
Malicious Steganography: Implementation and Detection

John Ortiz | March 24-25


Tired of the NSA reading your personal emails? Want to keep pictures of your ex on your computer? Need to exfiltrate data innocuously? Want to detect the guy exfiltrating data? Want to find data hidden in images and learn how malware has effectively used steganography? Then this course is for you! We will explore steganography well beyond the common Least Significant Bit techniques you may hear about in the news. Want to learn about JPEG hiding? We'll hide it many ways using tools provided. Want to listen to a CD with megabytes of other data? We do the wave with you - executables, video, and bitmaps too. We'll learn about and apply steganalysis to demonstrate detection as well.

This course introduces you to the concepts required for comprehending steganography such as data compression, information theory and entropy, human perception, digital imaging and audialization, and basic least significant bit hiding/detection techniques. Then it showcases more advanced steganographic and steganalytic techniques such as bit-plane complexity segmentation, high-capacity JPEG hiding, F5, and statistical hiding in audio and video along with corresponding detection techniques and malware applications. Emphasis is on practical applications and implementation rather than "theory" using a variety of tools provided. We will explore what the casual observer can look for too! Visual Cryptography is demonstrated as well. Scattered throughout are hands-on exercises with custom steganographic and steganalytic programs (including source code) that illustrate the various techniques and effectiveness of detection. YOU can decide the effectiveness for yourself. Can you see it? Can you hear it? We shall see...or maybe not!

Who Should Take this Course

Security researchers, forensic analysts, malware analysts, and anyone who wants to learn more about how audio and images can be (and have been) exploited.

Student Requirements

Students should have basic knowledge about using a command line interface. Programming experience is a plus, but not required.

What Students Should Bring

A laptop with Windows XP or greater, or the ability to run a Windows virtual machine with XP or greater.

What Students Will Be Provided With

Students will be provided with a physical copy of the slides, plus various free utilities and course-specific programs.


John Ortiz is currently a senior computer engineering consultant for Harris IT Services doing reverse engineering of malicious applications. For two years, he provided cyber security services to the U.S. Air Force researching innovative network security protection techniques. Prior to working at Harris, he spent five years at SRA International and five years at General Dynamics developing various defense-related software, researching data hiding techniques, and analyzing malware.

In a second role, Mr. Ortiz developed and teaches a Steganography course for the University of Texas at San Antonio (UTSA). It covers a broad spectrum of data hiding techniques in both the spatial and transform domains including least significant bit, discrete cosine transform, hiding in executables, and hiding in network protocols. For the course, Mr. Ortiz developed several steganographic programs for testing and analysis.

Mr. Ortiz has taught the Steganography course for 10 years at UTSA and various times for Black Hat and other venues. He has also presented at Black Hat and the Cyber Crime Conference on numerous occasions.

Mr. Ortiz holds two master's degrees from the Air Force Institute of Technology, one in Electrical Engineering and one in Computer Engineering, and a BSEE from Rose-Hulman Institute of Technology.