*Note: This article was originally published by the author on December 31, 2018.
Happy New Year 2019! May the new year bring good tidings to you and yours.
“Steg Challenge_December 2018” was the first steganography challenge I put forth to the community and, as such, I gave you all some clues to follow to help you along. I didn’t quite give you a full month to complete this month’s challenge, but you did get a full 2 weeks, from December 16, 2018, when the initial challenge was posted, until December 31, 2018. I am confident that many people will not even check back here as it is the last day of the year (i.e., New Year’s Eve) and you may be somewhat indisposed mentally due to your festivities, but rest assured that cybercriminals will not delay their attacks just because it is the holidays. If anything, they will try to take advantage of such situations, when your guard may be down and they know staffing levels are at their lowest. That is the perfect time to pull off an attack. So without further ado…
1. The 1st clue of the challenge should’ve been the 3 images I used in the initial challenge post. While there are several different types of steganography, it is worth noting that the most common form of digital steganography is image steganography. Image steganography is usually performed using Least Significant Bit (LSB) steganography, which changes the right-most bit of an 8-bit Byte of data (1 Byte generally equals 8 bits, depending on the file system used) from 1 to 0 or vice versa throughout the Bytes of an image file when encoding the secret or hidden data into the cover medium file (an image file in this case). Changing only the right-most bit using the LSB technique is such a subtle change, only 1 bit out of 8 in a single Byte of data, repeated over and over, that it does not visibly distort the quality of the image, and no one would suspect there was a hidden file within the image file’s binary composition. Many steganography applications use the LSB form of image steganography. Check out the diagram below to learn how it works.
So, if you suspected that the hidden file was embedded in an image then you were correct. Hey, I said this was going to be easy the first time around. Now, which image was the hidden file embedded in? To find the answer, you needed to dig a little deeper.
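To make the LSB idea from the clue above concrete, here is an added example (my own code, not from the original article and not Steghide’s algorithm, which works on JPEG coefficients rather than raw pixel bytes). It embeds a length-prefixed message into the least significant bit of a constructed array of 8-bit “pixel” bytes, extracts it again, and measures how much any single pixel changed.

```python
"""Least-significant-bit (LSB) embedding and extraction over a constructed
byte array that stands in for 8-bit grayscale pixels (added example)."""
import random


def embed_lsb(cover: bytes, secret: bytes) -> bytes:
    """Write `secret` (with a 4-byte big-endian length prefix) into the
    LSB of successive cover bytes, most significant payload bit first."""
    payload = len(secret).to_bytes(4, "big") + secret
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # clear the LSB, then set it
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix from the LSB plane, then that many bytes."""
    def read_bytes(start: int, count: int) -> bytes:
        vals = bytearray()
        for k in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (stego[start + k * 8 + i] & 1)
            vals.append(byte)
        return bytes(vals)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)  # the 4-byte prefix occupies 32 LSBs


def max_pixel_delta(cover: bytes, stego: bytes) -> int:
    """Largest change to any single pixel value between cover and stego."""
    return max(abs(x - y) for x, y in zip(cover, stego))


# Constructed cover: 4096 pseudo-random pixel bytes from a fixed seed.
_rng = random.Random(2018)
COVER = bytes(_rng.randrange(256) for _ in range(4096))
SECRET = b"Congratulations! You have solved the first Steg Challenge."

if __name__ == "__main__":
    stego = embed_lsb(COVER, SECRET)
    print(extract_lsb(stego).decode())
    print("max per-pixel change:", max_pixel_delta(COVER, stego))  # 1
```

Every pixel moves by at most one intensity level, which is why the embedding is invisible to the eye and why detection relies on statistics of the LSB plane rather than on looking at the picture.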
2. The 2nd clue I gave was the Null-Byte Wonder How To article link. If you did your homework and read the article, you might have viewed the embedded video which explains how to use the “Steghide” application to secretly embed data into another file. You’ll find with Digital Forensics & Incident Response (DFIR) that you often have to follow vague leads such as this to turn over stones and investigate where a trail leads. That is just the nature of how this stuff works. Depending on your hacking skills and proficiency with the command prompt, you could’ve used any number of operating systems to download Steghide to detect the presence of steganography. You could’ve also used a different steganalysis tool to attempt to detect the presence of steganography.
3. How I performed the stego-exploit:
-Steg application used & OS: Steghide / VirtualBox running Kali Linux v. 2018.4
-Cover medium image file (pasted below): “1_puCPMhks9Z5SSpVEL1BUHg.jpeg” was encrypted and password-protected using Steghide.
-To embed type: steghide embed -cf 1_puCPMhks9Z5SSpVEL1BUHg.jpeg -ef secret.txt (p/w= P@ssw0rd; Steghide prompts for the passphrase, or it can be supplied with -p)
-To extract hidden contents: steghide extract -sf 1_puCPMhks9Z5SSpVEL1BUHg.jpeg (enter p/w) and Steghide would write the extracted data to “secret.txt”
-Viewing the image in a text editor such as “Notepad” wouldn’t yield anything but gibberish ciphertext. You would have needed to crack the password using a password-cracking tool to view the embedded file contents in plaintext and be able to make sense of it. Now, are you beginning to get an idea of just how difficult it is to detect steganography, let alone intercept and decode secret messages?
Inspecting the source code of the image above on the original Medium.com “Steg Challenge_December 2018” article, we get the following:
Sometimes I like to use the free version of WinHex (X-Ways Forensics hex editor) to examine the file headers and the compression ratio of image files, and in this case it resulted in the following image. This is also known as Peak Signal-to-Noise Ratio (PSNR). You’re looking for spikes; the higher the number and concentration of spikes, the greater the chance that some other data is compressed into the cover file. Because the “secret.txt” file was so small, it did not have a significant effect on the compression ratio of the stego-tweet image file using the LSB steganography technique. The fading color on the left is normal imagery spread-spectrum analysis shading.
-Embedded filename: “secret.txt” which was a simple password-protected text file containing the following text: “Congratulations! You have solved the first Steg Challenge. Challenges will become progressively more difficult from here forth.”
If you solved the puzzle, then I am very impressed as steganalysis is very difficult and somewhat of an obscure tradecraft. I must admit that when I first created this series of challenges, it was partly a quest to find other ‘steg-heads’ like myself. Of course, there are many other methods that could also be used to solve this challenge. Some are easier than others, but this is also a “teachable moment” so I am walking those of you brave enough to follow through some processes. Are there other ways to use steganography? Sure, of course. This is just one particular method, using one particular application.
Check out this short video that describes how steganography is being used primarily by cybercriminals for information hiding:
Lastly, I would like to tell you that detecting steganography is very difficult without knowing what to look for and the proper tools. Even then, it can still be very difficult. So don’t feel discouraged if you were not able to solve the challenge. There’s always next month’s puzzle! For more information on digital steganography and the cyber threats it poses, please check out the following links.