10, by varying the combination selection from low to high you can find the right level. If the level is too low, the photo of the gun and bullets will bleed through the decoy image, but if you select a higher level, as in Figure 6.10, the decoy successfully obscures the hidden image.

Figure 6.9. Gun and Bullets Bleed Through

Figure 6.10. Gun and Bullets are Obscured

The Spy Pix concept is quite simple—overlay the two images and hide the most significant bits of the image to hide into the least significant bits of the decoy image. Based on how many bits of the hidden picture you wish to preserve, the quality of the resulting image will be reduced.

Data Hiding Method Analysis

Operationally Spy Pix first converts both images to 24 bit true color images in order to normalize the formats. The app then allows the user to specify or experiment with the number of pixels that will be replaced in the cover image—you can choose 0–7 bits. If you choose zero, the entire cover image would be replaced with the hidden image thus destroying the original image. If you were to select seven, only the most significant bit (MSB) of the RGB values of the secret image would replace the least significant bit (LSB) of the cover image.

In Figure 6.11 we selected a data hiding level of 5. This causes bits 7, 6, and 5 of each RGB value of the secret or hidden image to replace the three LSB bits 0, 1, and 2 of the decoy image. As you can see in the illustration, bits 0–4 of the secret image are discarded, thus reducing the resolution of the secret image from 24 bit color image to a 9 bit color image. With 8 bits of color for Red, Green, and Blue = 24, and 5 bits of color removed from each color plane 5 × 3 = 15, therefore 24 − 15 = 9.

Figure 6.11. Spy Pix Data Hiding Diagram

At first glance one might think that this is pretty easy to detect visually. However, by rendering the image it looks quite good even if you replace as many as 2 or 3 bits. In order to reveal the hidden information, we must render the image differently, one method is to render and examine only the LSB values.

We do this by utilizing Stego Analyst, a steganography analysis application by WetStone. Stego Analyst allows the rendering of specific LSB values. See the Snapshot below.

By specifying exactly which bits of the LSB we wish to see and for which colors, we can control the image rendering. In Figure 6.13, we have chosen to display two images side by side. The image on the left is the decoy image with bullets in gun hidden displayed with normal rendering. The image on the right is the same decoy image rendered with only the selected LSB and colors that were specified in Figure 6.12. This gives us the ability to view the images side by side. This reveals the reduced resolution image that was hidden inside the snow owl. Since only the three MSB values of the secret image were hidden, the data loss is evident, but you can certainly still make out the image of the gun and bullets.

Figure 6.12. Stego Analyst LSB Bit Mask Selection

Figure 6.13. Side by Side Comparison of the Decoy Rendered Normally (on Left) Rendered with Selected LSB Values (on the Right)

Based on the 9 of 24 bits replaced in the original image, one would think this would be trivial to detect algorithmically. However, the general rule of thumb for LSB detection algorithms is to perform statistical analysis of the LSB values. Many of the predecessors to this approach first compressed then encrypted the desired payload and then modified the LSB values which created randomness in the LSB values of the decoy image. In this case, the data hidden has very little randomization, since the MSB values of the secret image vary much less than even the LSB value of an image, and significantly less than compressed or random data. In order to accommodate this type of detection, new comparison models and neural net training approaches were necessary to detect the anomalies implemented by this simple data hiding method.

The basic approach for developing such a detector is to create a large set of examples using this method along with the original cover images and develop statistical measurements that can distinguish variance within LSB values of “normal” images compared against images that contain variable length replacement of LSB values. The process of training the neural net or other heuristic models is continued until you achieve maximum accurate detection while reducing false positives. For those readers wishing to investigate advanced blind detection methods and neural network approaches, this detail is beyond the scope of this book. However, many good technical papers and resources are available to aid in this scientific research. A good place to start would be research papers by Dr. Jessica Fridrich, http://ws2.binghamton.edu/fridrich/publications.html#Steganography

Stego Sec Analysis

Stego Sec Details
Application Name	Stego Sec
Seller	Raffaele De Lorenzo
Image format	JPEG
Last release	February 2011

The Stego Sec iPhone/iPad app provides the ability to hide text inside a photograph that is either immediately taken or retrieved from previously saved images. The snapshot below reveals the apps navigation panel. We are going to focus our attention on the Crypt Image processing, in other words the creation of the data hiding objects (see Figure 6.14).

Figure 6.14. Stego Sec Application Navigation Panel

As with most mobile apps, Stego Sec allows you to select either images that already exist on your camera roll or you can take an immediate photograph. For consistency, we will select the standard snow owl image that is saved in the camera roll (see Figure 6.15).

Figure 6.15. Stego Sec Snow Owl Image Selection

The app next prompts us for text that is to be hidden inside the selected image. For this, we typed in the following standard message “This is a test of the emergency broadcast system, this is only a test,” a 70 character (byte) message string (see Figure 6.16).

Figure 6.16. Stego Sec Hidden Message String

Stego Sec claims to encrypt the text message prior to hiding information in the message. To support this function, we must provide a password. On this same panel we need to supply the file name where the new image will be stored (see Figure 6.17).

Figure 6.17. Stego Sec Password and File Name Specification

We confirm by pressing Go and the hidden image is created (see Figure 6.18).

Figure 6.18. Stego Sec Successful Completion

At this point, we can either reveal the hidden message or more importantly send the message to the intended recipient. Stego Sec provides the ability to E-mail or MMS the file containing the hidden information (see Figures 6.19 and 6.20).

Figure 6.19. Secret Message Distribution

Figure 6.20. Send as E-Mail Selection

Data Hiding Method Analysis

As mentioned earlier Stego Sec hides information in a resulting JPEG file type. Since we have all the pieces of the puzzle:

1.

The original JPEG image.

2.

The JPEG with the hidden content.

3.

The message content and length of 70 characters.

4.

The password we used to encrypt the data.

We can now interrogate the before and after image and attempt to determine at least the method used to hide the information.

Again we turn to Stego Analyst to assist us in the examination of the resulting images to deduce the hiding methods employed. In Figure 6.21, the image on the left is the original unmodified image of the snow owl. The image on the right is the image created by Stego Sec that contains the hidden emergency broadcast message.

Figure 6.21. Side by Side Comparison of the Original and Stego’d Image

We have labeled this file Stego Sec Hidden Short Message because we will also need to compare messages of differing lengths to confirm the hiding method. In Figure 6.22 we notice is a dramatic difference in the size of the before and after messages:

Figure 6.22. Stego Analyst Comparison of the Image Details, Short Message vs. Long Message

Original Carrier: 109,562 bytes. Short Hidden Message: 11,525 bytes.

What we can immediately deduce is that it is likely that hiding method involves re-encoding the JPEG and this further suggests that quantized DCT values inside the JPEG have been altered or there would be no reason to re-encode the image. We have also verified that no stray comment fields, data appending or prepending appears to be present in the JPEG. We have also determined that no other structural anomalies are present. From this we will run another experiment that will help us verify our hypothesis that the hiding method involves altering the quantized DCT values. To assist us with this, we have embedded a second text message using Stego Sec. This one contains a payload length of 350 vs. 70 bytes in the short message and we utilized the same password in order to only modify a single vector (the length of the message).

In Figure 6.23 we compare the two images.

Figure 6.23. Quantized DCT Coefficients Comparison, Short vs. Long Messages

As you can see the size difference between the Short and Long messages hidden inside the JPEG is quite small:

Long Message Image Size:	11,579
Short Message Image Size:	11,525
A difference of only	54 bytes

However the difference in payload size is 350 − 70 = 280 bytes. This supports our hypothesis that the hidden data is not simply being added or inserted into non-image areas of the JPEG. In order to more closely examine the changes between the short message and long message data hiding, we will need to directly examine the quantized DCT values of each image, side by side. As you can see in Figure 6.23, the general histogram of the DC coefficients of the quantized DCT appear similar. This is simply displaying the number of occurrences found in the image for each DC value extracted from the quantization table. Figure 6.24 depicts a quantized DCT with what we refer to as the DC coefficient value.

Figure 6.24. Quantized DCT Table Showing the DC or Average Value

In order to determine the discrete differences between the quantized values, we must take a closer look at a smaller set of individual histogram values. This examination reveals slight changes in the DC values of the coefficient histogram. As you can see in Figure 6.25, the highlighted values represent slight changes in the DC values caused by modification differences between the short and long message strings. Since we started with the same original image, we utilized the same password, and the only change was message length, we can deduce that the hiding method modified DC coefficients with the quantized DCT values. Therefore, the Stego Sec hiding method involves direct modification of the JPEG Lossy values.

Figure 6.25. Short vs. Long Message Highlighted DC Histogram Changes.

Since the message sizes are relatively small (a few hundred bytes), the ability to statistically detect these anomalies without human analysis is quite difficult making Stego Sec a viable data hiding solution for at least small text based messages.

Another very important note regarding Stego Sec, when we originally analyzed the previous version of the app, the hidden data was actually stored in a header area of the JPEG making detection and recovery quite simple. Figure 6.26 depicts a hex dumped taken from an image stego’d in the previous version of Stego Sec. The plaintext message in this version was embedded in this version within the EXIF JPEG header.

Figure 6.26. Stego Sec Previous Version Simplified Hiding Method

As we move forward, we expect to see additional updates and improvements to these apps, not only for ease of use, but also for the improvement in the quality of the hiding mechanisms employed.

InvisiLetter Analysis

InvisiLetter DetailsX
Application Name	InvisiLetter
Seller	Hideaki Tamori
Image format	True color PNG
Last release	July 2010

InvisiLetter is yet another interesting application for the iPhone/iPad. The App operates similarly to other iPhone/iPad apps but offers a bit of a twist. As you can see in Figure 6.27, when the app launches you can either embed or extract a secret image.

Figure 6.27. InvisiLetter App Navigation Panel

Our interest, of course, is data hiding so we will choose Embedding Secret Image. Once we do this, the image in Figure 6.28 is displayed and we are prompted first to select a cover image, as shown in Figure 6.29.

Figure 6.28. InvisiLetter Cover Image Selection

Figure 6.29. InvisiLetter Cover Image Selection

As you would suspect, you can either take a photo directly with the camera or you can retrieve an image already stored in the Photo Album.

As you can see in Figures 6.30 and 6.31, once you have selected a cover image the app allows you to draw with your finger or other suitable stylus the hidden message directly on the image. For this example, we need to create both a simple message and a slightly more complex message to illustrate the data hiding method.

Figure 6.30. InvisiLetter Simple Message

Figure 6.31. InvisiLetter Complex Message

Data Hiding Method Analysis

The analysis of this method is going to require a slightly different analytic process. Since the resulting image is a PNG image that contains the hidden drawing inside, we would first look at the differences in the two images. As we did when analyzing Stego Sec, we modify only the hidden message. In Figure 6.32 we examine the basics of both the simple drawing (on the left) and the more complex drawing (on the right).

Figure 6.32. InvisiLetter Simple vs. Complex Embedding

At first glance there are two notable differences between the simple and complex images:

1.

The file carrying the simple image is smaller in size by 6744 bytes. This is not too surprising when we consider the additional information that needed to be hidden to record the additional words and drawing elements. The IDAT chunks of PNG images are compressed; however, and any modification to the true color RGB values prior to compression will alter the compressibility.

2.

Consistent with the files size increase and more telling are the number of used colors found in the complex image. 55,833 vs. 47,606. Whenever we see this type of increase in used colors (for the same carrier image) it implies modification to the LSB values as this modification would increase the number of unique colors found in the uncompressed complex image.

Visually, through normal rendering the images look identical and we don’t immediately see any noticeable distortion or artifacts. This image is zoomed at 400% creating some jagged edges, but this is true for the original image, the simple image, and the complex image.

In order to see the difference between the simple and complex images and draw out the changes caused by the data hiding, we need to render the image in a different manner. In Figure 6.33, we have chosen to render the Hue of each image.

Figure 6.33. Stego Analyst InvisiLetter Simple vs. Complex Hue Rendering

The difference is now apparent, as we add more and more hidden data to the image (simple vs. complex) we see the Hue of the image begin to degrade. This is a telltale sign of data hiding that is embedded directly into the RGB values of the image. Examining the image itself, we also verified all the other structural elements have not been modified or altered, thus confirming the embedding is taking place directly into the RGB values of the true color images.