Someone sends you a file. It could be a normal image — or it could be carrying a hidden payload you're not meant to see. Whether you're a security analyst, a CTF player, or just suspicious, detecting steganography requires a specific class of technique called steganalysis.
The StegoToolkit Steganography Analyzer runs four statistical tests on any uploaded file entirely in your browser. It gives you a suspicion score, per-test results, and a bit-plane viewer — no upload to any server, no software required.
This guide explains what's happening under the hood and how to interpret what you find.
What Is Steganalysis?
Steganalysis is the detection side of steganography — the science of determining whether a file contains hidden data. Unlike simply decoding a stego file (which requires knowing the method and usually a password), steganalysis can flag suspicious files without knowing how they were encoded.
There are two main approaches:
- Blind steganalysis — statistical tests that look for anomalies caused by the encoding process. These work without knowing the steganography method used.
- Targeted steganalysis — tests designed for specific tools (e.g., detecting StegHide specifically). More accurate but requires a hypothesis.
The Steganography Analyzer uses blind statistical methods that work across encoding tools.
The Four Tests the Analyzer Runs
1. Chi-Square Attack
The chi-square attack exploits a statistical property of LSB steganography. It looks at pairs of values that differ only in their last bit (called "PoVs", pairs of values), such as 2 and 3 or 254 and 255. In a normal unmodified image, the two values in a pair usually occur with different frequencies. When LSB steganography overwrites pixel LSBs to encode data, the frequencies within each pair become statistically equalised.
The chi-square test measures how close pixel value distributions are to this equalised state. A p-value close to 1.0 strongly suggests LSB steganography has been applied. A value near 0 suggests a clean image.
This test was first described by Westfeld and Pfitzmann in 2000 and remains one of the most reliable detectors for basic LSB steganography.
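An added example (not the Analyzer's own code): a Python implementation of the pairs-of-values chi-square test described above, run on constructed sample data. The function names, the `min_expected` cutoff, and the synthetic cover with over-represented even values are assumptions made for illustration.

```python
import math
import random

def chi2_sf(stat, df):
    """Upper-tail probability of a chi-square variable with df degrees of freedom."""
    if stat <= 0:
        return 1.0
    x = stat / 2.0
    # Start from the closed form for df = 2 (even) or df = 1 (odd), then apply
    # Q(a + 1, x) = Q(a, x) + x^a * e^-x / Gamma(a + 1) until a = df / 2.
    a = 1.0 if df % 2 == 0 else 0.5
    q = math.exp(-x) if df % 2 == 0 else math.erfc(math.sqrt(x))
    while a < df / 2.0:
        q += math.exp(a * math.log(x) - x - math.lgamma(a + 1.0))
        a += 1.0
    return min(q, 1.0)

def pov_chi_square(samples, min_expected=5.0):
    """Return (p_value, statistic, df) for the pairs-of-values test on 8-bit samples."""
    hist = [0] * 256
    for v in samples:
        hist[v] += 1
    stat, pairs = 0.0, 0
    for even in range(0, 256, 2):
        expected = (hist[even] + hist[even + 1]) / 2.0  # count if the pair were equalised
        if expected < min_expected:  # sparse pairs make the statistic unreliable
            continue
        stat += (hist[even] - expected) ** 2 / expected
        pairs += 1
    df = pairs - 1
    if df < 1:  # too few usable pairs to judge
        return 0.0, stat, df
    return chi2_sf(stat, df), stat, df

def constructed_cover(n=20000, seed=1):
    """Constructed sample: even values deliberately over-represented in every pair."""
    rng = random.Random(seed)
    return [v & ~1 if rng.random() < 0.3 else v
            for v in (rng.randrange(256) for _ in range(n))]

def replace_lsbs(samples, seed=2):
    """Constructed 'embedded' sample: every LSB overwritten with a random message bit."""
    rng = random.Random(seed)
    return [(v & ~1) | rng.getrandbits(1) for v in samples]

if __name__ == "__main__":
    cover = constructed_cover()
    print("cover    p = %.4f" % pov_chi_square(cover)[0])
    print("embedded p = %.4f" % pov_chi_square(replace_lsbs(cover))[0])
```

On the constructed data, the skewed cover gives a p-value near 0 and the copy with all LSBs replaced gives a p-value near 1, matching the interpretation above.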
2. RS Analysis (Regular-Singular Analysis)
RS analysis uses a more sophisticated model that groups pixels into "regular" and "singular" sets based on how their LSBs respond to a flipping function. In a clean image, these groups have a predictable ratio. LSB embedding disrupts this ratio in a mathematically consistent way.
RS analysis is harder to defeat than chi-square because it doesn't rely on value-pair equalisation — it detects the disturbance in spatial pixel relationships. It also provides an estimate of the hidden payload size (what percentage of the image capacity is used).
3. Sample Pairs Analysis
Sample pairs (SP) analysis examines adjacent pixel pairs and measures how many pairs change their ordering relationship when LSBs are flipped. This count follows a specific mathematical model in natural images and deviates predictably when embedding is present.
SP analysis is particularly effective on images with smooth gradients and is robust against some countermeasures that fool chi-square.
4. Primary Sets Analysis
The primary sets test looks at the distribution of pixel values in their binary representation, specifically how often the last two bits match. Natural images show a characteristic distribution; embedding disrupts it. This test can detect steganography even at low embedding rates where chi-square might give uncertain results.
How to Run Steganalysis Online
→ Open the Steganography Analyzer
- Upload your file — drag and drop any PNG, BMP, JPEG, or audio file
- Wait for analysis — all four tests run in a Web Worker (typically 2–10 seconds depending on file size)
- Read the suspicion score — a combined score from 0 to 100% based on all four tests
- Review per-test results — each test shows its individual assessment and confidence level
- Inspect bit planes — switch to the Bit Plane viewer to visually inspect each channel and bit depth for hidden patterns
Interpreting the Results
| Suspicion Score | Likely Interpretation |
| --------------- | --------------------- |
| 0–20% | Clean file — no statistical indicators of steganography |
| 20–50% | Ambiguous — some noise in results, could be a compressed image or false positive |
| 50–75% | Suspicious — at least one test showing strong signal |
| 75–100% | Very likely encoded — multiple tests agree on steganography presence |
A high suspicion score doesn't tell you what is hidden or how to extract it — only that something is statistically anomalous. For extraction, use the Image Steganography Extractor with different bit-depth and channel settings.
What Steganalysis Cannot Detect
Statistical tests have known blind spots:
- Encrypted steganography — if the payload is encrypted before embedding, the data looks more random, which can actually reduce false positive rates in chi-square tests. Encrypted stego may show lower suspicion scores.
- F5 and adaptive steganography algorithms — advanced tools use content-aware embedding that matches the statistical model of the original image. Blind statistical tests may fail.
- Palette-based steganography — techniques that hide data in colour lookup tables rather than pixel values bypass most pixel-level statistical tests.
- Non-LSB techniques — DCT coefficient manipulation (common in JPEG steganography), spread-spectrum embedding, and phase coding are not detected by LSB-specific tests.
Practical Uses for Steganalysis
Malware forensics. Malware operators increasingly use steganographic techniques to exfiltrate data or receive C2 commands hidden in innocent-looking image files. Steganalysis is part of a forensic workflow when analysing suspicious image downloads from compromised systems. See SVG Steganography in Malware for a specific example.
CTF challenges. Before trying extraction tools, running steganalysis confirms whether an image actually contains hidden data — saving time on challenges that use other techniques entirely.
Content moderation. Detecting whether images being shared through a platform contain hidden payloads is an active research problem. Statistical steganalysis is one layer of the detection pipeline.
Insider threat investigation. If a suspected insider is exfiltrating data via images shared on company platforms, steganalysis can flag suspicious files for deeper forensic investigation.
Run Steganalysis on Your Files
The Steganography Analyzer runs everything in your browser. Files never leave your device, which matters when analysing potentially sensitive files.
→ Analyse a file for steganography now
For the full extraction workflow once you've confirmed something is hidden, see the CTF Steganography Guide.