Talk:Steganalysis

Latest comment: 8 years ago by Breakpoint


Is it possible to use one algorithm to encode data in an image and use some other algorithm to decode ...?

That is, the case in which, even if the data is not 100% decrypted, some essential data is leaked out by using some other algorithm?


Arguably, yes. First, recognize that the steganographic encoding and any encryption used are separate steps. I assume your question is therefore more precisely, "Can using the wrong decoder on a suspected steganographic package recover useful information?" Yes, it can. Being unable to tell whether or not a suspected package does in fact have a steganographic payload means a message MIGHT have been present. Finding out that the package shows strong signs of steganographic modification means a message PROBABLY was present (though possibly for deceptive reasons). In many cases, the FACT of the communication may be more important than the contents, particularly if it establishes or confirms a relationship not previously proven to exist.

If your question is, instead, "If I suspect a package contains a payload, but have no idea what was used to inject it, can I use whatever I have available to attempt to confirm that suspicion?" then the answer is still yes. Start by analyzing the file using normal tools for analyzing the distribution of signal energy. You can also use steganographic tools somewhat similar to what you suspect was used, provided you are using a decoder that does not absolutely require a header of some known format. This is reasonable, as steganographic techniques generally forego headers to avoid introducing known plaintext into the package. In this case, you will extract a stream of garbage-- which you should then analyze. In other words, you treat the "failed" decode simply as what it is-- a mathematical transform-- and see if it does anything interesting. If piping a wide range of radically different, but benign, images through an LSB-decoder produces output with a particular distribution or other repeatable characteristics, see if passing your suspected file through the same transform produces noticeably different results. If it does, the technique may be in some way similar to your tools, which may provide clues as to how to recover the payload. If you get to a point where you recover more perfectly distributed white noise than the image itself provides in its noise floor, you may have recovered an encrypted payload.

Such analysis is an example of how using encryption prior to steganographic encoding is a double-edged sword. The steganographer must decide which is of greater concern: an increased possibility of detection with a reduced possibility of comprehension, or a reduced possibility of detection but an increased possibility of comprehension if detection does occur. Breakpoint (talk) 13:12, 11 January 2016 (UTC)
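The baseline comparison described in the reply above, sketched as an added example that is not part of the original discussion: a headerless LSB "decoder" is run over a set of benign covers, and the suspect's decoded stream is scored against that baseline. The covers are constructed synthetic pixel arrays standing in for real images, and the function names and the choice of byte entropy as the statistic are assumptions made for illustration.

```python
import math
import random
import statistics
from collections import Counter

def lsb_decode(pixels):
    """Headerless LSB 'decoder': pack each pixel's low bit into bytes, MSB first."""
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        byte = 0
        for p in pixels[i:i + 8]:
            byte = (byte << 1) | (p & 1)
        out.append(byte)
    return bytes(out)

def byte_entropy(data):
    """Shannon entropy in bits per byte (8.0 means perfectly uniform)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def make_cover(seed, n=65536):
    """Constructed stand-in for a benign image: gradient, clipped regions, sensor-like noise."""
    rng = random.Random(seed)
    period = rng.uniform(200, 2000)
    return [max(0, min(255, int(128 + 140 * math.sin(i / period) + rng.gauss(0, 1.5))))
            for i in range(n)]

def embed_lsb(pixels, payload_bits):
    """Overwrite low bits with random-looking bits to build the constructed test sample."""
    return [(p & ~1) | b for p, b in zip(pixels, payload_bits)]

def score(suspect, benign_covers):
    """Return (entropy, baseline mean, z-score) for the suspect's decoded stream."""
    base = [byte_entropy(lsb_decode(c)) for c in benign_covers]
    mu, sigma = statistics.mean(base), statistics.stdev(base)
    h = byte_entropy(lsb_decode(suspect))
    return h, mu, (h - mu) / sigma

# Constructed sample data: 20 benign covers, one clean file, one file with embedded noise.
BENIGN = [make_cover(s) for s in range(20)]
_rng = random.Random(1234)
CLEAN = make_cover(99)
STEGO = embed_lsb(CLEAN, [_rng.getrandbits(1) for _ in CLEAN])

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("stego", STEGO)):
        h, mu, z = score(img, BENIGN)
        print(f"{name}: entropy={h:.3f} baseline={mu:.3f} z={z:+.1f}")
```

A decoded stream that sits far above the benign baseline, close to 8 bits per byte, is the "more perfectly distributed white noise than the image itself provides" case; real photographs have different LSB statistics from these synthetic covers, so the baseline must be built from images comparable to the suspect.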


Nov. 2. 2015: External links and bib-sources are dead! — Preceding unsigned comment added by 94.18.211.82 (talk) 12:31, 2 November 2015 (UTC)