Hiding in Plain Sight: Steganography Tricks and Tips


What do dinosaurs have in common with cryptography? Well Greek, apparently, and a lot of time. 150 million years ago, there roamed a dinosaur covered with bony plates. The paleontologists used the Greek word steganós and sauros to mean “covered lizard”. In much more recent times, lets say about 500 years ago, steganós and graphia were combined to mean “covered writing”.

If this sounds a little like cryptography, you are on the right track. There is a security principle you will probably hear a lot about, “security through obscurity”. This means trying to hide what you are doing in plain sight. In a modern sense, steganography is used by cyber criminals to smuggle data out of or into a network passing as regular files.

There are a few methods of steganography I want to talk about. The first, is hiding data in an image file, within the image itself. In most pictures there are more pixels than can be displayed on the screen. By overwriting these pixels with data, and scattering that data throughout the file in a reversible way, you can effectively hide data without increasing the file size or altering the image significantly. It is like spray painting the side of a dinosaur, who is going to notice?

To reverse this, you have to know what program they used to scatter the bits, or what algorithm was used. One of the most common is called OpenStego. Some other ones you might run into include OutGuess, StegHide, and Digital Ink Invisible Toolkit (DIIT). There are a few tools that can help to detect steganography in a file, such as StegDetect. Sometimes the data file is just XOR’d with another file.

Steg does not just live in pictures. More exotic schemes use audio files, video files, PDF files, and even file systems. The thing I don’t like about this type of steganography is that they all require tools! Some people like to dig through their tools to find the right one. To me, it is time consuming and your success is dependent on what you have in the tool bag. However, there are ways of hiding data in pictures and files that do not require any tools at all.

The most common of these is the picture-in-a-picture. Kind of like hiding a dinosaur behind a larger dinosaur. Basically, you combine two files into one. As a program reads the file, it looks for key patterns that tell it what the data in the file is. These “magic bytes” have a start and end sequence. For example, FF D9 is the end of file marker for a .jpeg file. When the file is opened, it starts reading at the magic byte that says to start and stops at the magic bit that marks the end. All the rest of the file is ignored, even if there is a start bit that marks the beginning of another file.

This can be done with all kinds of file types, including .zip, .png, and .jpg. Sometimes, simply by changing the filename, you can find the other file. Sometimes, however, you need to separate the files to read them. That is where my favorite tool, binwalk, comes into play. I don’t like to, but I can also use dd to separate files out. It is a little more tricky as you need to know the exact byte count to begin cutting at. Knowing your magic bytes helps immensely!

The last type is very interesting, and difficult to detect. It involves hiding data in the channels of file. For example, it could be in the exif metadata. It could be a string hidden in the file (hint: use the strings tool). It could be hidden in the transparency alpha channel, or it could be in the white and dark space, only discoverable by adjusting the gamma levels, brightness, and contrast. I have even found the edges of a photo containing binary information.

For some practice, I recommend you check out some online competitions, like #AE27FF, and my favorite, Hacky Easter.

Thank you for reading! Now that you have the know-how, go unearth some secrets!

“Mako” McGill

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.