
Steganography

forensic_file_artifacts Difficulty 1–5 30 min certifiable

Theory

Why This Matters

Steganography — hiding data within a carrier medium so that the existence of the hidden message is not apparent — has been documented in real-world espionage cases. In 2010, the FBI arrested a Russian spy ring whose members communicated by embedding messages in images posted publicly on the internet, a technique confirmed during court proceedings. Unlike cryptography, which makes content unreadable, steganography aims for the covert channel itself to be invisible. Digital forensic analysts must be able to detect and extract steganographically concealed content from images recovered during investigations or presented as evidence, since suspects frequently combine encryption and steganography to layer their defenses.

Core Concept

LSB steganography (Least Significant Bit steganography) is the most common spatial-domain technique. In a 24-bit RGB PNG or BMP image, each pixel is represented by three bytes: one each for Red, Green, and Blue, each ranging from 0–255. The least significant bit of each colour channel contributes only a value of ±1 to the overall colour, a difference imperceptible to the human eye. By replacing the LSB of selected channels with bits from the secret message, an attacker can store approximately width × height × channels / 8 bytes of data while causing negligible visual distortion.

A simple LSB embedder iterates pixels in raster order and overwrites bit 0 of the R channel of pixel 1 with message bit 0, bit 0 of the G channel of pixel 1 with message bit 1, and so on. The bit-plane view organises all bit-0 values of a channel into a single binary image; random content produces a visually noisy plane, while a plane carrying hidden text produces structured patterns (rows of similar bits corresponding to repeated ASCII characters). Bit-plane decomposition using tools like stegsolve renders each bit-plane as a separate image, making structured LSBs immediately visible.

The statistical signature of LSB embedding is detectable via the chi-square attack: colour values that differ only in their LSB form pairs of values (PoVs). In an unmodified image the two members of a pair generally occur with different frequencies, but LSB embedding with random-looking data forces the two frequencies toward equality, and a chi-square test on the colour histogram measures how close to equal they have become. Tools like zsteg and stegdetect implement this automatically.
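The mechanics described in the three paragraphs above, carried out end to end in an added example (not code from this card): a raster-order LSB embedder and extractor, a bit-plane view of the kind stegsolve renders, and the pairs-of-values chi-square check run on a constructed carrier before and after embedding. The carrier is synthetic and kept in memory as a list of (r, g, b) tuples, the shape PIL's `Image.getdata()` returns after `.convert("RGB")`, so PIL is not needed to run it; the p-value uses the Wilson-Hilferty normal approximation of the chi-square tail instead of SciPy. All function names and the sample payloads are this example's own assumptions.

```python
# Added example, not the card's own code: LSB embedding, extraction, a bit-plane
# view and the PoV chi-square check on a constructed in-memory image. Pixels are
# a flat list of (r, g, b) tuples in raster order (PIL's getdata() shape).
import math
import random

def lsb_capacity_bytes(width, height, channels=3):
    """Maximum payload in bytes when one bit is stored per channel per pixel."""
    return width * height * channels // 8

def embed_lsb(pixels, payload):
    """Overwrite bit 0 of R, G, B in raster order with the payload bits, MSB first."""
    bits = [(byte >> k) & 1 for byte in payload for k in range(7, -1, -1)]
    if len(bits) > len(pixels) * 3:
        raise ValueError("payload exceeds LSB capacity")
    it = iter(bits)
    out = []
    for px in pixels:
        new = []
        for value in px:
            b = next(it, None)                      # None once the payload is exhausted
            new.append(value if b is None else (value & ~1) | b)
        out.append(tuple(new))
    return out

def extract_lsb(pixels, num_bytes):
    """Read num_bytes back from the LSBs, channel by channel in raster order."""
    bits = [c & 1 for px in pixels for c in px][: num_bytes * 8]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))

def bit_plane(pixels, width, channel=0, bit=0):
    """One bit plane as rows of 0/1: the view stegsolve renders as an image."""
    plane = [(px[channel] >> bit) & 1 for px in pixels]
    return [plane[i:i + width] for i in range(0, len(plane), width)]

def chi2_sf(stat, dof):
    """Upper-tail probability of a chi-square variable (Wilson-Hilferty normal
    approximation, adequate for dof >= 10; avoids a SciPy dependency)."""
    if dof <= 0:
        return 1.0
    mu = 1.0 - 2.0 / (9.0 * dof)
    sigma = math.sqrt(2.0 / (9.0 * dof))
    z = ((stat / dof) ** (1.0 / 3.0) - mu) / sigma
    return 0.5 * math.erfc(z / math.sqrt(2.0))

def chi_square_pov(pixels, channel=0):
    """PoV test on one channel: each pair (2k, 2k+1) contributes the two-cell
    term (even-odd)^2/(even+odd), a chi-square(1) variable if the pair is
    balanced. Random-looking LSB payloads balance the pairs, so the statistic
    falls toward the degrees of freedom and the p-value rises."""
    hist = [0] * 256
    for px in pixels:
        hist[px[channel]] += 1
    stat, pairs = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        total = even + odd
        if total:
            stat += (even - odd) ** 2 / total
            pairs += 1
    return stat, chi2_sf(stat, pairs)

def make_clean_image(width, height, seed=1):
    """Constructed carrier: smooth gradient plus noise, with LSBs biased toward 0
    so the pairs of values are clearly unequal, as in an unmodified photograph."""
    rng = random.Random(seed)
    pixels = []
    for y in range(height):
        for x in range(width):
            px = []
            for c in range(3):
                base = (2 * x + 2 * y + 40 * c + rng.randint(-8, 8)) % 256
                px.append((base & ~1) | (1 if rng.random() < 0.2 else 0))
            pixels.append(tuple(px))
    return pixels

def demo(width=64, height=64):
    clean = make_clean_image(width, height)
    message = b"constructed hidden message 1234"       # short text payload (constructed)
    stego = embed_lsb(clean, message)
    capacity = lsb_capacity_bytes(width, height)
    rng = random.Random(7)
    filler = bytes(rng.getrandbits(8) for _ in range(capacity))
    full_stego = embed_lsb(clean, filler)             # random payload fills every LSB
    return {
        "capacity": capacity,
        "recovered": extract_lsb(stego, len(message)),
        "clean_chi": chi_square_pov(clean),           # (statistic, p-value), p near 0
        "stego_chi": chi_square_pov(full_stego),      # statistic near 128, p not small
        "plane_rows": ["".join("#" if b else "." for b in row)
                       for row in bit_plane(stego, width)[:4]],
    }
```

Run `demo()` and compare the two chi-square results: the clean carrier gives a large statistic and a p-value near zero, the fully embedded one a statistic close to its degrees of freedom. A short payload that covers only the first few pixels barely moves the whole-image statistic, which is why the attack is normally applied to increasing prefixes of the image rather than once over all pixels.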

Steghide is a dedicated steganography tool that uses a more sophisticated embedding algorithm (based on graph matching) and requires a passphrase, producing output indistinguishable from random noise even under chi-square analysis. Detecting steghide-embedded content requires either knowing or brute-forcing the passphrase.

Technical Deep-Dive

# Manual LSB extraction from a PNG (no passphrase, sequential bit extraction)
from PIL import Image

def extract_lsb(image_path, num_bits=None):
    """Read bit 0 of R, G, B for every pixel in raster order and pack the bits
    MSB-first into characters. num_bits limits how many LSBs are read."""
    img = Image.open(image_path).convert("RGB")
    pixels = list(img.getdata())
    bits = []
    for r, g, b in pixels:
        bits.append(r & 1)   # LSB of Red channel
        bits.append(g & 1)   # LSB of Green channel
        bits.append(b & 1)   # LSB of Blue channel
    if num_bits:
        bits = bits[:num_bits]
    # Group bits into bytes (8 bits per character, MSB first)
    chars = []
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        chars.append(chr(byte))
    return ''.join(chars)

# Print the first 200 characters of LSB data
print(extract_lsb("challenge.png")[:200])

# Automated detection and extraction tools

# zsteg: detects LSB in PNG/BMP, tries multiple channel orders
zsteg -a challenge.png          # try all channel combinations
zsteg -E "b1,rgb,lsb,xy" challenge.png > extracted.bin  # extract specific plane

# stegsolve (Java GUI): open image, use Analyse > Data Extract
# Select bit planes 0 for R, G, B; choose LSB first; click Extract

# steghide: requires passphrase; bruteforce with stegcracker
steghide extract -sf challenge.jpg -p ""          # try empty passphrase first
stegcracker challenge.jpg /usr/share/wordlists/rockyou.txt

# stegdetect: chi-square statistical detection for JPEG
stegdetect -t jopi challenge.jpg   # test for jsteg, outguess, jphide, invisible

Analytical Methodology

  1. Visual inspection — Open the image in an image viewer; check for unusual colour banding, visible noise, or artefacts that do not match the described content.
  2. Bit-plane analysis with stegsolve — Load the image and cycle through bit planes 0–7 for each channel. Bit plane 0 (LSB) containing hidden text will show horizontal bands or structured patterns rather than uniform noise.
  3. zsteg automated scan — zsteg -a challenge.png tests LSB in multiple channel orders and bit depths and prints any results that resemble printable text or known file magic bytes.
  4. Statistical chi-square test — Use stegdetect (JPEG) or inspect zsteg output for chi-square p-values. A p-value < 0.05 in the LSB distribution strongly suggests embedding.
  5. Attempt steghide extraction — Try steghide extract -sf challenge.jpg -p "" for an empty passphrase. If it fails, check the challenge for passphrase hints (filenames, description, EXIF fields).
  6. Capacity estimation — For a PNG of dimensions W×H, maximum LSB capacity in all three channels is W × H × 3 / 8 bytes. Compare this to your extracted output size; if extraction yields far more garbage than signal, you may have the wrong channel order.
  7. Distinguish benign from steganographic — A "clean" image's LSB plane looks statistically random (noise). A steganographic image's LSB plane looks structured. Thumbnail images created by cameras have predictable LSB distributions; CTF images often do not.

Common Analytical Errors

  • Assuming only bit plane 0 — Embedders can use bit planes 1 or 2 as well, trading capacity for subtlety. Always scan all lower bit planes, not just the LSB.
  • Ignoring the alpha channel — PNG files support an alpha (transparency) channel. The alpha channel LSB is often overlooked and used to carry extra data.
  • Wrong channel order — zsteg tries common orders (RGB, RBG, GRB…) but a custom tool may use BGR or ARGB. If standard tools yield nothing, try reordering channels manually.
  • Not trying an empty or trivial passphrase — A surprising fraction of steghide challenges use empty string, the filename, or the challenge title as the passphrase. Always try obvious candidates before running a full wordlist.
  • Treating extraction as the end — The extracted bytes may themselves be Base64-encoded, compressed (gzip magic 1f 8b), or XOR-encrypted. Run file and xxd on every extracted binary.
  • Stopping after one tool — zsteg and stegsolve cover spatial-domain LSB well but will miss DCT-domain (JPEG) steganography. If the carrier is a JPEG and zsteg finds nothing, proceed to DCT-domain tools.
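A scanner that works through the traps in the list above (other bit planes, the alpha channel, non-RGB channel orders, and magic bytes in the extracted output), as an added example that is neither zsteg's code nor its output format: it tries every channel order and bit planes 0 to 2 on a constructed RGBA carrier, packs bits MSB first as the card's extractor does, and labels candidates by file magic or printable ratio. `plant()` exists only to build the fixture; the function names, the 0.95 printable threshold, the magic table and the sample payloads are this example's assumptions.

```python
# Added example, not the card's code and not zsteg: a small "zsteg -a"-style
# scanner over channel orders, bit planes 0-2 and the alpha channel. Pixels are
# a flat list of (r, g, b[, a]) tuples in raster order.
import itertools
import random
import string

CHANNEL = {"r": 0, "g": 1, "b": 2, "a": 3}
# gzip magic 1f 8b plus the deflate method byte 08; other entries are common carriers.
MAGIC = {b"\x1f\x8b\x08": "gzip", b"\x89PNG": "png", b"PK\x03\x04": "zip", b"%PDF": "pdf"}
PRINTABLE = set(string.printable.encode("ascii"))

def extract_plane_bytes(pixels, order, bit, max_bytes=64):
    """Collect bit `bit` of the channels named in `order` (e.g. "bgr", "a") in
    raster order and pack them MSB-first into at most max_bytes bytes."""
    bits = []
    for px in pixels:
        for ch in order:
            if CHANNEL[ch] < len(px):
                bits.append((px[CHANNEL[ch]] >> bit) & 1)
        if len(bits) >= max_bytes * 8:
            break
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))

def classify(data):
    """Label a candidate: known magic bytes first, then mostly-printable text."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return "file:" + name
    head = data[:32]
    if head and sum(b in PRINTABLE for b in head) / len(head) > 0.95:
        return "text"
    return None

def scan(pixels, bits=(0, 1, 2)):
    """Try every RGB order, each single channel and, if present, the alpha
    channel and alpha orders on each bit plane; return (bit, order, label, preview)."""
    has_alpha = len(pixels[0]) == 4
    orders = ["".join(p) for p in itertools.permutations("rgb")] + ["r", "g", "b"]
    if has_alpha:
        orders += ["a", "rgba", "bgra", "argb", "abgr"]
    hits = []
    for bit in bits:
        for order in orders:
            data = extract_plane_bytes(pixels, order, bit)
            label = classify(data)
            if label:
                hits.append((bit, order, label, data[:24]))
    return hits

def plant(pixels, order, bit, payload):
    """Constructed fixture builder: write payload bits into bit `bit` of the
    channels in `order` so the scanner has something to find."""
    bits = iter((byte >> k) & 1 for byte in payload for k in range(7, -1, -1))
    out = []
    for px in pixels:
        px = list(px)
        for ch in order:
            b = next(bits, None)
            if b is not None:
                px[CHANNEL[ch]] = (px[CHANNEL[ch]] & ~(1 << bit)) | (b << bit)
        out.append(tuple(px))
    return out

def demo():
    rng = random.Random(3)
    # Constructed 32x32 RGBA carrier with random channel values.
    carrier = [tuple(rng.randrange(256) for _ in range(4)) for _ in range(32 * 32)]
    # A gzip-looking blob in bit plane 1, BGR order: plane 0 in RGB order alone misses it.
    blob = b"\x1f\x8b\x08" + b"\x00" * 7 + b"constructed deflate body"
    carrier = plant(carrier, "bgr", 1, blob)
    # A note in the alpha channel's LSB, the plane most often overlooked.
    note = b"constructed note hidden in the alpha channel LSB"
    carrier = plant(carrier, "a", 0, note)
    return scan(carrier)

if __name__ == "__main__":
    for bit, order, label, preview in demo():
        print(f"bit plane {bit}, order {order}: {label} {preview!r}")
```

`demo()` reports exactly two hits: the gzip header in plane 1 of the BGR order and the text in the alpha LSB; every other order and plane yields unstructured bytes that fail both checks. The magic check mirrors what `file` would say about the extracted blob, so a hit labelled `file:gzip` is the cue to decompress and inspect the result rather than stop.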

NICE Framework Alignment

Code | Knowledge/Skill/Task Statement | How This Card Develops It
K0060 | Knowledge of operating systems and file system structures including binary data representations | Grounds bit-level pixel manipulation in the binary representation of RGB image data
K0082 | Knowledge of file format standards and covert channel techniques | Teaches PNG/BMP format structure and how LSB embedding exploits per-channel bit representation
S0068 | Skill in using binary analysis tools to examine file content | Develops hands-on proficiency with zsteg, stegsolve, steghide, and PIL for bit-level analysis
T0048 | Task: Perform file system forensic analysis | Applies systematic forensic methodology to detect and extract concealed data from image files

Further Reading

  • Steganography in Digital Media: Principles, Algorithms and Applications — Jessica Fridrich (Cambridge University Press)
  • Detecting LSB Steganography in Color and Grayscale Images — Jessica Fridrich, Miroslav Goljan, Rui Du (IEEE Multimedia)
  • Practical Steganography and Steganalysis — Hany Farid (Dartmouth Technical Report)
  • zsteg Tool Documentation and Detection Methodology — zed-0xff (GitHub)

Challenge Lab

Reinforce your learning with a generated challenge based on the skill covered by this card.