mawingpui asked:

Detecting information-hiding in JPEG images

Hi,

I got a JPEG photo which contains hidden data. Is there any method to detect and extract the hidden information?
Digital Forensics

Last Comment
mawingpui

8/22/2022 - Mon
akahan

ASKER
mawingpui

The result is
C:\stegdetect>stegdetect xxxxx.jpg
Corrupt JPEG data: premature end of data segment
c:\xxxxx.jpg : negative


P.S. I can open up the image using the Windows default image viewer...
btan

This site has a list; specifically, you can try out the following:

@ http://members.cox.net/ebmmd/stego/stego/info.html#Steganalysis

a) Stegdetect, which looks for signs of steganography in JPEG files, can be employed. A previous posting has shared it. Also in the download pack there is Stegbreak, a companion tool to Stegdetect, which works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.

b) Stegspy, which detects commonly used hiding tools such as Hiderman, JPHideandSeek, Masker, JPegX, Invisible Secrets
@ http://www.spy-hunter.com/stegspydownload.htm

btan

Strange... you can try other image viewers as well, such as
IrfanView @ http://www.irfanview.com/
FastStone ImageViewer http://www.fastsone.org/

Every graphics file type has a "magic number" which indicates the file type (see http://www.astro.keele.ac.uk/~rno/Computing/File_magic.html for more on this). For JPEGs, that number is FF D8 FF E'X', which represents the first bytes of the header. Note that 'X' = 1 indicates that the image is an Exif JPEG, whereas 'X' = 0 indicates JFIF format.

You can use TrID to confirm @ http://mark0.net/soft-trid-e.html

If recovery needs to be considered, you can check out this commercial software: http://www.hketech.com/JPEG-recovery/index.php
The 15 day trial is fully functional, except you can't save the photos.

And there are tools such as PhotoRec to recover JPEG files (assuming there is a deleted copy); it checks for validity as well
@ http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works
btan

There is also JPEGInfo to see what parts of the file contain structural errors. But for information, I suggest recovery if all else fails
@ http://www.picturel.com/utils.html
ASKER
mawingpui

Hi breadtan,

Here is the result from TrID,

C:\check\trid>trid xxxxx.jpg

TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello
Definitions found:  4038
Analyzing...

Collecting data from file: xxxxx.jpg
 50.0% (.JPG) JFIF JPEG Bitmap (4003/3)
 37.4% (.JPG) JPEG Bitmap (3000/1)
 12.4% (.MP3) MP3 audio (1000/1)

C:\check\trid>

btan

Legit image, but there is something within it indeed. Typically, if uploaded online for AV checks, TrID is used and flags with such figures.
E.g.  http://www.virustotal.com/file-scan/report.html?id=c7715008a3d1ff756c972dcf32835be91319ed26f3fdeca298f052a979bf0f47-1277487294

Since stegdetect failed to do so, you can see
@ http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php
@ http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
@ http://www.online-tech-tips.com/free-software-downloads/hide-files-in-jpeg-pictures-the-easy-way/

It would be concat: if the picture is run through a program like WinZIP, WinRAR or 7-Zip, the hidden files may appear.
If it is self-hidden, it is not going to be straightforward to extract since it is a manual process...
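
The magic-number check and the concatenation case mentioned in this thread, as an added example that is not part of any poster's reply: it walks the JPEG marker segments to the real end-of-image marker and reports any bytes after it, including archive signatures. `inspect_jpeg`, `ARCHIVE_MAGIC` and `SAMPLE` are names chosen here, and `SAMPLE` is a constructed byte string, not a decodable picture.

```python
import struct

# Magic numbers of archive formats that are commonly appended to a carrier image.
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM and RST0-7 have no length field


def inspect_jpeg(data: bytes) -> dict:
    """Report header type, EOI offset and any data found after the EOI marker."""
    if data[:3] != b"\xff\xd8\xff":               # FF D8 FF: JPEG magic number
        return {"jpeg": False}
    report = {"jpeg": True, "kind": {0xE0: "JFIF", 0xE1: "Exif"}.get(data[3], "other")}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return {**report, "error": f"expected marker at offset {pos}"}
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                      # EOI: the image ends here
            trailer = data[pos + 2:]
            hits = {name: trailer.find(sig)
                    for sig, name in ARCHIVE_MAGIC.items() if sig in trailer}
            return {**report, "eoi": pos, "trailing": len(trailer), "signatures": hits}
        elif marker in STANDALONE:
            pos += 2
        else:
            if pos + 4 > len(data):
                break
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length                     # skips embedded thumbnails too
            if marker == 0xDA:                    # SOS: skip entropy-coded scan data
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] != 0x00
                        and not 0xD0 <= data[pos + 1] <= 0xD7):
                    pos += 1
    return {**report, "error": "truncated: no EOI marker found"}


# Constructed sample: SOI, an APP0 segment holding a decoy FF D9, one scan, EOI,
# then a ZIP local-file signature appended after the image.
_app0 = b"\xff\xe0" + struct.pack(">H", 9) + b"JFIF\x00\xff\xd9"
_scan = b"\xff\xda\x00\x03\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
SAMPLE = b"\xff\xd8" + _app0 + _scan + b"\xff\xd9" + b"PK\x03\x04hidden"

if __name__ == "__main__":
    print(inspect_jpeg(SAMPLE))
```

A non-zero `trailing` count is only a lead: some cameras and editors also write data after EOI, so the trailer still has to be carved out and examined.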
btan

There are more tools, but it is quite a wild chase, as it can be encoded in many ways, unless we know the method.
@ Retry stegdetect (may be newer) @ http://linux.downloadatoz.com/stegdetect/
@ data stash @ http://www.skyjuicesoftware.com/software/ds_info.html

You may be interested in the wide list of stego tools - http://www.jjtc.com/Steganography/tools.html
ASKER
mawingpui

Hi Breadtan,

I downloaded and extracted the stegdetect-0.6.tar.gz.gz file in Ubuntu OS.
There are a lot of *.c & *.h files; it seems it is required to compile or build an executable...
Can you tell me how to run it? Thanks!
btan

Did a check with the outpost download site, and it has also listed the latest at the same version as well - Stegdetect 0.6 - 2004-09-06.
ASKER
mawingpui

Hi Breadtan,

I have downloaded "Stegdetect 0.6 - Source Code" from the URL below,
http://www.outguess.org/stegdetect-0.6.tar.gz
This is not a "Windows Binary" version like Stegdetect 0.4. Can you tell me how to use it under Ubuntu?

Many Thanks!
SOLUTION
btan

ASKER
mawingpui

Unfortunately, the result is negative; the image should be encrypted using some high-level tools...

admin@local:~/$ stegdetect -V
Stegdetect Version 0.6
admin@local:~/$ stegdetect xxxxx.jpg 
xxxxx.jpg : negative
admin@local:~/$ 

ASKER CERTIFIED SOLUTION
ASKER
mawingpui

No money to purchase professional software...
Thanks, anyway! :)