Steganography

A good list to look at can be found here.

Images

exiftool

Can be installed with sudo apt install exiftool. This tool can be used to extract metadata from images.

  • exiftool image.jpg: Shows all the metadata in the image image.jpg.

strings

This is the most basic tool for extracting data from images. Can be installed with sudo apt install binutils.

  • strings image.jpg: Shows all the strings in the image image.jpg, possibly uncovering hidden data.

steghide

Can be installed with sudo apt install steghide.

  • steghide info image.jpg: Displays info about whether image.jpg has embedded data or not.
  • steghide extract -sf image.jpg: Extracts any hidden data from the image image.jpg using the default password list.
  • steghide extract -sf image.jpg -p password: Extracts any hidden data from the image image.jpg using the password password.

stegseek

This is a faster version of the well-known stegcracker tool. Can be installed with sudo docker pull rickdejager/stegseek. Repository available here.

  • sudo docker run --rm -it -v "$(pwd):/steg" rickdejager/stegseek image.jpg rockyou.txt: Extracts any hidden data from the image image.jpg using the wordlist rockyou.txt.

stego-toolkit

Can be installed with sudo docker pull dominicbreuker/stego-toolkit, then run with sudo docker run -it -v $(pwd):/data dominicbreuker/stego-toolkit /bin/bash.

  • pngcheck image.png: Confirms that the image is a PNG file.
  • zsteg image.png: Confirms that steganography is being used.

stegsolve

Can be installed with the following:

wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
java -jar stegsolve.jar

A new modded version can be found here, and it has the added benefit of being open-source unlike the original.

zsteg

Can be installed with sudo gem install zsteg. Useful for png and bmp files.

  • zsteg -a image.png: Runs all methods on the image image.png.
  • zsteg -E image.png: Extracts data from the given payload (example: zsteg -E b4,bgr,msb,xy image.png).

foremost

Can be installed with sudo apt install foremost. Most useful for png files, but can also be used for jpg files. Repository available here.

  • foremost -i image.png: Extracts any hidden data from the image image.png.

binwalk

Can be installed with sudo apt install binwalk. Useful for both images and audio files.

  • binwalk -e image.jpg: Extracts any hidden data from the image image.jpg.

Digital Invisible Ink Toolkit

Can be downloaded from here. Useful for image files. Can run the software with java -jar -Xmx512m diit-1.5.jar.

The BlindHide mode is often used. Use the Set Message option to set an output text file, then investigate the contents to determine the type of file.

Audio

WavSteg

Can be installed with pip install stego-lsb. Useful for wav files. More information available here.

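  • stegolsb wavsteg -h -i sound.wav -s file.txt -o sound_steg.wav -n 1: Hides file.txt in sound.wav using 1 least significant bit per sample and writes the result to sound_steg.wav.
  • stegolsb wavsteg -r -i sound_steg.wav -o output.txt -n 1 -b 1000: Recovers 1000 bytes of hidden data from sound_steg.wav into output.txt, reading 1 least significant bit per sample.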

ZIP Files

fcrackzip

Can be installed with sudo apt install fcrackzip. Useful for zip files.

  • fcrackzip -u -D -p rockyou.txt file.zip: Attempts to crack the password of the zip file file.zip using the wordlist rockyou.txt.
