Cyber Security Academy · Lesson

Detecting Hidden Data (Steganalysis)

Finding concealed payloads.

What Is Steganalysis?

Steganalysis is the science of detecting hidden data, the counterpart to steganography. Its goal is not necessarily to read the payload but first to answer a simpler question: does this file contain hidden data at all?

Steganalysis matters for defenders because hidden data evades signature-based tools. A malicious payload smuggled inside an innocent image will pass an antivirus scan and a data-loss-prevention filter; the hiding is the whole point.

Detection ranges from trivial (spotting appended files) to extremely hard (statistical detection of well-keyed, fractional-rate embedding).

Types of Steganalysis Attacks

Steganalysis is classified by what the analyst knows, mirroring cryptanalysis:

  • Stego-only: only the suspect file is available; the hardest and most common case.
  • Known-cover: the original clean cover is also available; comparing reveals changes instantly.
  • Known-message: the hidden message is known, used to find the embedding method.
  • Chosen-stego: the analyst can run the embedding tool to study its signature.

Most real-world detection is stego-only, which is why statistical methods are so important: you rarely have the original to compare.
