

Steganalysis is a relatively new research discipline, with few articles appearing before the late 1990s. Steganalysis is "the process of detecting steganography by looking at variances between bit patterns and unusually large file sizes" [18]. It is the art of discovering and rendering useless covert messages.


What is the goal?

The goal of steganalysis is to identify suspected information streams, determine whether or not they have hidden messages encoded into them, and, if possible, recover the hidden information.


The challenge of steganalysis is that:

Unlike cryptanalysis, where it is evident that intercepted encrypted data contains a message, steganalysis generally starts with several suspect information streams but with no certainty that any of them contains a hidden message. The steganalyst starts by reducing the set of suspect information streams to a subset of the most likely altered information streams. This is usually done through statistical analysis using advanced statistical techniques.

Types of Attacks

Attacks and analysis on hidden information may take several forms: detecting, extracting, and disabling or destroying hidden information. An attack approach is dependent on what information is available to the steganalyst (the person who is attempting to detect steganography-based information streams).

Where can information be hidden?

Almost anywhere on the Internet.

For example, there are several places on a webpage to hide information:

Steganalysis Techniques

Hiding information within an electronic medium causes alterations of the medium's properties that can result in some form of degradation or unusual characteristics.

Unusual patterns

Unusual patterns in a stego image are suspicious. For example, there are some disk analysis utilities that can filter hidden information in unused partitions in storage devices. Filters can also be used to identify TCP/IP packets that contain hidden or invalid information in the packet headers. TCP/IP packets used to transport information across the Internet have unused or reserved space in the packet headers. Packet headers are seldom read by humans and thus make an ideal place to hide data. The disadvantage of using this method is that firewalls can be configured to filter out packets that contain inappropriate data in the reserved fields. In addition, hiding information in packet headers is unreliable because the TCP/IP headers, including the reserved bits, may be overwritten in the routing process, thus defeating the steganographic transmission.
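A filter of the kind described above can be sketched as follows. This Python is an added example, not part of the original tutorial: it parses a raw IPv4/TCP header and reports reserved bits that are set. The urgent-pointer check, the function names and the sample packets are assumptions made for illustration.

```python
import struct

def inspect_headers(pkt: bytes) -> list:
    """Return findings for one raw IPv4 packet (no link-layer header)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["not a parseable IPv4 packet"]
    ihl = (pkt[0] & 0x0F) * 4                  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return ["invalid IPv4 header length"]
    findings = []
    flags_frag = struct.unpack_from("!H", pkt, 6)[0]
    if flags_frag & 0x8000:                    # top flag bit is reserved, must be 0
        findings.append("IPv4 reserved flag bit set")
    if pkt[9] != 6 or flags_frag & 0x1FFF:     # not TCP, or a later fragment
        return findings
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return findings + ["truncated TCP header"]
    reserved = tcp[12] & 0x0F                  # 4 reserved bits after the data offset
    if reserved:
        findings.append("TCP reserved bits = 0x%x" % reserved)
    urg_ptr = struct.unpack_from("!H", tcp, 18)[0]
    if urg_ptr and not tcp[13] & 0x20:         # pointer is meaningless without URG
        findings.append("urgent pointer set without URG flag")
    return findings

def sample_packet(ip_reserved=0, tcp_reserved=0, tcp_flags=0x18, urg_ptr=0):
    """Constructed test input: 20-byte IPv4 + 20-byte TCP header, checksums 0."""
    flags_frag = (ip_reserved << 15) | 0x4000  # reserved bit, DF set
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_frag, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    off_res = (5 << 4) | (tcp_reserved & 0x0F)
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000,
                      off_res, tcp_flags, 8192, 0, urg_ptr)
    return ip + tcp

if __name__ == "__main__":
    samples = {
        "clean": sample_packet(),
        "ip reserved bit": sample_packet(ip_reserved=1),
        "tcp reserved bits": sample_packet(tcp_reserved=0b1010),
        "stray urgent pointer": sample_packet(urg_ptr=0x4142),
    }
    for label, pkt in samples.items():
        print(label, "->", inspect_headers(pkt) or "no findings")
```
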

Visual detection

Analyzing repetitive patterns may reveal the use of a steganography tool or the presence of hidden information. One approach to inspecting these patterns is to compare the original cover image with the stego image and note visible differences. This is called a known-carrier attack. By comparing numerous images, patterns may emerge that serve as signatures of a steganography tool.

If the cover images are not available for comparison, the derived known signatures are sufficient to imply the existence of a hidden message and identify the tool used to embed the message. Detection of these signatures can be automated into tools for detecting steganography. Stegdetect takes advantage of palette patterns and signatures, and analyzes pixels that stand out from the other pixels in their area.

Another visual clue to the presence of hidden information is padding or cropping of an image. With some stego tools, if an image does not fit into a fixed size, it is cropped or padded with black spaces. There may also be a difference in file size between the stego image and the cover image. Another indicator is a large increase or decrease in the number of unique colors, or colors in a palette that increase incrementally rather than randomly (except in grayscale images).
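The known-carrier comparison and the unique-color indicator described above can be automated when both images are available as decoded pixels. The following Python is an added example, not part of the original tutorial; the function names and the 64-pixel sample images are constructed for illustration.

```python
def compare_with_cover(cover, suspect):
    """Known-carrier comparison of two equal-sized lists of (r, g, b) pixels."""
    if len(cover) != len(suspect):
        raise ValueError("images differ in size (possible padding or cropping)")
    changed = lsb_only = 0
    for c, s in zip(cover, suspect):
        if c == s:
            continue
        changed += 1
        # XOR <= 1 on every channel means only bit 0 was touched
        if all((a ^ b) <= 1 for a, b in zip(c, s)):
            lsb_only += 1
    return {
        "changed_pixels": changed,
        "lsb_only_changes": lsb_only,
        "unique_colors_cover": len(set(cover)),
        "unique_colors_suspect": len(set(suspect)),
    }

def verdict(report):
    """Summarize a report from compare_with_cover() in one line."""
    if report["changed_pixels"] == 0:
        return "identical to cover"
    if report["lsb_only_changes"] == report["changed_pixels"]:
        return "all differences confined to least significant bits"
    return "differences not explained by least-significant-bit changes alone"

def constructed_samples():
    """Constructed 64-pixel image: four flat color blocks of 16 pixels each."""
    colors = [(200, 30, 30), (30, 200, 30), (30, 30, 200), (240, 240, 240)]
    cover = [colors[i // 16] for i in range(64)]
    # Constructed suspect copy: red-channel bit 0 flipped in every third pixel
    suspect = [(r ^ 1, g, b) if i % 3 == 0 else (r, g, b)
               for i, (r, g, b) in enumerate(cover)]
    return cover, suspect

if __name__ == "__main__":
    cover, suspect = constructed_samples()
    report = compare_with_cover(cover, suspect)
    print(report)
    print(verdict(report))
```

On the constructed sample the unique-color count doubles even though no pixel changes by more than one intensity level, which is the kind of increase the paragraph above treats as an indicator.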

Tools to detect steganography

The disabling or removal of hidden information in images is dependent on the image processing techniques. For example, with LSB methods of inserting data, simply compressing the image using lossy compression is enough to disable or remove the hidden message.

There are several available steganographic detection tools such as EnCase by Guidance Software Inc., ILook Investigator by Electronic Crimes Program, Washington DC, various MD5 hashing utilities, etc. For information on available steganographic and steganalysis tools, visit the Computer Forensics, Cybercrime and Steganography Resources website at

Stegdetect, provided by Niels Provos, is a popular automated tool for detecting steganographic content in images. Provos is also the author of the steganography program OutGuess. Stegdetect detects data hidden in JPEG images by certain steganography applications. The detectable schemes include JSteg, JPHide (Unix and Windows), Invisible Secrets, OutGuess 0.13b, F5 (header analysis), AppendX and Camouflage. Note that OutGuess 0.2 is undetectable by statistical analysis.

Example of a Stegdetect output:

    $ stegdetect *.jpg
    dscf0001.jpg : outguess(old)(***) jphide(*)
    dscf0002.jpg : negative
    dscf0003.jpg : jsteg(***)
    wonder-5.jpg : jphide(**)

Certain types of images are more likely to show up as false positives, such as drawings, paintings, and images with monotone backgrounds.

StegBreak is a brute-force attack tool for determining the passphrase assigned to a cover file embedded with a hidden message. StegBreak is used to launch dictionary attacks against images to determine if content was hidden with JSteg-Shell, JPHide or OutGuess 0.13b. Steganographic systems embed header information in front of a hidden message. The header contains information such as the length of the message and compression methods. StegBreak chooses a key from a dictionary and uses it to retrieve header information. If the header makes sense, the guessed key is a candidate.

The Stegdetect tool can be downloaded from
