Solved

Detecting information-hiding in JPEG images

Posted on 2010-11-12
Last Modified: 2012-06-27
Hi,

I got a JPEG photo which contains hidden data. Is there any method to detect and extract the hidden information?
Question by:mawingpui
 
LVL 26

Expert Comment

by:akahan
ID: 34126224
 

Author Comment

by:mawingpui
ID: 34126253
The result is
C:\stegdetect>stegdetect xxxxx.jpg
Corrupt JPEG data: premature end of data segment
c:\xxxxx.jpg : negative


p.s. I can open up the image using windows default image viewer...
 
LVL 61

Expert Comment

by:btan
ID: 34126273
This site has a list; specifically, you can try out the following

@ http://members.cox.net/ebmmd/stego/stego/info.html#Steganalysis

a) Stegdetect, which looks for signs of steganography in JPEG files, can be employed. A previous posting has shared it. Also in the download pack there is Stegbreak, a companion tool to Stegdetect, which works to decrypt possible messages encoded in a suspected steganographic file, should that be the path you wish to take once the stego has been detected.

b) Stegspy, which detects commonly used hiding tools such as Hiderman, JPHideandSeek, Masker, JPegX, Invisible Secrets
@ http://www.spy-hunter.com/stegspydownload.htm

 
LVL 61

Expert Comment

by:btan
ID: 34126325
Strange... you can try other image viewers as well, such as
IrfanView @ http://www.irfanview.com/
FastStone ImageViewer http://www.fastsone.org/

Every graphics file type has a "magic number" which indicates the file type (see http://www.astro.keele.ac.uk/~rno/Computing/File_magic.html for more on this.) For JPEGs, that number is FF D8 FF E'X', which represents the first bytes of the header. Note that 'X' = 1 indicates that the image is an Exif JPEG, whereas 'X' = 0 indicates JFIF format.

You can use TrID to confirm @ http://mark0.net/soft-trid-e.html

If recovery needs to be considered, you can check out this commercial software: http://www.hketech.com/JPEG-recovery/index.php
The 15 day trial is fully functional, except you can't save the photos.

And there are tools such as PhotoRec to recover JPEG files (assuming there is a deleted copy); it checks for validity as well
@ http://www.cgsecurity.org/wiki/PhotoRec#How_PhotoRec_works
 
LVL 61

Expert Comment

by:btan
ID: 34126328
There is also JPEGInfo to see what parts of the file contain structural errors. But for information, I suggest recovery if all else fails
@ http://www.picturel.com/utils.html
 

Author Comment

by:mawingpui
ID: 34126365
Hi breadtan,

Here is the result from TrID,

C:\check\trid>trid xxxxx.jpg

TrID/32 - File Identifier v2.02 - (C) 2003-06 By M.Pontello
Definitions found:  4038
Analyzing...

Collecting data from file: xxxxx.jpg
 50.0% (.JPG) JFIF JPEG Bitmap (4003/3)
 37.4% (.JPG) JPEG Bitmap (3000/1)
 12.4% (.MP3) MP3 audio (1000/1)

C:\check\trid>

 
LVL 61

Expert Comment

by:btan
ID: 34126444
Legit image, but there is something within it indeed. Typically, if uploaded online for AV checks, TrID is used and flags with such figures.
E.g.  http://www.virustotal.com/file-scan/report.html?id=c7715008a3d1ff756c972dcf32835be91319ed26f3fdeca298f052a979bf0f47-1277487294

Since stegdetect fails to do so, you can see
@ http://lifehacker.com/software/privacy/geek-to-live--hide-data-in-files-with-easy-steganography-tools-230915.php
@ http://www.online-tech-tips.com/computer-tips/hide-file-in-picture/
@ http://www.online-tech-tips.com/free-software-downloads/hide-files-in-jpeg-pictures-the-easy-way/

It would be concat; if the picture is run through a program like WinZIP, WinRAR or 7-Zip, the hidden files may appear.
If it is self hidden, it is not going to be straightforward to extract since it is a manual process....
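
Added example, not part of any post in this thread: a Python check that combines the magic-number test (FF D8 FF E'X') with the "concat" case mentioned above, by walking the JPEG marker segments to the EOI marker and reporting any bytes that follow it. The function names, the signature table and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Signatures of archive formats that may be appended after the JPEG image data.
ARCHIVE_MAGIC = {b"PK\x03\x04": "ZIP", b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7-Zip"}
NO_LENGTH = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-RST7 carry no length field
IN_SCAN = {0x00, *range(0xD0, 0xD8)}     # FF00 stuffing and RSTn occur inside scan data

def find_eoi(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the EOI marker."""
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:               # fill byte before a marker
            pos += 1
        elif marker == 0xD9:             # EOI: the image ends here
            return pos + 2
        elif marker in NO_LENGTH:
            pos += 2
        else:
            if pos + 4 > n:
                break
            (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + length            # segments (incl. Exif thumbnails) are skipped whole
            if marker == 0xDA:           # SOS: skip entropy-coded data to the next real marker
                while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] not in IN_SCAN):
                    pos += 1
    raise ValueError("truncated JPEG: no EOI marker found")

def inspect_jpeg(data: bytes) -> dict:
    """Report header type, EOI offset and anything stored after the image."""
    if data[:3] != b"\xff\xd8\xff":
        raise ValueError("not a JPEG: FF D8 FF magic missing")
    end = find_eoi(data)
    trailing = data[end:]
    appended = next((name for sig, name in ARCHIVE_MAGIC.items() if trailing.startswith(sig)), None)
    return {"header": {0xE0: "JFIF", 0xE1: "Exif"}.get(data[3], "other"),
            "eoi_offset": end, "trailing_bytes": len(trailing), "appended_type": appended}

# Constructed sample: structurally valid segments (not a decodable picture) plus a fake ZIP tail.
SAMPLE = (b"\xff\xd8"
          b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
          b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
          b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9"
          b"PK\x03\x04constructed payload")

if __name__ == "__main__":
    print(inspect_jpeg(SAMPLE))
```

A non-zero `trailing_bytes` only shows that something follows the image; data embedded in the DCT coefficients, which is what stegdetect tests for, leaves no trailing bytes and is not covered by this check.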
LVL 61

Expert Comment

by:btan
ID: 34126461
There are more tools, but it is quite a wild chase, as it can be encoded in many ways, unless we know the method.
@ Retry stegdetect (may be newer) @ http://linux.downloadatoz.com/stegdetect/
@ data stash @ http://www.skyjuicesoftware.com/software/ds_info.html

You may be interested in the wide list of stego tools - http://www.jjtc.com/Steganography/tools.html
 

Author Comment

by:mawingpui
ID: 34126956
Hi Breadtan,

I downloaded and extracted the stegdetect-0.6.tar.gz.gz file in Ubuntu OS.
There are a lot of *.c & *.h files; it seems it is required to compile or build an executable....
Can you tell me how to run it, thanks!
 
LVL 61

Expert Comment

by:btan
ID: 34127407
Did a check with the outpost download site and it has also listed the latest at the same version as well - Stegdetect 0.6 - 2004-09-06.
 

Author Comment

by:mawingpui
ID: 34151642
Hi Breadtan,

I have downloaded "Stegdetect 0.6 - Source Code" from the URL below,
http://www.outguess.org/stegdetect-0.6.tar.gz
This is not a "Windows Binary" version as Stegdetect 0.4, can you tell me how to use it under Ubuntu?

Many Thanks!
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 34152636
Another way is to use a ready-made .DEB file (hardy version preferred since it has the latest version), see
@ http://packages.ubuntu.com/hardy/utils/stegdetect

The .DEB can be installed directly in Ubuntu (not Windows), see http://www.psychocats.net/ubuntu/installingsoftware

You can get the Ubuntu OS @ http://www.ubuntu.com/desktop/get-ubuntu/windows-installer
- for info, dapper is Ubuntu 6.06 LTS while hardy is Ubuntu 8.04 LTS. For upgrades, you can find out more in https://help.ubuntu.com/community/HardyUpgrades#head-e7f287c730b93116f89de7ea7e05efbe95fa6dd1

Others
a) for compiling, you can check out @ https://help.ubuntu.com/community/CompilingEasyHowTo
b) there is also a LiveCD called CAINE that has a suite of forensic tools including Stegdetect, but I am not sure whether it is the latest version though, see http://www.caine-live.net/page5/page5.html. Btw, it has a VMWare version and a .DEB version.
 

Author Comment

by:mawingpui
ID: 34155617
Unfortunately, the result is negative; the image should be encrypted using some high-level tools...

admin@local:~/$ stegdetect -V
Stegdetect Version 0.6
admin@local:~/$ stegdetect xxxxx.jpg 
xxxxx.jpg : negative
admin@local:~/$ 

 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 34163253
Tough one... I found another advanced tool (but commercial): WetStone Technologies' Gargoyle (formerly StegoDetect) software (WetStone Technologies 2004A) can be used to detect the presence of steganography software.
@ http://www.logon-int.com/Product.asp?sClassId=FORENSIC&sProdClassCode=WET-P-0004

Ref article: http://www.garykessler.net/library/fsc_stego.html
See figure 12

WetStone Technologies' Stego Watch (WetStone Technologies 2004B) analyzes a set of files and provides a probability about which are steganography media and the likely algorithm used for the hiding (which, in turn, provides clues as to the most likely software employed). The analysis uses a variety of user-selectable statistical tests based on the carrier file characteristics that might be altered by the different steganography methods. Knowing the steganography software that is available on the suspect computer will help the analyst select the most likely statistical tests.

Finding steganography in a file suspected to contain it is relatively easy compared to extracting hidden data. Most steganography software uses passwords for secrecy, randomization, and/or encryption. Stegbreak, a companion program to stegdetect, uses a dictionary attack against JSteg-Shell, JPHide, and OutGuess to find the password of the hidden data but, again, this is only applicable to JPEG files (OutGuess 2003). Similarly, Stego Break is a companion program to WetStone's Stego Watch that uses a dictionary attack on suspect files (WetStone Technologies 2004B). Steganography detection schemes do not directly help in the recovery of the password. Finding appropriate clues is where the rest of the investigation and computer forensics comes into play.

 

Author Closing Comment

by:mawingpui
ID: 34264638
no money to purchase professional software...
thanks, anyway! :)!