StegoToolkit

Steganography Analyzer

Detect and analyze steganographic content in images. Chi-Square, RS Analysis, Sample Pairs, Primary Sets. Bit plane viewer. Forensic report. No upload.

No Upload
Forensic Report
4 Detection Methods
Read our guides & tutorials

How to Detect Steganography (4 steps)

  1. Upload the suspicious image (PNG, BMP, JPEG, GIF, or WebP)
  2. Four statistical tests run automatically — Chi-Square, RS Analysis, Sample Pairs, Primary Sets
  3. Review the Suspicion Score (0–100) with per-method breakdown and payload estimate
  4. Download the forensic JSON report for documentation
🔒
Your files never leave your browser.

Most online steganalysis tools (including Aperi'Solve) upload your files to their servers. This tool runs entirely on your device using Canvas API, Web Crypto API, and WebWorkers. For forensic evidence, corporate secrets, or sensitive content — this matters.

🔒 No Upload — Zero Server Contact🧾 No Logs🔐 SHA-256 On Device

How to Detect Hidden Data in an Image (5 steps)

  1. Upload the suspicious image (PNG, BMP, JPEG, GIF, or WebP)
  2. Four statistical tests run automatically in your browser — no upload
  3. Review the Suspicion Score (0–100) with per-method breakdown
  4. Examine bit planes visually for LSB noise patterns
  5. Download the forensic JSON report for chain-of-custody documentation

Four Statistical Detection Methods — Comparison

MethodBest ForPayload Estimate?Accuracy
Chi-Square AttackSequential LSB❌ Probability onlyHigh (2000)
RS AnalysisAny LSB — PNG/BMP✅ bpp estimateVery High (2001)
Sample PairsRandomized LSB✅ bpp estimateHigh (2003)
Primary SetsLow-rate embedding❌ Probability onlyMedium (2002)
Fusion (all 4)Any LSB method✅ Combined estimateHighest (StegExpose)

Frequently Asked Questions

Does this tool upload my files to any server?

No. All analysis runs entirely in your browser using Canvas API for pixel extraction, Web Crypto API for SHA-256 hashing, and WebWorkers for parallel computation. The network tab will show zero file upload requests. This is the only browser steganalysis tool with this guarantee.

What does the Suspicion Score mean?

The score (0–100) combines four statistical tests using the StegExpose fusion methodology. A score above 70 indicates steganography is statistically likely. Note: results are probabilistic — a HIGH score does not guarantee steganographic content. False positive rate is approximately 5% at score 70+.

How accurate is the payload estimate?

RS Analysis and Sample Pairs both provide independent payload estimates in bits-per-pixel (bpp). The tool averages these and applies ±15% confidence bounds. For lossless formats (PNG, BMP), estimates are typically within 20% of the actual payload size. JPEG estimates are less reliable due to lossy compression.

Why is chi-square less reliable for JPEG?

Chi-square attack was designed for lossless steganography (PNG/BMP LSB replacement). JPEG's lossy compression quantizes pixel values, which disrupts the PoV pair statistics the test relies on. For JPEG files, RS analysis is more appropriate. The tool warns you when a JPEG is submitted.

What is the Bit Plane Viewer showing?

Each color channel (Red, Green, Blue) has 8 bit planes — one per bit. The LSB (Bit 0) plane is most important for steganalysis. In clean images, the LSB plane shows a structured, smooth noise pattern. In stego images, the LSB plane appears more random due to data being embedded in those bits.

What is the difference between this tool and Aperi'Solve?

Aperi'Solve runs zsteg, steghide, binwalk, and exiftool on their servers — your file is uploaded to a third-party service. This tool runs entirely in your browser; your file never leaves your device. Critical for forensic evidence (chain of custody), corporate security (confidential files), and legal material (attorney-client privilege).

What does 'EOF trailing data' mean?

Some steganography methods append data after the image's official end marker (JPEG FF D9, PNG IEND chunk). The EOF check detects this. Trailing data is a strong indicator of appended payload. Try the File Hider Extractor to attempt extraction.

Can this tool detect all types of steganography?

The four statistical methods reliably detect LSB steganography — the most common technique. Adaptive methods (HILL, WOW, UNIWARD) and DCT-domain methods (JSteg, F5) may not be detected because they preserve statistical properties. Deep learning models (Aletheia) handle those — but require GPU and Python. This tool covers the practical 90% of real-world LSB cases.

How does batch analysis work?

Drop up to 50 files and click Analyze. Files are processed in parallel using a WebWorker pool (up to 8 concurrent workers, based on your CPU core count). Results are sorted by suspicion score so the most suspicious files appear first. Export a batch JSON report or SIEM-compatible CSV for Splunk, IBM QRadar, or Microsoft Sentinel.

Is the SHA-256 hash suitable for forensic documentation?

Yes. The SHA-256 hash is computed on your device using the Web Crypto API before analysis begins. It appears in the forensic JSON report alongside the timestamp. This provides chain-of-custody documentation: you can prove the file you analyzed had that exact hash at that time.