Part 2, Steganography; Hiding from eDiscovery in plain sight

In my last blog I described a unique way of hiding incriminating data from eDiscovery queries in plain sight. In the example, I was able to hide obviously responsive information in a QR code attached as part of the signature to an email message.  The point was to show that ESI, especially email, can still be used to communicate with others and remain under the radar of the best eDiscovery search applications.

Now let’s look at another way to hide incriminating ESI from eDiscovery search applications.

The technique is called Steganography. Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message; a form of security through obscurity. The best known Steganography technique hides information in standard graphic images.

Graphic #1: Tree

The above image of a tree includes a steganographically hidden image. The hidden image (the image of the cat below) is revealed by removing all but the two least significant bits of each color component and a subsequent normalization. The hidden image is shown below.

Graphic #2: Cat

You can hide any electronically stored data in any graphic image. As in the example above, a picture can be hidden in another picture. But the technique is not limited to hiding pictures in pictures. A word document, a schematic, even a sound file can be embedded and hidden in any graphic.

There are several free steganography applications available on the internet. I found and tested two; Invisible Secrets 2.1 and Xiao Steganography. Both use JPEG images as the “carrier” device.

How can this technique be used to pass incriminating information to someone else? Using the email example from my previous blog, let’s look at the example email message below from Bill to Ken.

Email example #1

There is absolutely nothing out of the ordinary in this email and would not trigger an eDiscovery search application to flag it as suspicious. Look closely at the email signature especially the eDiscovery101 graphic. Now look at the email below:

Email example #2

The second email looks exactly the same. Again there would be no reason for an eDiscovery search application to flag it as suspicious. But, hidden in the second email’s eDiscovery101 graphic is the very incriminating Word document shown below:

Graphic #3: Incriminating letter

This raises the question; if you were conducting an eDiscovery investigation, how would you ever suspect that there is additional responsive data included in the in the “eDiscovery101” email signature graphic and if you did suspect hidden data, how could you prove it?

To answer the first question, we need to understand how steganography applications work. For this example I will use the Invisible Secrets 2.1 application.

The application includes a helpful wizard to quickly walk you through the process.

The first step is to decide which graphic file you will use as the “carrier” for the incriminating data. In this case I will use my standard JPEG file for my blog, eDiscovery101.

The next step is to select the source file or in this example the incriminating letter from above.

Next, a password for encryption of the incriminating letter is requested. This will insure the incriminating (hidden) data in the eDiscovery101 graphic cannot not be accessed, even if suspected.

Lastly, you need to give the application a destination file name. In this case I named it something obvious and familiar, eDiscovery101s.jpg, so as not to draw attention to it. At this point, after the “Next” button is pressed, the new graphic file is created and can be inserted into the email signature.

Detecting hidden data via automation is tough if not impossible. As I mentioned before, As far as I know, there is no eDiscovery application which can recognize and flag steganography. To have a chance, you must already suspect a custodian and then manually look for inconsistencies. For this example, the only way to tell if a given graphic contains hidden data is to compare the size of the images. The two eDiscovery101 images have different sizes. The original eDiscovery101 image is a 52KB JPEG file, while the second eDiscovery101 image is a 78KB JPEG file. Another clue to hidden data would be to search for know steganography applications on the custodian’s desktop or laptop (if they didn’t delete it after creating the hidden data). But remember, even if you find a suspicious image, without the encryption password you will never be able to open it.

To protect organizations from this type eDiscovery liability they can put some basic measures in place. Most importantly, include in your email system use policy a definitive statement about using these types of encryption applications on any organization owned assets, and audit custodians for enforcement. You could also forbid placing graphic images within the body of an email but this is not realistic. For example you could insert the same incriminating letter mentioned above into a table within a spreadsheet and convert that table to a JPEG. Below is a spreadsheet converted into a JPEG image file with the same incriminating letter embedded in it.

Spreadsheet #1

Would the above spreadsheet embedded into an email raise suspicions? Probably not… If custodians are determined to hide data in plain sight, they can with little chance of being caught.