Once I read about how some spies were saving messages in pictures. Cool. So I thought I’d try it just for fun.
Steganography
It was a lot different from invisible ink we played with as kids. 🙂
First I looked at an article on StackOverflow
In the article I found:
…
You can concatenate a gif and a zip (the information you want to hide) into one file. Gifs are read from the start of the file, while zips are read from the end of the file.
To create such a file in linux: cat file1.gif >> outfile.gif cat file2.zip >> outfile.gif or in Windows: copy /b "file1.gif"+"file2.zip" "outfile.gif"
…
Try it:
In cygwin:
$ zip Sometext.zip Sometext.txt
adding: Sometext.txt (stored 0%)
ls -1
DDR3.JPG
Sometext.txt
Sometext.zip
cat DDR3.JPG > DDR3_zip.jpg
cat Sometext.zip >> DDR3_zip.jpg
ls -l
35604 Jan 4 10:33 7zip_Cat.jpg
111118 Nov 1 14:51 DDR3.JPG
111295 Jan 4 10:35 DDR3_zip.jpg
21 Jan 4 10:34 Sometext.txt
177 Jan 4 10:35 Sometext.zip
Sure enough, if you use Windows Explorer, and open the file that’s been appended, you get the same image. Cool.
To extract the text, I found it with 7Zip.
Then, I did some analysis using a few commands in cygwin.
$ file *
7zip_Cat.jpg: JPEG image data, JFIF standard 1.01
DDR3.JPG: JPEG image data, JFIF standard 1.01
DDR3_zip.jpg: JPEG image data, JFIF standard 1.01
Sometext.txt: ASCII text, with CRLF line terminators
Sometext.zip: Zip archive data, at least v1.0 to extract
strings DDR3_zip.jpg | tail
…
(‘Yj7
bo=2\
[T$L
Sometext.txtUT
UNZUx
This is some text
[T$L
Sometext.txtUT
WNZUx
So, the fact that the file has been modified is easily found after all.
———
Steganotool:
More from the Stackoverflow thread:
Here is an opensouce Steganography software called steganotool This project is an open source steganography tool that can be used to hide and extract text to/ from Bitmap images.
Downloaded if from
https://github.com/PanagiotisDrakatos/steganotool
Use the file: Steganography.exe
Use the Steganography tool to add to the file JackA.bmp:
This is some text.
And create the file: Jack_Steno.bmp
ls -l 3,728 JackA.bmp 4,814 Jack_Steno.bmp
The resulting file is 1086 bytes bigger.
file *
JackA.bmp: PC bitmap data, Windows 3.x format, 35 x 34 x 24
Jack_Steno.bmp: PC bitmap data, Windows 3.x format, 35 x 34 x 32
strings Jack_Steno.bmp
– nothing at all, very interesting.
However, the cat command shows some interesting differences:
cat JackA.bmp
cat Jack_Steno.bmp
It turns out that Steganography only works with BMP files. Not a common file format these days. If you hid some info in a BMP file, someone might be curious.
find /cygdrive/c -type f -iname "*.bmp" 2> /dev/null | wc 610 2189 58228 find /cygdrive/c -type f -iname "*.jpg" 2> /dev/null | wc 7855 17536 900006
——
Clotho:
I tried Clotho, downloaded from here.
Using the most basic setting
$ file *
DDR3.JPG: JPEG image data, JFIF standard 1.01
DDR3_cloth1.JPG: JPEG image data, JFIF standard 1.01
SomeText.txt: ASCII text, with CRLF line terminators
clotho_basic.jpg: JPEG image data, JFIF standard 1.01
RL@AcerP633V /cygdrive/c/temp/Steganography2/clotho
$ strings DDR3_cloth1.JPG | tail
&`gi
O|wX
F4r
('Yj7
bo=2\
RQNX-CLOTHO:256: <------
ga}.
H/U*
``dg
this is some text <------
So, the Linux strings command works again.
Try the obfuscation feature.
Again, the strings command can indication something.
$ strings DDR3_cloth2.JPG | tail
J}rNcerP633V /cygdrive/c/temp/Steganography2/clotho
LOX(
&`gi
O|wX
F4r
('Yj7
bo=2\
RQNX-CLOTHO:256: <------
ga}.
:|=c
And the strings command still works.
And, interestingly enough, I see something in Windows 7 explorer:
Every file touched by clotho, has a little padlock in the icon. Hmm.
——————-
Try SteganoGifPaletteOrder:
Downloaded from:
http://users.skynet.be/glu/sgpo.htm
http://users.skynet.be/glu/sgpo.zip
Requires that you have and know java.
cd C:\Utils\SteganoGifPaletteOrder\ java SteganoGifPaletteOrder
Only works with GIF files.
Does not have functionality to specify where to save resulting file.
In the same directory as the .class files, it just creates a file:
out.gif
No possibility to give it a particular file name, which is pretty fundamental.
Reject.
—-
Autopsy:
On this blog, I found a comment,
Dale Jackaman comments: Open source forensics tools such as Autopsy or commercial tools such as X-Ways Forensics will find all these hidden file types.
So I Download Autopsy
http://www.sleuthkit.org/autopsy/
http://www.sleuthkit.org/autopsy/download.php
487 mb!
And take it for a test drive. You have to make a case first.
It finds the zip files.
Looking at a file that I modified: DDR3_2_zip.jpg, nothing seems to be flagged.
But if you use the tab, Indexed Test, it give the same results as the cygwin/linux strings command
So, you can use Autopsy to find issues. But, in my case, you would need to know what you are looking for.
Looks like a big program, that does many things.
—–
Michael Raggo’s StegSpy 2.1:
I downloaded Michael Raggo’s StegSpy 2.1 from here.
Turns out that it says: Copyright 2003, 2004
Over 1 1/2 decades ago.
And, it’s a very simple program. Only one button!
Then, tried it on the file I modified, DDR3_2_zip.jpg, but it didn’t detect anything.
——
SSuite Picsel Security:
Eventually, I found SSuite Picsel Security
To encypt:
Open original image. Here, use the supplied, Athena.bmp
Make a file with the message, link it to the Message button
Encrypt Image
Save image
$ ls -l 21 Jan 4 10:34 Sometext.txt 11238 Jan 3 15:49 athena.bmp 85186 Jan 4 13:41 athenaAfterEncrpt.bmp
Makes the resulting file size much bigger
Images looks the same.
But cat command shows differences:
Original:
cat athena.bmp
Resulting Encrypted File
cat athenaAfterEncrpt.bmp
You can encrypt with a JPG file too. However, the resulting file created is a BMP.
ls -l 111118 Nov 1 14:51 DDR3.JPG 1920054 Jan 4 13:54 DDR3AfterEncrpt.bmp ls -lh 109K Nov 1 14:51 DDR3.JPG 1.9M Jan 4 13:54 DDR3AfterEncrpt.bmp
And the resulting BMP is much bigger than the original JPG.
To Decrypt
Open Original IMage: DDR3.jpg
Hit Decrypt button.
Open Encrypted Image file:
DDR3AfterEncrpt.bmp
Decrypt image: Yes
—–
Closing Thoughts:
That’s enough exploring for a day or two.  It was a lot different from invisible ink we played with as kids. 🙂
Steganography looks like a big field. There are lots of other software packages out there. See the links below.
Some of the software I tried is quite old. Using the linux commands, it was easy to detect a modification.
What bothers me, is how unsophisticated so many of them were.
SSuite Picsel Security was the best that I tried. I’ll be looking at more of their many free software packages.
Does anyone know of some really good Steganography software? If so, please comment, and send the links.
—-
Useful Links:
HACKER LEXICON: WHAT IS STEGANOGRAPHY?
https://www.wired.com/story/steganography-hacker-lexicon/
How can you hide information inside a jpg or gif photo?
https://stackoverflow.com/questions/1216156/how-can-you-hide-information-inside-a-jpg-or-gif-photo
5 ways to Secretly Hide a File or Message Inside Another File
https://www.raymond.cc/blog/hide-your-secret-files-by-embedding-it-to-another-safe-source/
35 Best Free Steganography Software For Windows
http://listoffreeware.com/list-of-best-free-steganography-software-for-windows/
Easily Breaking a very weak steganography software: Camouflage
http://www.guillermito2.net/stegano/camouflage/index.html
Analyzing steganography softwares (for the fun of learning about it)
http://www.guillermito2.net/stegano/index.html
Michael Raggo on steganography
http://www.spy-hunter.com/stegintro.htm
Michael Raggo’s StegSpy 2.1
http://www.spy-hunter.com/stegspydownload.htm
——
PS: Hopefully the formatting looks ok. WordPress always continues to surprise, and make the simple, complex and difficult.
Rodger's Notes 
You must be logged in to post a comment.