Steganography Principles and Common Carrier Formats
Steganography conceals the existence of a message by embedding it within ordinary cover media such as images, audio files, video, or documents. This topic covers least-significant-bit substitution, spread-spectrum embedding, and palette-based methods across JPEG, PNG, WAV, and MP4 carriers, and explains how forensic steganalysis detects hidden data.
Steganography is the practice of hiding a message inside a carrier medium so that an observer does not know a message is present at all. Unlike encryption, which makes content unreadable, steganography makes content invisible by blending it into ordinary-looking data: an image, an audio file, a video, or a document. The core techniques are least-significant-bit substitution, which replaces the lowest-order bits of carrier sample values with message bits; spread-spectrum embedding, which distributes message energy across many frequency components at low amplitude; and palette-based methods, which reorder or manipulate colour table entries in indexed-colour images. Each technique leaves statistical traces in the carrier, and forensic steganalysis is the discipline of detecting those traces.
Steganography has legitimate uses in digital watermarking and copyright marking, where rights information is embedded in media so it survives redistribution. Its forensic relevance arises in criminal investigations, including child exploitation cases, terrorism communications, and corporate espionage, where suspects use steganographic tools to pass information through otherwise innocuous files. Forensic analysts encounter steganography in seized devices and network traffic, and must both detect the presence of hidden data and extract it for evidential use.
The choice of carrier format affects what embedding techniques are viable and what artefacts they leave. PNG files use lossless compression, making simple LSB embedding straightforward. JPEG uses lossy DCT-based compression, which destroys pixel-level LSB changes unless the tool embeds in DCT coefficients. WAV audio with uncompressed PCM allows LSB embedding in sample values with minimal perceptible effect. MP4 video is more complex because it combines a compressed video codec with an audio track and a container layer, each offering different embedding opportunities. Understanding the relationship between carrier format and embedding method is the starting point for steganalysis.
By the end of this topic you will be able to:
- Explain how LSB substitution, spread-spectrum, and palette-based methods embed data in digital media, and identify the statistical artefacts each leaves.
- Describe why JPEG requires DCT-coefficient embedding rather than pixel-level LSB substitution, and name two JPEG steganography algorithms.
- Compare the embedding capacity and detectability trade-offs across PNG, JPEG, WAV, and MP4 carriers.
- Apply chi-squared analysis and RS analysis concepts to explain how steganalysis detects LSB-based hidden data.
- Outline the forensic workflow for handling a suspected stego carrier, from acquisition through extraction to court-ready documentation.
- Cover medium: The original, unmodified carrier file (image, audio, video, or document) into which secret data will be embedded. The cover medium is chosen to appear ordinary so that the existence of hidden data is not suspected.
- Stego object: The modified carrier file containing the embedded secret data. A stego object should be visually or audibly indistinguishable from the cover medium, with statistical differences detectable only by analysis.
- LSB substitution: Least-significant-bit substitution: the lowest-order bit of each sample value (pixel colour channel or audio sample) is overwritten with one bit of the secret message. Changes are perceptually invisible but create detectable statistical regularities in bit-value distributions.
- DCT coefficient embedding: A steganographic technique that hides data in the quantised discrete cosine transform coefficients of a JPEG image after compression. Because the embedding operates on the compressed data rather than the pixel values, the hidden data survives JPEG re-saving.
- Steganalysis: The forensic discipline of detecting the presence of hidden data in a carrier file. Steganalysis uses statistical tests (chi-squared, RS analysis, sample pair analysis) and machine-learning classifiers trained on clean and stego media.
- Spread-spectrum embedding: A technique that distributes the energy of the hidden message across many frequency components at very low amplitude, similar to a wideband noise signal. The result is harder to detect than LSB substitution but also harder to extract without the exact key.
The core embedding principles
All steganographic methods exploit perceptual redundancy: carrier data that the human sensory system cannot distinguish from slightly modified versions. Three core techniques dominate practical steganography tools, and each exploits a different type of redundancy.
LSB substitution is the simplest. A digital image stores each pixel as a set of integer values for each colour channel, typically 8 bits per channel (0 to 255). The lowest-order bit of each value contributes only 0.4 percent of the total intensity range. Replacing it with a message bit shifts the value by at most 1, which is below the just-noticeable difference threshold. For a 24-bit RGB image, each pixel can carry 3 message bits, one per channel. The embedding capacity of a 1024x768 image is therefore 1024 x 768 x 3 = 2,359,296 bits, or roughly 288 kilobytes, at one bit per channel. Increasing to two or three bits per channel raises capacity but also increases perceptual and statistical distortion.
Spread-spectrum embedding borrows from radio communications. The message is XOR-combined with a pseudo-random noise sequence (generated from a key) and the resulting signal is added to the carrier at very low amplitude across many samples. No individual sample is detectably changed, but the aggregate energy of the message can be recovered by correlating the received signal with the same pseudo-random sequence. Spread-spectrum is used in durable watermarking for copyright protection, where the hidden data must survive image compression, cropping, and colour adjustment.
Palette-based methods apply to indexed-colour images (GIF and some PNG variants) that store colour values in a lookup table rather than directly in each pixel. The pixel data contains only index values into this palette. A steganographic tool can reorder palette entries so that specific index values encode message bits, without changing any pixel value directly. The visible image is identical, but the palette order carries data. Palette manipulation also includes colour-table expansion, adding entries that map to the same colour as an existing entry but serve as encoding signals.
PNG and GIF: lossless carriers
PNG uses lossless DEFLATE compression, which means pixel values are preserved exactly through the compression and decompression cycle. This makes PNG the simplest carrier for LSB steganography: the encoder changes pixel values, saves the file, and the receiver reads out exactly those changed values. No information is lost in transit. OpenStego, SilentEye, and many other freely available tools default to PNG for this reason.
The forensic consequence is that LSB stego in PNG leaves clear statistical traces. In a natural unmodified image, the distribution of least-significant bits is not perfectly uniform: it follows the local pixel value distribution, which tends to cluster around certain values for sky regions, skin tones, and other natural textures. LSB substitution disrupts these natural dependencies and makes the LSB plane artificially uniform. This is what chi-squared analysis measures. The test counts the observed frequency of each pixel value pair (even, even+1) against the expected frequency if the LSBs were random. A significant deviation from expected frequencies is evidence of LSB embedding.
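The pairs-of-values chi-squared test described above, as an added example that is not part of the original page. The sample data is constructed, the function names are hypothetical, and the p-value uses the Wilson-Hilferty approximation instead of an exact chi-squared distribution.

```python
import math
import random
from collections import Counter

def chi2_upper_tail(x, dof):
    """P(chi-squared(dof) >= x), Wilson-Hilferty normal approximation."""
    if x <= 0:
        return 1.0
    t = 2.0 / (9.0 * dof)
    z = ((x / dof) ** (1.0 / 3.0) - (1.0 - t)) / math.sqrt(t)
    return 0.5 * math.erfc(z / math.sqrt(2.0))

def pairs_of_values_p(samples, min_expected=5.0):
    """Return the p-value of the pairs-of-values test on 8-bit samples.

    Near 1: counts of 2k and 2k+1 are equalised, consistent with LSB embedding.
    Near 0: the pairs differ more than random LSBs would allow.
    """
    hist = Counter(samples)
    chi2, pairs = 0.0, 0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2.0
        if expected < min_expected:      # sparse pairs make the statistic unreliable
            continue
        chi2 += (hist[even] - expected) ** 2 / expected
        pairs += 1
    if pairs < 2:
        raise ValueError("not enough populated value pairs to test")
    return chi2_upper_tail(chi2, pairs - 1)

def constructed_cover(n, seed=1):
    """Constructed sample: Gaussian 'sensor' values after a 1.5x contrast
    stretch, which leaves gaps in the histogram (unequal value pairs)."""
    rng = random.Random(seed)
    return [min(255, max(0, round(rng.gauss(100, 15))) * 3 // 2) for _ in range(n)]

def overwrite_lsbs(samples, seed=2):
    """Replace every LSB with a random bit, as full-capacity LSB substitution does."""
    rng = random.Random(seed)
    return [(s & ~1) | rng.getrandbits(1) for s in samples]

if __name__ == "__main__":
    cover = constructed_cover(20000)
    print("cover p-value:", pairs_of_values_p(cover))
    print("stego p-value:", pairs_of_values_p(overwrite_lsbs(cover)))
```

A cover whose histogram is smooth within each pair can also score high, so a high p-value is a lead to corroborate with RS or sample pair analysis, not a finding on its own.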
GIF images are indexed-colour: each pixel stores an 8-bit index into a 256-entry colour palette. Because modifying pixel index values changes the displayed colour (not just by 1 unit but potentially to a completely different colour), naive LSB substitution does not work directly. Instead, tools use palette reordering or colour pair encoding, grouping palette entries into pairs that differ only in one bit and using the choice between the pair to encode data. An analyst examining a GIF for steganography should inspect the colour palette for unusual ordering (natural images typically have palettes sorted by frequency of use or by luminance) and look for palette entries that map to visually identical or near-identical colours.
JPEG: the lossy carrier problem
JPEG compression converts 8x8 pixel blocks to frequency components using the discrete cosine transform, then quantises those components (discarding small high-frequency values) before entropy coding. If a steganographic tool modifies pixel values and saves as JPEG, the compression step destroys the LSB changes. The stego object arrives at the receiver containing different pixel values than the encoder intended, and the hidden message cannot be extracted.
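The loss described above can be measured directly. This added example (not from the original page) writes random bits into pixel LSBs of constructed 8x8 blocks, passes them through a DCT, quantise, dequantise and inverse-DCT round trip, and reports how many bits read back correctly. The uniform quantisation step is a simplifying assumption, since real JPEG uses a per-frequency table, and all names are hypothetical.

```python
import math
import random

N = 8
# Orthonormal DCT-II basis matrix, C[u][x].
C = [[(math.sqrt(1 / N) if u == 0 else math.sqrt(2 / N))
      * math.cos((2 * x + 1) * u * math.pi / (2 * N))
      for x in range(N)] for u in range(N)]

def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]

def transpose(m):
    return [list(row) for row in zip(*m)]

def jpeg_like_roundtrip(block, step):
    """Forward DCT, uniform quantisation, dequantisation, inverse DCT, 8-bit rounding."""
    shifted = [[p - 128 for p in row] for row in block]
    coeffs = matmul(matmul(C, shifted), transpose(C))
    dequantised = [[round(c / step) * step for c in row] for row in coeffs]
    pixels = matmul(matmul(transpose(C), dequantised), C)
    return [[min(255, max(0, round(v + 128))) for v in row] for row in pixels]

def lsb_agreement(step, blocks=32, seed=7):
    """Fraction of embedded LSBs that read back unchanged after the round trip."""
    rng = random.Random(seed)
    same = total = 0
    for _ in range(blocks):
        base = rng.randrange(40, 200)
        # Constructed cover block: smooth gradient plus mild noise.
        cover = [[base + 2 * x + y + rng.randrange(-2, 3) for x in range(N)]
                 for y in range(N)]
        bits = [[rng.getrandbits(1) for _ in range(N)] for _ in range(N)]
        stego = [[(cover[y][x] & ~1) | bits[y][x] for x in range(N)]
                 for y in range(N)]
        out = jpeg_like_roundtrip(stego, step)
        for y in range(N):
            for x in range(N):
                same += (out[y][x] & 1) == bits[y][x]
                total += 1
    return same / total

if __name__ == "__main__":
    for step in (1, 16):
        print(f"quantisation step {step}: {lsb_agreement(step):.3f} of LSBs intact")
```

Agreement near 0.5 means the recovered bits are no better than coin flips, which is why an analyst should not expect spatial-domain LSB payloads to be recoverable from a file that has been through JPEG compression.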
JPEG steganography tools therefore embed in the quantised DCT coefficients, operating after the compression step. The JSteg algorithm, one of the earliest and best-known, replaces the LSBs of non-zero DCT coefficients with message bits. F5, developed by Andreas Westfeld, uses matrix coding to reduce the number of coefficient changes needed per message bit, lowering the statistical footprint. OutGuess embeds in DCT coefficients but also adjusts non-embedding coefficients to preserve the global histogram, making chi-squared analysis less effective.
| Algorithm | Embedding location | Capacity | Key steganalysis weakness |
|---|---|---|---|
| JSteg | LSBs of non-zero DCT coefficients | Moderate | Chi-squared on DCT coefficient histogram |
| F5 | DCT coefficients with matrix coding | High | Histogram shrinkage from coefficient zeroing |
| OutGuess | DCT coefficients with histogram correction | Low to moderate | Second-order statistics, RS analysis |
| Steghide | DCT or spatial domain with passphrase key | Moderate | Sample pair analysis |
For steganalysis of JPEG files, analysts use DCT coefficient histograms. A natural JPEG image has a characteristic bell-shaped coefficient distribution centred at zero. JSteg embedding shifts this distribution toward uniformity in the lower non-zero coefficients. F5 produces a shrinkage in the histogram because some non-zero coefficients become zero after decrement, leaving a detectable deficit. Calibration-based steganalysis, developed by Fridrich, Goljan, and Du, estimates the clean coefficient histogram by re-compressing the image at a slightly different quality setting, then compares it to the observed histogram. Deviations indicate embedding.
Audio carriers: WAV and MP3
Uncompressed WAV audio stores each sample as a 16-bit or 24-bit integer. Like pixel values in PNG, these integers can accept LSB substitution without perceptible change. A 16-bit sample at 44,100 Hz stereo has 88,200 sample values per second. At one bit per sample, a 60-second WAV file can carry 88,200 x 60 = 5,292,000 bits, roughly 643 kilobytes, of hidden data. The resulting audio file sounds identical to the original: the amplitude change from flipping one bit in a 16-bit sample is 0.003 percent of the dynamic range.
Echo hiding is an alternative audio steganography technique that encodes data by introducing short echoes of the audio signal at controlled delays. One echo delay encodes a 0, another encodes a 1. The echoes are at amplitudes below the hearing threshold in most listening conditions. The technique is more perceptually resistant than LSB embedding but requires careful tuning to the specific audio content, and the embedded echoes can be detected by analysis of the cepstrum of the signal.
MP3 and AAC use lossy compression similar in structure to JPEG: the encoder applies a psychoacoustic model that discards frequency components below the masking threshold, then entropy codes the result. Sample-level LSB changes are destroyed by encoding, so MP3 steganography tools embed in the Huffman code tables or the bit reservoir of the compressed stream. This is technically more complex and less common than WAV embedding in practice. Analysts who need to test an MP3 file for steganography should first check the header for unusual bit reservoir usage and compare the Huffman code distribution against reference values for clean files encoded at the same bit rate.
Video carriers: MP4 and the container layer
MP4 is a container format, not a codec. It wraps a compressed video stream (typically H.264 or H.265), one or more audio tracks (typically AAC), subtitle tracks, and metadata, into a single file using the ISO Base Media File Format box structure. Steganographic embedding in MP4 is possible at multiple layers, and this multiplicity of hiding locations is what makes video carriers forensically challenging.
The container layer offers the simplest hiding location: unused box types, extra atoms, and the moov atom metadata fields can hold arbitrary data without affecting playback. A tool can insert a custom box type (any four-character code not recognised by standard players) containing encoded message data. Standard video players ignore unrecognised boxes and play the file normally. Detection requires parsing the full box structure with a hex editor or forensic parser and flagging any non-standard box types or boxes with anomalous sizes.
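One way to automate the box-structure check described above, as an added example that is not part of the original page. The allow-list is a partial assumption to be extended for the codecs in scope, the sample bytes are constructed, and `xHID` is a hypothetical non-standard box type.

```python
import struct

# Partial allow-list of ISO BMFF box types (assumption: extend it for the
# codecs and players in scope before relying on the output).
KNOWN = {b"ftyp", b"styp", b"moov", b"mvhd", b"trak", b"tkhd", b"edts", b"elst",
         b"mdia", b"mdhd", b"hdlr", b"minf", b"vmhd", b"smhd", b"dinf", b"stbl",
         b"udta", b"moof", b"mfra", b"sidx", b"mdat", b"free", b"skip"}
CONTAINERS = {b"moov", b"trak", b"edts", b"mdia", b"minf"}  # boxes we recurse into

def walk_boxes(data, start=0, end=None, path=""):
    """Yield (path, offset, size, note); note is None when nothing is flagged."""
    end = len(data) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            yield (path + "/?", pos, end - pos, "bytes too short for a box header")
            return
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1 and end - pos >= 16:      # 64-bit largesize follows the type
            size, header = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                        # box runs to the end (of its parent here)
            size = end - pos
        name = path + "/" + btype.decode("latin-1")
        if size < header or pos + size > end:
            yield (name, pos, size, "size field inconsistent with parent")
            return
        yield (name, pos, size, None if btype in KNOWN else "type not in allow-list")
        if btype in CONTAINERS:
            yield from walk_boxes(data, pos + header, pos + size, name)
        pos += size

def flagged(data):
    """Return (path, offset, note) for every box that needs manual review."""
    return [(p, off, note) for p, off, _size, note in walk_boxes(data) if note]

def box(btype, payload=b""):
    """Build one box with a 32-bit size field (used only for the sample below)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# Constructed sample file: standard boxes, one unknown box inside moov,
# and three stray bytes after the last box.
SAMPLE = (box(b"ftyp", b"isom\x00\x00\x02\x00isommp41")
          + box(b"moov", box(b"mvhd", bytes(100)) + box(b"xHID", b"constructed payload"))
          + box(b"mdat", bytes(32))
          + b"\x00\x00\x00")

if __name__ == "__main__":
    for path, offset, note in flagged(SAMPLE):
        print(f"{offset:>6}  {path:<12} {note}")
```

Run it against the working copy of the file, never the original exhibit, and record the reported offsets so the flagged regions can be carved and hashed as separate items.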
Embedding in the video stream itself requires operating at the codec level. H.264 uses inter-frame prediction: P-frames and B-frames store only the difference from a reference frame rather than a complete image. A steganographic tool can modify residual coefficients in P-frames or alter motion vector assignments at low amplitude. The statistical traces are detectable but require specialised analysis of the video bitstream, not standard steganalysis tools designed for still images. Inter-frame analysis tools look for inconsistencies in residual energy distribution that deviate from the patterns expected for the encoding settings.
Forensic steganalysis workflow
Steganalysis in a forensic context differs from academic steganalysis in one critical respect: the analyst must preserve evidence integrity throughout. The carrier file must be acquired forensically with a verified hash, all analysis must be performed on a copy, and every tool run must be documented with tool name, version, and settings. If the analysis destroys or modifies data, the result may be challenged in court.
The workflow begins with format identification. Confirm the true file type from the header bytes rather than the extension: a JPEG saved as .png is still a JPEG at the codec level, and applying PNG steganalysis to it produces meaningless results. Next, run signature-based detection. Tools such as StegDetect, StegoHunt, and Steg (from Steghide) attempt to recognise the byte-level signatures of specific steganographic tools in the file. A positive signature match is strong evidence that a specific tool was used, though it does not confirm what data is hidden.
Statistical analysis follows for files that pass signature detection. Chi-squared analysis, RS analysis, and sample pair analysis test for the distributional anomalies caused by LSB substitution. Machine-learning classifiers, trained on large datasets of clean and stego images, can detect low-capacity embedding that evades single-test detection. The Spatial Rich Model from Fridrich's group at SUNY Binghamton and the SRM variants are the current benchmark classifiers for image steganalysis. For JPEG, the J-Rich model and calibrated histogram comparison are standard.
Extraction, if a tool signature is identified, requires the corresponding extraction software and any password or key used during embedding. Many popular tools (OpenStego, Steghide, SilentEye) use a passphrase to seed the embedding sequence. Without the passphrase, extraction is not possible by standard means. Passphrase recovery attempts using known passwords from the suspect's devices are within scope, but brute-force attacks on strong passphrases are not practical. The analyst should document whether extraction was successful and, if so, record the extracted data as a separate evidential exhibit.
Admissibility standards vary by jurisdiction. In the United States, digital evidence including steganalysis results is evaluated under the Daubert standard (Federal Rules of Evidence 702), requiring that the method be scientifically valid, tested, peer-reviewed, and with known error rates. In England and Wales, the Criminal Procedure Rules and CPS Digital Evidence guidelines require documented, repeatable, and validated procedures. Under India's Bharatiya Sakshya Adhiniyam 2023 (which replaced the Indian Evidence Act 1872), electronic records are admissible with a certificate authenticating the device and process, and the integrity of the carrier file and the extraction method must be demonstrated. In the European Union, the e-evidence framework and national procedural rules similarly require documented validation.
Why does LSB substitution in PNG images not work when the file is saved as JPEG?
Key Takeaways
- Steganography hides the existence of a message by embedding it in a carrier medium; the three core techniques are LSB substitution, spread-spectrum embedding, and palette-based manipulation, each leaving characteristic statistical traces.
- PNG and WAV are lossless carriers that support straightforward LSB substitution; JPEG is a lossy carrier that requires DCT-coefficient embedding (JSteg, F5, OutGuess) because compression destroys pixel-level changes.
- MP4 video offers hiding locations at both the container layer (custom box types) and the codec layer (residual coefficients, motion vectors); transcoding the file before analysis destroys codec-level evidence.
- Chi-squared analysis, RS analysis, and machine-learning classifiers (SRM, J-Rich) are the primary steganalysis tools; each detects different properties, and sophisticated embedding methods may evade simpler tests while remaining detectable by higher-order feature classifiers.
- Forensic steganalysis must follow acquisition, hashing, tool documentation, and chain-of-custody protocols; without these, even a technically correct result may be excluded from evidence in US (Daubert), UK (CPS guidelines), EU, and Indian (Bharatiya Sakshya Adhiniyam 2023) courts.
What is the difference between steganography and cryptography?
How does least-significant-bit steganography work in images?
Why is JPEG a difficult carrier for steganography?
What statistical tests do forensic analysts use to detect steganography?
Is hidden steganographic content admissible as evidence in court?