Hiding in plain sight

Steganography is about hiding content inside other content.

At work, bad folk might use it to sneak things outside the company, or just to hide bad things on their machine.

They probably won’t though, because it’s a lot of effort and there are other ways to steal data.

or will they…

This week I needed to look at some sneaky files in the context of digital forensics.

I thought the topic was interesting enough that I should jot down the key points.

Before I do, I should mention that there are much better articles covering the topic in detail. You should try these two if you want to learn a lot more:

  • http://www.garykessler.net/library/steganography.html
  • http://www.garykessler.net/library/fsc_stego.html

The only aim of this post is to capture a practical way to mess about with this stuff for yourself.

I will just mention one key theory point first though:

When someone is using steganography to hide something else inside a file, you’d expect the files to get bigger. That’s possible, but it’s often not the case. One common approach (built into free tools) is to take the file you are hiding and distribute its bits among sets of bytes in the host file. (The number of bytes does not change, just some of the bits in collections of bytes.) If the bad guy is able to modify the least significant bit of some bytes in a .bmp file, for example, the file will not grow and the difference to the colour palette in the image will be barely noticeable if the right image is used.
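To make that concrete, here is an added example (my own illustration, not S-Tools’ code) that hides a payload in the low bit of each carrier byte and pulls it back out. The carrier is a constructed stand-in for the pixel bytes of a 24-bit .bmp; real tools like S-Tools also encrypt the payload and scatter the bits using the passphrase, which this example leaves out.

```python
# Added example: least-significant-bit (LSB) embedding in a byte buffer,
# modelled on the pixel area of a 24-bit .bmp. Each payload bit replaces the
# low bit of one carrier byte, so the carrier never changes size and no byte
# moves by more than 1 out of 255. Sequential placement is a simplification;
# S-Tools spreads the bits pseudo-randomly and encrypts the payload first.

def lsb_capacity(carrier: bytes) -> int:
    """Payload bytes that fit at one bit per carrier byte (the 'free space' figure)."""
    return len(carrier) // 8


def embed_lsb(carrier: bytes, payload: bytes) -> bytearray:
    """Return a copy of carrier whose low bits spell out payload, MSB of each byte first."""
    if len(payload) > lsb_capacity(carrier):
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, byte in enumerate(payload):
        for bit in range(8):
            idx = i * 8 + bit
            payload_bit = (byte >> (7 - bit)) & 1
            out[idx] = (out[idx] & 0xFE) | payload_bit  # clear low bit, then set it
    return out


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Reassemble n_bytes of payload from the low bits of stego."""
    result = bytearray()
    for i in range(n_bytes):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (stego[i * 8 + bit] & 1)
        result.append(byte)
    return bytes(result)


def max_byte_change(original: bytes, stego: bytes) -> int:
    """Largest per-byte difference between carrier and stego; LSB embedding gives at most 1."""
    return max(abs(a - b) for a, b in zip(original, stego))


# Constructed carrier: 16x16 pixels x 3 bytes = 768 bytes of made-up pixel data.
CARRIER = bytes((i * 37 + 11) % 256 for i in range(16 * 16 * 3))
PAYLOAD = b"duck"  # constructed secret; any bytes would do
STEGO = embed_lsb(CARRIER, PAYLOAD)

if __name__ == "__main__":
    print("capacity (bytes):", lsb_capacity(CARRIER))
    print("sizes equal:", len(STEGO) == len(CARRIER))
    print("recovered:", extract_lsb(STEGO, len(PAYLOAD)))
    print("max byte change:", max_byte_change(CARRIER, STEGO))
```

Comparing the original and stego buffers byte by byte is the simplest forensic check when you happen to have the untouched carrier; without it, the LSB plane itself is what statistical detectors look at.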

Step 1: Download S-Tools. It’s free and you can find it in lots of other places if downloading it from here seems weird. (I don’t blame you if you don’t trust my download, I wouldn’t trust a random file from a blog either).

Step 2: Find a carrier file and drag it into S-Tools. I chose this cow, no one ever suspects the cow. (Note that S-Tools tells me how much stuff this cow could stash.)

Step 3: Drag the file you need to hide onto the file you are hiding it in (in S-Tools). You will be prompted for a passphrase to further protect the secret file.

Step 4: Save the new file (by right clicking on the “hidden data” version and choosing “save as”).

I called mine just_a_cow.bmp when I saved it so that no one would think to examine it more carefully.

(notice the file size – same; also notice the image quality – modifying a few bits inside sets of bytes of the original means that there is no real noticeable difference from the original)

You can download the file containing the secret file from here: just_a_cow.bmp if you’d like to examine it for yourself. The password on the secret file inside the cow is “duck”.

To examine a file like just_a_cow.bmp, you just do the same thing as when hiding stuff. Open S-Tools, drag in the file, then right click the file to reveal the content. You should find some super secret tips inside that just_a_cow.bmp file if you are interested.

Cheeky buggers.