Finding computer files hidden in plain sight

[C1ay]

In the news....

 

Research Shows Image-Based Threat on the Rise

New Purdue University research shows steganography, long considered a minor threat, may be on the rise

 

Until recently, steganography, the stealth technique of hiding text or images within image files, has mostly been considered too complex -- and conspicuous -- to be much of a threat. But some forensics experts now worry that the bad guys are starting to use the tactic more frequently, especially in child pornography and identity theft trafficking.

 

There are an estimated 800 or so steganography tools available online, many of them free and with user-friendly graphical user interfaces and point-and-click features. This broad availability making steganography more accessible and easier to use for hiding and moving stolen or illicit payloads, experts say.

 

Security experts to date have mostly dismissed steganography as a mainstream threat, relegating it to the domain of spooks and the feds. Their skepticism has been well-founded: The few studies that have searched for images hiding steganographic messages have come up empty-handed.

 

But now, preliminary data from a new steganography study underway at Purdue University indicates that some criminals indeed may be using steganography tools, mainly in child pornography and financial fraud cases.

 

More....

[freeztar]

I'd like to play with steganography, but I haven't had much luck finding a good program for XP. The best I've found is S-Tools, but I haven't had any luck decrypting an image that I know for certain has a steganographic message. Does anyone have a suggestion for which program is the most versatile, and free?

[C1ay]

Bump...

[Tolouse]

a nice interesting topic

i haven't heard of this possibility

how would the authorities know which ones hold the code?

 

i'm sure pretty soon, they would find out an easy way though

[C1ay]

Interesting. This thread is more than 4 years old, has seen moves from host to host, server to server across several OSes along the way and even a conversion of the forum software and the integrity of the files in this thread is just as it was when they were posted ;)

[Moontanman]

The Mona Lisa on the right has an image of her naked hidden in it.... :rolleyes:

 

 

 

 

 

 

 

 

Oh look, pwnies

[joekgamer]

Wait.. Don't they need the original image to check? It could be a normal photo taken with a bad camera...

[C1ay]

Wait.. Don't they need the original image to check? It could be a normal photo taken with a bad camera...

 

Not necessarily. Certain statistical analyses can reveal that a secret message is likely contained in a file even if it can't be extracted. Search for steganalysis techniques...

[CraigD]

Wait.. Don't they need the original image to check? It could be a normal photo taken with a bad camera...

As C1ay noted, no.

 

Also as he notes, an unencrypted (or poorly encrypted) steganographic message can be detected using fairly simple statistical analysis - ie: checking various permutation of the suspected message's bits to see if they form a message with a character distribution typical of written language.

 

A very simple way to steganographically embed a message in an image is simply using the least significant bits of each consecutive pixel's color values as consecutive bits of the message. Unless the image is of something sharp-edged and/or monochrome or low color resolution, the message bits will appear to be just ordinary, insignificant (that is, "least significant" ;)), natural color variation.

 

It's important to understand the difference between steganography, and cryptography. A stegaographic message is assumed to be readable by anyone who knows it's there, but not appear to an unsuspecting viewer to be a secret message (eg: look like a picture). A cryptographic message is assumed to be difficult or impossible for anyone who doesn't share a secret with its creator to read, but be obvious to even an unsuspecting viewer that it might be a secret message (eg: not look like data good for anything else).

 

Crypto and Stego can be used together, to make a file that doesn't appear to be a secret message, but even if the viewer knows it is, the easily readable message is cryptographic (ciphertext), so its plaintext cannot be easily read.

 

Stego doesn't need to be of binary data - for example, some of the oldest stegos are simple skip codes, where one takes, say, each 20th letter character from a written message to create another, secret written message.

[joekgamer]

Thanks for clearing that up.

 

But what about regular images? Could they 'trip' the steganographic 'detector', making the user think that there is a message in it, even when there isn't? And how likely is it that a normal, un-tampered-with image to have a message (probably not very likely, but there has to be some chance)?

[C1ay]

Thanks for clearing that up.

 

But what about regular images? Could they 'trip' the steganographic 'detector', making the user think that there is a message in it, even when there isn't? And how likely is it that a normal, un-tampered-with image to have a message (probably not very likely, but there has to be some chance)?

 

In an indirect way that can be used to provide another level of stealth. You could hide a message in one image and then put that image in a gallery of other images which have all had noise added to them so that all of the images in the gallery exhibit the same statistical noise under analysis. In this way all of the images in the gallery would trigger the usual detection techniques.

 

Another method to utilize is to take a small 2 color picture of the message to hide and then hide the image of the message in another image which is much larger with many colors. Distributing image of only a few bytes within an image of a megabyte or more would result in a low statistical noise value and likely pass by most detection methods.

[CraigD]

But what about regular images? Could they 'trip' the steganographic 'detector', making the user think that there is a message in it, even when there isn't? And how likely is it that a normal, un-tampered-with image to have a message (probably not very likely, but there has to be some chance)?

An image written directly from, for example, a camera, is vastly unlikely to have a significant message in it, but, as you note, the probability of that happening isn't zero. We're talking about the million monkey effect here: if you just keep snapping digital photos, eventually one of them will have, stegoed in some simple way like I described, a message like "Help! I'm a prisoner in a reality factory! To prove it, here's an elementary proof of F's LT: ..." The likelyhood, though, is something like 128^-n, where n is the number of characters in the message - which gives an expected value for when "Help! I'm a prisoner in a reality factory!" or, lets say any of 1000000 similar pithy messages, at some ridiculously astronomical value like 10⁸¹ years (I can't resist calling this a tenth of an attogoogol years :)), if everybody on earth takes a 10Mp RGBA picture every second.

 

In an indirect way that can be used to provide another level of stealth. You could hide a message in one image and then put that image in a gallery of other images which have all had noise added to them so that all of the images in the gallery exhibit the same statistical noise under analysis.

You could, but this doesn't seem much worth the bother. Hiding a stegoed image in a larger image increases only to the effort (runtime) of finding it if you know to look in the large image. Almost any even vaguely strong crypto of the message will render it undetectable by any nearly any statistical approach.

 

It helps me to keep in mind a few high-level ideas:

• In any secret message scenario, there are 2 distinct data to consider: If a secret message is actually being sent, and what that message's plaintext is. In many practical scenarios, keeping the fact that you've sent, or would ever have reason to send, a secret message, is more important than the text of a particular message - you can be thrown in the king's dungeon for mere suspicion of being a spy, even if precisely what info you're stealing remains a mystery.
  
• Stego is an unacceptably weak substitute for crypto. If an eavesdropper knows you're sending a secret message, the only thing to prevent vim reading it is an unguessable secret shared by sender and receiver (a cryptographic key), and a strong cryptographic algorithm.
  
• There is such a thing as perfect (that is, unbreakable without its key) cryptographic algorithm: a one-time pad.
  

[Lancewen]

Which of these images contains the U.S. Declaration Of Independence :confused:

 

On quick glance I'll guess the larger file on the right. That was a very nice and detailed post and easy enough for most people to understand. But hiding text is a long way from embedding a virus or worm and then activating it on the target site or computer. If you can tell me how a .jpg file could infect my computer I'd be very impressed, and maybe very worried because I've been collecting .jpg files of all kinds for years. I probably have over a 100,000 of them. I find the majority of viruses I've downloaded in the past have been in compressed files like ZIP's or RAR files and they can't be activated unless the compressed files are uncompressed and the right EXE or COM files are executed. My computer came with the latest Norton virus checker and it's very good at finding viruses while they are still in the compressed file and removing it out of the compressed file.

 

Do you know if the forensics investigators are sharing their information with the major security software companies?

[belovelife]

i know with the nano-fabrication teqnique that i desighned, you could write messages only able to be read with an electron microscope

[C1ay]

On quick glance I'll guess the larger file on the right.

Maybe. Do note that I didn't say anything about the other image. One does contain the Declaration of Independence, both may contain additional data.

 

 

That was a very nice and detailed post and easy enough for most people to understand. But hiding text is a long way from embedding a virus or worm and then activating it on the target site or computer. If you can tell me how a .jpg file could infect my computer I'd be very impressed, and maybe very worried because I've been collecting .jpg files of all kinds for years. I probably have over a 100,000 of them. I find the majority of viruses I've downloaded in the past have been in compressed files like ZIP's or RAR files and they can't be activated unless the compressed files are uncompressed and the right EXE or COM files are executed. My computer came with the latest Norton virus checker and it's very good at finding viruses while they are still in the compressed file and removing it out of the compressed file.

 

IMO jpegs could not be used to host viruses in an executable form since jpegs themselves are not executable. Self extracting ZIP files can carry viruses that can be executed by simply extracting the contents.

 

Do you know if the forensics investigators are sharing their information with the major security software companies?

It would be my guess, and it is just a guess, that forensics investigators hold their cards close without showing them unless there is a compelling reason to do so. I personally am aware of a number of security problems I have detected in various software that I share with no one.

[Lancewen]

 

C1ay

May I ask you which security software you like the best? Over the years I've used about a dozen different programs and found they all have their mix of positive and negative attributes. For my purposes now Norton 360 works just fine, but there was a time about 20 years ago that someone created a virus that had a way of disabling Norton but let it keep running with the appearance that it was working as expected. The only way to fix it was to completely uninstall it (which was a real *****), because the regular system uninstall left to many Norton files still on the system and until you got them all it wouldn't let you reinstall the program. Anyway after that happened about 3 times I **** canned Norton and started exploring many other combinations of security software.

 

 

 

 

 

 

[C1ay]

C1ay

May I ask you which security software you like the best? Over the years I've used about a dozen different programs and found they all have their mix of positive and negative attributes. For my purposes now Norton 360 works just fine, but there was a time about 20 years ago that someone created a virus that had a way of disabling Norton but let it keep running with the appearance that it was working as expected. The only way to fix it was to completely uninstall it (which was a real *****), because the regular system uninstall left to many Norton files still on the system and until you got them all it wouldn't let you reinstall the program. Anyway after that happened about 3 times I **** canned Norton and started exploring many other combinations of security software.

I don't like or use any of them. They are all resource hogs that impede my machine's performance. I've never gotten a virus I didn't click on and I've learned what not to click. I can't say that's a best approach for the average user but it's the only solution for me.