Image Steg Guide

It's "steganography" not "stenography"


Image Comparison Doc:

---> https://docs.google.com/spreadsheets/d/1R1Lx46fIdX9LeZatuh0L6e-lLuNp4k1dqM4PBmMXQ7E/edit?usp=sharing <---

Intro:

This is a quick intro 'guide' designed for people who are entirely new to steganography and just want a quick "I need to solve this image" solution, while explaining the absolute basics. It's mainly focused on catching the most common types of steg and is not an exhaustive guide.

In the most general sense, steganography is the practice of hiding messages in something else. It's not restricted to one medium: common examples include images, audio, and text, and it can be done in both physical and digital formats. This will be a summary for detecting and extracting digital payloads in the context of ARGs and puzzles in general. Throughout, I'll use "cover image" to refer to the image hiding the data and "payload" for the data itself.

The first thing to note is that different tools (often even different versions of the same program) are incompatible with each other because they use different encoding methods. Being able to extract data with a different tool than it was encoded with is the exception rather than the rule.

The most common method is least significant bit (LSB) steganography, which can be applied across a wide range of formats. The idea is to change the last bit (either 0 or 1) of the samples making up the cover item to encode the message.

An example of this would be an image where each pixel is made of 3 bytes, one for each RGB colour value, each ranging from 0-255. Changing the lowest bit would only change a sample's value by 1, which wouldn't be perceptible. This obviously wouldn't work for certain data like text, where a ±1 difference would change the letter entirely, but the majority of formats will be somewhere in between: depending on how large or aggressively hidden the payload is, subtle artifacting can be introduced.
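As an added example (not from this guide), here is LSB embedding and extraction over a constructed run of 8-bit RGB samples, plus the original-versus-suspect comparison that the detecting section below relies on. The 0x00 terminator, MSB-first bit order and sequential placement are assumptions of this toy scheme; real tools each frame the payload differently, which is exactly why they are mutually incompatible.

```python
def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits, most significant first, into bit 0 of successive samples.
    A 0x00 terminator is appended so the reader knows where to stop (so the
    payload itself is assumed to contain no NUL byte)."""
    bits = [(b >> (7 - i)) & 1 for b in payload + b"\x00" for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit in cover")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit     # each sample moves by at most 1
    return bytes(out)

def lsb_extract(stego: bytes) -> bytes:
    """Rebuild bytes from bit 0 of each sample until the 0x00 terminator.
    Run on an innocent image this still returns bytes: a built-in false positive."""
    result = bytearray()
    for i in range(0, len(stego) - 7, 8):
        value = 0
        for sample in stego[i:i + 8]:
            value = (value << 1) | (sample & 1)
        if value == 0:
            break
        result.append(value)
    return bytes(result)

def compare_samples(original: bytes, suspect: bytes) -> dict:
    """Original-versus-suspect comparison: how many samples differ, by how much
    at most, and where the first and last change sit. Sequential LSB embedding
    shows up as +-1 changes packed at the start of the sample stream."""
    pairs = list(zip(original, suspect))
    changed = [i for i, (a, b) in enumerate(pairs) if a != b]
    return {
        "changed": len(changed),
        "max_delta": max((abs(a - b) for a, b in pairs), default=0),
        "first": changed[0] if changed else None,
        "last": changed[-1] if changed else None,
    }

# Constructed cover: a 4x4 RGB image (48 samples) of one near-flat colour.
COVER = bytes([200, 201, 199] * 16)
STEGO = lsb_embed(COVER, b"hi")
```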

But the sky's the limit, and depending on the cover file format more specific and in-depth methods can also be used. For example, PNG images apply reversible pre-filtering to each scanline before compression to reduce file size. However, we can encode arbitrary data in these filter bytes so long as we apply the opposite effect to the pixel data, resulting in a visibly identical image carrying our payload. Likewise, .zip files can lie about file locations or encryption status, and NTFS filesystems can store alternate data streams, to name a few. These types of embeds can be harder to detect but by and large are relegated to CTFs, while ARGs will stick to more common methods.
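An added example (not from the guide) of pulling the per-scanline filter bytes out of a PNG so their distribution can be checked: a normal encoder tends to pick one filter for similar rows, so a data-like mix of all five on a simple image is a fingerprint worth a closer look. The minimal PNG builder and the filter pattern are constructed here for illustration, and the scanline contents are placeholders rather than correctly pre-filtered pixels.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}   # colour type -> samples per pixel

def _chunk(tag: bytes, body: bytes) -> bytes:
    """One PNG chunk: length, tag, body, CRC over tag+body."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)

def make_png(width: int, height: int, rows: list, filters: list) -> bytes:
    """Constructed 8-bit RGB, non-interlaced PNG from already-filtered scanlines."""
    raw = b"".join(bytes([f]) + r for f, r in zip(filters, rows))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def png_filter_bytes(data: bytes) -> list:
    """Return the filter-type byte that starts every scanline of a PNG."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, idat, hdr = 8, b"", None
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            hdr = struct.unpack(">IIBBBBB", body)
        elif tag == b"IDAT":
            idat += body              # IDAT may be split; inflate the concatenation
        elif tag == b"IEND":
            break
        pos += 12 + length            # 4 length + 4 tag + body + 4 CRC
    width, height, depth, ctype, _, _, interlace = hdr
    if interlace:
        raise ValueError("interlaced PNGs are not handled here")
    stride = (width * CHANNELS[ctype] * depth + 7) // 8 + 1   # +1 for the filter byte
    raw = zlib.decompress(idat)
    return [raw[row * stride] for row in range(height)]

def filter_histogram(data: bytes) -> dict:
    """Count filter types 0-4 across all scanlines."""
    counts = {k: 0 for k in range(5)}
    for f in png_filter_bytes(data):
        counts[f] += 1
    return counts

# Constructed 2x8 image: scanline bytes are placeholders; the filter bytes carry the payload.
ROWS = [bytes([128] * 6)] * 8
FILTERS = [0, 1, 2, 3, 4, 4, 3, 2]
SAMPLE = make_png(2, 8, ROWS, FILTERS)
```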


Detecting and solving:

Detecting and extracting payloads can be tricky, as it's the exact thing steganography is designed to prevent. Usually your best bet is finding an original copy of the cover item without the payload and looking at the differences. This can be a byte-by-byte comparison, differences between pixels in an image (e.g. with Paint.NET), or even just looking at the file size. However, this isn't always possible, and we can instead resort to any kind of fingerprints left behind. These may be as simple as a tool always adding certain metadata, encoding to an 8-bit palette, or using a certain JPG quality.

The document linked above is a summary of these visual fingerprints for images. Keep in mind that simple images with large flat areas will be much easier to spot payloads in than noisy photographs. Finally, note that many steg programs offer password-based encryption, making extraction tricky even when you know the correct program. These are handled on a case-by-case basis: some programs such as steghide have vulnerabilities allowing the password to be bypassed (stegseek), others have companion programs allowing wordlists to be attempted, and yet others have no companion cracking app at all, where the best option will likely be a bash script going through wordlists (about 5-40 pwd/s).


Common pitfalls:

Note that with the majority of methods, payloads can be very susceptible to re-uploading/transcoding, particularly to lossy formats such as JPG, so care must be taken when uploading to sites such as Reddit or Imgur. When checking a suspected image for steg, make sure to grab the original file, or the highest-resolution lossless copy if multiple transcodes exist. Copying and pasting images can sometimes ignore colour space/gamma corrections, so download images directly instead. False positives are also quite common; Outguess and zsteg in particular produce them quite often, so don't trust the first thing to pop up.


TL;DR:

A rough flow would look like:

  1. Download highest quality lossless version of suspected image
  2. Check with Aperi'Solve for zsteg + exiftool results. This will cover simple LSB, appended data and metadata
  3. Check with stegsolve, or the difference between the original image and the payload image, for any fingerprints and match them up to the doc for any known programs
  4. Try zsteg -a -v and any software such as stegseek which might confirm the presence of a specific payload
  5. Start looking for specific file format steg
  6. Pray?


Further reading + resources: