steg lab 2014-15


Upload: james-webb

Post on 12-Sep-2015


Steganography

Today we are going to use some steganography tools, and a tool to detect the use of steganography.

1. Copy the folder named Stg from our module folder on the shared drive. This contains JPHide and Seek, Stegdetect and Stegbreak.

2. the shared drive in our module folder.

3. S-Tools is already in your forensic VM.

JP Hide and Seek

Hiding Data in a .jpg using JP Hide and Seek

1. Unzip the contents of JP Hide and Seek.rar into your Forensic VM.

2. Double click on the file Florence holiday snap. This is a clean (no hidden data) photograph.

3. View the properties of this photograph using Windows Explorer.

4. Examine the secret_password1.pdf file. This file contains usernames and passwords.

5. Run Jphswin.exe by double clicking on the file.

6. Choose Open jpeg from the menu and open the Florence holiday snap.jpg. JPHS will populate the input jpeg file information from the selected file.

It will specify a maximum file size that can be hidden within this image and recommend a limit that will make it less likely that the corruption of the image will be visually detectable.

7. Check to see that your data matches the expected values:

What is the recommended limit to the data file size that can be hidden in this picture file?

What is the maximum size for a data file that can be hidden in this picture file?

8. From Windows Explorer, examine the properties of the file secret_password1.pdf.

What is the exact file size of the file?

Will the picture Florence holiday snap.jpg be suitable, in terms of size, for hiding this data?

9. Choose Hide from the menu. You are prompted for a passphrase, which will be needed to extract the hidden data. Choose a passphrase, then enter and confirm it. Click OK.

10. You will be prompted to select the file containing the information to hide. Choose the file secret_passwords1.pdf.

11. JPHS will report the details of the file to be hidden. Note that the values reported in JPHS are approximate.

What is the JPHS reported size of the hidden file secret_passwords1.pdf?

According to JPHS, will this image be suitable, in terms of size, for hiding this data?

12. Click on Save jpeg as. Save the file as my_florence_holiday_snap.jpg.

13. Note the difference in the input and saved jpeg files. Examine the properties of the newly created picture file.

What is the exact size of this file containing the picture?

Is the saved picture file larger or smaller than the input picture file?

14. Open both of the picture files. Are there any differences detectable visually?


Recovering hidden data in a jpeg picture using JP Hide and Seek

1. Run Jphswin.exe

2. Choose Open jpeg from the menu.

3. Select the file my_florence_holiday_snap.jpg, i.e. the file containing the hidden data.

4. Choose Seek from the menu. A dialogue box will open. Enter the passphrase.

5. Choose a file name and location in which to save the recovered information. Open this file and check that its contents are the same as the original file.

6. Check the file sizes of the original data file secret_password1.pdf and the recovered data file.

7. Has the steganography changed the hidden data?

S-Tools

You will be using the S-Tools steganography tool, located in C:\Win7_Software\s-tools in the forensic VM (there is a shortcut on the desktop). Start with the tutorial in Quick start.doc, which is on the shared S: drive. Then try hiding files yourself:

1. What happens if you choose an inappropriate cover file type (i.e. not bmp, gif or wav)?

2. What happens if you try to put too much into the cover file?

3. How much data can you hide in a given size of cover file?

4. Does the cover file or hidden file(s) type affect the amount of data that can be stored?

5. Now open the original cover file and the stegofile in WinHex.

a. Can you locate some of the changed bytes?

b. Which bits in those bytes have been changed?

c. Are the same bit-positions always changed?

d. What happens if you change one of the changed bytes in the stegofile back to its original value? Does the stegofile still work with S-Tools?

Detecting hidden data in a JPEG using Stegdetect

1. Use Stegdetect, which can be found in the shared drive.

2. Place your stegged and non-stegged picture files together within a folder.

3. Run xsteg.exe.

4. Point it at this folder.

5. Which files does Stegdetect suspect of containing hidden data?
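The S-Tools WinHex questions (which bytes and which bit positions change, how much fits, what happens when one changed byte is put back) and the Stegdetect question (which files look suspicious) can both be reproduced offline with a small model of the simplest technique, 1-bit LSB embedding. The code below is an added example; it is not part of the lab handout and not the code of S-Tools or Stegdetect. The cover is a constructed byte string with a comb histogram (every odd value empty, as contrast stretching leaves behind), not any picture from the lab, and the pairs-of-values chi-square statistic is a textbook LSB heuristic for raw 8-bit samples (BMP/WAV style data), not the JPEG-oriented tests Stegdetect applies.

```python
# Added example, not part of the lab handout and not S-Tools' or Stegdetect's
# own code: a minimal 1-bit LSB embedder over a constructed cover, with the
# checks behind the S-Tools WinHex questions (capacity, which bit positions
# change, what reverting one changed byte does) and a pairs-of-values
# chi-square statistic as a textbook LSB steganalysis heuristic.
import random
from collections import Counter

PAIRS = 128  # the 256 possible sample values form 128 LSB pairs (2k, 2k+1)


def make_cover(n_samples: int, seed: int = 1) -> bytes:
    """Constructed cover, not a real image: peaked 8-bit values stretched by 2,
    giving the comb histogram (every odd value empty) that contrast stretching
    leaves behind. Chosen so the chi-square effect is easy to see."""
    rng = random.Random(seed)
    return bytes(2 * sum(rng.randint(0, 31) for _ in range(4))
                 for _ in range(n_samples))


def capacity_bytes(cover: bytes) -> int:
    """One hidden bit per cover sample, so capacity is samples // 8 bytes."""
    return len(cover) // 8


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits, most significant first, into the LSB of successive samples."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload {len(payload)} B exceeds capacity {capacity_bytes(cover)} B")
    out = bytearray(cover)
    idx = 0
    for byte in payload:
        for shift in range(7, -1, -1):
            out[idx] = (out[idx] & 0xFE) | ((byte >> shift) & 1)
            idx += 1
    return bytes(out)


def extract(stego: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the LSBs; the caller must know the length."""
    result = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[8 * b + i] & 1)
        result.append(value)
    return bytes(result)


def changed_bit_positions(cover: bytes, stego: bytes) -> dict:
    """Bit position (0 = LSB) -> number of samples where that bit differs."""
    counts = Counter()
    for c, s in zip(cover, stego):
        for pos in range(8):
            if ((c ^ s) >> pos) & 1:
                counts[pos] += 1
    return dict(counts)


def revert_first_changed_byte(cover: bytes, stego: bytes) -> bytes:
    """Put the first modified sample back to its cover value (WinHex question 5d)."""
    out = bytearray(stego)
    for i, (c, s) in enumerate(zip(cover, stego)):
        if c != s:
            out[i] = c
            break
    return bytes(out)


def chi_square_pov(samples: bytes) -> float:
    """Pairs-of-values statistic: full-rate LSB embedding of random bits
    equalizes the counts of 2k and 2k+1, so the statistic collapses for a
    cover whose histogram is uneven within pairs."""
    hist = Counter(samples)
    stat = 0.0
    for k in range(PAIRS):
        even, odd = hist.get(2 * k, 0), hist.get(2 * k + 1, 0)
        expected = (even + odd) / 2
        if expected:
            stat += (even - expected) ** 2 / expected
    return stat


def demo() -> dict:
    cover = make_cover(16_000)
    secret = b"user:alice pass:hunter2"  # constructed sample payload
    stego = embed(cover, secret)
    # Full-rate random payload, so every sample carries a bit, for the
    # detection comparison against the untouched cover.
    full = embed(cover, random.Random(2).randbytes(capacity_bytes(cover)))
    return {
        "capacity": capacity_bytes(cover),
        "roundtrip": extract(stego, len(secret)),
        "changed": changed_bit_positions(cover, stego),
        "reverted": extract(revert_first_changed_byte(cover, stego), len(secret)),
        "chi_clean": chi_square_pov(cover),
        "chi_stego": chi_square_pov(full),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Only bit position 0 ever changes, and only in samples whose LSB did not already match the payload bit, which is what the WinHex diff in question 5 shows for a 1-bit LSB tool. Reverting a single changed byte flips exactly one bit of the recovered data: the rest still extracts, but the hidden file is no longer identical to the original. The clean cover scores far higher on the chi-square statistic than the fully embedded copy, which is the signal a statistical detector looks for; a short payload such as the constructed one above only disturbs the first few hundred samples, which is why detectors scan windows rather than whole files.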

Recovering steganographic passwords with Stegbreak

1. Extract the contents of the usr.zip file directly to your C:\ drive. The .zip file contains a folder named Usr. Do not modify or change this folder. It contains the file structure that StegBreak needs in order to function.

2. From StegDetect, identify a file which has a hidden message, e.g. zebras2.jpg.

3. We will use a DOS-based program, Stegbreak.exe, to crack the passwords. It will be easier to run if the files containing messages are in the same folder.

4. Go to a DOS window by using CMD in RUN under the Start menu. Make sure that the command window has administrator privileges. Navigate to the stego directory in which you placed the stegged file.

5. The command syntax for the stegbreak.exe application can be found in Stegbreak.pdf file.

6. Make sure the dictionary used (MedDict.dic) and the rules.ini file are in the same directory as stegbreak.exe. The syntax to run a dictionary attack is:

stegbreak -r rules.ini -f meddict.dic my_2009_miss_gsu.jpg

a) The name following the r parameter is the rules.ini file. It comes with the program but must be in the same directory as stegbreak.

b) The name following the f parameter is the name of the dictionary to use. In this case, the dictionary's name is MedDict.Dic, which is found in the same DOS directory as the other files.

c) Stegbreak defaults to breaking jphide; an additional parameter, t, can be used to crack outguess or jsteg-shell codes. See the stegbreak.pdf file.

7. The figure below shows the results of breaking the file zebras2.jpg.

8. What is the password for the hidden message in the file zebras2.jpg?

Extension activity

Identify and download some steganography and steganalysis tools from the Internet and try them out. (See this week's lecture notes for some links). For example:

SNOW http://www.darkside.com.au/snow/