Avatar of mawingpui
mawingpuiFlag for Hong Kong asked on

Detecting information-hiding in JPEG images


I got a JPEG photo which contains hidden data, any method to detect and extract the hidden information.
Digital Forensics

Avatar of undefined
Last Comment

8/22/2022 - Mon


The result is
C:\stegdetect>stegdetect xxxxx.jpg
Corrupt JPEG data: premature end of data segment
c:\xxxxx.jpg : negative

Open in new window

p.s. I can open up the image using windows default image viewer...

This site has a list, specifically you can try out the following

@ http://members.cox.net/ebmmd/stego/stego/info.html#Steganalysis

a) Stegdetect which looks for signs of steganography in JPEG files, can be employed. Previous posting has shared. Also in the download pack, there is Stegbreak, a companion tool to Stegdetect, works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.

b) Stegspy which detect commonly used hiding tool such as Hiderman, JPHideandSeek, Masker, JPegX, Invisible Secrets
@ http://www.spy-hunter.com/stegspydownload.htm

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck

Strange...can try other image viewer as well such as
IrfanView @ http://www.irfanview.com/
FastStone ImageViewer http://www.fastsone.org/

Every graphics file type has a "magic number" which indicates the file type (see http://www.astro.keele.ac.uk/~rno/Computing/File_magic.html for more on this.) For JPEGS, that number is FF D8 FF E'X', which represents the first bytes of the header. Note that 'X' = 1 indicates that the image is an exif jpeg, whereas 'X' = 0 indicates jfif format.

You can use TriID to confirm @ http://mark0.net/soft-trid-e.html

If recovery need to be consider, can check out this commercial software: http://www.hketech.com/JPEG-recovery/index.php
The 15 day trial is fully functional, except you can't save the photos.

And there is tool to such as PhotoRec to recover jpeg file (assuming there is deleted copy), it check fr validity as well
@ http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works

There is also JPEGInfo to see what parts of the file contain structural errors. But for information, suggest recovery if all else fail
@ http://www.picturel.com/utils.html

Hi breadtan,

Here is the result from TrID,

C:\check\trid>trid xxxxx.jpg

TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello
Definitions found:  4038

Collecting data from file: xxxxx.jpg
 50.0% (.JPG) JFIF JPEG Bitmap (4003/3)
 37.4% (.JPG) JPEG Bitmap (3000/1)
 12.4% (.MP3) MP3 audio (1000/1)


Open in new window

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

Legit image but something within t indeed. Typically if upload online for AV checks, TriID is used and flag with such figures.
E.g.  http://www.virustotal.com/file-scan/report.html?id=c7715008a3d1ff756c972dcf32835be91319ed26f3fdeca298f052a979bf0f47-1277487294

Since stegdetect fail to do so, can see
@ http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php
@ http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
@ http://www.online-tech-tips.com/free-software-downloads/hide-files-in-jpeg-pictures-the-easy-way/

It would be concat, if the picture is run through a program like WinZIP, WinRAR or 7-Zip, the hidden files may appear.
If it is self hidden, it is not going to be straightforward to extract since it is manual process....

there are more tools but quite a wild chase as it can be encoded in many way and unless we know the method.
@ Retry stegdetect(may be newer) @ http://linux.downloadatoz.com/stegdetect/
@ data stash @ http://www.skyjuicesoftware.com/software/ds_info.html

you may be interested in the wide list for stegno tool - http://www.jjtc.com/Steganography/tools.html

Hi Breadtan,

I download and extract the stegdetect-0.6.tar.gz.gz file in Ubuntu OS.
There are a lot of *.c & *.h file, it seems require to compile or build a executables....
Can you tell me how to run it, thanks!
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy

did a check with outpost download site and it has also listed latest at the same version as well - Stegdetect 0 .6 - 2004 - 09- 06.

Hi Breadtan,

I have downloaded "Stegdetect 0.6 - Source Code" from the URL below,
This is not a "Windows Binary" version as Stegdetect 0.4, can you tell me how to use it under Ubuntu?

Many Thanks!

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

Unfortunately, the result is negative, image should be encrypt using some high level tools...

admin@local:~/$ stegdetect -V
Stegdetect Version 0.6
admin@local:~/$ stegdetect xxxxx.jpg 
xxxxx.jpg : negative

Open in new window

Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.

no money to purchase professional software...
thanks, anyway! :)!