Hidden data retrieval has always been a major part of Computer Forensics. Many cases have been solved after analyzing files that seemed of no interest for a case but had important evidence hidden in them. Data hiding in an information system can be performed for various reasons including potential malware attacks, hiding data for later use in a compromised environment by an attacker or exchanging secret information via the Internet. Steganography has always been a popular method of exchanging information in plain sight especially through the internet. Its popularity grew along with new techniques of hiding information in different carrier files with image files being the most popular amongst them. With the rapid growth of steganography on image files came the great need for Forensic investigators to analyze large volumes of images in order to detect possible hidden evidence. Different tools have been developed to computerize the process of locating suspect carrier files of different file types using visual, protocol compatibility or statistic analysis attacks. Most of these techniques concentrate and actually work against specific steganography algorithms/tools and are usually time consuming. In order to speed up the process of Steganalysis without sacrificing high detection rates, we are going to present a universal technique of detecting image steganography carrier files. Our method concentrates on reconstructing (Nosratinia, 2001) an ‘original’ image in order to use it as a comparison measure against the original possibly stego-carrier file. Our work concentrates on:
Benford’s Law, and the reasons why choosing this kind of metric as a detection schema.
The presentation of the process of creating a reconstructed image, resembling the data structure of the original image file before embedding any hidden data in it.
The design and usage of a custom, lightweight forensic tool utilizing the above mentioned technique to blindly detect image carrier files.
Hit ratio results along with time analysis of the detection process compared with other image steganalysis tools.
The contribution of this paper to the forensics community concentrates on the presentation of a lightweight steganalytic technique/ tool that minimizes computation time by implementing a well known statistical analysis method (Benford, 1938). This tool can be extended in order to be applicable to other image file types while complying with the known computer forensic standards.
In our work we are going to distinguish four image file types: