Co-Authors: Michael Duren, Matthew Davis, Chet Hosmer
Data hiding is an ever-growing threat facing investigators today. Vast amounts of technology are available in the wild to help cyber criminals hide crucial data from investigators and communicate covertly. As an investigator, it is important to understand the difference between true data hiding, or steganography, and digital watermarking.
A common misconception in the marketplace is that digital watermarking tools should be classified as steganography applications. However, careful consideration is needed when classifying programs as steganography vs. digital watermarking. Let’s examine what characteristics truly make up a steganography program. The main purpose of any steganography application is to hide the mere presence of data, whether at rest (stored on a hard drive or other media) or in motion (attachments to e-mails, postings to a blog, or VoIP traffic). Steganography programs allow users to select a carrier file or transport (this will serve as the cover) and a payload (the data, programs, images, etc. that you wish to conceal). Finally, most steganography programs will both compress and encrypt the payload before hiding it within the carrier.
Digital watermarking embeds information within the signal of the digital carrier such that when the digital image, audio file, or movie is copied, the embedded information persists. Depending upon the robustness of the watermark, the information will persist even if the digital carrier is processed. For example, within a digital image, a robust watermark would persist even when the image is cropped or when contrast, brightness, or even sharpening filters are applied. These markers must be easily identified in order to maintain the copyright protection they afford. When applying watermarks to a digital carrier, the user will have limited control over the content of the watermark. For example, the user may be able to specify identifying numbers, short phrases or logos. They will not have the ability to choose arbitrary files or payloads to embed in the signal.
It is important to contrast steganography and digital watermarking in terms of the relationship between the data that is embedded and the data carrier. In steganography, there is no meaningful relationship between a carrier file and a payload beyond the intent to hide information. Thus, the only requirement of a carrier file is that it must be suitable for the intended purpose of hiding (i.e. it must be large enough to hold a payload). In watermarking, the specific purpose is to embed information that pertains directly to the content in which the data is placed. Copyrights, security information, or media tracking information are examples of information that is suitable for placing in a watermark. Steganography does not limit what types of information can be hidden or embedded (with the exception of the aforementioned size of the payload).
At WetStone Technologies, we do extensive research before classifying software as a steganography application in our malicious software dataset. Comprehensive testing is conducted to verify that a supposed steganography application meets the criteria for being classified as a true steganography program. That is, the application allows a user-defined object to be hidden in a carrier file in a manner that is completely indiscernible to the raw human senses.
Investigators must be careful when using other steganography datasets to investigate for the presence of steganography applications on a suspect drive. Some other steganography investigation datasets incorrectly classify benign watermarking programs as steganography applications. This can greatly hinder an investigation, as an investigator may spend needless time searching for steganography when in fact none exists.
Steganography and digital watermarking are two vastly different technologies that have unique intent and capabilities. It is important to understand this difference in any investigation that is being conducted.
Chet Hosmer is the Chief Scientist at WetStone and would like to hear your comments and feedback on his opinions.