Today criminals covertly communicate, secretly exchange information, and conceal incriminating contraband (e.g., child pornography) using a variety of methods. Forensic investigators must keep abreast of the latest techniques in order to thoroughly investigate the seen and unseen.
The purpose of steganography is not to simply keep information private, but rather to hide the mere existence of such information or communications while also keeping them private. If you hope to detect this hidden data, it is important to understand the types of carrier files that exist and how they are used.
True Color Image (example using a 24 Bit BMP File)
True color images are the simplest carrier type both to explain and to hide information in. A true color image is made up of rows and columns of pixels, where each pixel contains 3 color values that define its color: R = Red, G = Green, and B = Blue. In a 24 bit true color image each RGB triplet occupies 3 bytes, 1 byte each for the intensity of red, green, and blue. Each value can range from 00 = No Intensity to FF (255) = High Intensity. Figure xx depicts the range of values for a RED only pixel.

The combination of R, G, and B values determines the actual color of the pixel, producing:
2^8 x 2^8 x 2^8 = 16,777,216 colors per pixel
In true color images, steganography is applied by altering the least significant bit, or LSB (or, in more aggressive methods, bits), of each color value to encode the hidden information. This method has no effect on the size of the image, as bits are merely altered and not added or replaced. Furthermore, with this method one can calculate the maximum payload size in 8 bit bytes that a true color image can hold (assuming alteration of all LSBs). The formula is:
(Pixels x 3) / 8
For a 1024 x 768 pixel image the result is:
(1024 x 768 x 3) / 8 = 294,912 bytes of hidden space
  |      |    |__ 3 values per pixel
  |      |__ Rows
  |__ Columns
The actual amount of data storage can be increased if the original payload to be stored is compressed.
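The capacity formula above, as an added example that is not part of the original article: Python that reads the header of an uncompressed 24 bit BMP, computes the maximum LSB payload, and packs the LSB plane an examiner would inspect. The function names and the in-memory sample image are constructed for illustration; the code goes slightly beyond the text by skipping row padding and allowing more than one altered bit per color value.

```python
import struct

def parse_bmp24(data: bytes):
    """Return (width, height, pixel_offset, row_stride) for an uncompressed 24-bit BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    width, height, _planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if bpp != 24 or compression != 0 or width <= 0 or height == 0:
        raise ValueError("only uncompressed 24-bit BMP is handled")
    stride = (width * 3 + 3) & ~3  # each row is padded to a 4-byte boundary
    return width, abs(height), pixel_offset, stride  # negative height = top-down rows

def lsb_capacity_bytes(data: bytes, bits_per_value: int = 1) -> int:
    """Maximum hidden payload: (pixels x 3 x bits altered per color value) / 8."""
    width, height, _, _ = parse_bmp24(data)
    return (width * height * 3 * bits_per_value) // 8

def lsb_plane(data: bytes) -> bytes:
    """Pack the LSB of every color byte into bytes, MSB first.

    Row padding is skipped; a trailing group of fewer than 8 bits is dropped.
    """
    width, height, offset, stride = parse_bmp24(data)
    out, acc, n = bytearray(), 0, 0
    for row in range(height):
        start = offset + row * stride
        for value in data[start:start + width * 3]:
            acc, n = (acc << 1) | (value & 1), n + 1
            if n == 8:
                out.append(acc)
                acc, n = 0, 0
    return bytes(out)

def make_bmp24(width: int, height: int, fill: int = 0x80) -> bytes:
    """Constructed sample input: a solid-color 24-bit BMP built in memory."""
    stride = (width * 3 + 3) & ~3
    body = (bytes([fill]) * (width * 3) + b"\x00" * (stride - width * 3)) * height
    header = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return header + info + body

if __name__ == "__main__":
    sample = make_bmp24(1024, 768)             # the article's 1024 x 768 case
    print(lsb_capacity_bytes(sample))          # capacity with one LSB per color value
    print(lsb_plane(make_bmp24(5, 2, 0x81)).hex())  # padded rows, every LSB set
```

The length of the packed LSB plane equals the computed capacity, which is the region an examiner would carve out and test for structure such as file signatures or compressed data.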

