Investigating steganography in audio stream for network forensic investigations: detection & extraction

Lu, Yao
Cusack, Brian
Item type
Degree name
Master of Forensic Information Technology
Journal Title
Journal ISSN
Volume Title
Auckland University of Technology

There are more than 200 steganography tools have been developed by software developers for use in digital media. Multimedia technologies are readily available in the steganography field. They have complex encoding algorithms and compression methods to hide information. Audio is a common multimedia format that is widely used in the Internet. The uploading, downloading and transmission of audio files through the Internet is done through many different audio streams. Audio steganography activities could happen in any of those audio streams. The possibility puts challenges to traditional digital forensic investigation. In order to investigate audio streaming steganography, several steganography detection tools and network stream capture tools need to be involved and evaluated. The current academic literature has little support in this topic area for forensic investigation knowledge. Therefore, the main focus of the research project is to investigate steganography in audio streams as a forensic investigation.

The research asked the question; What are the procedures and challenges when conducting digital forensic investigations for audio steganography?

Five testing phases were designed. In phase 1, three audio steganography tools and two steganography detection tools were tested in order to determine suitable tools for conducting case scenario testing. Openpuff and StegAlyzerAS were found to be the best audio steganography embedding tool and detection tool respectively. WireShark was tested to evaluate audio streaming capture capability as well as packets analysis capability. Phase two involved conducting the case scenario simulating a criminal activity using audio steganography in which Openpuff was used to create four audio steganography files containing evidence. Phase 3 and phase 4 then used combinations of digital forensic tools and steganalysis tools to detect and extract the secret contents from audio streams using standard forensic procedures.

The research findings showed that Openpuff was better than Mp3Stegz and S-Tools both in audio steganography embedding processes and audio steganography extraction processes. StegAlyzerAS was capable of detecting audio steganography tools after scanning while StegAlyzerSS was incapable of detection audio steganography contents during scanning. Additionally, WireShark successfully captured audio streaming packets. The analysis on these captured packets indicated that WireShark would not identify any steganography activities but the analysis could show information such as the type of files in the packet. This information was then used to reduce the scope of the forensic investigation and to better target audio steganography on a suspect’s hard drive. After comparative analysis on original evidence and extracted evidence, the extraction rate of audio steganography achieved 75% in the case simulation.

The research has provided knowledge on audio steganography investigation methods and indicates that current forensic tools could cause problems for investigation unless correctly applied. Current steganalysis tools are designed for looking at particular algorithms in steganography but there are other algorithms that are used in audio steganography. This is the challenge for forensic investigators. Therefore, a possible design of an audio steganography tool within a logical flow chart diagram was proposed for future research (see Figure 6.1).

Audio steganography , Network forensic
Publisher's version
Rights statement