The Netherlands Forensics Institute (NFI) is part of Uncover, a project aiming to help law enforcement agencies track criminal digital messaging.
Since the encrypted communication network EncroChat was dismantled, criminals have been searching for new ways to communicate secretly. One of the means they were already using, but is now expected to increase, according to the European Commission, is steganography.
“This is both the art and science of hidden communication,” said Meike Kombrink, a PhD student at the NFI.
Kombrink’s research project focuses on detecting and deciphering hidden messages on the internet and is part of Uncover, a European project aimed at filling existing gaps in the ability of law enforcement agencies (LEAs) to detect the presence of hidden information (steganalysis).
With its consortium of 22 partners including LEAs, forensic institutes, leading researchers working at universities and research institutions, and industrial companies, Uncover intends to outperform available steganalysis systems in terms of performance, usability, operational needs, privacy protection, and chain-of-custody considerations.
“Steganography can be regarded as art, because it is really creative, but at the same time it is science, because you need to know how to hide messages in digital images, audio, text or video”, said Kombrink. “You have to understand how it works.”
It is believed this technique is not widely used for petty crime because it requires knowledge of digital technology. However, there is software available today that can help users hide messages in digital images.
Steganography, also called “stego”, is not too different from cryptography. “But my friends keep referring to my research as digging into dinos,” jokes Kombrink.
“Crypto hides the contents of the message and stego hides the message altogether,” she explained. By hiding messages in seemingly ordinary images online, criminals can communicate with each other. They would have to know where to look for the messages, though, and know how to decipher them.
Kombrink therefore suspects that many organised criminals use this technique – all the more reason for law enforcement to be able to reveal this kind of communication.
The technique to hide messages is not new – it was already in use in ancient times. “There is this story about a sovereign in about 440 BC who had the head of a slave shaven to apply a tattoo on it with a message for Greece about a planned invasion by Persia,” says Kombrink. “When the slave’s hair grew back, the tattoo and thus the message was hidden, and this person could easily pass defences without anyone being aware of him smuggling a secret message.”
Most people are also familiar with the concept of hidden ink to conceal messages. “This technique is known to people, but they often don’t know it is called steganography,” says Kombrink. Moreover, with cryptography, it is clear that the message is there – it is just indecipherable. With steganography, you wouldn’t see the message if you didn’t know where to look for it.
By using stego, criminals can hide messages in seemingly innocent images, videos, texts or audio files to communicate with each other about the whereabouts of drugs, for example. Or where to find child pornography on a public platform. Allegedly, Al-Qaida used steganography to plan the 9/11 terrorist attacks and Russian spies have been known to use the technique, which was discovered by the FBI. But there is little known about how the security service did so.
Difficult to detect
Not all steganography is used for criminal purposes. The most common application is the watermark in pictures by professional photographers. This makes it easy for them to prove an image is theirs and there has been infringement of their rights if these pictures are used illegally and without consent. “I can even make a hidden grocery list,” says Kombrink, to show stego can be also be used in legal ways.
Encrypted messages are more likely to arouse suspicion as opposed to a seemingly innocent holiday picture. This is the power of stego. There are three different types of steganography, each of which also have variations. The object containing the hidden message is called a cover, and the first method to hide a message is to adjust the binary values of the colours in an image.
“You adjust the colour intensity of a pixel, for example,” says Kombrink. “You add a small drop of red to the colour code, so to speak. You don’t see that when you look at the picture, but the custom binary values in such an image may contain hidden text. When adjusting the binary values of a completely red surface, adjusted pixels will stand out. But when adjusting pixels in a picture of a beach where every grain of sand has a different colour, it is very hard to detect.”
Another way of hiding messages is through transformation – a different display of the image. Compressing an image to be able to save it is effectively a summary of the image. There are multiple ways to summarise images, and the most important values of the image will make it to the summary. “If you know where those are, you could hide a message in there,” says Kombrink. “So the large image does not contain the message – only when you compress it will the message be discoverable.”
The third way is to create images, audio or texts that contain hidden messages with the aid of artificial intelligence (AI), says Kombrink. “Normally, you would adjust an original image to hide a message,” she says. “That means you would have to know how to change it without being obvious, like the example with the red surface or the beach picture.”
The AI method does not have to work with the original content; instead, it uses a neural network to create content with a hidden message already inside.
Tracing and identifying steganography is a challenge. It is a hopeless task trying to dig into random images on the internet. That is why it is important to create tools to recognise stego. This is exactly what Uncover’s efforts are focusing on – to develop automated systems to recognise steganography. The NFI is researching the effectiveness of neural networks to detect hidden messages.
Recently, Mart Keizer, a student at the Eindhoven University of Technology, investigated whether neural networks can detect hidden messages in video files (video steganalysis). For the study, Keizer created a large dataset containing videos that did, or did not, contain hidden messages. By feeding the neural network lots of videos and giving it the information on whether or not there is a hidden message in them, the network was trained and could detect certain patterns.
Although further research is needed, initial results of the trained neural network were promising – the detection rate for the two types of steganography studied was 99.96%.
But just detecting steganography is not enough, says Kombrink, because the technique itself is not illegal. “Like I said, I could use it to communicate my grocery shopping list,” she says. “The only way to determine whether there is something illegal or criminal activity going on is to be aware of the contents of a hidden message.”
Kombrink holds a bachelor’s degree in artificial intelligence and a master’s degree in forensic science. It is her ambition to take her scientific research and develop a practical application for law enforcement agencies. “This is exactly what we are doing with Uncover,” she says. “We are developing a toolkit to help law enforcement agencies in European countries to not only detect, but also decipher hidden messages in digital content.”
The project has a duration of 36 months and will end in April 2024, by which time Kombrink hopes it will have a practical toolbox ready for LEAs. In the Netherlands and Belgium, law enforcement agencies already use Hansken, a digital forensics search engine that was developed by the NFI and provides a service-based approach for fast and efficient processing and investigating multiple terabytes of seized digital material.
The Uncover toolbox could be added to Hansken to enable foreign LEAs to uncover steganography. This all depends on the ultimate toolbox that will be developed, says Kombrink. “Because of the multiple ways stego can be deployed, we have to figure out whether we can build a tool that can cover various methods, or whether we would need to build different tools for different stego deployments,” she says.
Also, developing a toolbox means it contains multiple solutions that all need to be able to integrate with Hansken. “So, ultimately, it depends on the quality of the toolbox and how easy it will be to integrate it,” says Kombrink.
The main challenge with developing tools for the toolkit is detecting which pixels have been tampered with, if any. “It is easier to detect patterns to indicate whether an image has been adjusted than to detect which separate pixels are being used to hide a message,” she says. The NFI has already started training a neural network to be able to do this.
“We have to see what yields and how we can expand this into a working toolbox to help LEAs analyse possible steganography better and faster,” says Kombrink. “Only when the tools are ready will we hopefully be able to tell more about the scale on which stego is applied in the Netherlands. Until then, we need to manually search for it. ”
Kombrink’s PhD project is part of the new Innovation Center for AI (ICAI) AI4forensics lab, which will be established in early November. The lab, part of the ICAI, is a collaboration between the NFI and the University of Amsterdam (UvA). Under the auspices of professors Marcel Worring at the UvA and Zeno Geradts at the NFI, four PhD students and a Postdoc will research how AI can be used to improve forensic processes.
“This is not limited to steganography, but also entails deep fakes, for instance,” says Kombrink. “The purpose of the new lab is very broad, but the common denominator is that we use AI to build forensic applications.”
After finishing her PhD project, Kombrink hopes to be able to continue researching steganography within the NFI. “Especially with the master of forensic science, the NFI is closely linked to the University of Amsterdam,” she says. “A lot of the teachers work with the NFI and so, for most students, working with the Netherlands Forensics Institute is a dream come true.
“So when I noticed an interesting PhD vacancy that was linked to the NFI, I jumped at the opportunity. I am so glad I am able to do my PhD here and hopefully I get to continue my work afterwards, because – as with other crime – stego will always develop.”
Kombrink adds: “It’s like a cat-and-mouse-game. Whenever we discover a way to expose criminals, they will come up with new ways to go about their business. A real step needs to be made in the detection and analysis of steganography.
“We have to manage to keep up with the level of criminals that use it. There are so many different techniques, which are also constantly changing or being combined with other techniques, such as AI. The quest to discover the means criminals use to communicate with each other is always evolving. So I think research into steganography will always continue and I would love to be part of that.”