Inplainsight

We obtained an enforcement order on one of our high-priority targets' email account.

They have been sending mysterious e-mails to an associate with no subject and no message, although there is an obscure stock image from the internet attached to each e-mail we've seen.

We suspect they are using steganography to obfuscate (hide) meaningful information within the otherwise insignificant image attachments.

Surveilling the target's laptop use in Starbucks via shoulder surfing has revealed that they use Stegosaurus, a bespoke online steganography tool.

We've attached an image file from an e-mail that we believe has had something encoded into it by the target. The idea behind steganography is to implant something and not make it obvious to the naked eye (or ear).

Please tell us what the HIDDEN MESSAGE within the specimen image provided is.

Stegosaurus: https://mystegosaurus.co.uk/

specimen-image.png

Extremely unfortunately, the Stegosaurus website is no longer available. None of the other steganography tools I tried were able to decode the image, so I decided to transition to using a real local tool: the Stego Toolkit.

  1. sudo docker pull dominicbreuker/stego-toolkit

  2. sudo docker run -it -v $(pwd):/data dominicbreuker/stego-toolkit /bin/bash

  3. pngcheck specimen-image.png confirms that the image is a PNG file.

  4. zsteg specimen-image.png to confirm that steganography is being used. This is the output:

    imagedata           .. text: "ejn\"\"\"..."
    b1,bgr,msb,xy       .. text: "txt\rsecretmessagee"
    b2,r,msb,xy         .. text: "wu]W}_(\"*~}_*"
    b2,g,lsb,xy         .. file: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 21.17
    b2,g,msb,xy         .. text: ["U" repeated 18 times]
    b2,b,lsb,xy         .. file: locale data table
    b2,b,msb,xy         .. text: ["U" repeated 18 times]
    b2,bgr,msb,xy       .. text: ".C8.i\"(\"(\n"
    b4,r,lsb,xy         .. text: "vvfvgfvfgvwf"
    b4,g,lsb,xy         .. text: "#2\"3\"#33\"323#333EEEUDDDDDTDDfffwfgvfgwgwwvvfUUEUEEDTUTDUUUDUTTEUTUUDTEEUvgfwgvwgggvwvwvfvgvwggvwwwwwwgwvwgvvDUDDftUDTR\"#2!"
    b4,g,msb,xy         .. text: "\"\"\"\"\"*\"\"fff"
    b4,b,lsb,xy         .. file: raw G3 (Group 3) FAX, byte-padded
    b4,b,msb,xy         .. text: "]UUU]U]U"

    The txt\rsecretmessagee looks super shady, so we definitely want to pursue that.

  5. stegano-lsb reveal -i specimen-image.png -e UTF-8 -o output.txt. In theory, this command should have worked, but the Docker image was using outdated dependencies, so the Stegano library errored out when running it:

    Traceback (most recent call last):
    File "/opt/Stegano/stegano-lsb", line 94, in <module>
    data = tools.base642binary(secret)
    File "/opt/Stegano/stegano/tools.py", line 100, in base642binary
    b64_fname += '==='
    TypeError: unsupported operand type(s) for +=: 'NoneType' and 'str'

    So I had to go and drop a quick PR to fix the issue. In the meantime, I needed another way to extract the hidden message.
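Since stegano-lsb fell over inside the container, here is an added example of doing the same extraction by hand. This is my own code, not part of the original writeup and not code from the Stego Toolkit, Stegano or Stegosaurus; it uses only the Python standard library, decodes the PNG itself, and mirrors zsteg's b1,bgr,msb,xy channel as I read zsteg's notation (one bit per channel, channels visited in b,g,r order, pixels row by row, extracted bits packed most-significant-bit first). Everything it runs on is constructed: a 16x8 cover image, a planted message, and a NUL terminator, none of which come from specimen-image.png. The embed helper, the NUL terminator and the intra-channel bit order for bits > 1 are my assumptions, and the code does not parse Stegano's own length/base64 header, which is what the traceback above was choking on; it just dumps the raw LSB stream, which is enough to spot a plaintext like the one zsteg reported.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNEL = {"r": 0, "g": 1, "b": 2}


def _chunk(tag, payload):
    """Serialise one PNG chunk: length, tag, payload, CRC over tag+payload."""
    body = tag + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png_rgb(width, height, pixels):
    """Minimal 8-bit RGB PNG writer (filter type 0 on every row); only used to
    build the constructed specimen for this example."""
    stride = width * 3
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride]) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


def read_png_rgb(data):
    """Decode an 8-bit, non-interlaced RGB PNG into flat r,g,b bytes, undoing
    all five scanline filters (None, Sub, Up, Average, Paeth)."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    pos, idat, width, height = 8, b"", 0, 0
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        pos += 12 + length  # 4 length + 4 tag + payload + 4 CRC
        if tag == b"IHDR":
            width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", payload)
            if (depth, ctype, interlace) != (8, 2, 0):
                raise ValueError("only 8-bit RGB, non-interlaced PNGs are handled here")
        elif tag == b"IDAT":
            idat += payload
    raw, stride, bpp = zlib.decompress(idat), width * 3, 3
    out, prev, p = bytearray(), bytearray(stride), 0
    for _ in range(height):
        ftype, line = raw[p], bytearray(raw[p + 1:p + 1 + stride])
        p += 1 + stride
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0  # left neighbour (already reconstructed)
            b = prev[i]                           # pixel above
            c = prev[i - bpp] if i >= bpp else 0  # upper-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xFF
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xFF
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xFF
            elif ftype == 4:
                pa, pb, pc = abs(b - c), abs(a - c), abs(a + b - 2 * c)
                line[i] = (line[i] + (a if pa <= pb and pa <= pc else b if pb <= pc else c)) & 0xFF
        out += line
        prev = line
    return width, height, bytes(out)


def extract_lsb(pixels, bits=1, order="bgr", msb_first=True, max_bytes=64):
    """Walk pixels row by row (zsteg's 'xy'), take the low `bits` bits of each
    channel in `order`, and pack them into bytes with the first extracted bit in
    the most significant position when msb_first (zsteg's 'msb'). Reading the
    selected low bits high-to-low for bits > 1 is my assumption."""
    stream = []
    for base in range(0, len(pixels), 3):
        for ch in order:
            v = pixels[base + CHANNEL[ch]]
            stream.extend((v >> k) & 1 for k in range(bits - 1, -1, -1))
    out = bytearray()
    for i in range(0, len(stream) - 7, 8):
        byte = 0
        for j, bit in enumerate(stream[i:i + 8]):
            byte |= bit << (7 - j if msb_first else j)
        out.append(byte)
        if len(out) >= max_bytes:
            break
    return bytes(out)


def embed_lsb(pixels, message, order="bgr"):
    """Constructed helper that plants `message` one bit per channel (LSB, msb-first)
    so the extractor has a known payload to recover; not the Stegosaurus algorithm."""
    px = bytearray(pixels)
    bits = [(byte >> (7 - j)) & 1 for byte in message for j in range(8)]
    if len(bits) > len(px):
        raise ValueError("message too long for this cover image")
    i = 0
    for base in range(0, len(px), 3):
        for ch in order:
            if i == len(bits):
                return bytes(px)
            pos = base + CHANNEL[ch]
            px[pos] = (px[pos] & 0xFE) | bits[i]
            i += 1
    return bytes(px)


def demo(message=b"txt\rexample-message", width=16, height=8):
    """Build a constructed cover image, plant the message, round-trip it through a
    real PNG, and recover the text the way the b1,bgr,msb,xy channel would show it."""
    cover = bytes((x * 7 + y * 13 + c * 31) & 0xFF
                  for y in range(height) for x in range(width) for c in range(3))
    stego = embed_lsb(cover, message + b"\x00", order="bgr")  # NUL terminator is an assumption
    _, _, pixels = read_png_rgb(write_png_rgb(width, height, stego))
    return extract_lsb(pixels, bits=1, order="bgr", msb_first=True).split(b"\x00")[0]


if __name__ == "__main__":
    print(demo())
```

To point it at the real specimen instead of the constructed image, feed `read_png_rgb(open("specimen-image.png", "rb").read())` into `extract_lsb` and try the other zsteg channel parameters (`bits`, `order`, `msb_first`) if the b1,bgr,msb,xy stream does not read cleanly; the decoder only handles 8-bit non-interlaced RGB, which is what pngcheck reported for most such images but is worth confirming first.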

