forensics – Detecting steganography in images

Please note that my comment below is regarding LSB (Least Significant Bit) steganography and not jpeg (DCT) or appended data steganography.

Steganography doesn’t modify the file size significantly” this is incorrect. If I take a jpeg compressed image and apply LSB steganography then the resultant image size on disk will increase ‘significantly’ since images using LSB steganography MUST be saved in a lossless format such as bmp tiff or png. I have written software that takes any image format (such as jpeg) and hides data within it and saves out to png. It is often the case that I can open a jpeg of size 60Kb and be able to hide over 100Kb of data within it. The resultant png would look identical to the original jpeg but have a file size of 800Kb+

When analyzing images for LSB steganography content you MUST have either the original image for comparison OR have knowledge of the encoding method. Without either of these you will NEVER determine if an image contains hidden LSB data. Consider there there are a multitude of ways to implement LSB steganography and an infinite number of images to choose as a source, it’s no trivial task to determine any steganographic content. That said… ALL images containing LSB steganographic content must be saved lossless (without compression). Therefore they may stand out as larger in size (bytes) than might otherwise be expected. Jpeg is a lossy algorithm (even with 0% compression) which is why images using LSB steganography cannot be saved as jpeg images, therefore your large jpeg image is unlikely to hold LSB steganography, however this does not rule out other steganographic options.