NCJRS Virtual Library

Reading Between the Lines: Steganography

NCJ Number: 203820
Journal: Law and Order, Volume: 51, Issue: 12, Dated: December 2003, Pages: 46-51
Author(s): Michael W. Sheetz
Date Published: December 2003
Length: 6 pages
Annotation
This article describes the features of an investigative technique designed to reveal incriminating computer data that has been hidden through digital steganography (techniques for hiding messages or information).
Abstract
Steganography differs from cryptography in that cryptography is less interested in hiding the existence of a message than in composing a message with a formula that makes the message unintelligible to all but the intended recipient, who knows the formula for interpreting the message. Steganography, on the other hand, is primarily interested in hiding the fact that there is even a message to be found. This article briefly describes the concept behind most digital data-hiding techniques used in popular computer software. The evolutionary process in software development is likely to make the detection of steganographically embedded information very difficult. Computer crime investigators must be trained to look for the clues common to steganography in general, rather than the features of steganographic software in particular.

By approaching each case with a standard investigative technique, investigators can improve their discovery or exclusion of hidden digital evidence. The technique involves "awareness, analysis, education, inspection, examination, recovery." "Awareness" involves approaching every investigation under the assumption that the suspect could benefit from steganography in some way. "Analysis" consists of determining how the suspect could possibly benefit from the use of steganography and what cover files are most conducive to the suspect's purpose in using steganography. "Education" involves being knowledgeable about steganography software currently available. A search on the Internet can provide current information about programs in use. "Inspection" entails using one's steganography software knowledge in detecting the suspect's possession of steganography software on his or her computer. Knowing that a certain type of software is in use on a computer guides efforts to recover the hidden data. "Examination," often the most time-consuming process, requires a search of each file on the computer as a potential cover for the evidence being sought. There are several commercial programs that adequately automate the task of steganalysis. "Recovery" is the outcome of the investigation, i.e., the revelation and seizure of the incriminating evidence the suspect has attempted to hide.