Development of an efficient steganalysis framework for uncovering hidden data in digital media.

Criminals and terrorists increasingly use data hiding methods (steganography) to conceal incriminating information in seemingly harmless digital media such as images, video, audio, and text files. To carry out a full investigation into criminal and terrorist activities, Law Enforcement Agencies (LEAs) currently use available (commercial) tools to detect such hidden information in collected digital data. However, these tools detect only a limited number of hiding methods, are slow, and offer no indication of confidence. Moreover, many commercial tools lag a decade behind the scientific state-of-the-art.
Driven by end-user needs, UNCOVER's main objective was to fill the gaps in LEAs’ ability for detecting hidden information (steganalysis). Within UNCOVER, the partners were committed to pushing steganalysis research forward and substantially increasing the technological autonomy of LEAs in the field of digital media steganalysis. The developed detection and investigation tools were integrated into a flexible and user-friendly platform. The developed detection and investigation tools were integrated into a flexible and user-friendly platform.
End-users played a key role throughout the project cycle and regular feedback cycles with LEAs, forensics institutes and external stakeholders ensured that the developed solutions could be integrated into the daily criminal investigation pipeline of LEAs. With its consortium of 22 partners including LEAs, forensic institutes, leading universities and research institutions, as well as industrial companies, UNCOVER set out to outperform available steganalysis solutions in terms of performance, usability, operational needs, privacy protection, and chain-of-custody considerations.
Project Objectives
UNCOVER partners aimed to join forces to achieve the following objectives:
1. Advance the scientific state-of-the-art in steganalysis, bridging across the various technical areas of expertise involved.
2. Develop, test and evaluate solutions for real-life LEA problems, based on their end-user requirements and expectations.
3. Analyse and implement proper solutions for any relevant security, ethical, legal and privacy related concerns.
4. Develop and implement interdisciplinary technical capabilities, capacity and community building.
5. Engage and collaborate with any other relevant ongoing projects and initiatives.
Our diligent work has enabled us to successfully complete all project objectives.

Management
In addition to coordination tasks, we produced several guides on security, data management, and impact assessments on personal data along with ethical, social and legal issues.

Collecting and characterising steganographic tools
The most extensive collection of steganographic (stego) tools worldwide was created together with a hash list allowing for an efficient targeted identification of stego tools in forensic investigations. Coordinating with LEA partners and forensic institutions involved in the project, we shortlisted a number of steganographic tools for in-depth analysis, providing crucial insights for building robust detectors.. New methods based on Bag of Words and Large Language Models were developed for the automated identification of unknown steganographic software using available source code.

Extraction and generation of information dedicated to aiding steganalysis
We developed preprocessing tools to extract relevant information to significantly improve the steganalysis process. A dataset for different media types has also been created to support the development and evaluation of the forensic and steganalysis tools.

Development of an operational steganalysis toolbox
We developed efficient automatic steganalysis detectors with small false positive rates. They can be used by LEAs as standalone tools or within the platform developed in the project. We also constructed the next building blocks of operational steganalysis over 5 years. The CSM problem was investigated in details enabling us to identify the different processes creating it and to develop methods to mitigate it.

Platform development and tools integration
We designed and implemented a platform for automated steganalysis with high computational and detection capabilities. The platform is modular, based on a micro-service architecture, which allows the integration of various tools and detectors for steganalysis. Through well-defined interfaces, we have combined different tools to create analysis workflows, enabling faster and more accurate results. Additionally, we have implemented a chain-of-custody proof system to provide end-users and LEAs with detailed traceability of the operations conducted on the platform. This feature ensures a robust record for legal authorities if needed.

Validation, Testing and Evaluation
We created test cases, scenarios and a full methodology for the evaluation of the standalone tools and of the platform.

Dissemination, Exploitation and Training
The project developed a flexible communication strategy to engage its audience and address potential challenges. Key activities included a web information hub, social media campaigns, printed and digital materials and project identity kit, scientific publications, and press releases. Workshops, collaborations with other projects, and a steganalysis contest were held to raise awareness and promote results.

Progress and results
Our collection of steganographic tools and hash list extends well beyond the known state-of-the-art. The innovative methods we developed represent a significant advance in the state of the art for classifying unknown tools as steganographic tools.
The retrieval of forensic information and the construction of databases markedly improve the performance in steganalysis. The information gathered through the in-depth analysis of steganographic tools led to the development of forensic detectors and pre-processors as well as automatic detectors with small false positive rates, improving the LEAs’ capability to detect steganography in real cases.
The platform is likely the first cloud-native framework able to operate a workflow of steganalysis tools as well as chain-of-custody.

Impact
The information we gathered and the numerous tools we developed will increase European sovereignty in steganalysis and will improve European LEAs' capabilities to detect steganography and prevent/reduce criminal and terrorist threats. Some of the concepts and tools we developed can also be applied to other scenarios and issues, strengthening companies’ knowledge and portfolio.
We raised awareness to the need to create ethics, legal, and privacy related requirements and practices, and the benefits of an “automated all digital” chain-of-custody. Our results on the chain-of-custody may help create and promote a secure, tamper-resistant and court-proof digital evidence processing framework that can be trusted and relied upon by any party participating in the overall judicial process.