Sunday, January 20, 2013

Backtrack Forensics: Steganoghraphy

Menu: Forensics -> Forensic Analysis Tools
Directory: /usr/local/bin/

stegdecect is a tool to detect steganography in image files, it supports different methods, which used to hide content. Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.

Before we start to use the tools we need an image, which has some hidden content. Let's review a few hiding apps before using stegdetect. As I didn't found any preinstalled in BT, so I installed steghide for first, which can hide content in jpeg, bmp, wav, au files.

Using steghide:

apt-get install steghide - installation
steghide --info IMG_4422.JPG - get info from the image (how much data can be hidden)
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -Z - hide mysecret.txt with password "mypass", and create a new file, where the file is hidden, and don't compress data
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass - same as the previous but w/ compression
steghide --extract -xf mysecret2.txt -sf steg2.jpg -p mypass - extract the file

The bad news is that stegdetect won't detect steghide algorithm. Despite the fact, I tried it to ses what happens.

Using stegdetect:

stegdetect -t [list of tests] steg.jpg - where tests can be (by default jopifa enabled):
  • j - Tests if information has been embedded with jsteg.
  • o - Tests if information has been embedded with outguess.
  • p - Tests if information has been embedded with jphide.
  • i - Tests if information has been hidden with invisible secrets.
  • f - Tests if information has been hidden with F5.
  • F - Tests if information has been hidden with F5 using a more sophisticated but fairly slow detection algorithm.
  • a - Tests if information has been added at the end of file, for example by camouflage or appendX.
stegdetect -s[number] steg.jpg - setting sensitivity

Actually setgdetect found jphide for the original and the created image as well, so it's clearly false positive.

I tried to see what stegbreak can do, and created a list of password where I put only one line, the correct password.

stegbreak -f passlist.txt steg.jpg

I got the following error: "stegbreak: fopen: /usr/local/share/stegbreak/rules.ini: No such file or directory"

I downloaded the source and placed the ini file in the said location, but you can also download it from here.

After that I got a "Segmentation fault" error. I couldn't find a working solution for this problem, however it's a known bug.

Second I tried outguess, which can hide info in jpeg files.

apt-get install outguess
outguess -k "mypass" -d index.html IMG_4422.JPG out2.jpg - hides index.html in IMG_4422.JPG

Unfortunately stegdetect doesn't detect the hidden file (probably because I used outguess v2), even if increasing the sensitivity, as you can see:

My last try was with jphide, I used the windows version, as had no luck with installing the one for Linux. It can be downloaded from here.

As you can see stegdetect can detect it, when increasing sensitivity, but as it claims the same thing for the original image, so...

stegcompare can compare the original and the image which stores information, but I couldn't figure out what the output means.

stegdeimage - not sure about what it should do, also gives the following error:
"/home/stego_analysis/compress/dscf0033.jpg : error: No such file or directory"

looking at the source code:

   73 if (jpg_open("/home/stego_analysis/compress/dscf0033.jpg") == -1)
   74 return;
it is clear that it will never run, unless you have such an image.

Overall I'm not really convinced by the stegdetect toolset, it's buggy, and doesn't really find steganography correctly.

Official website for steghide:
Official website for stegdetect and outguess:
Official website for jphide:

1 comment:

leonardo vilchis said...

im doing a test for a exam in security, is there a way to extract the file without the passphrase or to crack it?