The MP4 file has become the most used video media file available, and will most likely remain at the top for some time to come, making the MP4 file an interesting candidate for steganography. With its size and structure, it offers a challenge to steganography developers. While some attempts have been made to create a truly covert file, few are as successful as Martin Fiedler’s TCSteg. TCSteg allows users to hide a TrueCrypt hidden volume in an MP4 file, and the structure of the file makes it difficult to identify that a volume exists. In our analysis of TCSteg, we will show how Fiedler’s code works and how we may be able to detect the existence of steganography. We will then implement these methods in the hope that additional steganography analysis can use them to determine if an MP4 file is a carrier file. Finally, we will address the future of MP4 steganography.
Steganography is the act of concealing the existence of data. This can be seen as an alternative to cryptography, where the goal is to obscure the meaning of data. Steganography can be as simple as invisible ink on paper, or as complex as digital images with hidden data embedded in them. In both of these scenarios, we have information we want to remain hidden (our covert message), a medium that appears innocent (our overt file), and a method used to hide the covert message in the overt file.
There are three methods that can be used to hide data: generation, substitution, and insertion. The generation method uses the covert file to create an overt file. The substitution method requires replacing some of the data from the overt file with the covert file. The insertion method inserts the covert data in a location that will not affect how the overt data is processed.
The MPEG-4 file type has become one of the most popular video file formats because of its size, format, and playback support from most media players. It is the recommended file format for YouTube. Its versatility has made it the most common video format found on the internet, surpassing other formats like AVI, FLV, and MOV. MP4 has universal support from mobile devices and web browsers.
MP4’s universal support makes it a perfect candidate for use as a steganography carrier file, as its popularity makes it an unsuspicious file. Its file size can be larger than that of other common carrier files, making it suitable for more covert content. In addition, the MP4 file format is very unrestrictive, making it perfect for the development of new steganographic tools.
With this in mind, MP4 still offers plenty of challenges. The media data in an MP4 container varies from file to file, as there exist many codecs used for audio and video, both lossless and lossy. In addition, the file format’s unrestrictive nature means the container does not adhere to a standard format, which can be challenging.
While some tools have been created to hide data in MP4 files, most of these tools use end-of-file insertion techniques, making them an easy target for detection. For our purpose, we wanted to find a tool that not only made it difficult to detect the existence of covert data, but one that would also leave the file seemingly unaltered when played using a media player. What we discovered was Martin Fiedler’s TCSteg. TCSteg allows the user to insert a TrueCrypt hidden volume into any MP4 file. If used correctly, TCSteg is very difficult to detect. TCSteg uses the full functionality and plausible deniability of TrueCrypt, making it a simple method to hide encrypted data in an MP4 that can be played with any media player after modification has been completed.
Our goal is to show that with analysis, it is possible to detect the presence of steganography in a TCSteg MP4 file. Using several techniques for analysis, we will show there are some consistent details that may indicate the existence of a TrueCrypt hidden volume. We hope future steganography analysis will use these techniques to analyze MP4 files, as it is more than likely future methods of hiding data will be detectable using the same methodologies we followed.
MPEG-4
The MP4 file format was developed by the Moving Pictures Experts Group and is derived from the QuickTime file structure developed by Apple. This file format has become one of the most popular video formats because of how well it compresses. An MP4 file maintains great quality at a relatively small size, which allows online video sharing to become faster and more efficient. The ability to store video, music, images and text allows advanced content such as 3D graphics and menus to be incorporated as part of the file. In general, video formats are considered to be good carrier files due to their larger size, which allows more potential to hide data without raising suspicion based on size.
Main atoms
The structure of an MP4 file consists of data units called atoms. Atoms work in a hierarchy where sub-atoms can be contained within an atom for organizational purposes. Three main atoms are required for an MP4 file, abbreviated as ‘ftyp,’ ‘moov,’ and ‘mdat.’ The only requirement for these atoms is that ‘ftyp’ must come before ‘moov’ or ‘mdat.’ The positions of ‘moov’ and ‘mdat’ can be interchanged.
TCSteg
TCSteg is a Python script developed by Martin Fiedler and later updated by Vladimir Ivanov. The script essentially performs a VeraCrypt and MP4 merge. To work, the VeraCrypt container must have an outer and inner hidden volume. TCSteg then rearranges the atoms in the MP4 file to ensure that ‘mdat’ comes before ‘moov.’ Next, the outer volume is stripped off and the hidden volume is merged into the MP4 starting at byte offset 65,536. The ‘mdat’ is then moved to the end of the VeraCrypt volume and a new ‘mdat’ that spans the volume and the real ‘mdat’ is created. Fake ‘mdat’ data that resembles the real ‘mdat’ is placed before the volume header. Last, the chunk offset tables are changed to adjust to the new locations of the media samples referenced in ‘stco.’
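The atom layout and the TCSteg steps described above suggest two structural traits a defender can check: ‘mdat’ placed before ‘moov,’ and a large region at the start of ‘mdat’ that no ‘stco’ chunk offset points into. The following Python sketch is an added example, not TCSteg's code or the authors' detection tool; the function names, the `min_gap` threshold and the constructed sample file are assumptions, and only 32-bit ‘stco’ tables are read.

```python
import struct
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl"}

def walk(data, start, end):
    """Yield (type, offset, header_len, size) per atom, descending into containers."""
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1 and pos + 16 <= end:      # 64-bit size follows the type
            size, hdr = struct.unpack_from(">Q", data, pos + 8)[0], 16
        elif size == 0:                        # atom extends to end of parent
            size = end - pos
        if size < hdr or pos + size > end:     # malformed or truncated: stop
            return
        yield kind, pos, hdr, size
        if kind in CONTAINERS:
            yield from walk(data, pos + hdr, pos + size)
        pos += size

def chunk_offsets(data, pos, hdr):
    """stco payload: version/flags (4 bytes), entry count, then 32-bit offsets."""
    count = struct.unpack_from(">I", data, pos + hdr + 4)[0]
    return list(struct.unpack_from(">%dI" % count, data, pos + hdr + 8))

def assess(data, min_gap=65536):
    """min_gap is an assumed threshold, borrowed from the 65,536 offset in the text."""
    atoms = list(walk(data, 0, len(data)))
    mdat = next((a for a in atoms if a[0] == b"mdat"), None)
    moov = next((a for a in atoms if a[0] == b"moov"), None)
    offsets = [o for k, p, h, s in atoms if k == b"stco"
               for o in chunk_offsets(data, p, h)]
    if not (mdat and moov and offsets):
        return {"parsed": False}
    # Bytes at the start of the mdat payload that no chunk offset points into.
    gap = min(offsets) - (mdat[1] + mdat[2])
    order = mdat[1] < moov[1]
    return {"parsed": True, "mdat_before_moov": order,
            "unreferenced_lead": gap, "suspicious": order and gap >= min_gap}

def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload

def sample(lead):
    """Constructed input: mdat with `lead` unreferenced bytes before 16 media bytes."""
    ftyp = atom(b"ftyp", b"isom" + bytes(4) + b"isom")
    stco = atom(b"stco", struct.pack(">III", 0, 1, len(ftyp) + 8 + lead))
    moov = atom(b"moov", atom(b"trak", atom(b"mdia", atom(b"minf", atom(b"stbl", stco)))))
    return ftyp + atom(b"mdat", bytes(lead) + b"\x11" * 16) + moov
```

Calling `assess(sample(70000))` flags the constructed file, while `assess(sample(0))` does not; a flag is an indicator to investigate further, not proof that a hidden volume exists.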
Analysis
Our goal in this analysis is to be able to examine any MP4 file and say, with some degree of certainty, that specific traits of a file indicate the use of TCSteg. While it is almost impossible to say with one hundred percent certainty that any file is a true positive or negative for steganography, we hope to shed some light on techniques that could help in future analysis.
For our analysis of TCSteg, we had to consider the type of steganography being used by this tool. In this case, TCSteg uses an insertion technique to hide data within the MP4 carrier file. We know the constraints TCSteg must follow for the embedding process to take place. In addition to access to the TCSteg source code, we also have access to the overt, covert, and steganography files.
Besides the use of VeraCrypt, Python, and Fiedler/Ivanov’s TCSteg, we used several additional tools for analysis. Unfortunately, there are not many tools designed for MP4 steganography analysis, and this forced us to improvise on the tools we could use. In addition to the previously listed tools, we used MediaInfo, ISO Viewer, and the hex editor WinHex.
We determined that while TCSteg is difficult to detect, our methods of detection can make an assessment on the existence of the hidden volume. We also concluded that while there are not many tools for MP4 steganography analysis on the market, some existing applications can be used for this purpose. We feel it is likely that other insertion techniques for MP4 steganography will be developed in the future. As the MP4 file is still being explored, it will be interesting to see in what other locations data can be hidden.