Computer Crime Problems Research Center

A Novice Tries Steganography

(By Jack Karp)

Steganography is the process of hiding one message or file inside another message or file. "CyberCrime" finds out just how easy or difficult the process is.

With the war on terrorism and the hunt for those responsible for the September 11 attacks mounting, steganography is increasingly in the news. Some experts theorize the al Qaeda terrorists used the Internet to plan the attacks, possibly using steganography to keep their intentions secret.

Steganography is the process of hiding one message or file inside another message or file. For instance, steganographers can hide an image inside another image, an audio file, or a video file, or they can hide an audio or video file inside another media file or even inside a large graphic file. Steganography differs from cryptography in that while cryptography works to mask the content of a message, steganography works to mask the very existence of the message.

In preparing this week's episode about steganography, "CyberCrime" wanted to find out just how easy or difficult the process is. We decided to try to hide a video file inside a graphic file and then email that file to someone who would then extract and watch the video. Accomplishing this task fell to "CyberCrime" associate producer Kendall Parkhurst and myself. At the time, we could hide everything we knew about steganography inside a pea. We documented the process as we went along, and this is what we learned:

Choosing a data file

The first step in the steganography process is choosing the file you wish to hide, known as the data file. We chose to hide a video file -- a brief clip of "CyberCrime" co-host Alex Wellen explaining steganography. Once our camera crew finished filming the video, Kendall and I took the tape and digitized it to create a computer video file. Any film-editing software can be used to accomplish this; we used Final Cut Pro.

While the actual process of digitizing the video into a computer file is relatively simple, we found that creating a video clip small enough to hide is significantly more difficult. After initially digitizing our video clip, we found ourselves with a video file that took up several megabytes of memory -- way too large for our purposes. So we experimented with various image sizes and resolutions, finally creating a video clip that was physically smaller than the original and had less than ideal sound and visual resolution. But it took up only 710KB of memory. We decided to go with it.

Choosing a carrier file

The second step in the steganography process is choosing the file that will serve as the hiding place. This file is known as a carrier file, or vessel. Kendall and I decided to use a graphic file of the "CyberCrime" logo as our carrier file, but the version we hoped to use, at 106KB, was far too small (remember, our data file is 710KB). According to most of the steganography programs we looked at, the carrier file must be approximately eight times as large as the data file in order for the encryption to work. So, with a 710KB data file, we would need a graphic that was at least 5,600KB.

Since we had already shrunk our data file, the only option left was to enlarge our carrier file. We managed to do this using PhotoShop to increase both the physical size of the image and its resolution, thus increasing the amount of memory used by the graphic. We had to experiment with several graphics before we created one large enough to be used as a carrier file but still small enough to be viewable when emailed. After trying several images, the largest of which choked our email system at 20MB, we settled on a 4MB version of the "CyberCrime" logo.

Choosing a steganography program

The third step in the steganography process is to choose a steganography program. There are many steganography programs on the Internet for free and for pay, and each works a little differently. Some use .jpeg files as carriers; some use media files as carriers. Some require you to provide a carrier file; some will search your computer for appropriate carrier files. Some offer password protection on encrypted files; some don't.

We needed to find a program capable of hiding a video file inside a graphic file, and we wanted to find a program that was relatively simple to use given our inexperience. We tried several such programs before settling on one called Steganos 3 Security Suite. The program, created by the German company Steganos, will hide almost any data file inside a graphic file and will then destroy the original data file. It will also search your computer for files large enough to use as carrier files, and it provides the option of attaching a password to the hidden file. The program is available for PCs running Windows 95, 98, Me, NT 4.0, or Windows 2000 and costs $49.95, although you can download a free trial version of the software for 30 days. This is what we did.

Encrypting the file

Once we had chosen our data and carrier files and our steganography software, the actual process of hiding our video file was relatively easy. All we had to do was select the file we wanted to hide, select a carrier file (if we didn't have a specific file in mind, the program would find one for us), and give the new file a password. The password we chose was, of course, "cybercrime." The program even evaluated our password's vulnerability.

The only drawback of using the Steganos program is that it will only use bitmap graphic files as carriers. We had to convert the .jpeg of our "CyberCrime" graphic to a bitmap file in order to use it. Easy enough.

Emailing and decrypting the hidden message

The fifth and final step in the steganography process is to send the hidden file to someone who will then decrypt it. We sent our file to Chet Hosmer, president and CEO of Wetstone Technologies, a company that focuses on information security technologies. But since our final file -- the 4MB graphic file plus the 710KB video file hidden inside it -- was over 4MB in size, many email programs choked on the message. After having several attempted emails returned to us, we used WinZip to zip the file to a size small enough to email. When he received the message, Chet had to unzip the file before decrypting it.

Once he had received and unzipped the file, Chet was ready to complete the steganography process by decrypting the message we had sent him. He used the same Steganos 3 Security Suite along with the password -- "cybercrime" -- we had provided him. Once the software had extracted the video file from the graphic file, he could watch the video. The process was a success.

The actual process of hiding one file inside another was relatively simple. But the preparation that went into the process -- shrinking the video, enlarging the graphic, researching steganography programs -- was more time-consuming than we had expected, largely because of the size constraints involved in hiding a video file inside a graphic file. Hiding a graphic file inside another graphic file or inside a video file would have been considerably easier, however. And hiding a video file inside a graphic file can be done by even the most inexperienced of users, as Kendall and I proved.

Unfortunately, if we could do it, so can terrorists. While steganography may offer a valuable solution to the privacy concerns that plague the Internet, it may also offer an easy way for criminals to plan their crimes and hide their intentions. It remains to be seen just what kind of role steganography will play in the world of cybercriminals and in America's new war on terrorism. And whatever role it does play, it also remains to be seen what the government will do about it.

Home | What's New | Articles | Links
Library | Staff | Contact Us

Copyright Computer Crime Research Center, 2001-2002 All Rights Reserved.
Contact the CCRC Office at +38 061 220 12 83