Solved

Detecting information-hiding in JPEG images

Posted on 2010-11-12
Last Modified: 2012-06-27
Hi,

I got a JPEG photo which contains hidden data. Is there any method to detect and extract the hidden information?
Question by:mawingpui
15 Comments
 
LVL 26

Expert Comment

by:akahan
ID: 34126224
0
 

Author Comment

by:mawingpui
ID: 34126253
The result is
C:\stegdetect>stegdetect xxxxx.jpg
Corrupt JPEG data: premature end of data segment
c:\xxxxx.jpg : negative

P.S. I can open up the image using the Windows default image viewer...
0
 
LVL 63

Expert Comment

by:btan
ID: 34126273
This site has a list; specifically, you can try out the following:

@ http://members.cox.net/ebmmd/stego/stego/info.html#Steganalysis

a) Stegdetect, which looks for signs of steganography in JPEG files, can be employed. A previous posting has shared it. Also in the download pack is Stegbreak, a companion tool to Stegdetect, which works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.

b) Stegspy, which detects commonly used hiding tools such as Hiderman, JPHideandSeek, Masker, JPegX, Invisible Secrets
@ http://www.spy-hunter.com/stegspydownload.htm

0
 
LVL 63

Expert Comment

by:btan
ID: 34126325
Strange... You can try other image viewers as well, such as
IrfanView @ http://www.irfanview.com/
FastStone ImageViewer http://www.fastsone.org/

Every graphics file type has a "magic number" which indicates the file type (see http://www.astro.keele.ac.uk/~rno/Computing/File_magic.html for more on this). For JPEGs, that number is FF D8 FF E'X', which represents the first bytes of the header. Note that 'X' = 1 indicates that the image is an Exif JPEG, whereas 'X' = 0 indicates JFIF format.

You can use TrID to confirm @ http://mark0.net/soft-trid-e.html

If recovery needs to be considered, you can check out this commercial software: http://www.hketech.com/JPEG-recovery/index.php
The 15 day trial is fully functional, except you can't save the photos.

And there are tools such as PhotoRec to recover a JPEG file (assuming there is a deleted copy); it checks for validity as well
@ http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works
0
 
LVL 63

Expert Comment

by:btan
ID: 34126328
There is also JPEGInfo to see what parts of the file contain structural errors. But for information, I suggest recovery if all else fails
@ http://www.picturel.com/utils.html
0
 

Author Comment

by:mawingpui
ID: 34126365
Hi breadtan,

Here is the result from TrID,

C:\check\trid>trid xxxxx.jpg

TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello
Definitions found:  4038
Analyzing...

Collecting data from file: xxxxx.jpg
 50.0% (.JPG) JFIF JPEG Bitmap (4003/3)
 37.4% (.JPG) JPEG Bitmap (3000/1)
 12.4% (.MP3) MP3 audio (1000/1)

C:\check\trid>

0
 
LVL 63

Expert Comment

by:btan
ID: 34126444
Legit image, but something is within it indeed. Typically, if uploaded online for AV checks, TrID is used and flags it with such figures.
E.g.  http://www.virustotal.com/file-scan/report.html?id=c7715008a3d1ff756c972dcf32835be91319ed26f3fdeca298f052a979bf0f47-1277487294

Since stegdetect fails to do so, you can see
@ http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php
@ http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
@ http://www.online-tech-tips.com/free-software-downloads/hide-files-in-jpeg-pictures-the-easy-way/

It would be concatenated; if the picture is run through a program like WinZIP, WinRAR or 7-Zip, the hidden files may appear.
If it is self hidden, it is not going to be straightforward to extract since it is a manual process....
0
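The two structural checks raised in this thread (the FF D8 FF E'X' magic number and a file concatenated after the picture) can be scripted. The following is an added example, not code from any poster or from the tools named here: it walks the JPEG segments to the end-of-image marker and reports any bytes stored after it. The sample bytes and the names `find_eoi` and `analyze` are constructed for illustration.

```python
import struct

# Well-known magic values of archive formats that survive being appended to a JPEG.
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}
# Inside scan data, FF 00 is a stuffed byte and FF D0..D7 are restart markers.
IN_SCAN = {0x00} | set(range(0xD0, 0xD8))

def find_eoi(data):
    """Walk the JPEG segments; return the offset just past EOI (FF D9), or None."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker FF D8")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None                      # segment structure is broken
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
        elif marker == 0xD9:                 # EOI: logical end of the image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length
        else:
            if pos + 4 > len(data):
                return None
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length
            if marker == 0xDA:               # SOS: skip entropy-coded data
                while pos + 1 < len(data) and not (
                        data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                    pos += 1
    return None                              # truncated: EOI never reached

def analyze(data):
    """Report header flavour, EOI offset and anything stored after EOI."""
    flavour = {b"\xff\xe0": "JFIF", b"\xff\xe1": "Exif"}.get(data[2:4], "other")
    end = find_eoi(data)
    trailing = b"" if end is None else data[end:]
    found = sorted(n for m, n in ARCHIVE_MAGICS.items() if m in trailing)
    return {"flavour": flavour, "eoi_offset": end,
            "trailing_bytes": len(trailing), "appended": found}

# Constructed sample: structurally valid marker stream, not a decodable picture.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
         + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd0\x56"
         + b"\xff\xd9")
CARRIER = CLEAN + b"PK\x03\x04" + b"constructed payload"   # archive glued on

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("carrier", CARRIER), ("cut", CLEAN[:-2])):
        print(name, analyze(blob))
```

This check sees only data stored after the end-of-image marker; a payload embedded in the image data itself leaves `trailing_bytes` at zero.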
 
LVL 63

Expert Comment

by:btan
ID: 34126461
There are more tools, but it is quite a wild chase as it can be encoded in many ways and unless we know the method.
@ Retry stegdetect (may be newer) @ http://linux.downloadatoz.com/stegdetect/
@ data stash @ http://www.skyjuicesoftware.com/software/ds_info.html

You may be interested in the wide list of stego tools - http://www.jjtc.com/Steganography/tools.html
0
 

Author Comment

by:mawingpui
ID: 34126956
Hi Breadtan,

I downloaded and extracted the stegdetect-0.6.tar.gz.gz file in Ubuntu OS.
There are a lot of *.c & *.h files; it seems it is required to compile or build an executable....
Can you tell me how to run it? Thanks!
0
 
LVL 63

Expert Comment

by:btan
ID: 34127407
Did a check with the outpost download site and it has also listed the latest at the same version as well - Stegdetect 0.6 - 2004-09-06.
0
 

Author Comment

by:mawingpui
ID: 34151642
Hi Breadtan,

I have downloaded "Stegdetect 0.6 - Source Code" from the URL below,
http://www.outguess.org/stegdetect-0.6.tar.gz
This is not a "Windows Binary" version as Stegdetect 0.4, can you tell me how to use it under Ubuntu?

Many Thanks!
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 34152636
Another way is to use a ready-made .DEB file (hardy version preferred since it has the latest version), see
@ http://packages.ubuntu.com/hardy/utils/stegdetect

The .DEB can be installed directly in Ubuntu (not Windows), see http://www.psychocats.net/ubuntu/installingsoftware

You can get the Ubuntu OS @ http://www.ubuntu.com/desktop/get-ubuntu/windows-installer
- for info, dapper is Ubuntu 6.06 LTS while hardy is Ubuntu 8.04 LTS. For upgrades, you can find out more in https://help.ubuntu.com/community/HardyUpgrades#head-e7f287c730b93116f89de7ea7e05efbe95fa6dd1

Others
a) for compiling, you can check out @ https://help.ubuntu.com/community/CompilingEasyHowTo
b) there is also a LiveCD called CAINE that has a suite of forensic tools including Stegdetect, but I am not sure whether it is the latest version though, see http://www.caine-live.net/page5/page5.html. Btw, it has a VMWare version and a .DEB version.
0
 

Author Comment

by:mawingpui
ID: 34155617
Unfortunately, the result is negative; the image should be encrypted using some high level tools...

admin@local:~/$ stegdetect -V
Stegdetect Version 0.6
admin@local:~/$ stegdetect xxxxx.jpg 
xxxxx.jpg : negative
admin@local:~/$ 

0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 34163253
Tough one... I found another advanced tool (but commercial): WetStone Technologies' Gargoyle (formerly StegoDetect) software (WetStone Technologies 2004A) can be used to detect the presence of steganography software.
@ http://www.logon-int.com/Product.asp?sClassId=FORENSIC&sProdClassCode=WET-P-0004

Ref article: http://www.garykessler.net/library/fsc_stego.html
See figure 12

WetStone Technologies' Stego Watch (WetStone Technologies 2004B) analyzes a set of files and provides a probability about which are steganography media and the likely algorithm used for the hiding (which, in turn, provides clues as to the most likely software employed). The analysis uses a variety of user-selectable statistical tests based on the carrier file characteristics that might be altered by the different steganography methods. Knowing the steganography software that is available on the suspect computer will help the analyst select the most likely statistical tests.

Finding steganography in a file suspected to contain it is relatively easy compared to extracting hidden data. Most steganography software uses passwords for secrecy, randomization, and/or encryption. Stegbreak, a companion program to stegdetect, uses a dictionary attack against JSteg-Shell, JPHide, and OutGuess to find the password of the hidden data but, again, this is only applicable to JPEG files (OutGuess 2003). Similarly, Stego Break is a companion program to WetStone's Stego Watch that uses a dictionary attack on suspect files (WetStone Technologies 2004B). Steganography detection schemes do not directly help in the recovery of the password. Finding appropriate clues is where the rest of the investigation and computer forensics comes into play.

0
 

Author Closing Comment

by:mawingpui
ID: 34264638
no money to purchase professional software...
thanks, anyway! :)!
0
