StegoHunt Datasheet (Spanish)
StegoHunt Datasheet (Chinese)
StegoHunt is an industry-leading steganography program discovery tool and steganalysis suite. StegoHunt effectively detects the presence of both data hiding programs and the files in which data may have been hidden (carrier files). It provides digital investigators, corporate auditors, incident response teams, and data loss prevention (DLP) experts with an easy-to-use suite of steganography forensics tools that can identify data hiding programs on a system or forensic image, as well as to detect possible carrier files. A carrier file is used to conceal a digital payload using techniques that make it appear indistinguishable from the original version of the file.
Cyber criminals are becoming increasingly proficient at covering their tracks and hiding incriminating information. There are currently over a thousand known tools for hiding data within images, audio files, digital video, network protocols, and other types of digital carriers. It has never been more important to discover these data hiding methods and the artifacts that data hiding tools can leave behind on a system. Recently, malware developers have been actively integrating data hiding capabilities into malicious code to create a form of advanced persistent threat (APT), known as fileless malware. An analysis performed by McAfee Labs on the malware attack that occurred during the 2018 Pyeongchang Olympics revealed a malicious PowerShell script embedded in an image within a Microsoft Word document. This malicious script began execution when a user opened the Word document containing the image. With StegoHunt, investigators have the ability to identify images that may contain potentially malicious or sensitive information, and leverage WetStone’s steganalysis tools to further investigate the embedded data.
After potential carrier files have been identified by StegoHunt, digital forensic analysts can advance the investigation by leveraging the powerful analytical capabilities of StegoAnalyst to view important characteristics of the carrier file. Steganalysis techniques, such as viewing file attributes, discrete cosine transform (DCT) coefficients and RGB color values provide clues that the investigator can use to identify the data hiding method being employed.
StegoBreak provides digital investigators with a tool to help break the encryption used by many data hiding programs. StegoBreak will launch a dictionary attack against the encryption and, if successful, allow the investigator to view the payload.
Key features of StegoHunt:
- Identify the presence of carrier files on a system through statistical analysis techniques
- Identify the presence of data hiding tools and artifacts on a system
- View data about images, such as the bitmap, and utilize color filters for more information
- Crack and extract payloads from carrier files using encryption by launching a dictionary attack against the data hiding password
Included in this suite of tools:
- Quickly identify if steganography is present in your investigations by scanning for over 1,000 data hiding applications using advanced, fast search methods
- Identify suspect carrier files that otherwise go undetected, including program artifacts, program signatures, and statistical anomalies
- Generate case-specific reports for management or court presentation
- Utilize multiple operational discovery modes, including directory, drive, archives, drive image, and network path
- Steganography analysis tool that provides deep investigation of detected images and audio files
- Utilize the file viewing panel to display the individual file attributes, including image details, discrete cosine transform (DCT) coefficients, and color pairs
- Select from various filter options for further presentation and analysis, such as least significant bit (LSB) of specific colors.
- Quickly and easily crack and extract payloads from many carrier files using a simple point and click interface
- Leverage the popular password dictionaries included in order to execute a dictionary attack
- Easily bring in other dictionaries, as well as create your own, to expand your dictionary attack
- StegoHunt: Your choice of either Electronic Software Download (ESD) or USB Flash Drive (Flash) license type
- StegoAnalyst: Electronic Software Download (ESD) only
- StegoBreak: Electronic Software Download (ESD) only
- Access to monthly Dataset updates
- Customer support portal account
- 1-Year maintenance
StegoHunt is available in both electronic software download and flash licensing types. The electronic software download is an application that is licensed for installation on a single machine, such as a forensic workstation, and the license is non-transferrable. The flash StegoHunt license is a physical USB token that is provisioned to be used on many different systems. The StegoFlash™ token is useful if you have many different machines that you would like to analyze for the presence of data hiding artifacts and carrier files.