>> Although steganography content can be hidden in text files, html webpages, executable files,
even file systems, the most popular types of carriers are digital images and audio files.
Let's look at the steganography techniques used in digital audio and video carrier files
first.
A wav file is a digital audio file format identified by a file name extension of wav.
It is a list of uncompressed samples after digitalizing an analog soundwave.
Each 16-bit sample value represents an amplitude value of the analog message.
Based on Nyquist-Shannon sampling theorem, if each sample is collected at a frequency
of 44.1 kHz or 44.1K times per second the digitalized analog audio will sound similar
to the original analog soundwave so digital wav files are commonly large.
MP3 is another popular audio coding format for digital audio.
It uses a form of data compression to reduce file sizes, typically by the factor of 10
to 14 in comparison with a wav file without noticeably
affecting the sound quality for most listeners.
Unlike wav files MP3 is encoded in Modified Discrete Cosine Transformation coefficients
not amplitude value.
When using least significant bits to hide payloads in a wav file, the raw samples'
or amplitudes' LSBs will change slightly, but humans are insensitive to these insignificant
changes.
A steganography tool called S-tools can hide payloads in wav files.
When applying LSB encoding to MP3 audio and MP4 video files it changes the carrier's
coefficients' LSBs to hide a payload.
MP3stego will hide information in MP3 files during the compression process
by modifying the MP3 encoding algorithm to insert data.
The data is first compressed, encrypted and then hidden in the MP3 coefficients.
MP4stego hides data in MP4 video files.
Steganography in digital audios and videos is dangerous since it has the potential
to conceal a great quantity of information in large-sized carrier files.
In addition, people often exchange audio and video files to play them in YouTube,
MP3 and MP4 players and smart phones.
Detecting steganography files from a large number of audio and video
files is difficult.
How are steganography technologies applied to digital images?
Digital images are made up of pixels.
We will look at three types of images based on how they present color digitally.
In palette images each pixel is represented by 8-bit binary data.
Each 8-bit is mapped to one predefined color out of 2 to the 8th power or 256 colors.
Since each pixel holds one color and there are only 256 different colors to choose
from the palette images are small and low resolution files.
A gif file is an example of a palette image.
In true color images each pixel holds a color triplet of red,
green and blue representing the color intensity with 8 bits for each color.
Therefore the total combination of possible colors is 2
to the 8th times 2 to the 8th times 2 to the 8th.
This yields over 16 million possible colors.
People also call this type of image 24-bit true color.
Although true color images are more accurate than palette images their file size is much
larger.
Both Bitmap and PNG are true color images.
To reduce image file size people have tried to compress digital images.
After the lossy compression process some insignificant information is discarded therefore
the original image is no longer fully recoverable.
Jpeg images are lossy compressed images.
More specifically, jpeg images do not store individual color value for each pixel.
Instead, the jpeg compression algorithm uses Discrete Cosine Transformations
or DCTs to transform every 8 by 8 pixel blocks of image into 8
by 8 DCT coefficients; therefore jpeg reduces image size.
Although some information is lost during the compression process human eyes cannot see
noticeable differences.
When applying least significant bit encoding to true color images there are only subtle
changes to each pixel of the original image therefore
the change is undetectable through visual inspection.
S-tools used in wav file steganography can also take true color images such as bitmap
and PNG images as carrier files to hide other images or files.
The resulting covert image using S-tools is the same size of the carrier image.
To convince you that human eyes are not sensitive enough
to detect the color differences we generate the six different colors using Dreamweaver.
Can you see the difference in color, although multiple least significant bits were changed?
When applying least significant bit encoding to the lossy compressed images
like jpeg images LSB modifications are made to the coefficients
of the DCT prior to the compressed stage.
The popular tool JP Hide and Seek, also known as JPHS is an example using this approach.
Even though JPHS uses a substitute steganography method the size
of the covert message is usually smaller than the original carrier jpeg image due
to an additional compression process.
Another artifact of using JPHS is that the header information
of the covert jpeg image is usually stripped while the carrier image has the jpeg
header information.
Gif-it-Up steganography software is a free program that allows you to hide information
in a palette image such as gif images.
It first sorts the 256 colors in the palette so that the closest colors fall next to each
other.
Similar colors are paired up: one color represents digit 1 while the other in the
pair represents zero.
For example we put two close red colors together.
R zero represents zero and R1 represents 1.
The hiding process starts by using the closest sets of colors.
Assuming I need to hide a zero bit in a red pixel, if the pixel is currently R zero
which represents that correct bit, it remains untouched.
Otherwise if the pixel is currently R1 we change it to R zero.
Since R zero and R1 are a pair with a similar color this change is not noticeable
to human eyes.
The main advantage of this type of tool is its simplicity.
Also since palette-based images are usually low
in quality any minor changes may not be detected.
However this method does not allow us to hide large amounts of data.
To detect this type of tool investigators should check for similar colors.
Having pairs of close colors is an indication of using this type of steganography tool.
So far we have introduced four free steganography tools.
Knowing which carrier files each tool supports helps investigators narrow
down the suspicious images for investigation.
For example, if an investigator detects S-tools installed on a suspect machine he
or she should pay more attention to gif, bitmap and wav files for possible steganography content
since S-tools use these three types of images as carrier files.
In summary, S-tools uses gif, bitmap and wav files as carrier files.
Gif-it-Up only uses the gif image as its carrier file.
JP Hide and Seek only uses jpeg image files as its carrier files,
and Camouflage can use any type of carrier.
Although I only introduced a few there are many free
and commercial steganography tools available for use.
Some tools, like OpenPuff, can combine several files together
as a carrier file to hide a payload.
With the wide use of smart phones a set of new steganography apps have emerged.
These new apps run on Android, iOS and Windows Mobile Platforms.
Most of them use stego-technologies similar to what we saw in this video.
For example the iPhonesteg2 SPYPIX uses LSB to hide stego-contents.
In the next video I will show you how to use S-tools, JP Hide and Seek
and Camouflage to hide and unhide data.
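The palette check the lecture recommends for Gif-it-Up-style tools (look for pairs of close colors) can be automated. The following is an added example, not part of the lecture or of any tool it names: it reads a GIF's global color table and reports what fraction of distinct colors have a near twin. The per-channel threshold `max_diff=4` and the two sample palettes are constructed assumptions.

```python
import struct

def gif_global_palette(data: bytes):
    """Return the global color table of a GIF as a list of (r, g, b) tuples."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    if len(data) < 13:
        raise ValueError("truncated header")
    packed = data[10]                      # logical screen descriptor flags
    if not packed & 0x80:                  # bit 7: global color table present
        return []
    entries = 2 ** ((packed & 0x07) + 1)   # bits 0-2 encode the table size
    table = data[13:13 + 3 * entries]
    if len(table) < 3 * entries:
        raise ValueError("truncated color table")
    return [tuple(table[i:i + 3]) for i in range(0, len(table), 3)]

def close_pair_ratio(palette, max_diff=4):
    """Fraction of distinct colors that have a near twin within max_diff per channel."""
    colors = sorted(set(palette))   # exact duplicates are usually padding, ignore them
    if len(colors) < 2:
        return 0.0
    hits = 0
    for c in colors:
        nearest = min(max(abs(a - b) for a, b in zip(c, o))
                      for o in colors if o != c)
        if nearest <= max_diff:
            hits += 1
    return hits / len(colors)

def build_gif_header(palette):
    """Constructed test input: GIF89a header plus a 16-entry global color table."""
    if len(palette) != 16:
        raise ValueError("this helper builds 16-color tables only")
    flat = bytes(v for rgb in palette for v in rgb)
    return b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80 | 3, 0, 0) + flat

# Constructed palettes: one with well-separated colors, one made of close pairs.
SPREAD = [(i * 16, (i * 40) % 256, 255 - i * 16) for i in range(16)]
PAIRED = [(i * 32 + d, 100, 200) for i in range(8) for d in (0, 2)]

if __name__ == "__main__":
    for name, pal in (("spread", SPREAD), ("paired", PAIRED)):
        ratio = close_pair_ratio(gif_global_palette(build_gif_header(pal)))
        print(f"{name}: {ratio:.2f} of colors have a near twin")
```

A high ratio is a triage signal, not proof: smooth gradients also produce close palette entries, so flagged files still need closer examination.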
Steganography Tool Demo
>> Steganography tools not only encrypt your data, but also hide data
in innocent looking digital pictures, sound files, or web pages.
In this video, I will demonstrate a couple of free steganography tools to hide a message
or even an image inside another image, which is a carrier file.
Let's test our eyes to see whether we can tell any differences
between the original image and the covert image.
Now, first, let's look at a commercial tool called Invisible Secrets.
The latest version is Invisible Secrets 4, Version 4.
And it supports carrier files of JPEG, PNG, HTML, bitmap and a WAV.
Now, nicely, they also offer a free edition, which is Invisible Secrets Version 2.1.
You can download this free version from the website here,
www.invisiblesecrets.com version tool.
Now, for this version tool, they give you a taste and a try for only two carriers.
So the carrier file can be JPEG or bitmap.
Now, let's try it.
Okay, let me open.
I have installed Invisible Secret 2.1.
Open it up.
So if you click on option and it shows you what kind of algorithms,
encryption algorithm it supports for this version,
certainly for the commercial 4.0 version they support many more algorithms.
And then carrier files for this version, they only allow to have those two carrier files,
JPEG and bitmap would remember that.
So now let's look.
There are two options, certainly.
One is encrypt and the first encrypt, then hide files into a carrier file.
And then the second option is if you have the encrypted file
and then you have the steganography file and then you want to extract the hidden information.
So first we will try encrypt and hide.
So this is the first option.
Now, into the carrier file, so you need to have a carrier file to hide information.
There are only two options.
One is bitmap and JPEG.
Let's try JPEG.
All right, so I just pick and choose from something
from the Windows sample pictures, all right?
So let's browse it.
This is my documents.
Pictures. Sample.
Okay, let's pick a sunset, all right?
So you can view it.
So this is the picture.
This is the image.
I will carry another one to hide another message or image.
So let's move on.
Now, it says which file do you want to encrypt and hide?
So then I can add file.
So let's add, again, add another image.
Let's try it.
If it's too large, it will complain.
It means your human eyes probably can even detect, can see the difference.
So I try a temperature.
Let's try and see if it works out now.
Brewhills.jpeg.
And once again, what is that?
I picked this one, Brew Hills.
So the sunset is the original image.
And I want to hide the Brew Hills image into it.
So we said, and they asked, do you want to compress?
Yes. We'll just leave it as default.
Now, specify the password.
Because we're doing the encryption first, right?
If it's a text and then this is so important because I don't want the people can detect,
but they still don't get what is the meaning.
So I just simply put a very simple password in the real case certainly I want
to put more difficult on and then prevent people to [inaudible] the password.
And then again, this is the algorithm.
I don't have many choice for this version.
All right, if you want to skip the encryption, that's also fine.
You can pick, and I only need to hide, I don't want to encrypt.
Specify the name of the result.
So finally, the covert message, what do I want?
Let's put into desktop, okay?
And we call it invisible.
Invisible.jpeg.
Because that too is a JPEG image, all right?
So let's say okay.
It's done.
It's very quick, all right?
So it's here, invisible.
It's invisible here.
And then now I can pick a finish, or nicely it says if you want to e-mail that.
Now, in the class, I will not call that as a carrier file anymore
because the carrier file I distinguished as original file I will call the covert file.
So here it means e-mailed covert file, the one I just created.
So you e-mail to your friend, and actually has information has secret hide into that.
And you can also post it on YouTube and post it on a website for people to get it.
And they can send by FTP connection as well.
So this tool is nicely built in, there's even communication channels for you to send.
So I said finish, okay?
So now I want to decrypt it.
So I say extract.
If you're using the Invisible Secrets for hiding,
and definitely you can use same tool to extract, all right?
So let's say you send to your friend.
And your friend knows you are using invisible, and your friend has to know the password
to be able to extract the message.
Okay, so I said extract.
And where is the file?
So I locate.
That's on desktop.
And then this invisible, okay?
Open. All right, carrier file type.
And then next.
So I need to give a password.
So those steps, just think about, if you are forensics investigator,
what kind of difficulty you have.
First, you don't know which program,
which steganography tool is used for hiding the evidence.
Now, you can make a guess.
Because if you see Invisible Secrets tools from the image, then you can guess this person,
the suspect may use Invisible Secrets, then you can try it.
But again, you have to know the password.
Without knowing it, the password, you still have to try or brute force it, okay?
So here I put in, type in the password.
So it says what do I want, what do you want to put the-- extract the message?
By default, that is in a decrypt, and certainly you can browse it.
Now, very nicely, it's already identified, okay?
It's a brewhills.jpeg, because we are using Invisible Secrets, extract into hide the data,
and certainly it knows how to get those data out.
And you can even say keep original path.
It knows where is the path.
So this is the original path, all right?
Now, let's compare these two images to see whether we can identify any differences.
So the first one is called invisible, and I open it here.
So this one is the sunset picture hiding another picture, Brew Hills, inside.
And then this one is the original sunset, which does not have any hidden images in it.
So I am not sure from my eyes, and I really cannot tell the difference.
And you can practice that by yourself.
So this is sunset.jpeg, and this is invisible, which the one I saved on desktop.
There are many free steganography tools online for you to try.
Just be very cautious about the location you download and whether the site is a safe site,
and the tools you download were not harmful to you.
So I will show you a couple of them.
One is S tools, which is one of the earliest steganography tools.
It takes GIF file, bitmap and a WAV file as a carrier file.
So I'm not able to use JPEG as my carrier file anymore.
Let me find some images.
So GIF file.
I'll dump one in.
It's very easy to use.
And I dump one image.
This is a carrier file.
Currently, I haven't had anything yet.
And then let me find our original Windows image to hide.
So I just dump one on top of here.
If it's too large, it will complain, okay?
So if I just put this Brew Hills image on top of this image,
now it asks me about-- it says, what is the password?
And again, you can choose encryption.
Here, there are four algorithm, different algorithms for encryption.
You can choose-- I just use the default one and put in the password.
Say okay. Now, it says, it attempts a color reduction because a simple image hide
under another image, so that I said, okay, just do it.
Now, this is the hidden one.
Even though it says color reduction,
and then I'm not sure whether your eyes can tell the difference.
For me, I certainly cannot.
But I'm really nearsighted, so I don't know.
So this is the hidden one.
And then this is the original, okay?
And then you can save it.
Just right-click and save as, okay?
You can save as.
And you can reveal.
So now, for example, if I have this hidden data
and then I could e-mail or whatever other ways to send to your friend.
And once your friend gets this image, because it knows this is from S tools,
it is supposed to know the password as well.
So all we need to dump in this hidden data and then right-click, say reveal.
Okay, again, then you have to know which password and which algorithm you use.
So if you know the password and then say okay.
All right, so S tools say here, this is the JPEG,
brewhills.jpeg, image, it's the hidden one.
Then you can reveal.
That's revealed.
That's a revealed archives.
So it's very similar to Invisible Secret, okay?
Now, there are other ones.
So certainly I will now save it.
The other one is JPHideandSeek.
This is also a very famous one.
For JPHideandSeek, you can only hide images to JPEG.
That's why it originally said open JPEG.
So this is the carrier file.
And now once you open JPEG and then it allows you to hide, here you don't see it,
you can choose the option to hide, and then you can send along, save it, send along.
And then the receiver receives this, can load and seek.
In the lecture, I also mention about a very simple tool called camouflage.
Now, camouflage works by starting from the payload.
So if I know which message, which file to hide, and you only need to simply click, right-click,
and if you installed camouflage and then the camouflage option will show up here.
And you open, and it knows, it says this is the hidden file.
And where do you want to hide this hidden payload in?
Now, you can choose the carrier file.
Any file can be carrier.
Because for this method, it simply appends the payload at the end of the carrier file.
So it can choose the carrier file.
Now, you have to be clear, this method is not secure at all.
Because if I use, simply use a hex viewer, and then you find the original file,
find the end of file and carve out anything after the end of file, that's the payload.
So you cannot use this one to hide really secret, okay?
The secret information will be revealed and easy to detect and easy to recover the hidden file.
The other one I mention about that is the spammimic.
So this is the website, spammimic.
You can encode and you can decode, and there's options.
Very simple.
It's not a secure way to hide anything.
Let's say I want to hide, encode a text, test.
Now, you can encode it with password or other stuff.
And you encode.
It generates spam.
And then you send the spam to your friend.
Your friend will copy this spam into the spammimic and then decode.
That's all, okay?
So if your friend copied over the code, and it will get the hidden message.
So it's very simple.
All right, so one more thing I want to show you is besides Invisible Secrets,
that's from the legitimate website, there's another one you can try.
It's OpenStack, okay?
OpenStack, they have a website for OpenStack.
It's free.
It is a Java program.
Now, if you run Java, there's a Java file, and if you run Java,
then you will see this very nice interface.
When we interface, you can specify which message you want to hide,
and then what are the carrier files?
Actually, this version, it accepts multiple carriers.
So you can hide messages into multiple carrier files, which is secure, okay?
It's a more secure way.
And they even provide a password.
Because to be able to recover, you have to know all those multiple files
to be able to recover this hidden data.
It's a very nice tool, and it's safe.
You can download from its website, all right?
I tried it on my SIFT machine because it's a Java, right?
S-I-F-T, the SIFT system we used before, it also has Java software installed.
So you can use-- you can run the data SH file once you downloaded this OpenStack,
you can run .sh nicely to show the score, and you can try that by yourself.
Now, for other tools, S tools, JPHideandSeek,
and I don't know which site is really trustworthy.
And I'm not allowed to share my executable with you.
So just use them with caution, okay?
All right, so I will end my video here.
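The demo's point about Camouflage-style hiding (find the end of the original file and carve out anything after it) can be scripted for triage. The following is an added example, not part of the lecture or of any tool it names: it walks JPEG segments or PNG chunks to the format's real end marker instead of searching for raw bytes, so an `FF D9` inside a metadata segment or inside the appended data does not confuse it. The sample bytes are constructed and structurally minimal, not decodable images.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments from SOI."""
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xD9:                            # EOI: logical end of image
            return i + 2
        if marker == 0xFF:                            # fill byte before a marker
            i += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length
            i += 2
            continue
        if i + 4 > len(data):
            break
        (seglen,) = struct.unpack(">H", data[i + 2:i + 4])
        i += 2 + seglen
        if marker == 0xDA:                            # SOS: skip entropy-coded data
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] != 0x00
                    and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1                                # FF00 and RSTn are not an end
    raise ValueError("no EOI marker found")

def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk (length + type + data + CRC per chunk)."""
    i = len(PNG_SIG)
    while i + 8 <= len(data):
        (length,) = struct.unpack(">I", data[i:i + 4])
        ctype = data[i + 4:i + 8]
        i += 12 + length
        if ctype == b"IEND":
            return i
    raise ValueError("no IEND chunk found")

def trailing_data(data: bytes) -> bytes:
    """Bytes stored after the carrier's end-of-file marker (empty if none)."""
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_end(data):]
    if data.startswith(PNG_SIG):
        return data[png_end(data):]
    raise ValueError("unsupported carrier type")

# Constructed carriers. The JPEG has an APP0 segment that itself contains FF D9.
CARRIER_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x07\xff\xd9abc"
                + b"\xff\xda\x00\x04\x00\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
                + b"\xff\xd9")
CARRIER_PNG = (PNG_SIG + struct.pack(">I4s", 13, b"IHDR") + bytes(13) + bytes(4)
               + struct.pack(">I4s", 0, b"IEND") + bytes(4))  # CRCs zeroed, unchecked
PAYLOAD = b"constructed appended payload \xff\xd9"

if __name__ == "__main__":
    for name, carrier in (("jpeg", CARRIER_JPEG), ("png", CARRIER_PNG)):
        print(name, len(trailing_data(carrier + PAYLOAD)), "trailing bytes")
```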