Digital steganography: Programs and other implementation methods

 


By Kozhuh 
spy-soft.net
15 min
April 29, 2015

Digital steganography

The ability to hide some data inside others can allow an attacker to stealthily steal a lot of confidential information.

The problem of hiding data has worried humanity since ancient times. Ciphers are usually used to protect information. Their reliability may vary, but by the time the enemy manages to hack it, the information will already be old.

In the era of digital technology, the situation has changed somewhat: the computing capabilities of computers are constantly increasing, and, in addition, a huge number of communication channels have appeared through which information can be transmitted. At the same time, stealing data has become much easier.

If previously a not entirely honest employee had to hide a paper copy in order to take out some secret drawing or document, then in the era of digital technology it has become much easier to take out secrets. The encrypted file can be sent over the network, or it can be dropped onto removable media, a flash drive, and hidden in a pocket.

In the first case, everything is relatively simple; there are many solutions for traffic control. To combat copying to flash drives, there are also DLP (Data Leak Prevention) intrusion prevention tools. In general, most DLP solutions control all data leakage channels on a computer, both network and peripheral. So, a properly configured data leak prevention system can not only create problems for an attacker when stealing information, but will also enable administrators to control all his actions, thereby identifying what secrets he is interested in and what means and methods he uses to steal information.

The next obvious step in this “competition between armor and projectile” would be encryption of the transmitted information with further transmission through the channels described above. But the very attempt to transfer a file outside that cannot be read should arouse serious suspicion among security guards and be blocked by appropriate software. But you can try to hide encrypted data inside other content. So we smoothly approach the main topic of this article - steganography.

Steganography, not shorthand

The Wikipedia article tells us that steganography (literally translated from Greek as “secret writing”) is the science of secretly transmitting information by keeping the very fact of transmission secret. Unlike cryptography, which hides the contents of a secret message, steganography hides the very fact of its existence. Although usually these two technologies are used together.

Steganography is used for all sorts of purposes. Often it is used not for theft but against those who steal. For example, in copyright protection a hidden mark is embedded in a document, which makes it possible to determine who owns a given copy of the file. If such a marked copy is then found somewhere on torrents, copyright holders will be able to find who exactly posted it and present appropriate claims to him.

But in the article I will describe the use of steganography specifically as a means of data theft. Let's start by looking at some theoretical issues. I’ll make a reservation right away that when talking about technical methods for implementing steganography, I will only touch on digital steganography, that is, hiding information inside other digital data. At the same time, I will not touch upon methods based on the use of reserved partitions of a hard or floppy disk by various file systems, or techniques related to the peculiarities of the functioning of various hardware platforms and operating systems. In this article we will be interested only in files of various formats and the possibilities of creating hiding places in them.

Steganography in theory

First of all, I propose to consider the main algorithms that are used for steganography.

Methods such as LSB (Least Significant Bit) and similar ones. Their essence is to replace the least significant bits in the container (image, audio or video recording) with bits of the hidden message. Let's take a graphic file as an example. Visually, it looks like this: we change the least significant bits in the pixel color code in the picture. If we assume that the color code has a 32-bit value, then replacing 0 with 1 or vice versa will not lead to any significant distortion of the picture that human senses could notice. Meanwhile, something can be hidden in these bits of the picture.

Let's look at a small example. Let's say we have an 8-bit grayscale image. 00h (00000000b) means black, FFh (11111111b) means white. There are a total of 256 gradations ( ). Also assume that the message consists of 1 byte - for example, 01101011b. Using the two least significant bits in the pixel descriptions, we need 4 pixels. Let's say they are black. Then the pixels containing the hidden message will look like this: 00000001 00000010 00000010 00000011. The color of the pixels will then change: the first by 1/255, the second and third by 2/255, and the fourth by 3/255. Such gradations are not only invisible to humans but may not be displayed at all on low-quality output devices.

Digital steganography

It is worth noting that LSB methods are unstable to various types of “noise”. For example, if any “garbage” bits are superimposed on the transmitted content, this distorts both the original content and (which is especially important for us) the hidden message. Sometimes it even becomes unreadable. A similar technique is used for other formats.
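The worked example above, carried through as an added Python sketch (not code from the article or from any of the utilities it reviews). It writes the byte 01101011b into the two low bits of four black pixels, reads it back, and shows the instability just described: one flipped bit, or a pass that clears the low bits, destroys the message. All function names are assumptions made for this illustration.

```python
"""Added illustration: 2-bit LSB on 8-bit grayscale pixel values."""

BITS = 2                   # low bits used per pixel, as in the worked example
MASK = (1 << BITS) - 1     # 0b11
PER_BYTE = 8 // BITS       # pixels needed to carry one message byte


def embed(pixels, message):
    """Return a copy of `pixels` with `message` written into the low bits."""
    needed = len(message) * PER_BYTE
    if needed > len(pixels):
        raise ValueError(f"need {needed} pixels, container has {len(pixels)}")
    out = list(pixels)
    i = 0
    for byte in message:
        # Most significant pair first: 01101011b -> 01, 10, 10, 11
        for shift in range(8 - BITS, -1, -BITS):
            out[i] = (out[i] & ~MASK & 0xFF) | ((byte >> shift) & MASK)
            i += 1
    return out


def extract(pixels, length):
    """Rebuild `length` bytes from the low bits of consecutive pixels."""
    message = bytearray()
    for n in range(length):
        value = 0
        for p in pixels[n * PER_BYTE:(n + 1) * PER_BYTE]:
            value = (value << BITS) | (p & MASK)
        message.append(value)
    return bytes(message)


def max_change(before, after):
    """Largest per-pixel brightness change, in steps out of 255."""
    return max(abs(a - b) for a, b in zip(before, after))


def flip_lowest_bit(pixels, index):
    """Model one 'garbage' bit landing on a pixel."""
    out = list(pixels)
    out[index] ^= 0x01
    return out


def scrub(pixels, bits=BITS):
    """Clear the low bits of every pixel, as a sanitizing re-encode would."""
    keep = 0xFF & ~((1 << bits) - 1)
    return [p & keep for p in pixels]


if __name__ == "__main__":
    black = [0x00] * 4                       # constructed container: four black pixels
    stego = embed(black, bytes([0b01101011]))
    print([format(p, "08b") for p in stego])
    print("max change:", max_change(black, stego), "/ 255")
    print("clean read:", extract(stego, 1).hex())
    print("after one flipped bit:", extract(flip_lowest_bit(stego, 1), 1).hex())
    print("after scrub:", extract(scrub(stego), 1).hex())
```

Clearing or randomizing the low bits costs at most 3/255 of brightness per pixel, which is why re-encoding images in transit is an effective countermeasure against this class of embedding.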

Another method is the so-called soldering of hidden information. In this case, the hidden image (sound, sometimes text) is superimposed on top of the original. The simplest example is white writing on a white background in a PDF document. Attackers usually do not use this method due to the relative ease of detection by automatic methods. However, this method is often used when creating “watermarks” to protect the authorship of content. In this case, these signs, as a rule, are not hidden.

And the third method is to use the features of file formats. For example, this could be recording information in the metadata used by a given file format, or in various other unused reserved fields. For example, this could be a Microsoft Word document, inside of which information will be hidden that is not displayed in any way when opening this document.

Audio steganography

Another method of hiding information is applicable only to audio files - this is the echo method. It uses irregular spaces between echoes to encode a sequence of values. In general, it is possible to create conditions under which these signals will be invisible to human perception. The echo signal is characterized by three parameters: initial amplitude, degree of attenuation and delay. When a certain threshold is reached between the signal and the echo, they mix. At this point, the human ear can no longer distinguish between these two signals. Two different delays are used to indicate logic zero and one. They should both be less than the listener's ear sensitivity threshold to the received echo.

However, in practice, this method is also not very reliable, since it is not always possible to accurately determine when a zero was transmitted and when a one was transmitted, and as a result, there is a high probability of distortion of hidden data.

Another use case for steganography in audio files is phase coding. The original sound element is replaced by a relative phase, which is the secret message. The phase of successive elements must be added in such a way as to maintain the relative phase between the original elements, otherwise distortion will occur that is noticeable to the human ear.

Today, phase coding is one of the most effective methods of hiding information.

Steganography programs

At this point, I think, we can finish with the theory and we need to move on to the practical aspects of implementing steganography. I will not describe commercial solutions, but will limit myself to talking about small free utilities that an attacker can easily use, even without administrative rights in the system.

As a data storage file, I used a 1680x1050 image saved in various formats: BMP, PNG, JPEG. The hidden document was a text file about 40 KB in size. All the programs described coped with the task: the text file was successfully saved and then extracted from the source file. At the same time, no noticeable distortion of the picture was detected. The utilities presented below can be downloaded from the website.

The author of all programs discussed in this review is Alexander Myasnikov.

ImageSpyer G2

A utility for hiding information in graphic files using cryptography. At the same time, about 30 encryption algorithms and 25 hash functions are supported for container encryption. Hides a volume equal to the number of pixels in the image. Compression of hidden data is optionally available.

ImageSpyer steganography program

The utility is compatible with Windows 8. BMP, JPEG, WMF, EMF, TIFF formats can be used as source graphic files.

This is one of the ancient utilities, once written by Alexander Myasnikov and now found only in the vastness of file dumps. Even if it once had an official website, that site has not been working for a long time. However, the program is worthy of attention.

ImageSpyer hides secret files only in images and even allows you to set a password to encrypt the data before embedding. The program supports about 30 encryption algorithms for embedded information and 25 hash functions for signing to ensure that the file embedded in the image is not damaged during transmission.

A big plus is the presence of a graphical interface with clear explanations and many settings. There are only two output formats: BMP and TIFF.

Let's see how much the size of the photo has increased.

Left is after processing, right is before

As you can see, from a small cat with a size of 59.6 KB we made a fat cat with a size of 1530 KB. The result is not bad, and ImageSpyer works quickly, so we confidently recommend its use.

You can download ImageSpyer G2 for free using this link.

RedJPEG

The interface of this program, as the name suggests, is made in red style. This easy-to-use utility is designed to hide any data in a JPEG image (photo, picture) using a proprietary steganographic method. It uses open encryption algorithms, the AMPRNG stream cipher and Cartman II DDP4 in hash function mode, and LZMA compression.

RedJPEG steganography program

The professional extended version of RedJPEG XT is complemented by masking the fact of embedding and an enhanced procedure for initializing a stream cipher based on image characteristics. Includes x86 and x86-64 builds.

RedJPEG settings

And what do we have in terms of volume after packing the text into an image?

The impressions are extremely positive. The program allows you to hide and encrypt any necessary information well. Suitable for permanent use.

There is also RedJPEG XT for TC, a WCX plugin for Total Commander, which has similar functionality.

You can download RedJPEG for free using this link.

DarkCryptTC and Project Zarya

This program can be called the most powerful steganographic solution. It supports more than a hundred different symmetric and asymmetric cryptographic algorithms. Includes support for a proprietary plugin system designed for block ciphers (BlockAPI), text, audio and image steganography (including real JPEG steganography), a powerful password generator and a system for destroying information and keys.

DarkCryptTC and Project Zarya

The list of supported formats is really impressive: *.txt, *.html, *.xml, *.docx, *.odt, *.bmp, *.jpg, *.tiff, *.png, *.jp2, *.psd, *.tga, *.mng, *.wav, *.exe, *.dll.

The set of programs for steganography is not very large, but it is quite sufficient to effectively hide information in files of various formats.

You can download DarkCryptTC for free using this link.

OpenStego

The OpenStego project is implemented in Java, has support for AES encryption, and is extremely popular among those who want to get acquainted with steganography. Supports plugins so you can implement some kind of steganographic algorithm yourself. There are versions for both Windows and Linux.

Program for hiding information in an image OpenStego

Like ImageSpyer, OpenStego significantly inflates file sizes, although not as much. There is also only one packaging method supported, but this can be easily fixed with plugins. Output files can only be in PNG format, but this cannot be called a very big disadvantage, especially since almost any format can be supplied as input.

There is also an interesting feature that I did not find in competitors - Digital Watermarking. It allows you to secretly tag a photo to easily find the thief. To do this, the program embeds an invisible identifier into the picture, which can later be retrieved and checked who took the picture without asking.

The program does not require installation, but is launched by a batch file.

File comparisons

The output file turned out to be much thicker than it was - the size increased by almost 800 KB.

Compared to ImageSpyer, OpenStego is still richer in features, which I liked.

Download OpenStego from GitHub

SilentEye

SilentEye is cross-platform software with a simple interface. It has many plugins and a nice GUI. Uses modern steganography and masking algorithms.

Program for hiding information in a picture SilentEye

Among the obvious advantages, I note entering masked text directly in the program window instead of loading text files from a third-party editor. Seriously, the feature is simple, and no one has thought of this before. Output image file formats are BMP, JPEG, PNG, GIF, TIFF, sound files are WAV only.

SilentEye

You can adjust the quality of the output image - it determines how much loss there will be when encoding to JPEG.

AES is used to encrypt embedded data, but there are many more settings than OpenStego.

SilentEye settings

When checking the increase in volume, I had to use another picture as the original one, but it is clear that the volume has hardly changed, that is, the program works effectively.

The file size of the image has increased by only 13.5 KB - a very good result!

The utility can easily replace the old OpenStego. It works a little slower than its competitors, but this is often uncritical. I also recommend it.

ImageJS

ImageJS is a Linux utility that is not really designed to hide information from people. Instead, it helps to deceive browsers, which quite reasonably assume that there should be nothing foreign in valid images.

ImageJS allows you to create images that are also real JS scripts. This is needed to make it easier to carry out more dangerous XSS attacks, which sometimes require loading a script from the attacked domain. This is where the ability to upload an avatar, which simultaneously contains a JavaScript payload for further attack, comes to the rescue. The program supports embedding into BMP, GIF, WEBP, PNG and PDF formats.

To build, you need the build-essential and cmake packages. Then everything is simple:

Let's create a script.js with the following code and then package it into an image.gif:

The output will be a file with a double extension, but this is not a problem.

Now we will check everything in action! Create an HTML page with the following code and save it next to our loaded image.

Save and open. It should look like the screenshot.

The size of the picture almost does not change, which is very beneficial for us.

Hide information in an image using ImageJS

The program is great, although it is only applicable for very specific purposes.

Download ImageJS from GitHub

StegoTC G2 TC

The steganographic archiver plugin (wcx) for Total Commander allows you to hide data in any image; the BMP, TIFF and PNG formats are supported.

You can download StegoTC G2 for free using this link.

DIY steganography

For those who are well acquainted with programming, in particular with Visual Studio and C#, I can also recommend a rather interesting site where you can find the source texts of steganographic utilities for various data formats: for working with graphic formats and for hiding information, for example, in ZIP archives. The general principle of this conversion is to use the headers of the archived files. A source code fragment for working with ZIP archives looks like this:

On this site you can find many examples of source codes of any complexity, so studying practical implementations of steganography will not be difficult for those interested.

Conclusion

It is difficult to replace the cross-platform and feature-rich OpenStego, but it is possible if desired. SilentEye would be a good choice, but I also recommend trying Alexander Myasnikov’s utilities if you have Windows. If you are a fan of the console or are making some kind of automated system, then one of the options written in Python may be useful to you.



Hiding files in pictures: seven steganographic utilities for Windows

xakep.ru
18 min
January 23, 2017

Encryption helps keep data secret, but at the same time attracts unnecessary attention. If the file cannot be easily opened, it means that there is probably something valuable in it. Therefore, it can be important to hide the very presence of secret information. The easiest way to do this is to dissolve confidential data inside some harmless file. This problem is solved using steganographic utilities, which we will test.
Bring Anubis to Javu!

From the pharaohs to the present day

If we assume that history develops in a spiral, then modern life seems to have reached the same turn as Ancient Egypt. People are worshiping cats again and keeping their images everywhere. At the same time, the cult of secret knowledge is being revived - some are hiding information, others are looking for ways to get it. So the ideal way to hide sensitive data is to mix it with trivial content like photos of cats.

According to one version, cryptography originated in Ancient Egypt. Its daughter, steganography, or “secret writing,” appeared closer to the heyday of the Roman Empire. Certain techniques of secret writing were practiced even before our era, but steganography became an independent applied discipline only by the 16th century.

Modern steganography - digital and computer. The latter can be divided into three large areas. The first is the secret writing itself, or methods of hiding some files (which are usually called a message) inside others (“container”). After filling with a message, the container changes its appearance imperceptibly and completely retains its functionality.

The second direction studies methods of adding hidden or steganographic marks (stegomarks) to a message. These are marks that are invisible without special processing and are identical for all files of one person or device. For example, such stegomarks are recorded in digital photographs so that their authorship can be proven. Crackers sometimes leave marks in license keys. They are protected at the level of the generation algorithm, and therefore are saved when you try to change the keygen interface and pass it off as your own.

The third direction is the introduction of digital fingerprints into messages. Unlike stegomarks, these hidden marks are unique to each message. They serve primarily to protect the interests of copyright holders by allowing the distribution of content to be tracked. For example, many online stores embed digital fingerprints into the books and music they sell. They encode information about the date of sale and the account of the buyer (name, IP address, etc.). If purchased files later appear among torrents or on file hosting sites, then copyright holders will be able to identify the distributor of illegal content. To do this, it will be enough to read the embedded digital fingerprint from the counterfeit file.

Does your favorite online service use stegomarks? This is easy to check. It is enough to buy two copies of the same work from different accounts and do a byte-by-byte comparison of the files. The difference between them will reveal hidden marks. If the downloaded files are identical (and their hashes completely match), then there are no stegomarks inside.

Many books and articles have been written about each of these areas, but there is still no uniform terminology. Some authors split the listed branches into dozens of smaller ones, while others do not see a fundamental difference between the large ones. For some, there is a fine line between hidden storage and hidden transfer of data, but for others it is just details.

Let’s not get into polemics; it’s much more interesting to try steganography in action. First, let's take a closer look at its main application - data hiding. Out of fifty utilities for disguising some files inside others, we selected only seven. The review included only those that are guaranteed to work on Windows 10.

For the test, we will take a picture with desktop wallpaper. You can fit a lot of interesting things behind this vegetation.

Anubis

https://sourceforge.net/projects/anubisstegano/files/latest/download

Anubis is the superhero of the ancient Egyptians. The Jackal Man, after whom a free program was named six thousand years later. Its first and, unfortunately, last version was written in 2014 in Java. Therefore, the utility turned out to be cross-platform, but requiring installation of the JRE, as well as (in the case of Windows 10) a DOS virtual machine - NTVDM.

The main program window looks as ascetic as possible. Click Encrypt and in the tab that opens, indicate the necessary actions: which file to put inside which and where to save the result. Only hiding text files inside BMP format images is guaranteed to work. Several of these already exist in Windows 10 - these are user icons. It would be interesting to hide a list of passwords or some other confidential information in user.bmp. It has long been noted that the best hiding places are in a visible place.

Hiding TXT in BMP

Additionally, you can protect the resulting file with a PIN code - then it will be needed for the reverse conversion. The utility incorrectly processes the line indicating the location of the resulting file. It can be saved at a level higher than the specified one or even in the original directory.

As can be seen from the byte-by-byte comparison of the original BMP file with the one containing hidden text, the program works in a very primitive way. It simply appends data to the end of the file. The data is encrypted, but provided with characteristic indicators: limiter1limiter2inserted length begins. By simply searching for files containing such strings, it is easy to find all stegocontainers. This utility can be used to illustrate the simplest steganography method, but it is completely unsuitable for serious tasks.

DeEgger Embedder

http://www.softpedia.com/get/Security/Encrypting/DeEgger-Embedder.shtml#download

DeEgger Embedder is another small steganography program. It already implements a larger set of functions, but its use requires installation of the .NET Framework 3.5. In addition to BMP images, which are rarely used today, the program supports PNG, JPG, AVI video files and MP3 music files as containers. The utility keeps a detailed log of its actions, which is displayed directly in the main window.

Let's make Easter eggs!

The algorithm launch button is called Combine, not Encrypt, which more accurately reflects the file embedding process. Hidden files (stego messages) are extracted from multimedia containers by pressing a single Extract button. There is no PIN code protection here.

Harvester and extract

But the program can process several files at once. You can put multiple messages in one container or one in different containers.

We write several files into one container

After processing in DeEgger, image comparison utilities consider the source and destination BMP files to be identical. In reality, this is an empty and filled container in steganography terminology.

Imaginary identity

Let's do a byte-by-byte comparison. Is this a familiar picture? Just like Anubis, the DeEgger Embedder utility added a stego message to the end of the container file. There are many solid-colored areas in the user.bmp image, so this appendix looks especially noticeable.

The same Easter eggs, view in code

At first glance, there are no obvious pointers that can be used to search for files containing a specific string. However, let's take a closer look. To do this, we will create another container with a different message and compare the two already filled containers with each other.

Finding the embedded file pointer

Here is the same section in hexadecimal: 24 23 26 29 2A 40 26 28 23 5E 2A 00 D1 8B 87 8B FF.

As you can see, despite supporting more formats, DeEgger has not gone far beyond Anubis. Hidden files are also written to the end of the container file and have a characteristic appearance that makes them easy to detect.
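Both Anubis and DeEgger Embedder, as described above, append the message after the end of the image data, so a structural check finds such containers without knowing any marker string. The following Python sketch is an added example, not code from the article or from either utility: it reads the end offset the format itself declares and reports whatever follows it. It extends the BMP case in the text to PNG, and its last helper mirrors the comparison of two filled containers used above to expose a fixed marker. The sample files are constructed in the code, and every function name is an assumption.

```python
"""Added illustration: find bytes stored after the declared end of a BMP or PNG."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def bmp_declared_end(data):
    """Return bfSize from the BMP file header, or None if it is unusable."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    size = struct.unpack_from("<I", data, 2)[0]
    # Some writers leave bfSize at 0 and truncated files declare too much.
    return size if 14 <= size <= len(data) else None


def png_declared_end(data):
    """Walk the PNG chunk list and return the offset just past IEND."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length               # length + type + body + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None


def trailing_data(data):
    """Return (format, declared_end, tail); tail is empty for a clean file."""
    for name, finder in (("bmp", bmp_declared_end), ("png", png_declared_end)):
        end = finder(data)
        if end is not None:
            return name, end, data[end:]
    return None, None, b""


def common_prefix(tail_a, tail_b):
    """Bytes shared at the start of two tails: a candidate fixed marker."""
    n = 0
    while n < min(len(tail_a), len(tail_b)) and tail_a[n] == tail_b[n]:
        n += 1
    return tail_a[:n]


def make_bmp(width=2, height=2):
    """Constructed sample: minimal uncompressed 24-bit BMP, all black."""
    row = (width * 3 + 3) & ~3           # rows are padded to 4 bytes
    pixels = bytes(row * height)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    total = 14 + len(dib) + len(pixels)
    return struct.pack("<2sIHHI", b"BM", total, 0, 0, 14 + len(dib)) + dib + pixels


def make_png():
    """Constructed sample: minimal 1x1 grayscale PNG."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body)
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")    # filter byte + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    # Constructed tails: "MARK" stands in for whatever fixed marker a tool writes.
    first = make_bmp() + b"MARK" + b"first message"
    second = make_bmp() + b"MARK" + b"second message"
    for label, blob in (("clean bmp", make_bmp()), ("filled bmp", first),
                        ("filled png", make_png() + b"MARKpng")):
        fmt, end, tail = trailing_data(blob)
        print(f"{label}: format={fmt} declared_end={end} trailing={len(tail)} bytes")
    print("shared marker:", common_prefix(trailing_data(first)[2],
                                          trailing_data(second)[2]))
```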

DeepSound

http://jpinsoft.net/DeepSound/Overview.aspx

The latest version of this program was released in November 2015. Unlike previous utilities in this review, it hides data inside sound files. DeepSound can use WAV (uncompressed, PCM only), as well as MP3, CDA, WMA, APE and FLAC as containers. DeepSound can embed files of any type and automatically calculates the space available for them depending on the container size and audio quality settings.

When using MP3, the available space for the stego message is shown to be larger than the container itself, but this is an illusion. Regardless of the original file format, the new container is created in only one of the uncompressed formats: WAV, APE or FLAC. Therefore, the size of the initial container does not matter. As a result, the message will take up a certain percentage of the volume of the new (uncompressed) audio file.

Large capacity for any files

The program can simply place any file inside a music file, or pre-encrypt it using the AES algorithm with a key length of 256 bits. It was experimentally determined that the maximum password length is only 32 characters. My regular passwords were longer and resulted in an unhandled exception.

AES encryption

You can place any number of files in one container until the free space counter is full. Its quantity depends on the degree of quality (that is, the distortion introduced into the audio file). There are three settings available: high, normal and low quality. Each of them doubles the useful volume of the container. However, I recommend not to be greedy and always use the maximum quality - this will make it more difficult to detect a hidden file.

The stego message is retrieved after manually selecting the corresponding container. If encryption was used, then without entering a password the program will not even show the name of the hidden file. Cyrillic characters in file names are not supported. When extracted, they are replaced with XXXX, but this does not affect the contents of the file in any way.

DeepSound can convert MP3 and CDA, so we can easily convert the source file from MP3 to WAV and compare two containers: empty and full.

PDF is smeared inside WAV

A pleasant surprise awaits us here: the file sizes are identical, but their contents differ immediately after the header. The bytes differ almost everywhere by one, and by small values. Most likely, this is an implementation of the LSB (Least Significant Bit) algorithm. Its essence is that the hidden file is encoded as changes in the least significant bits in individual bytes of the container. This leads to slight distortions (changes in pixel hue in BMP and audio frequency in WAV), which humans usually do not perceive. The larger the container in relation to the hidden file, the less likely it is to detect the latter. This algorithm does not leave explicit indicators of the presence of an embedded file. Only statistical analysis of noise (acoustic, brightness, color and others) can suggest its presence, but this is a completely different level of steganalysis.

DeepSound is already quite suitable for hiding important information (except state secrets, of course). You can also use built-in encryption, but no one knows how well it is implemented, because the program did not have an open audit. Therefore, it would be safer to first place the secret files in some reliable crypto container (for example, TrueCrypt or VeraCrypt), and then hide it inside the audio file. If you use unique audio files (for example, your own recordings) as containers, then there will be nothing to compare them to byte-by-byte and hardly anyone will be able to find your “matryoshka”. Just record a few gigabytes of warm, uncompressed audio into the same directory for better masking.

Hallucinate

http://sourceforge.net/projects/hallucinate/

The latest version of the Hallucinate program (v. 1.2) was released in November 2015. This compact (only 34 KB) utility is written in Java and does not require installation. As a container, it supports BMP and PNG formats, which makes it much more convenient than Anubis. PNG images are used much more often today than BMP images. There are plenty of them even in the temporary directories of the browser, so such a container will definitely not lie as a lonely and very noticeable file on the disk.

Hallucinations with meaning

Hallucinate's interface is simple and functional. You need to select a container, specify the file to be hidden in it and the desired level of quality of the final image. Eight options are available. The more coarsened the original image is, the more you can hide in it, but the more noticeable the artifacts become. Let's select the best quality in the settings and illustrate this difference by repeating the operation with the BMP file.

Do you see the differences? And they exist!

Visually, the pictures on the left and right are no different. However, Beyond Compare shows the difference between them in the center frame. The text file is encoded as changes in the brightness of individual pixels, evenly distributed throughout the frame. Only in the darkest and lightest areas do they cluster tightly.

When comparing files byte by byte, the same difference in hexadecimal format looks familiar: the same LSB algorithm as DeepSound. Graphic file or sound file - in this case it does not matter. Both formats introduce minimal distortion, indistinguishable without special comparison methods. Detecting them without the source file (with only the container on hand) is quite difficult. It does not contain any explicit pointers to the introduction of a stego message. Only frequency analysis gives away a hidden file, but this method works well only for detecting large “nesting dolls”. A small file in a large picture remains almost invisible.

A hidden file is extracted in just two clicks. Just select a container (HAL-file in the terminology of the program author), click Decode and specify the location to save the file.

Undressing the matryoshka

JHide

https://sourceforge.net/projects/jhideapp/

JHide (not to be confused with Jihad) is another similar program in Java. You can't call it compact; it takes up almost three megabytes. However, unlike Hallucinate, in addition to BMP and PNG, it supports TIFF and also allows the use of password protection.

jHide Interface

A comparison with Beyond Compare shows subtle differences. In the first second they are not visible at all. You need to turn up the brightness and look closely to see evenly scattered dark blue dots on a black background.

The result of jHide

A comparison in hex codes shows the same LSB algorithm, but its implementation here is more successful. The changed pixels are not grouped in large blocks from the beginning of the file, but are evenly scattered throughout the container. This makes it much more difficult to detect the hidden message in the picture. Given the small size of the stego message, this is almost impossible to do without having the original (an empty container) for comparison.

Correct LSB

The program itself tries to compress the hidden file as much as possible before placing it in the container. Therefore, it is always extracted in ZIP format, and the hidden file is already inside this archive. Password protection must be deactivated manually before unpacking - jHide itself will not indicate whether it needs to be entered. This is also a plus, since it eliminates the possibility of using a utility to check images for hidden files.

Unpacking a container in jHide

The utility sometimes ignores the entered file name and extracts it with a template name stego_%name%.bmp, but this shortcoming can be forgiven. The contents of the file are read by it without distortion.

OpenPuff

http://download.cnet.com/windows/openpuff-team/3260-20_4-10146585-1.html

The most complex utility in this review is OpenPuff. Its latest version (4.00) supports not only hiding some files inside others, but also working with stegomarks of any format. It can even be allocated several processor cores if there is a large amount of work to do.

OpenPuff main window

Unlike other utilities that support password protection of hidden messages, OpenPuff can use a cryptographically secure pseudorandom number generator (CSPRNG) for encryption. If a simple password is not enough, check the boxes next to the B and C fields and enter three different passwords, each from 8 to 32 characters long. Based on them, the CSPRNG generates a unique key with which the message is encrypted.

Using CSPRNG

Small files can be stored in pictures and audio recordings, and large ones (for example, crypto containers) are more convenient to hide in video recordings - OpenPuff supports MP4, MPG, VOB and many other formats. The maximum size of a hidden file is 256 MB.

OpenPuff result

Using CSPRNG on small files greatly increases the final size of the stego message. Therefore, the difference between an empty and a filled container becomes all too obvious. We again see that the modified pixels are mostly evenly distributed, but they form large blocks in the lightest and darkest areas. If there were no such blocks, the result would be more similar to the artifacts obtained when compressing using JPEG.

Byte-by-byte comparison also gives a very characteristic picture. Despite the small size of the hidden file, the values of most pixels in the container have been changed. While jHide needed 330 bytes to write a stego message, OpenPuff used more than 170 KB for the same task.

The changes affected most pixels

On the one hand, this is a plus: there is no direct correlation between the message size and the number of changed pixels. The analysis of such a container becomes significantly more complicated. On the other hand, creating a container requires additional effort, which can put off an inexperienced user.

Another mode of operation of the program is writing and reading stegomarks. These are hidden strings of up to 32 characters that can be used for copyright protection, for example to hide a copyright notice in a photograph, music file or document.

This function works extremely simply. You write an arbitrary label at the top of the window and indicate below the files to which it should be added. The original files will remain untouched, and their copies with a label will be saved in the directory you specified.

Working with stegomarks in OpenPuff

When any legal dispute arises, you simply launch OpenPuff and show your astonished opponent the previously embedded label.

Even a frog can tell who took its photo

Difficulties arise if the file has been modified. Even simply converting to another format erases the stamp. It cannot be read even if the file has been converted back to its original format. Permanent stegomarks exist, but only certain programs can implement them. As a rule, they are tied to some specific equipment (for example, camera model).

The stego mark disappeared after converting the file

OpenStego

http://www.openstego.com/

The latest version of OpenStego (0.61) was released in 2014. The program runs on Windows and Linux. It supports BMP, PNG, JPG, GIF and WBMP. The filled container is always saved in PNG format.

OpenStego takes up only 203 KB, but after getting to know Hallucinate, this is no longer impressive. Formally, the utility requires installation, although it can be easily converted into a portable version. OpenStego is attractive because it supports password protection and can also implement stego tags (however, this function is still in beta status).

OpenStego interface

After adding a small text file to the selected image, there is practically no visual difference between an empty and a filled container.

Find ten differences

However, the file size increased by one megabyte, and because of the conversion to PNG with a different compression ratio it became an entirely different file. In a byte-by-byte comparison with the original, all values immediately after the header differ.

OpenStego: hex-comparison

Interestingly, the program does not check whether the entered password is correct when extracting the stego message from the container. It honestly tries to assemble the extracted file in any case and always reports that the operation was successful. In reality, the hidden file is retrieved only when the correct password is entered; otherwise an error occurs and the file is not written. This approach slightly complicates classic password brute-forcing, in which the next combination is tried after the previous one has failed. However, a marker of successful extraction still exists: it is enough to specify an empty directory as the output directory and try passwords until a file appears in it. It would be better to write any extraction result to a file, which would increase the level of security.

Stegomarks are embedded differently in this program than in the others. First, a signature is generated and saved in a separate file with the SIG extension. It is impossible to write any meaningful information in it: it is just a unique set of bits, like a private key.

Creating a “watermark”

After embedding the stegomark, a new and visually identical image file is created in which it “dissolves.” The verification process boils down to checking the presence of the specified signature inside the file. If it is completely preserved, then the match will be one hundred percent. If the file has been modified, the stego mark may be partially lost. The method was intended as an attempt to implement persistent watermarks, but in its current implementation it is practically useless. The program shows a zero percentage of compliance after only a small cropping of the image and resaving in PNG with high compression.

Watermarks evaporate after a little processing

RARJPEG

You can hide some files inside others without any steganographic utilities. Of course, this is not a neat “dissolution” using the LSB algorithm but a simple merger. Still, this method, known in narrow circles, has its advantages. Firstly, it is available without additional tools. Secondly, it makes it easy to transfer any file by uploading it as a graphic to some site (for example, image hosting or, more often, an imageboard).

The meaning of the method is that graphic files (in particular, JPEG) begin to be interpreted immediately from the header, while archives are read only from the start mark of the archive. The label itself can be located anywhere inside the file, since, in addition to regular archives, there are multi-volume and self-extracting ones.

As an experiment, let's pack all the programs from today's review into a ZIP archive and add this archive to the Wallpaper.jpg file, creating a new image: Wallpaper-x.jpg. Let's just launch the Windows console and write:

type Wallpaper.jpg Steg.zip > wallpaper-x.jpg
Adding ZIP to JPG

The output will be a combined file wallpaper-x.jpg. It can be viewed as a picture or opened with any archiver that supports the ZIP format. If you change the file extension to ZIP, it will open as a directory in the file manager. You can even do without renaming and immediately use the archive plugin through the quick unpacking command (for example, {ALT}+{F9} in Total Commander). All files from such a “picture” will be extracted without problems.

The described trick has been known for a long time and also works with some other file formats (both graphic and archive), but the combination RAR + JPEG has gained the most popularity.

The beginning of the ZIP archive inside the image and the name of the first archive file

Conclusions

So, we looked at seven utilities that are identical in their purpose. While some can be safely recommended, I cited others to illustrate typical mistakes.

True steganography utilities do not change the size of the container file. They “dissolve” the hidden message using an LSB or more advanced algorithm, aiming to make the distribution of modified bytes indistinguishable from the overlay of random noise. Advanced utilities can use encryption, but you can add it yourself - for example, using VeraCrypt or the same RAR.

Many programs have been discovered that seem to promise protection, but in fact have a very indirect relationship to steganography. They simply append the hidden file to the end of the original one, use recognizable pointers and weak encryption.

Steganography is most effectively used not instead of cryptography, but together with it. This combination allows you to hide both the information itself and the fact of its storage or transmission.


Steganography

Hornbeam
5 min

On Habr we have already written several times about steganography; in particular, a recent post about LSB steganography (which, unfortunately, the author moved to drafts) awakened in me a desire to share my knowledge and thoughts on this topic.

Let's assume that you are a spy and (like any self-respecting spy) you have a lot of secret information on your hard drive. You need to hide it so that no one finds it. Moreover, if you are caught, your computer will be sent for examination and whoever looks for this information will be 99% sure that such information is on the hard drive.

So what ways to hide information are at our disposal...

Method 1 - Trivial


The easiest way is to rename the file. For example, you have a picture that needs to be hidden. You simply change the file extension, and the system no longer recognizes the image as an image. But, of course, this protects only against a casual look. If you, for example, rename a JPG file to RAR, such a RAR archive cannot be opened; WinRar will complain that the archive is broken, which will arouse suspicion and lead to a deeper study of the file.

Method 2 - Trivial, advanced


Another simple but more advanced method is to merge two different files into one. The simplest example is adding a RAR archive to the end of a JPEG image. Such an image opens without problems in any program for viewing or editing pictures, and also opens in WinRar. The reason is that almost all archive programs allow for an archive that does not start at the beginning of the file, since the archive may be wrapped in a self-extracting shell. The disadvantage of this method is that such gluing is easy to notice. For example, if a picture measures 200x200 and weighs 2 megabytes, suspicion arises immediately. In addition, all formats (containers) usually have a clear structure, and redundant information that suddenly appears in a file is easy to detect.

Therefore, we need a way to hide information that does not violate the structure of the file of the selected format.
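The structural check that exposes such gluing, covering both the RARJPEG trick and Method 2 above, can look like the following. It is an added example rather than code from either article; the sample JPEG is a constructed, structurally minimal byte string (not a decodable picture), and the function names are hypothetical.

```python
import io
import zipfile

ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar"}

def jpeg_end_offset(data):
    """Walk the JPEG segment structure and return the offset just past EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: SOI marker missing")
    i = 2
    while i + 2 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"marker expected at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                      # fill byte before a marker
            i += 1
            continue
        if marker == 0xD9:                      # EOI: the image ends here
            return i + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            i += 2
            continue
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")
        if marker == 0xDA:                      # SOS: skip entropy-coded scan data
            while i + 1 < len(data):
                if data[i] != 0xFF:
                    i += 1
                elif data[i + 1] == 0x00 or 0xD0 <= data[i + 1] <= 0xD7:
                    i += 2                      # stuffed 0xFF or restart marker
                else:
                    break
    raise ValueError("EOI marker not found")

def inspect_image(data):
    """Report what follows the image and list members of an appended ZIP."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    found = sorted(kind for magic, kind in ARCHIVE_MAGIC.items() if magic in trailer)
    members = []
    if "zip" in found:
        try:
            with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            pass                                # signature present, archive damaged
    return {"image_bytes": end, "trailing_bytes": len(trailer),
            "archives": found, "members": members}

def build_sample():
    """Constructed input: a minimal JPEG skeleton, alone and with a ZIP appended."""
    jpeg = (b"\xff\xd8"
            b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
            b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
            b"\x12\xff\x00\x34\xff\xd0\x56"
            b"\xff\xd9")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed payload")
    return jpeg, jpeg + buf.getvalue()

if __name__ == "__main__":
    for sample in build_sample():
        print(inspect_image(sample))
```

Some cameras and editors also leave harmless bytes after the end-of-image marker, so trailing data is a reason to look closer rather than proof of a hidden archive.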

Method 3 - LSB


As already written earlier, this method is very simple to implement, while it does not violate the rules of the container and the file does not store redundant information. But this method also has quite a few disadvantages. Firstly, it only applies to a small number of containers. For example, it cannot be applied to JPG, MP3 or AVI format. But as a rule, files of precisely these formats are stored in hundreds on our computers, and this is where it is most convenient to hide information. Personally, I would immediately suspect something was wrong if I found a large library of pictures in BMP format on my computer. This method also fails in images with a uniform surface. Try applying this method to an MP3 file. Changing just one bit every 2 or even more bytes will lead to inevitable damage to audio data.

For those who want to play around with this method, I can offer a plugin for Total Commander that allows you to hide data in some image containers, as well as in WAV (provided that the audio data is encoded using the PCM codec).

There are also more advanced algorithms, for example the Koch-Zhao algorithm, which hides data only in pictures. Its difference is that it encodes one bit of information in 8x8 pixel blocks. Unfortunately, due to the small amount of information about this algorithm on the Internet, I cannot tell you anything more about it.

Method 4 - Meta Data


Many formats can store certain metadata. The advantage of this method is that it also does not violate the file format, and working with this metadata is usually well documented and there are ready-made libraries that allow you to quickly write a program to store your data in these files. Almost all media formats have metadata support. However, it is not always possible to store data there so that it is not visible. So where can you try to store secret data:
MP3

Only recently a post appeared on Habr, “Hide text in MP3”, which describes a PHP implementation of storing your information in the ID3v1 tag. However, the ID3v1 tag has very strict restrictions, and not much information can be stored there. In addition, in any normal media player all your data is visible at a glance. The ID3v2.4 tag is a completely different matter: it allows you to store much larger data, and also allows you to save any non-standard data. For example, some programs store volume and normalization settings there for each individual file. Media players usually don't display options they don't know about.
Since we are talking about MP3, it is worth mentioning the little-known Lyrics3 tag, which was created to store song lyrics in a file, as well as an extension of the ID3v1 tag (for example, it allowed saving a longer song title), but the release of the ID3v2 tag standard prevented the Lyrics3 tag from becoming widespread. But strangely enough, a large number of MP3 files that can now be found on the Internet contain this tag (although nothing else is stored there except the name of the song).
JPEG

The JPEG format has support for the EXIF tag. The data in this tag is stored in key=value pairs. In theory, there is no problem adding some non-standard key containing your encrypted data there. A program working with this tag, having stumbled upon this key, will most likely simply ignore it and not display it.
AVI

Not many people know that AVI files also have support for metadata, and you can store a lot of things there. As in MP3 and JPEG, you can create your own key, which will simply be ignored by programs working with metadata. I can recommend a good program for viewing metadata of AVI files: abcAvi Tag Editor

The disadvantage of storing secret data in the file's metadata is obvious; there are many programs that display their entire contents, including non-standard and private values.
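How a reviewer lists what a media player does not display can be shown on the ID3v2 tag. This is an added example, not code from the article; the tag bytes are constructed, the function names and the 256-byte size limit are assumptions, and the parser assumes a tag without an extended header or unsynchronisation.

```python
OPAQUE_FRAMES = {"TXXX", "PRIV", "GEOB"}   # user-defined text, private data, embedded object

def to_syncsafe(n):
    """Encode an integer as four bytes with seven significant bits each."""
    return bytes((n >> shift) & 0x7F for shift in (21, 14, 7, 0))

def from_syncsafe(raw):
    return (raw[0] << 21) | (raw[1] << 14) | (raw[2] << 7) | raw[3]

def id3v2_frames(data):
    """List (frame_id, payload_size) for an ID3v2.3 or ID3v2.4 tag at the file start."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major = data[3]
    if major not in (3, 4):
        raise ValueError(f"unsupported ID3v2 major version {major}")
    end = min(len(data), 10 + from_syncsafe(data[6:10]))
    pos, frames = 10, []
    while pos + 10 <= end and data[pos] != 0:      # a zero byte starts the padding
        raw = data[pos + 4:pos + 8]
        # v2.4 stores frame sizes as syncsafe integers, v2.3 as plain big-endian
        size = from_syncsafe(raw) if major == 4 else int.from_bytes(raw, "big")
        frames.append((data[pos:pos + 4].decode("latin-1"), size))
        pos += 10 + size
    return frames

def review_tag(data, size_limit=256):
    """Return frames that can carry arbitrary data or are unusually large."""
    return [(fid, size) for fid, size in id3v2_frames(data)
            if fid in OPAQUE_FRAMES or size > size_limit]

def build_sample():
    """Constructed ID3v2.4 tag: a title, a user-defined text frame, a private frame."""
    def frame(fid, body):
        return fid + to_syncsafe(len(body)) + b"\x00\x00" + body
    body = (frame(b"TIT2", b"\x03Song")
            + frame(b"TXXX", b"\x03cfg\x00" + b"A" * 300)
            + frame(b"PRIV", b"example\x00" + bytes(64)))
    audio = b"\xff\xfb" + bytes(32)                # stand-in for the MPEG audio data
    return b"ID3\x04\x00\x00" + to_syncsafe(len(body)) + body + audio

if __name__ == "__main__":
    for fid, size in review_tag(build_sample()):
        print(f"{fid}: {size} bytes")
```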

Method 5


And finally, I want to tell you about one wonderful way to store secret data in MP3 files. It is implemented in the program MP3Stego. Unfortunately, the author of this program has not updated the project since 2006. The idea is that the data is first encrypted and then mixed into the final result at the heart of the process of encoding the MP3 file (from WAV). The result is a regular MP3 file, without noticeable distortion, but containing encoded data.