S-Tools  for Windows
Version 2.00 
(c) 1994 Andy Brown


What is steganography ?
-----------------------
Steganography is the ancient art of hiding sensitive information amongst
inconspicuous information. Many years ago people used to use illustrations
to conceal messages. The idea being that one party could send the
illustration to the other in reasonable confidence that if the messenger
was questioned then the illustration would not arouse any interest from his
enemies.

Since the advent of computers there has been a vast dissemination of
information, some of which needs to be kept private, some of which does
not. S-Tools (Steganography Tools) brings you the capability of `hiding'
files within Windows sound files (.WAV), bitmap (.BMP) and CompuServe GIF
files. For BMP's and GIF's you can choose whether you want the graphic
image to look identical after a file has been hidden inside, or whether you
can put up with some degradation of definition in order to gain other
advantages. Files hidden inside WAV's will not sound any different to the
human ear than the original file. The modified sound file will not increase
or decrease in size.

Users of S-Tools can opt to encrypt their information using the strongest
state-of-the-art encryption algorithms currently known (and some others) so
that even an enemy equipped with a copy of S-Tools cannot be sure that a
file is hidden in a graphic unless he has your secret passphrase.

You could use S-Tools to conceal private or confidential information that
you don't want to fall into the wrong hands. You could use it to send
information to another individual via a broadcast network such as Usenet.
By agreeing on a passphrase you can keep the information out of
unauthorised hands. Alternatively you could use S-Tools to verify your
copyright of an image or sound, by storing an encrypted copyright statement
in it and extracting it in the event of a dispute.

In short, S-Tools allows you to place private information in an
inconspicuous 'envelope' that will not arouse suspicion.


Using S-Tools
-------------
Before starting with S-Tools you will probably want to add the programs to
one of your Program Manager groups. I would suggest creating a new group
for S-Tools and adding the files ST-BMP.EXE and ST-WAV.EXE to it. You can
do this from within Program Manager by using the "New" option from under
the "File" menu. You might also like to add the help files ST-BMP.HLP and
ST-WAV.HLP to this group so that you can get quick access to them -- it's
up to you.

Both S-Tools modules come with their own Windows help files that you can
activate by pressing F1 or by selecting the appropriate option from the
Help menu. These help files document every command and option that is
available within the S-Tools modules. As such, there is little point in
duplicating all that information here. Instead I will devote the rest of
this text file to an explanation of what S-Tools does in order to hide a
file.

S-Tools 2.00 is incompatible with version 1.00. If you have hidden files
with version 1.00 then you should extract them and re-hide them with
version 2.00. You will gain additional security by doing so.


Shareware
---------
S-Tools is shareware. That means that if you find it useful and would like
to continue to use it after a reasonable trial period, which I consider to
be about one calendar month, then you should register your copy of the
program with me.

The registration fee for S-Tools is 15 UK pounds sterling. To register
S-Tools, send a cheque drawn against a UK bank, International Money Order,
International Postal Order or Sterling travellers cheques for 15 pounds to
the address below:

Andy Brown
28 Ashburn Drive
Wetherby
West Yorkshire
LS22 5RD                   
United Kingdom

For your registration fee you will receive a printed manual, a personalised
copy of the program, and a copy of the `C' source code.

I can be reached by e-mail at <asb@cs.nott.ac.uk> until June 1994.
                  

                       The WAV module (ST-WAV.EXE)
                       ---------------------------


Recommended system
------------------
You will need a '386 or above to run it, apart from that there is no other
requirement. Generally, if your computer makes Windows run faster then it
will make S-Tools run faster.


How it's done
-------------
Sound samples are, by their very nature, inaccurate estimates of the
correct value of the sound wave at a particular moment in time. The sound
samples in Windows WAV files are stored as either 8 or 16 bit values that
eventually get passed to the DA convertor in your sound board. For 8 bit
samples this means that the values can range between 0 and 255. 16 bit
samples range between 0 and 65535.

All S-Tools does is to `spread' the bit-pattern that corresponds to the
file that you want to hide across the least significant bits of the sound
sample.

For example, suppose that a sound sample had the following eight bytes of
information in it somewhere:

132      134      137       141      121      101      74       38

In binary, this is:

10000100 10000110 10001001 10001101 01111001 01100101 01001010 00100110
       |        |        |        |        |        |        |        |
LSB's -+--------+--------+--------+--------+--------+--------+--------+

Suppose that we want to hide the binary byte 11010101 (213) inside this
sequence. We simply replace the LSB (Least Significant bit) of each sample
byte with the corresponding bit from the byte we are trying to hide. So the
above sequence will change to:

133      135      136       141      120      101      74       39       

In binary, this is:

10000101 10000111 10001000 10001101 01111000 01100101 01001010 00100111
       |        |        |        |        |        |        |        |
LSB's -+--------+--------+--------+--------+--------+--------+--------+

As you can clearly see, the values of the sound samples have changed by, at
most, one value either way. This will be inaudible to the human ear, yet we
have concealed 8 bits of information within the sample. This is how S-Tools
does its job. Actually, S-Tools prepends some extra information on to the
front of the raw file data. 32 bits of time-dependent random garbage is
prepended first. This apparently meaningless step means that two identical
hidden files that are encrypted in CBC, or PCBC mode will never encipher to
the same ciphertext. Secondly, the 32 bit length of the hidden file is
included. This is required for S-Tools to be able to extract the hidden
file. Encryption will conceal this value.

In order to further conceal the presence of a file, S-Tools picks its bits
from the sample based on the output of a random number generator. This is
designed to defeat an attacker who might apply a statistical randomness
test to the lower bits of the sample to determine whether encrypted data is
hidden there (well-encrypted data shows up as pure white noise). The random
number generator used by S-Tools is based on the output of the MD5 message
digest algorithm, and is not easily (if at all) defeatable.


                   The BMP and GIF module (ST-BMP.EXE)
                   -----------------------------------


Recommended system
------------------
Like any graphics program S-Tools requires memory to hold its images. When
quantizing 256 colour images, S-Tools works with it in 24 bits. As an
example, my system has 4Mb RAM and 4Mb swap space and most of it gets
used up when quantizing a 640x480 image. If you've got less total memory
than I have then you really are in trouble.

You need at least a '386 to run S-Tools. After that, well, the faster the
better -- especially during quantization :-)


Sample image
------------
The file HIDDEN.GIF is a test image that I have hidden a secret text
message inside (unencrypted). You might like to try out S-Tools by
extracting and viewing this hidden message -- you might be pleasantly
surprised by the amount of information that you can conceal in an image.


IMPORTANT NOTE
--------------
Either my graphics card driver is knackered (quite likely) or there is a
bug in the Microsoft DIBAPI library (very likely) that causes palettes to
be displayed rather erratically. I note from experiment that a
Microsoft-supplied example application exhibits the same strange behaviour,
but others such as Corel PhotoPaint do not, so don't panic if things look a
little screwy on screen. Try copying the altered image into the Windows
clipboard and using the Clipboard Viewer program to have a look at it.
Saving and viewing with a DOS based viewer such as Graphics Workshop or
Colorview is another option you can try.


How it's done
-------------
All computer based pictures are composed of an array of dots, called
pixels, that make up a very fine grid. Each one of these pixels has its own
colour, represented internally as separate quantities of red, green and
blue. Within Windows, each of these colour levels may range between 0 (none
of the colour) and 255 (a full amount of the colour). A pixel with an RGB
value of 0 0 0 is black, and one with a value of 255 255 255 is white.

S-Tools works by `spreading' the bit-pattern of the file that you want to
hide across the least-significant bits (LSB's) of the colour levels in the
image.

For a 24 bit image this is simple because 24 bit images are stored
internally as RGB triples, and all we need to do is spread our bits and
save out the new file. The drawback to this is that 24 bit images are
uncommon, and would therefore attract the attention of those whose
attention you are trying to avoid attracting ! They are also very large as
they contain 3 bytes for every pixel (for a 640x480 image this is
640x480x3=921600 bytes).

It is considerably more difficult to hide anything within a 256 colour
image. This is because the image may already have over 200 colours which
our meddling will carry to way over the absolute maximum of 256.

Looking at a little theory it is easy to see that an image with 32 or less
colours will never exceed 256 colours, no matter how much we meddle with
it. To see this, visualise the 3 LSB's of an RGB triple as a 3-bit number.
As we pass through it in our hiding process we can change it to any one of
8 possible values, the binary digits from 000 to 111, one of which is the
original pattern. If one colour can `expand' to up to 8 colours, how many
distinct colours can we have before we are in danger of exceeding the limit
of 256 ? Simple, 256/8=32 colours. There is no guarantee that 32 colours is
our upper limit for every file that you want to hide though. If you're
lucky the file will not change a colour to all of its 8 possible
combinations and then we are able to keep one more of the original colours.
In practice, however, you will often find pictures being reduced to the
minimum of 32 colours.

S-Tools tries to reduce the number of image colours in a manner that
preserves as much of the image detail as possible. It usually makes a very
good job too, I can often not tell the difference between a 256 colour
scanned image and one reduced to 32. The caveat is speed. Highly accurate
colour quantization takes time -- Anybody wanna give me a DEC Alpha ? No ?
Didn't think so.

S-Tools prepends some extra information on to the front of the raw file
data before hiding. 32 bits of time-dependent random garbage is prepended
first. This apparently meaningless step means that two identical hidden
files that are encrypted in CBC or PCBC mode will never encipher to the
same ciphertext. Secondly, the 32 bit length of the hidden file is
included. This is required for S-Tools to be able to extract the hidden
file. Encryption will conceal this value.

In order to further conceal the presence of a file, S-Tools picks its bits
from the image based on the output of a random number generator. This is
designed to defeat an attacker who might apply a statistical randomness
test to the lower bits of the image to determine whether encrypted data is
hidden there (well-encrypted data shows up as pure white noise). The random
number generator used by S-Tools is based on the output of the MD5 message
digest algorithm, and is not easily (if at all) defeatable.


A few final words (you mean you're still reading this !)
--------------------------------------------------------
Please do take the time to read the help files, there are some useful hints
amongst the rather dry command descriptions that you may benefit from. If
you decide to encrypt your files then don't feel safe just because the
algorithm used is immune to attack. An enemy will attack the weakest link
in the chain; and that is you. Use "good" passphrases that don't appear in
any books or literature. A nonsense phrase that's a combination of two or
more meaningful phrases is one such possibility. Oh yeah, don't go leaving
the file that you've just hidden sitting around on your hard disk. Use a
utility that erases it *properly* (ie. overwrites the actual information
multiple times) to get rid of it.


Have fun,

Andy

+---------------------------+----------------------------------------------+
| Andy <asb@cs.nott.ac.uk>  | PGP key fingerprint: EC 80 9C 96 54 63 CC 97 |
|    finger for PGP key     |                    : FF 7D C5 69 0B 55 23 63 |
+---------------------------+----------------------------------------------+