  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3834

Detecting information-hiding in JPEG images

Hi,

I got a JPEG photo which contains hidden data, any method to detect and extract the hidden information.
Asked by: mawingpui
2 Solutions
 
akahan Commented:

mawingpui (Author) Commented:
The result is

C:\stegdetect>stegdetect xxxxx.jpg
Corrupt JPEG data: premature end of data segment
c:\xxxxx.jpg : negative

P.S. I can open up the image using the Windows default image viewer...

btan (Exec Consultant) Commented:
This site has a list; specifically, you can try out the following

@ http://members.cox.net/ebmmd/stego/stego/info.html#Steganalysis

a) Stegdetect, which looks for signs of steganography in JPEG files, can be employed. The previous posting has shared it. Also in the download pack there is Stegbreak, a companion tool to Stegdetect, which works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.

b) Stegspy, which detects commonly used hiding tools such as Hiderman, JPHideandSeek, Masker, JPegX, Invisible Secrets
@ http://www.spy-hunter.com/stegspydownload.htm

btan (Exec Consultant) Commented:
Strange... can try other image viewers as well, such as
IrfanView @ http://www.irfanview.com/
FastStone ImageViewer http://www.fastsone.org/

Every graphics file type has a "magic number" which indicates the file type (see http://www.astro.keele.ac.uk/~rno/Computing/File_magic.html for more on this). For JPEGs, that number is FF D8 FF E'X', which represents the first bytes of the header. Note that 'X' = 1 indicates that the image is an Exif JPEG, whereas 'X' = 0 indicates JFIF format.

You can use TrID to confirm @ http://mark0.net/soft-trid-e.html

If recovery needs to be considered, can check out this commercial software: http://www.hketech.com/JPEG-recovery/index.php
The 15 day trial is fully functional, except you can't save the photos.

And there is also a tool such as PhotoRec to recover the JPEG file (assuming there is a deleted copy); it checks for validity as well
@ http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works

btan (Exec Consultant) Commented:
There is also JPEGInfo to see what parts of the file contain structural errors. But for information, suggest recovery if all else fails
@ http://www.picturel.com/utils.html

mawingpui (Author) Commented:
Hi breadtan,

Here is the result from TrID,

C:\check\trid>trid xxxxx.jpg

TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello
Definitions found:  4038
Analyzing...

Collecting data from file: xxxxx.jpg
 50.0% (.JPG) JFIF JPEG Bitmap (4003/3)
 37.4% (.JPG) JPEG Bitmap (3000/1)
 12.4% (.MP3) MP3 audio (1000/1)

C:\check\trid>

btan (Exec Consultant) Commented:
Legit image but something within it indeed. Typically, if uploaded online for AV checks, TrID is used and flags with such figures.
E.g.  http://www.virustotal.com/file-scan/report.html?id=c7715008a3d1ff756c972dcf32835be91319ed26f3fdeca298f052a979bf0f47-1277487294

Since stegdetect fails to do so, can see
@ http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php
@ http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
@ http://www.online-tech-tips.com/free-software-downloads/hide-files-in-jpeg-pictures-the-easy-way/

It could be concatenation: if the picture is run through a program like WinZip, WinRAR or 7-Zip, the hidden files may appear.
If it is self-hidden, it is not going to be straightforward to extract since it is a manual process....

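The two structural checks discussed in this thread (the FF D8 FF E0/E1 magic number, and an archive concatenated after the image) can be done without a third-party tool. The following is an added example, not code from the thread or from any of the tools mentioned: it walks the JPEG marker segments, classifies the header as JFIF or Exif, flags a truncated file (no EOI marker, the kind of thing stegdetect's "premature end of data segment" complains about) and reports any bytes after the EOI marker, checking them against ZIP/RAR/7-Zip signatures. The SAMPLE bytes are a constructed minimal JPEG with a ZIP header appended, not a real photo.

```python
import struct

# Constructed sample (not a real file): SOI, a JFIF APP0 segment, a minimal SOS header with a few
# entropy-coded bytes (including a stuffed FF 00), EOI, then a ZIP local-file header appended after EOI.
SAMPLE = (b"\xff\xd8"
          + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
          + b"\x12\x34\xff\x00\x56"
          + b"\xff\xd9"
          + b"PK\x03\x04" + b"\x00" * 26)

# Signatures of archive formats commonly appended to an image (the concatenation trick)
ARCHIVE_SIGS = {b"PK\x03\x04": "ZIP", b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7-Zip"}

def inspect_jpeg(data: bytes) -> dict:
    """Walk the JPEG marker segments and report the format, structural problems and
    any bytes trailing the EOI marker (which a normal viewer silently ignores)."""
    report = {"format": None, "segments": [], "problems": [], "trailing": 0, "trailing_type": None}
    if data[:3] != b"\xff\xd8\xff":
        report["problems"].append("missing SOI / JPEG magic number")
        return report
    # FF D8 FF E0 = JFIF (APP0 first), FF D8 FF E1 = Exif (APP1 first), as noted in the thread
    report["format"] = {0xE0: "JFIF (APP0)", 0xE1: "Exif (APP1)"}.get(data[3], "other APPn")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            report["problems"].append(f"expected a marker at offset {pos}")
            return report
        marker = data[pos + 1]
        if marker == 0xD9:  # EOI: everything after this is not part of the image
            tail = data[pos + 2:]
            report["trailing"] = len(tail)
            report["trailing_type"] = next((n for s, n in ARCHIVE_SIGS.items() if tail.startswith(s)), None)
            return report
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        report["segments"].append((marker, length))
        pos += 2 + length
        if marker == 0xDA:  # SOS: skip entropy-coded data up to the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and nxt != 0xFF and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    report["problems"].append("no EOI marker: truncated or corrupt JPEG data")
    return report
```

Run it on a file with `inspect_jpeg(open("photo.jpg", "rb").read())`; a non-zero `trailing` count is the signal that something was appended, while a "no EOI" problem on a file that still displays explains the corrupt-data warning without proving anything is hidden.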
btan (Exec Consultant) Commented:
There are more tools, but it is quite a wild chase as it can be encoded in many ways unless we know the method.
@ Retry stegdetect (may be newer) @ http://linux.downloadatoz.com/stegdetect/
@ Data Stash @ http://www.skyjuicesoftware.com/software/ds_info.html

You may be interested in the wide list of stego tools - http://www.jjtc.com/Steganography/tools.html

mawingpui (Author) Commented:
Hi Breadtan,

I downloaded and extracted the stegdetect-0.6.tar.gz.gz file in Ubuntu OS.
There are a lot of *.c & *.h files; it seems to require compiling or building an executable....
Can you tell me how to run it, thanks!

btan (Exec Consultant) Commented:
Did a check with the outpost download site and it has also listed the latest at the same version as well - Stegdetect 0.6 - 2004-09-06.

mawingpui (Author) Commented:
Hi Breadtan,

I have downloaded "Stegdetect 0.6 - Source Code" from the URL below,
http://www.outguess.org/stegdetect-0.6.tar.gz
This is not a "Windows Binary" version like Stegdetect 0.4; can you tell me how to use it under Ubuntu?

Many Thanks!

btan (Exec Consultant) Commented:
Another way is to use the ready-made .DEB file (hardy version preferred since it has the latest version), see
@ http://packages.ubuntu.com/hardy/utils/stegdetect

The .DEB can be installed directly in Ubuntu (not Windows), see http://www.psychocats.net/ubuntu/installingsoftware

Can get the Ubuntu OS @ http://www.ubuntu.com/desktop/get-ubuntu/windows-installer
- for info, dapper is Ubuntu 6.06 LTS while hardy is Ubuntu 8.04 LTS. For upgrades, you can find out more in https://help.ubuntu.com/community/HardyUpgrades#head-e7f287c730b93116f89de7ea7e05efbe95fa6dd1

Others
a) for compiling, can check out @ https://help.ubuntu.com/community/CompilingEasyHowTo
b) there is also a LiveCD called CAINE that has a suite of forensic tools including Stegdetect, but not sure whether it is of the latest version though, see http://www.caine-live.net/page5/page5.html. Btw, it has a VMware version and a .DEB version.

mawingpui (Author) Commented:
Unfortunately, the result is negative; the image should be encrypted using some high-level tools...

admin@local:~/$ stegdetect -V
Stegdetect Version 0.6
admin@local:~/$ stegdetect xxxxx.jpg 
xxxxx.jpg : negative
admin@local:~/$ 

btan (Exec Consultant) Commented:
Tough one .... I found another advanced tool (but commercial): WetStone Technologies' Gargoyle (formerly StegoDetect) software (WetStone Technologies 2004A) can be used to detect the presence of steganography software.
@ http://www.logon-int.com/Product.asp?sClassId=FORENSIC&sProdClassCode=WET-P-0004

Ref article: http://www.garykessler.net/library/fsc_stego.html
See figure 12

WetStone Technologies' Stego Watch (WetStone Technologies 2004B) analyzes a set of files and provides a probability about which are steganography media and the likely algorithm used for the hiding (which, in turn, provides clues as to the most likely software employed). The analysis uses a variety of user-selectable statistical tests based on the carrier file characteristics that might be altered by the different steganography methods. Knowing the steganography software that is available on the suspect computer will help the analyst select the most likely statistical tests.

Finding steganography in a file suspected to contain it is relatively easy compared to extracting hidden data. Most steganography software uses passwords for secrecy, randomization, and/or encryption. Stegbreak, a companion program to stegdetect, uses a dictionary attack against JSteg-Shell, JPHide, and OutGuess to find the password of the hidden data but, again, this is only applicable to JPEG files (OutGuess 2003). Similarly, Stego Break is a companion program to WetStone's Stego Watch that uses a dictionary attack on suspect files (WetStone Technologies 2004B). Steganography detection schemes do not directly help in the recovery of the password. Finding appropriate clues is where the rest of the investigation and computer forensics comes into play.

mawingpui (Author) Commented:
No money to purchase professional software...
Thanks, anyway! :)
