75

I recently came across an odd JPEG file: Resolution 400x600 and a filesize of 2.9 MB. I got suspicious and suspected that there is some additional information hidden. I tried some straightforward things: open the file with some archive tools; tried to read its content with an editor, but I couldn't locate anything interesting.

Now my questions: What else can I do? Are there any tools available that analyze images for hidden data? Perhaps a tool that scans for known file headers?

Chris
    I agree that is strange, but keep in mind it might have been encoded with very lax JPEG settings. – Konrad Feb 14 '11 at 15:59
    Not an answer to the asked question, but to the actual situation you had: It might not be hidden data, but hidden binary code, e.g. [GIFAR](http://riosec.com/how-to-create-a-gifar). See also [http://security.stackexchange.com/q/600/33](http://security.stackexchange.com/q/600/33). – AviD Feb 14 '11 at 19:15
    @Konrad, I doubt it. Even at three bits per pixel (24-bit color), a basic bitmap would be only approx 720,000 bytes. (400*600*3). I'd bet a trip to the Chinese buffet that there's something there not related to the obvious image. @Chris: Please post your findings, or even the file if you'll part with it. – pboin Feb 15 '11 at 20:57

5 Answers

53

To detect Steganography it really comes down to statistical analysis (not a subject I know very well).
But here are a few pages that may help you out.

Mark Davidson
15

I'll second the recommendation for Stegdetect: here's another good source for information http://www.outguess.org/detection.php as well as downloads for stegbreak and XSteg

You can go right to the source for the research on this if you're interested; Niels Provos's page is here http://www.citi.umich.edu/u/provos/stego/

iivel
12

There's some great general references in the other answers here, so I'll just give some input specific to your situation:

When hiding data in pictures without changing the file size, you put it in the low-order bits; this can be detected by opening in an editor with a histogram and looking for jagged edges. But this sounds like a concatenation of a file to the image; *chan denizens often use this technique for distributing illicit files. Looking for file signatures after the first one--say, using 'grep -a' with a list of known filetype magic numbers--should reveal this technique. The combination of encryption and steganography is beyond the scope of this comment :D

user502
  • Encryption and steganography are not really required to hide from this kind of search. One could compress all stuff into a `*.tar.gz` archive for example, then remove its header (the part which doesn't contain any information which is really needed to decompress it back). – Display Name Oct 06 '15 at 12:22
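The appended-file check described in this answer, as an added worked example (not code from the answerer or from any tool named on this page). Instead of grepping the whole file, it walks the JPEG marker structure to find where the image actually ends (the EOI marker, FF D9), reports how many bytes trail it, and then scans only that tail for a short, illustrative table of magic numbers. The sample input is constructed here: a skeletal JPEG with a valid marker layout (not a decodable picture) followed by a small ZIP archive, standing in for the suspicious file from the question.

```python
import io
import struct
import zipfile

# Illustrative magic-number table (not exhaustive). The two-byte entries
# ("MZ", gzip) will false-positive on random data; treat them as leads only.
SIGNATURES = {
    b"PK\x03\x04": "zip (also jar/docx/apk)",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"\x1f\x8b": "gzip",
    b"MZ": "pe/exe",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF8": "gif",
}


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker segments and return the offset just past EOI (FF D9).

    A decoder stops reading at EOI, so anything after that offset is not part
    of the image and needs an explanation.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte between markers
            pos += 1
            continue
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers carry no length
            continue
        (seglen,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + seglen                       # length field includes itself
        if marker == 0xDA:                      # SOS: entropy-coded data follows
            # Skip scan data until a marker that is neither byte-stuffing (FF 00)
            # nor a restart marker (FF D0..D7).
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("EOI marker not found")


def find_signatures(data: bytes, start: int = 0):
    """Return sorted (offset, description) pairs for every magic number at or after start."""
    hits = []
    for magic, desc in SIGNATURES.items():
        idx = data.find(magic, start)
        while idx != -1:
            hits.append((idx, desc))
            idx = data.find(magic, idx + 1)
    return sorted(hits)


def analyze(data: bytes) -> dict:
    """Locate the end of the real image and describe whatever follows it."""
    end = jpeg_end_offset(data)
    return {
        "eoi_offset": end,
        "trailing_bytes": len(data) - end,
        "trailing_signatures": find_signatures(data, end),
    }


def carve_zip(data: bytes, offset: int) -> list:
    """Confirm a ZIP lead by parsing the tail as an archive and listing its members."""
    with zipfile.ZipFile(io.BytesIO(data[offset:])) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed test input: skeletal JPEG (SOI, APP0, SOS, fake scan data, EOI)
    with a ZIP appended after EOI. Not a real file; the payload is made up."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = b"\xff\xd8" + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
    sos = b"\x01\x01\x00\x00\x3f\x00"
    jpeg += b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
    jpeg += b"\x12\x34\xff\x00\x56\x78" * 4     # fake scan data incl. stuffed FF 00
    jpeg += b"\xff\xd9"                         # EOI: the image ends here (offset 56)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("secret.txt", date_time=(2011, 2, 14, 12, 0, 0))
        zf.writestr(info, "hidden payload")     # ZIP_STORED by default
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    report = analyze(sample)
    print(report)
    for off, desc in report["trailing_signatures"]:
        if desc.startswith("zip"):
            print("zip members:", carve_zip(sample, off))
```

On a real file, `analyze(open(path, "rb").read())` gives the offset of the trailing data; a 2.9 MB file whose EOI sits at a few hundred kilobytes is the question's situation. The signature table only yields leads, which is why the zip case is confirmed by actually parsing the tail; a tail with no recognizable header (the stripped-header archive the comment above describes, or encrypted data) would still show up as a large `trailing_bytes` count even though nothing matches.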
6

It's probably just a file appended to the end of the JPEG. Look for the EOF or the start of a known header such as PK, RAR, PE, etc.

Steven
4

Please note that my comment below is regarding LSB (Least Significant Bit) steganography and not jpeg (DCT) or appended data steganography.

"Steganography doesn't modify the file size significantly": this is incorrect. If I take a JPEG compressed image and apply LSB steganography then the resultant image size on disk will increase 'significantly' since images using LSB steganography MUST be saved in a lossless format such as BMP, TIFF or PNG. I have written software that takes any image format (such as JPEG) and hides data within it and saves out to PNG. It is often the case that I can open a JPEG of size 60 KB and be able to hide over 100 KB of data within it. The resultant PNG would look identical to the original JPEG but have a file size of 800 KB+.

When analyzing images for LSB steganography content you MUST have either the original image for comparison OR have knowledge of the encoding method. Without either of these you will NEVER determine if an image contains hidden LSB data. Consider that there are a multitude of ways to implement LSB steganography and an infinite number of images to choose as a source; it's no trivial task to determine any steganographic content. That said... ALL images containing LSB steganographic content must be saved lossless (without compression). Therefore they may stand out as larger in size (bytes) than might otherwise be expected. JPEG is a lossy algorithm (even with 0% compression) which is why images using LSB steganography cannot be saved as JPEG images, therefore your large JPEG image is unlikely to hold LSB steganography, however this does not rule out other steganographic options.

    You can detect LSB steganography through statistical analysis if you know the LSB pattern typical of the image source. For example, if the image is a cartoon with large areas of solid color, you know something's up if the LSB varies from pixel to pixel. Similarly, if the image is from a camera with a bias in its pixel values, a uniform distribution of LSB values is an indication of steganography. – Mark Aug 21 '14 at 01:44
    This is wrong. One may encode secrets directly in DCT coefficients of JPEG, and pack the result as usual – Display Name Jul 01 '17 at 06:00
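The LSB case this answer and Mark's comment discuss, as an added worked example (not code from either of them). It embeds a payload in the least significant bits of a byte buffer, shows the round trip, and then applies the statistical check from the comment: in a flat-colour "cartoon" region, neighbouring samples that agree in their upper 7 bits should also agree in their LSB, so the fraction of such pairs whose LSBs differ is near zero for a clean cover and rises towards the payload's own bit-transition rate once data is embedded. Assumptions, all labelled in the code: a single 8-bit grey channel stands in for decoded pixel data from a lossless PNG/BMP; the cover, payload and the 0.25 threshold are constructed for illustration, and the check only works because the cover is known to be flat-colour (on a noisy camera image the clean baseline would itself be near 0.5, which is the answer's point about needing knowledge of the source).

```python
def make_cartoon() -> bytes:
    """Constructed cover: one 8-bit grey channel with three flat-colour regions.
    Stands in for the decoded pixel buffer of a lossless image."""
    return b"\x80" * 4000 + b"\x40" * 4000 + b"\xc1" * 4000


def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits (MSB first) into the LSB of successive cover bytes.
    The file size is unchanged; only the lowest bit of each sample moves."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("payload does not fit: need %d samples" % len(bits))
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(stego: bytes, nbytes: int) -> bytes:
    """Inverse of lsb_embed: rebuild nbytes from the LSBs of the first nbytes*8 samples."""
    out = bytearray()
    for b in range(nbytes):
        val = 0
        for i in range(8):
            val = (val << 1) | (stego[b * 8 + i] & 1)
        out.append(val)
    return bytes(out)


def lsb_anomaly_score(pixels: bytes) -> float:
    """Fraction of adjacent sample pairs with identical upper 7 bits whose LSBs differ.

    Flat-colour art gives ~0.0; an embedded bitstream pushes this towards the
    payload's bit-transition rate (~0.5 for random-looking data). Only meaningful
    when the cover is known to have little natural LSB noise.
    """
    comparable = differing = 0
    for a, b in zip(pixels, pixels[1:]):
        if (a >> 1) == (b >> 1):
            comparable += 1
            if (a & 1) != (b & 1):
                differing += 1
    return differing / comparable if comparable else 0.0


# Constructed threshold for this cartoon-style cover; not a general constant.
SUSPICIOUS_SCORE = 0.25


def looks_like_lsb_stego(pixels: bytes) -> bool:
    return lsb_anomaly_score(pixels) > SUSPICIOUS_SCORE


if __name__ == "__main__":
    cover = make_cartoon()
    payload = bytes(range(256)) * 4                 # 1024 constructed payload bytes
    stego = lsb_embed(cover, payload)
    assert lsb_extract(stego, len(payload)) == payload
    print("clean score: %.3f" % lsb_anomaly_score(cover))
    print("stego score: %.3f" % lsb_anomaly_score(stego))
    print("flagged:", looks_like_lsb_stego(stego))
```

Because the test payload is a plain 0..255 byte ramp, its LSB stream has a transition rate just under 0.5; spread over the 12000-sample cover that gives a score around 0.34 against exactly 0.0 for the untouched cartoon. Saving `stego` as a JPEG would re-quantise the samples and destroy the payload, which is the answer's reason for ruling out LSB in a large JPEG while leaving DCT-domain embedding, as the last comment notes, open.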