In an ideal world we would all be able to openly send encrypted
mail or files to each other with no fear of reprisals. However, there are often
cases when this is not possible, either because you work for a company that
does not allow encrypted email or because the local government does not approve of
encrypted communication (a reality in some parts of the world). This is where
steganography can come into play.
Steganography simply takes one piece of information and hides it within another.
Computer files (images, sound recordings, even disks) contain unused or insignificant
areas of data. Steganography takes advantage of these areas, replacing them with
information (encrypted mail, for instance). The files can then
be sent or transported without anyone knowing what really lies inside of them. An
image of the space shuttle landing might contain a private letter to your lover. A
recording of a short sentence might contain your company's plans for a secret new
product.
Even though the file is hidden inside something else, it may still be possible for
someone else to recover it from that file. Therefore, steganography should not
be used as a substitute for strong encryption. You should encrypt the data first with
PGP. This also makes it harder for this other person to
determine whether he has really extracted the file you put in the image.
This way, you not only hide the message itself, but also the fact that you are
sending this message. You could send an image to someone on a disk or over e-mail. Or,
better yet, post it on a Usenet group, where anyone could retrieve it at any time as long
as they knew what it was called.
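
The two points above (data replaces the insignificant bits of a file, and encrypting first makes an extraction hard to confirm) as an added example that is not part of the original article. It assumes a minimal least-significant-bit scheme over a constructed byte buffer standing in for raw image samples, with random bytes standing in for PGP output; all function names are hypothetical.

```python
import random

def embed(cover: bytes, payload: bytes) -> bytes:
    """Store payload bits (MSB first) in the lowest bit of successive cover bytes."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in this cover")
    stego = bytearray(cover)
    for pos, bit in enumerate(bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # only the insignificant bit changes
    return bytes(stego)

def extract(data: bytes, length: int) -> bytes:
    """Read `length` bytes from the lowest bits. Works on ANY data, hidden message or not."""
    if length * 8 > len(data):
        raise ValueError("data too short for requested length")
    out = bytearray()
    for i in range(length):
        value = 0
        for sample in data[i * 8:(i + 1) * 8]:
            value = (value << 1) | (sample & 1)
        out.append(value)
    return bytes(out)

def max_sample_change(before: bytes, after: bytes) -> int:
    """Largest change made to any single cover byte."""
    return max(abs(a - b) for a, b in zip(before, after))

def printable_ratio(blob: bytes) -> float:
    """Fraction of printable ASCII bytes: a crude 'did I recover text?' check."""
    return sum(32 <= b < 127 for b in blob) / len(blob)

# Constructed inputs (fixed seed so the run is repeatable).
_rng = random.Random(2024)
COVER = bytes(_rng.randrange(256) for _ in range(1024))  # stands in for image samples
LETTER = b"A private letter, hidden in a picture of the shuttle landing."
CIPHERTEXT_LIKE = bytes(_rng.randrange(256) for _ in LETTER)  # stands in for PGP output

if __name__ == "__main__":
    n = len(LETTER)
    stego_plain = embed(COVER, LETTER)
    stego_enc = embed(COVER, CIPHERTEXT_LIKE)
    print("largest change to any byte:", max_sample_change(COVER, stego_plain))
    print("clean cover     :", round(printable_ratio(extract(COVER, n)), 2))
    print("plaintext hidden:", round(printable_ratio(extract(stego_plain, n)), 2))
    print("ciphertext-like :", round(printable_ratio(extract(stego_enc, n)), 2))
```

A recovered plaintext letter is instantly recognisable as text, while random-looking output gives the person extracting it nothing to distinguish it from what the same extractor reads out of an untouched file.
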
Security By Obscurity
Largely, steganography relies on security-by-obscurity: if people
don't know that there is a message hidden, they won't look for it. And
with all the data transfers on the Internet, nobody has enough
processing power to scan every image and data file transferred
across the 'Net.
Plausible Deniability
Additionally, it is much easier for an individual to deny having sent a
message that was encrypted and hidden with steganography than it
is for an individual to deny having sent an encrypted message. Think
about it... isn't it at least marginally possible that that JPG image you
sent to your cousin had data hidden in it before you got it? Maybe
somebody else hid data in it, and then you found it, liked the image,
and forwarded it to your cousin. You may have had no idea that
there was data hidden in that image...
JPG