Steganography in Computer Forensics

Chris Dare🔥
Feb 23, 2017
Concept: Secret code in the Mona Lisa image. Image obtained from Flipboard.

Report on Paper: Steganalysis in Computer Forensics by Ahmed Ibrahim (2007)

The paper discusses steganography and its uses, outlines some tools used in steganalysis, and suggests better solutions to steganalysis. More specifically, it focuses on image/graphic steganography.


Steganography is the art of concealing a message within another message. The name originates from the Greek words Steganos (meaning “covered”) and Graphia (meaning “writing”). It is an art that dates back many years. Y’all remember invisible ink, right? Steganography has been known to be used to maintain secrecy in covert communication. It is also used to protect intellectual property by embedding copyright information in an owner’s file(s), e.g. media files.
Steganography might be a better alternative to encryption. While encryption hides the meaning of a message, steganography hides the message itself. Encryption says, “Here’s the file. But try as you may, you will not understand what it truly means.” Steganography says, “File? I’ve never heard of such a thing, ever.” Steganography has been reported to be used in terrorist communication as well as in spilling trade secrets in corporate espionage.

How it works

There are many methods of steganography. However, the most common ones conceal the message as noise and then rely on smart compression. When the message is concealed as noise, the information can be stored in the Least Significant Bit (LSB) of the image data via bitwise operations. This causes small variations that are unnoticeable to the human eye. However, if the image that is to host the secret message has very little noise, then it’ll obviously look suspicious. Also, being able to successfully conceal a message depends on the kind of compression applied to the image. Compression basically reduces the noise in the image file, so one needs to be careful to make sure that the message to be concealed is not lost to compression.

Steganalysis Techniques

Identifying the message is very difficult. It is almost impossible to do so without knowing the tool used to conceal the message. Steganalysis is done by analyzing the files in question: checking and comparing the file properties of both the original image(s) and the steganographic image(s), as well as statistical analysis of the least significant bit.


Patterns cannot always be detected. Moreover, one will hardly ever have both the original cover image and the steganographic image available for comparison. In some cases the LSB of the cover image is almost untouched, which makes it even more difficult to notice the changes.
It would appear that steganalysis tools are not competent enough to combat modern threats. There are many claims but few proofs of the use of steganography over the internet. This also suggests that the publicly known internet is not being patronized for distribution of steganographic images.

Evaluation of Steganographic Tools

Steganographic tools include Steghide and Digital Invisible toolkit.

Evaluation must be done in a forensically sound environment to ensure that findings are valid. The tools must be obtained and verified to ensure that they do what they claim to do. Steganalysis should be applied to the cover image(s), and the hashes generated from the image(s) should be noted. The same must also be done for the generated steganographic image.
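
The evaluation step above, together with the LSB statistics mentioned under Steganalysis Techniques, as an added Python example (not code from the paper or from this post). It builds a known cover/stego test pair, records both hashes and compares LSB statistics. The raw pixel buffer, the function names and the pair-of-values chi-square statistic are assumptions chosen for illustration, and the cover is a constructed flat patch, the "very little noise" case described under How it works.

```python
import hashlib

def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Build a test stego buffer: message bits (MSB first) replace sample LSBs."""
    bits = [(byte >> s) & 1 for byte in message for s in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)

def lsb_ratio(pixels: bytes) -> float:
    """Fraction of samples whose least significant bit is 1."""
    return sum(p & 1 for p in pixels) / len(pixels)

def pair_chi_square(pixels: bytes) -> float:
    """Chi-square over value pairs (2k, 2k+1). LSB replacement pulls each
    pair's counts together, so the statistic falls after embedding."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            chi += (hist[k] - expected) ** 2 / expected
    return chi

def compare(cover: bytes, stego: bytes) -> dict:
    """Record what an examiner would note for a cover/stego pair."""
    deltas = [abs(a - b) for a, b in zip(cover, stego)]
    return {
        "cover_sha256": hashlib.sha256(cover).hexdigest(),
        "stego_sha256": hashlib.sha256(stego).hexdigest(),
        "changed_samples": sum(1 for d in deltas if d),
        "max_delta": max(deltas),
        "lsb_ratio": (lsb_ratio(cover), lsb_ratio(stego)),
        "pair_chi_square": (pair_chi_square(cover), pair_chi_square(stego)),
    }

# Constructed sample data: a flat, noise-free 16x16 grey patch and a test string.
COVER = bytes([128]) * 256
STEGO = embed_lsb(COVER, b"constructed test")

if __name__ == "__main__":
    for key, value in compare(COVER, STEGO).items():
        print(f"{key}: {value}")
```

The hashes differ even though no sample moves by more than one grey level, and on a flat cover the LSB statistics shift visibly. On a noisy cover the same comparison is much less clear-cut.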