Steganographic techniques on social media: investigation guidelines
Online social networking is open to anyone who signs up to one of the many available sites. These web-based services allow users to communicate through many kinds of media and to build relationship networks that have personal meaning. The medium permits open communication and, consequently, the propagation of hidden messages (steganography) and the exchange of images, text, sound files and so on, that may contain hidden information. The purpose of this research is to find out whether or not it is necessary to include steganography as a routine check when conducting digital forensics examinations in relation to online social networking. This is a challenge to digital forensic investigators as the hidden messages will not be found if they are not being searched for.
The research testing was carried out in a laboratory environment under an empirical approach. In the pre-test, images in different formats, embedded with hidden messages using five steganographic techniques, were uploaded to the Facebook and Google+ social network websites and then downloaded, to identify which techniques can and cannot be used on Facebook and Google+ for the complete process of covert communication up to the extraction of the hidden messages. Based on the pre-test results, two suitable techniques, JP Hide and Seek and StegHide, were chosen with common JPEG images for the experimental case scenarios. The experimental case scenarios were simulated on laboratory computers, and digital forensic examinations were undertaken both to identify the uploaded hidden messages in different images and to extract the hidden messages from the uploaded and downloaded image files. Based on the digital forensic examination performed on the experimental case scenarios, a guideline for the steganographic examination process was established.
The findings from the pre-test results showed that steganography is difficult to perform through the Facebook photo upload feature: the hidden message cannot be extracted after the image is downloaded from Facebook. Steganography can, however, be successfully performed on Facebook through the message file attachment and group file sharing features with a variety of image formats such as JPEG, PNG, BMP, and GIF. On Google+ photo sharing, on the other hand, the complete cycle of steganographic communication, from embedding up to the extraction of hidden messages, was successfully undertaken with JPEG, PNG, BMP or GIF image formats. The results show that steganography can be propagated in social media; therefore it is necessary to include steganographic evaluation in the standard digital investigation procedures.
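An added example, not taken from the research: one way to record, for each sharing feature tested, whether the JPEG downloaded from the service is byte-identical to the one uploaded or was re-encoded in transit. The function names and the three result labels are assumptions of this sketch, the sample inputs are constructed, and the abstract itself does not state why extraction failed on the Facebook photo upload.

```python
import hashlib
import struct

def jpeg_segments(data):
    """Yield (marker, payload) for header segments up to Start of Scan."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("truncated segment")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # SOS: compressed image data follows
            return
        pos += 2 + length

def quant_tables(data):
    """Return {table_id: table_bytes} from every DQT (0xFFDB) segment."""
    tables = {}
    for marker, payload in jpeg_segments(data):
        i = 0
        while marker == 0xDB and i < len(payload):
            precision, table_id = payload[i] >> 4, payload[i] & 0x0F
            size = 128 if precision else 64
            tables[table_id] = payload[i + 1:i + 1 + size]
            i += 1 + size
    return tables

def compare_transfer(uploaded, downloaded):
    """Classify what a sharing feature did to an uploaded JPEG."""
    if hashlib.sha256(uploaded).digest() == hashlib.sha256(downloaded).digest():
        return "identical"      # byte-for-byte copy
    if quant_tables(uploaded) != quant_tables(downloaded):
        return "re-encoded"     # recompressed with different tables
    return "modified"           # same tables, other bytes differ

def sample_jpeg(q, scan=b"\x12\x34"):
    """Constructed test input: header structure only, not a viewable image."""
    dqt = b"\x00" + bytes([q]) * 64
    seg = b"\xff\xdb" + struct.pack(">H", 2 + len(dqt)) + dqt
    sos = b"\xff\xda" + struct.pack(">H", 3) + b"\x00"
    return b"\xff\xd8" + seg + sos + scan + b"\xff\xd9"

if __name__ == "__main__":
    print(compare_transfer(sample_jpeg(2), sample_jpeg(8)))
```

A result of "identical" means the downloaded file carries exactly the bytes that were uploaded, so extraction can be attempted on it directly; "re-encoded" means the service rewrote the compressed image data.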
It was discovered during the research experiment that there is a lack of effective forensic tools in the area of steganographic image analysis or signature detection. The current steganalysis tools are designed for specific signatures but there are very many steganographic tools that are capable of embedding hidden messages using different techniques. This is a challenge for the digital forensic investigator. Therefore, there is an opportunity for further research in this area where the capabilities of detection tools can be further developed with more steganographic signatures.