
Steganography Analysis

StegAlyzerAS  (Steganography Analyzer Artifact Scanner)

StegAlyzerAS is a steganalysis tool designed to extend the scope of traditional computer forensic examinations by allowing the examiner to scan suspect media, or forensic images of suspect media, for known artifacts of over 1,200 steganography applications.

Artifacts may be identified by scanning the file system as well as the registry on a Microsoft Windows system. StegAlyzerAS allows for identification of files by using CRC-32, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 hash values stored in the Steganography Application Fingerprint Database (SAFDB). SAFDB is the largest commercially available steganography hash set. Known registry keys are identified by using the Registry Artifact Key Database (RAKDB). RAKDB is the only commercially available steganography registry key database.
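The artifact-scanning idea described above, as an added example that is not StegAlyzerAS or SAFDB code: each file is read once while CRC-32 and the six hash algorithms are updated together, and every digest is looked up in a fingerprint set. The fingerprint set, the application name and the file contents are constructed stand-ins, not real SAFDB entries.

```python
import hashlib
import os
import tempfile
import zlib

HASH_ALGOS = ("md5", "sha1", "sha224", "sha256", "sha384", "sha512")

def fingerprint(blocks):
    """One pass over the data blocks updates CRC-32 and every listed hash at once."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGOS}
    crc = 0
    for block in blocks:
        crc = zlib.crc32(block, crc)
        for h in hashers.values():
            h.update(block)
    digests = {name: h.hexdigest() for name, h in hashers.items()}
    digests["crc32"] = f"{crc:08x}"
    return digests

def build_fingerprint_db(artifacts):
    """Constructed stand-in for SAFDB: {(algorithm, digest): application} for each artifact."""
    db = {}
    for app, data in artifacts.items():
        for algo, digest in fingerprint([data]).items():
            db[(algo, digest)] = app
    return db

def scan_tree(root, db):
    """Walk a directory (or mounted image) and flag files whose digest is in the set."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                matches = [(a, d) for a, d in fingerprint(iter(lambda: fh.read(1 << 16), b"")).items() if (a, d) in db]
            if matches:                          # any one algorithm matching flags the file
                hits.append((os.path.relpath(path, root), matches[0][0], db[matches[0]]))
    return hits

def run_demo():
    """Constructed case: a hypothetical stego tool binary next to an unrelated file."""
    artifacts = {"HypotheticalStegoApp": b"constructed stand-in for a stego tool executable\n"}
    db = build_fingerprint_db(artifacts)
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "HypoStego"))
        files = {"HypoStego/hypostego.exe": artifacts["HypotheticalStegoApp"],
                 "notes.txt": b"an unrelated file that must not match\n"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root, db)
```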

StegAlyzerAS was found to be effective for identifying file and registry artifacts by the Defense Cyber Crime Institute (DCCI) and the CyberScience Laboratory (CSL).

Product highlights in StegAlyzerAS:

  • Versions available for both 32-bit and 64-bit forensic workstations
  • Case generation and management
  • Mount and scan forensic images of storage media in EnCase, ISO, RAW (dd), SMART, SafeBack, Paraben Forensic Replicator, and Paraben Forensic Storage formats
  • Automated scanning of an entire file system, individual directories, or individual files on suspect media for the presence of steganography application file artifacts
  • Automated scanning of the Microsoft Windows Registry for the presence of registry artifacts associated with particular steganography applications
  • File and registry artifact evidence viewers allow the examiner to view evidence according to the percentage of artifacts that were discovered for each steganography application detected
  • Scan summary viewer allows the examiner to quickly view a statistical summary of any previous scan performed during a particular examination
  • Extensive report generation in HTML format
  • Automated logging of key events and information of potential evidentiary value
  • Integrated help feature to explain specific features and functions

StegAlyzerSS (Steganography Analyzer Signature Scanner)

StegAlyzerSS is a steganalysis tool designed to extend the scope of traditional computer forensic examinations by allowing the examiner to scan suspect media or forensic images of suspect media for over 55 uniquely identifiable byte patterns, or known signatures, left inside files when particular steganography applications are used to embed hidden information within them. Automated extraction algorithms unique to StegAlyzerSS can be used to recover hidden information.

StegAlyzerSS extends the signature scanning capability by also allowing the examiner to use more traditional blind detection techniques for detecting whether information may be hidden within potential carrier files.

StegAlyzerSS was found to be effective for identifying files that contain hidden steganographic data by the Defense Cyber Crime Institute (DCCI) and the CyberScience Laboratory (CSL).

Product highlights in StegAlyzerSS:

  • Versions available for both 32-bit and 64-bit forensic workstations
  • Case generation and management
  • Mount and scan forensic images of storage media in EnCase, ISO, RAW (dd), SMART, SafeBack, Paraben Forensic Replicator, and Paraben Forensic Storage formats
  • Automated scanning of an entire file system, individual directories, or individual files on suspect media for the presence of steganography application signatures
  • Identify files that have information appended beyond a file’s end-of-file marker with the Append Analysis feature and analyze the files in a hex editor view to determine the nature of the hidden information
  • Identify files that have information embedded using Least Significant Bit (LSB) image encoding with the LSB Analysis feature and extract and rearrange the LSBs for analysis in a hex editor view to detect hidden information
  • Exclusive Automated Extraction Algorithm functionality for selected steganography applications gives examiners a “point-click-and-extract” interface to easily extract hidden information from suspect files
  • Extensive report generation in HTML format
  • Automated logging of key events and information of potential evidentiary value
  • Export session activity and evidence logs in comma separated value (.csv) format
  • Integrated help feature to explain specific features and functions
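The Append Analysis and LSB Analysis features listed above, as an added example that is not StegAlyzerSS code: the PNG chunk list is walked to find where the image logically ends (anything after the IEND chunk is appended data), and the least significant bit of every 8-bit RGB sample is collected and repacked into bytes. The carrier image and the trailing bytes are constructed inline for the demonstration; only 8-bit RGB images with filter type 0 scanlines are handled.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunks(blob):
    """Yield (type, data, offset_after_chunk) for each chunk, stopping after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        pos += 8 + length + 4                      # length + type + data + CRC
        yield ctype, data, pos
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG: no IEND chunk")

def png_trailing_data(blob):
    """Append Analysis: everything stored after IEND, which image viewers never read."""
    end = next(off for ctype, _, off in png_chunks(blob) if ctype == b"IEND")
    return blob[end:]

def png_lsb_bytes(blob):
    """LSB Analysis: take bit 0 of every 8-bit RGB sample and repack the bits as bytes."""
    idat = b""
    for ctype, data, _ in png_chunks(blob):
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if (depth, colour) != (8, 2):
                raise ValueError("only 8-bit RGB images are handled here")
        elif ctype == b"IDAT":
            idat += data
    raw, stride = zlib.decompress(idat), 1 + 3 * width
    if any(raw[r * stride] for r in range(height)):   # each scanline opens with a filter byte
        raise ValueError("only filter type 0 scanlines are handled here")
    bits = [b & 1 for r in range(height) for b in raw[r * stride + 1:(r + 1) * stride]]
    return bytes(sum(bit << (7 - j) for j, bit in enumerate(bits[i:i + 8]))
                 for i in range(0, len(bits) - 7, 8))

def build_sample(message=b"hi", trailer=b"constructed appended payload"):
    """Constructed 2-pixel-wide carrier (not a real case file): message bits sit in sample LSBs."""
    chunk = lambda t, d: struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    bits = [(byte >> (7 - j)) & 1 for byte in message for j in range(8)]
    height = -(-len(bits) // 6)                    # 6 samples (2 RGB pixels) per scanline
    bits += [0] * (6 * height - len(bits))
    rows = b"".join(b"\x00" + bytes(0xA0 | b for b in bits[r * 6:r * 6 + 6]) for r in range(height))
    ihdr = struct.pack(">IIBBBBB", 2, height, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(rows)) + chunk(b"IEND", b"") + trailer
```

In a real examination the trailing bytes would be handed to a hex viewer or file-type identifier, and the repacked LSB stream inspected for structure rather than compared to a known message.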

StegAlyzerFS (Steganography Analyzer Field Scanner)

StegAlyzerFS is a steganalysis tool designed to perform rapid field triage of suspect media on computers to detect the use of steganography to conceal information. Often it is necessary to quickly identify potential evidence of concealed information while at the scene. If the information was hidden with a steganography application, currently deployed computer forensic triage tools will not detect it.

A suspect computer can be booted from the StegAlyzerFS device and results can be obtained in a matter of minutes. StegAlyzerFS detects any of the files associated with over 1,200 applications in the Steganography Application Fingerprint Database (SAFDB). SAFDB is the largest commercially available steganography hash set. In addition, StegAlyzerFS detects over 55 uniquely identifiable byte patterns, or known signatures, left inside files when particular steganography applications are used to embed hidden information within them.

Product highlights in StegAlyzerFS:

  • Software executes from single USB device
  • Requires no installation or configuration
  • Does not change target storage media, preserving its forensic integrity
  • Automated scanning of entire devices
  • Scan popular file systems such as ext2, ext3, ReiserFS, XFS, FAT, FAT32, NTFS, ISO and others supported by Linux kernel 2.6.32
  • Automated decompression/extraction of the following archive and compressed file types: zip, iso, tar, gz, gz2, bz, bz2, rar, cab, pax, cpio, xar, lha, ar, mtree
  • Extensive report generation in HTML format
  • Automated logging of key events and information of potential evidentiary value