--- name: steganography-techniques description: >- Steganography detection and extraction playbook. Use when analyzing images (LSB, PNG chunks, JPEG DCT, EXIF), audio (spectrogram, DTMF), files (polyglots, appended data, ADS), and text (whitespace, zero-width, homoglyphs) for hidden data. --- # SKILL: Steganography Techniques — Expert Analysis Playbook > **AI LOAD INSTRUCTION**: Expert steganography detection and extraction techniques. Covers image steganography (LSB, PNG chunk hiding, JPEG DCT, EXIF metadata, dimension tricks, palette manipulation), audio steganography (spectrogram, LSB, DTMF, morse), file steganography (polyglots, binwalk, NTFS ADS, steghide), and text steganography (whitespace, zero-width Unicode, homoglyphs). Base models miss the systematic file-type-based analysis approach and tool-specific extraction workflows. ## 0. RELATED ROUTING Before going deep, consider loading: - [traffic-analysis-pcap](../traffic-analysis-pcap/SKILL.md) for extracting files from network captures before stego analysis - [memory-forensics-volatility](../memory-forensics-volatility/SKILL.md) for extracting files from memory dumps - [classical-cipher-analysis](../classical-cipher-analysis/SKILL.md) if extracted hidden data is further encrypted/encoded ### Tool Reference Also load [STEGO_TOOLS_GUIDE.md](./STEGO_TOOLS_GUIDE.md) when you need: - Tool installation instructions and dependencies - Detailed command reference for each stego tool - Workflow patterns for specific file types --- ## 1. IMAGE STEGANOGRAPHY ### LSB (Least Significant Bit) LSB embeds data in the least significant bits of pixel color channels. ```bash # zsteg — LSB analysis for PNG/BMP zsteg image.png # auto-detect all LSB patterns zsteg image.png -a # try all known methods zsteg image.png -b 1 # extract bit plane 1 zsteg image.png -E "b1,rgb,lsb,xy" # specific extraction pattern # StegSolve (Java GUI) java -jar StegSolve.jar # Navigate color planes: Red 0, Green 0, Blue 0 → look for hidden image/text # Data Extractor: specify bit planes + byte order # stegoveritas — comprehensive automated analysis stegoveritas image.png # Runs: exiftool, binwalk, zsteg, foremost, color plane extraction ``` ### PNG Specific ```bash # pngcheck — validate structure, find hidden chunks pngcheck -v image.png # Hidden chunks: tEXt, zTXt (compressed text), iTXt (international text) # Custom/private chunks may contain hidden data # CRC vs dimensions trick # If CRC doesn't match declared dimensions → image was cropped # Fix: brute-force correct width/height → reveals hidden rows/columns python3 -c " import struct, zlib with open('image.png','rb') as f: data = f.read() # Check IHDR CRC at offset 29 ihdr = data[12:29] for h in range(1,2000): for w in range(1,2000): new_ihdr = struct.pack('>II',w,h) + ihdr[8:] if zlib.crc32(b'IHDR'+new_ihdr) & 0xffffffff == struct.unpack('>I',data[29:33])[0]: print(f'Width: {w}, Height: {h}') " # APNG (animated PNG) — hidden frames # Use apngdis to extract all frames: apngdis image.png ``` ### JPEG Specific ```bash # steghide — embed/extract from JPEG (DCT coefficient modification) steghide extract -sf image.jpg # extract (no passphrase) steghide extract -sf image.jpg -p PASSWORD # extract with passphrase steghide info image.jpg # check if data is embedded # stegcracker — brute force steghide passphrase stegcracker image.jpg wordlist.txt # jsteg — JPEG LSB steganography jsteg reveal image.jpg output.txt # JPEG structure analysis exiftool -v3 image.jpg # verbose metadata + structure jpegdump image.jpg # raw JPEG marker analysis ``` ### EXIF Metadata ```bash # exiftool — comprehensive metadata extraction exiftool image.jpg exiftool -b -ThumbnailImage image.jpg > thumb.jpg # extract thumbnail exiftool -all= image.jpg # strip all metadata # Hidden data in EXIF fields (comment, artist, copyright, etc.) exiftool -Comment image.jpg exiftool -UserComment image.jpg strings image.jpg | grep -i "flag\|key\|secret" ``` ### Palette-Based (GIF) ```bash # GIF color table manipulation — data in color palette order gifsicle -I image.gif # info gifsicle --color-info image.gif # palette details # Check for animation frames: convert -coalesce image.gif frame_%d.png ``` --- ## 2. AUDIO STEGANOGRAPHY ### Spectrogram Analysis ```bash # Sonic Visualiser — best for spectrogram viewing # Layer → Add Spectrogram → look for visual patterns (text/images) # Audacity # Analyze → Plot Spectrum # Select audio → change view to Spectrogram # sox for command-line spectrogram generation sox audio.wav -n spectrogram -o spectro.png ``` ### Audio LSB ```bash # DeepSound — hide/extract files in audio (Windows) # GUI tool: open audio file → extract hidden files # WavSteg — LSB in WAV files python3 WavSteg.py -r -i audio.wav -o output.txt -n 1 # extract 1 LSB python3 WavSteg.py -r -i audio.wav -o output.txt -n 2 # extract 2 LSBs ``` ### DTMF / Morse Code ```bash # DTMF decoder (phone tones) multimon-ng -t wav -a DTMF audio.wav # Morse code # Audacity → visual inspection of on/off pattern # Online decoder or manual: .- = A, -... = B, etc. # SSTV (Slow-Scan Television) — image in audio qsstv # GUI decoder # Or: RX-SSTV (Windows) ``` ### WAV Header Manipulation ```bash # Check for data appended after WAV audio data # WAV data chunk size vs actual file size python3 -c " import wave w = wave.open('audio.wav','rb') print(f'Frames: {w.getnframes()}, Channels: {w.getnchannels()}, Width: {w.getsampwidth()}') expected = w.getnframes() * w.getnchannels() * w.getsampwidth() + 44 # 44 = WAV header import os actual = os.path.getsize('audio.wav') if actual > expected: print(f'Extra data: {actual - expected} bytes appended') " ``` --- ## 3. FILE STEGANOGRAPHY ### Polyglot Files A single file that is valid in two or more formats simultaneously. ```bash # Detection: check file with multiple tools file suspicious_file xxd suspicious_file | head # check magic bytes binwalk suspicious_file # find embedded files # Common polyglots: PDF+ZIP, JPEG+ZIP, JPEG+RAR, PNG+ZIP # Try unzip on image files: unzip image.jpg -d extracted/ 7z x image.jpg -oextracted/ ``` ### Appended / Embedded Data ```bash # binwalk — scan for embedded files and data binwalk image.png # scan binwalk -e image.png # extract embedded files binwalk --dd='.*' image.png # extract everything # foremost — file carving foremost -i suspicious_file -o output_dir/ # dd — manual extraction # If binwalk shows embedded ZIP at offset 0x1234: dd if=suspicious_file bs=1 skip=$((0x1234)) of=extracted.zip ``` ### NTFS Alternate Data Streams (ADS) ```cmd :: List ADS (Windows) dir /r file.txt Get-Item file.txt -Stream * :: Read hidden stream more < file.txt:hidden_stream Get-Content file.txt -Stream hidden_stream :: Create ADS (for testing) echo "hidden data" > file.txt:secret ``` ### Steghide Brute Force ```bash # stegcracker — wordlist attack on steghide passphrase stegcracker image.jpg /usr/share/wordlists/rockyou.txt # stegseek — faster alternative stegseek image.jpg /usr/share/wordlists/rockyou.txt # stegseek is ~10000x faster than stegcracker ``` --- ## 4. TEXT STEGANOGRAPHY ### Whitespace Encoding ```bash # Tabs and spaces encode binary (tab=1, space=0 or vice versa) # stegsnow — whitespace steganography stegsnow -C message.txt # extract hidden message stegsnow -C -p PASSWORD message.txt # extract with password # Manual detection: cat -A file.txt | head # show tabs (^I) and line endings ($) xxd file.txt | grep "09 20\|20 09" # look for tab/space patterns ``` ### Zero-Width Characters ```bash # Unicode invisible characters used for encoding: # U+200B (Zero-Width Space), U+200C (ZWNJ), U+200D (ZWJ), U+FEFF (BOM) # Detection: python3 -c " text = open('message.txt','r').read() hidden = [c for c in text if ord(c) in [0x200b, 0x200c, 0x200d, 0xfeff]] print(f'Found {len(hidden)} zero-width characters') binary = ''.join('0' if ord(c)==0x200b else '1' for c in hidden) # Convert binary to ASCII " # Online tools: holloway.nz/steg, Unicode Steganography decoders ``` ### Homoglyph Substitution ```bash # Visually identical characters from different Unicode blocks # e.g., Latin 'a' (U+0061) vs Cyrillic 'а' (U+0430) # Detection: python3 -c " text = open('message.txt','r').read() for i, c in enumerate(text): if ord(c) > 127: print(f'Position {i}: char={c} ord={ord(c)} name={__import__(\"unicodedata\").name(c,\"?\")}') " ``` --- ## 5. DECISION TREE ``` Suspect hidden data — what file type? │ ├── Image (PNG/BMP)? │ ├── Check metadata: exiftool (§1 EXIF) │ ├── Check structure: pngcheck, binwalk (§1 PNG) │ ├── LSB analysis: zsteg, StegSolve (§1 LSB) │ ├── Check dimensions vs CRC: height/width brute force (§1 PNG) │ ├── Check for appended data: binwalk -e (§3) │ └── Try as polyglot: unzip/7z (§3) │ ├── Image (JPEG)? │ ├── Check metadata: exiftool (§1 EXIF) │ ├── Try steghide: steghide extract (§1 JPEG) │ │ └── Password protected? → stegseek brute force (§3) │ ├── Try jsteg: jsteg reveal (§1 JPEG) │ ├── Check for appended data: binwalk -e (§3) │ └── Check thumbnail: exiftool -b -ThumbnailImage (§1 EXIF) │ ├── Image (GIF)? │ ├── Check frames: extract all animation frames (§1 Palette) │ ├── Check palette: gifsicle --color-info (§1 Palette) │ └── Check for appended data: binwalk -e (§3) │ ├── Audio (WAV/MP3/FLAC)? │ ├── Spectrogram: Sonic Visualiser / Audacity (§2) │ ├── LSB: WavSteg (§2) │ ├── DTMF tones: multimon-ng (§2) │ ├── Morse code: manual or decoder (§2) │ ├── SSTV: qsstv (§2) │ └── Check file size vs expected: header analysis (§2) │ ├── Text file? │ ├── Check whitespace: cat -A, stegsnow (§4) │ ├── Check zero-width chars: Unicode analysis (§4) │ ├── Check homoglyphs: non-ASCII detection (§4) │ └── Check encoding: multiple base decodings │ ├── Any file type? │ ├── strings: strings -n 8 file | grep -i "flag\|key\|pass" │ ├── binwalk: binwalk -e file (embedded files) (§3) │ ├── file: file suspicious_file (true type) │ ├── xxd: check magic bytes, compare headers │ └── NTFS? → check ADS: dir /r (§3) │ └── Password/passphrase needed? ├── steghide → stegseek / stegcracker (§3) ├── Check challenge description for hints └── Try common passwords: password, file name, challenge name ```