Deep Packet Analysis, Hacking / Counter Intelligence, Lawful Intercept

Detecting Steganography in JPG Images

If you read my article on using MITM attacks on Tor, you might be wondering about practical purposes other than stealing passwords and personal information. The fact is that I have no interest whatsoever in targeting specific people. I do what I do for two reasons: I find the synergy and flow of data sexy, and I don’t like internet predators. An internet predator can take the shape of many different things: a botnet operator, a child predator, or a terrorist bent on destroying innocent human life.

After some deep packet analysis of Tor data, information can be categorized and discarded. In my case I am only interested in images, songs, and anything antivirus flags. Various programs can then attack the data for signs of predator behaviour. For instance, my image and facial recognition software looks for weapons and compares any faces to those appearing on most-wanted sites. Images and songs are passed through various steganography detection programs to look for hidden data.

OutGuess is a universal steganographic tool that allows the insertion of hidden information into the redundant bits of data sources. The nature of the data source is irrelevant to the core of OutGuess. The program relies on data-specific handlers that extract redundant bits and write them back after modification. In this version the PNM and JPEG image formats are supported.

At first glance, they sound like the bad guys helping people subvert prying eyes; however, they have some other toys out there as well. StegBreak and StegDetect are also available in their toolkit. These tools can be run on pretty much any environment to process your incoming data.


About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


4 thoughts on “Detecting Steganography in JPG Images”

  1. You can also look at the header/footer information. The header starts with “FF D8 FF” and the footer ends with “FF D9”. Anything before or after these is the embedded data.

    Posted by Kalypto | July 26, 2012, 9:27 pm
    • Agreed, that is a nice quick way of checking. Though what about pixel manipulation? I’m trying to find some more advanced ways of detecting steg in PNGs if you have any input?

      Posted by pythorian | July 26, 2012, 10:11 pm
      • I was wondering what sort of advanced detection in PNGs you had in mind. I was thinking that most pixel-manipulation detection for BMPs would work on PNGs. However, I’ve played around with embedding data into the zstream compression that PNG uses, which is hard to detect at the best of times.

        Posted by Bumpy Grastard | October 21, 2012, 6:23 am
      • By randomly seeding the zstream with bit addition at the standard offsets to cause a decompression crash, I should be able to demonstrate a threshold intolerance that is lower with steg-embedded PNGs than with normal PNGs.

        Posted by Pythorian | November 2, 2012, 5:21 pm
