Team Delta
Steganography Lab
IST 454, Section 1, Spring 2011
Pennsylvania State University team project

Team Delta:
Allison Antis – [email protected]
Steven Dodge – [email protected]
David Lingelbach – [email protected]
Steven Lizzi – [email protected]
Adan Ortiz – [email protected]
Tammara Ross – [email protected]


Table of Contents

Introduction
How Does Steganography Work?
The Scenario
How Fred Sends the Recipe
    Step 1: Prepare an Image for Use with Xiao
    Step 2: Prepare a Document to Hide
    Step 3: Select the Files in Xiao
    Step 4: Select the Encryption Type
    Step 5: Save the New File
    Step 6: Select the File to Decode
    Step 7: Extract the Message
How Popeye’s Reads the Message
The Forensic Investigation
    Background
    Initial Evidence
    Manager Interview
    Computer Examination
Conclusion


Introduction:

How do you hide a message in plain sight? The art or practice of hiding a message within other information is called steganography. Steganography has been used since the 5th century when Greek tyrants would shave the heads of their servants, tattoo a message on the servant's head, and send the servant to his destination where his head would be promptly shaved. Unless a person knew that a hidden message was inscribed on the servant’s head, the message would be transmitted without any problems. Today, steganography is more commonly used to hide digital messages within digital information. For example, a password can be embedded in a text file, music file, image file, or any other kind of file. In the summer of 2010, the FBI discovered that a ring of alleged Russian spies had been using steganography to hide information in images posted on public websites. For example, the innocent-looking image of the Washington Monument below hid a map of the Burlington Airport in Vermont.

Figure 1. Image of the Washington Monument


Figure 2. Image of the Burlington Airport Hidden in the Washington Monument

This lab report explains how steganography can be used to hide messages in image files, using a steganography tool called Xiao.


How Does Steganography Work?

The concept of how Xiao works is actually pretty simple. All Xiao does is slightly change color values throughout a picture, but not by a noticeable amount. Let’s start by examining the structure of an image file. Images are actually made up of a grid of dots or squares called pixels. Each pixel is a sample of the original image. As the number of pixels in the grid gets closer to the number of pixels used to display the image on the screen, the image becomes clearer. The color shade of each pixel is determined by some value.

Figure 3. A Picture of a Duck

When examining the image with HexEdit, we can see the hexadecimal values that make up the image.


Figure 4. HexEdit

Computers that run in 32-bit color mode today are capable of displaying 16.7 million different color shades. There are so many different shades that the difference between some of these shades can be indistinguishable to the human eye. For example, the color on the left was taken from an individual pixel within the duck picture. Two of the characters within its hex value were then changed, which produced the color seen on the right. At first glance, the colors look exactly alike. Keep in mind that this is just one pixel out of the 1,482,129 that make up the original picture of the duck. By making slight changes to multiple pixels, the contents of another file can be hidden within the picture without making the original image look any different.

Figure 5. 16.7 Million Different Color Shades


The hexadecimal value of a short text file containing a message like “Ducks go quack.” is made up of only 30 characters. Let’s use this text file as an example and insert it into our duck picture.

Figure 6. Quack.txt

First, we need to establish a procedure. Let's insert the hex value from each character of the message into a different pixel. The message hex characters will replace the characters in positions 2 and 4 of the pixels' hex values. We'll start 1 block in and 1 block down from the upper-left-hand corner of the picture. We'll modify every other pixel until we've changed 5 of them, then we'll skip a row and start back 1 pixel in from the left edge. That should mean having to modify pixels in 3 separate rows of pixels on the picture. Remember: think of the image as a grid, table, or two-dimensional array of squares.

Figure 7. Steganography Procedure


Using Adobe Fireworks CS5, we can simply type the hex value of the color we want into the color picker. Then we use the paintbrush with a stroke width of one pixel and the hard line option selected, which lets us re-color individual pixels.

Figure 8. Adobe Fireworks CS5

Once all the changes have been made, we can look at the original picture next to our version containing the message. Do you see anything different between them?

Figure 9. The Original and Modified Picture

Xiao’s algorithms may be much more advanced than the one used in our example, but in the end, all it does is change the hex values of pixels. If you know what method was used to hide a file within the image, it is easy to know where to look to extract the hidden file. Luckily, Xiao does all that tedious work for you.
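The manual procedure described above can be written out in code; this is an added example, not part of the original lab report and not Xiao's algorithm. It assumes pixels stored as six-digit RRGGBB hex strings, zero-based coordinates, "skip a row" read as every other row, and a constructed single-color cover image; all function names are hypothetical. It also compares the result with the original, which is the check an examiner holding the unmodified image can run.

```python
# Added illustration of the lab's manual hiding procedure (not Xiao's algorithm).
# Pixels are 6-digit hex strings "RRGGBB"; the cover image below is constructed.
PER_ROW = 5   # pixels modified per row before moving to the next row
START = 1     # one pixel in and one pixel down from the upper-left corner
STEP = 2      # every other pixel, and (assumed) every other row

def positions(n):
    """Yield (row, col) for the n pixels the procedure touches, in order."""
    for i in range(n):
        yield START + STEP * (i // PER_ROW), START + STEP * (i % PER_ROW)

def embed(image, message):
    """Return a copy of image with each message byte's two hex digits
    written into positions 2 and 4 of one pixel's hex value."""
    data = message.encode("ascii")
    out = [row[:] for row in image]
    for byte, (r, c) in zip(data, positions(len(data))):
        if r >= len(out) or c >= len(out[r]):
            raise ValueError("cover image too small for message")
        hi, lo = f"{byte:02x}"
        p = out[r][c]
        out[r][c] = p[0] + hi + p[2] + lo + p[4:]
    return out

def extract(image, length):
    """Read length bytes back from the same pixel positions."""
    digits = "".join(image[r][c][1] + image[r][c][3] for r, c in positions(length))
    return bytes.fromhex(digits).decode("ascii")

def max_channel_change(a, b):
    """Largest per-channel difference (0-255) between two images."""
    return max(
        abs(int(p[i:i + 2], 16) - int(q[i:i + 2], 16))
        for ra, rb in zip(a, b) for p, q in zip(ra, rb) for i in (0, 2, 4)
    )

def changed_pixels(a, b):
    """Coordinates whose color differs between the original and the suspect image."""
    return [(r, c) for r, (ra, rb) in enumerate(zip(a, b))
            for c, (p, q) in enumerate(zip(ra, rb)) if p != q]

# Constructed 7x11 cover image filled with one brownish color.
COVER = [["8a6f3c"] * 11 for _ in range(7)]
STEGO = embed(COVER, "Ducks go quack.")

if __name__ == "__main__":
    print(extract(STEGO, 15), max_channel_change(COVER, STEGO),
          changed_pixels(COVER, STEGO))
```

Because only the low hex digit of the red and green values is replaced, no channel moves by more than 15 out of 255, yet a pixel-by-pixel comparison with the original exposes the regular every-other-pixel pattern immediately.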


The Scenario

To demonstrate the Xiao tool, we will run through a fictional example. When conducting corporate computer forensic investigations, a common type of investigation involves industrial espionage where sensitive corporate data or intellectual property is sold to another company. In this example, Fred works at Kentucky Fried Chicken. Fred is having problems at home and is in dire financial straits. Fred needs money, and competitor Popeye’s wants the Colonel’s secret recipe. Fred and Popeye’s come to a financial agreement, and both parties decide to exchange this data using steganography and agree on using Xiao because the tool is free and has a graphical user interface.

How Fred Sends the Recipe

Note: To download Xiao for free, please visit the following link: http://download.cnet.com/Xiao-Steganography/3000-2092_4-10541494.html

Step 1: Prepare an Image for Use with Xiao

1. Xiao accepts only .BMP images. To convert a photo from another format, open the photo in Microsoft Paint.

2. Go to File and select “Save As.”

3. Select the BMP file type.

4. Navigate to the appropriate directory and click “Save.”

Figure 10. Microsoft Paint


Step 2: Prepare a Document to Hide

1. Any type of file can be used. In this example we will create a text file in Notepad and type a secret message into it. The message will be saved as “secret.txt.”

Figure 11. secret.txt

2. To avoid confusion, make sure the document is saved in the same directory where you saved the picture in the previous step.

Step 3: Select the Files in Xiao

1. Open Xiao.

2. Select “Add Files.”

3. Select “Load Target File.”

4. Navigate to the directory where you saved your picture and document. The image and information about it should appear within the window.

5. Select “Next.”

6. In the window that appears, click “Add Files.”

7. Select your document in the file browser and click “Open.” The file should appear in the Xiao window.

Figure 12. Xiao File Browser

8. Click “Next.”

Step 4: Select the Encryption Type

1. You can select any encryption or hashing algorithm combination you like. We will use the defaults of RC2 encryption and MD5 hashing in this example.

2. Type a password for the file into the text field. For this example, we'll use “chickendunk3r.”

Figure 13. Xiao Encryption Type

3. Click “Next.”

Step 5: Save the New File

1. You should see a progress bar indicating that the files you selected are being merged. A file browser will appear to save the resulting file.

2. Navigate to the directory containing the original files you used and save the file as “New Picture.bmp.”

Figure 14. Saving “New Picture.bmp”

3. Click “Finish.”

Step 6: Select the File to Decode

1. If you closed out of Xiao, open Xiao back up.

2. Select “Extract Files.”

3. Select “Load Source File.”

4. Navigate to where you saved “New Picture.bmp,” select it, and click “Open.”

5. The picture should be shown in the window along with information about it.

Figure 15. Xiao File Browser

6. Click “Next.”

Step 7: Extract the Message

1. Xiao should now show you a list of files contained within “New Picture.bmp.”

2. Select “secret.txt” and type the password you used to encrypt the file into the password text field.

3. Click “Extract File.”

Figure 16. Extract File

4. Browse to where you want to save the extracted file and save it as “Decoded Message.txt.”

5. An alert should appear saying that the file was successfully extracted.

6. Click “Exit” to close out of Xiao.

How Popeye’s Reads the Message

1. Navigate to where you saved your decoded file in Xiao.

2. Click on it to open.

3. You should now see the secret message you created in the beginning of the lab.

4. Try encoding your own secret message and sending it to a friend to have him or her decode it.

**Disclaimer: Don't break any laws using this method!


The Forensic Investigation

Background

The IT department at KFC notices that Fred has been sending a lot of emails to an outside email address: [email protected]. KFC has a written policy stating that a manager must approve any email sent outside the company, and Fred has not been given approval. Because of the policy, KFC's IT staff decides to investigate the case to see if any foul play is afoot.

Initial Evidence

The IT staff at KFC discovers that the vast majority of these emails contain image attachments, but the attached images show only trivial, harmless things.

Figure 17. Example Image Attachment

The staff also notices that the first email that Fred sent to the Gmail address only contained one word: “chickendunk3r.”

Figure 18. “chickendunk3r” e-mail

Manager Interview

The IT staff decides to ask Fred's manager about the situation. The manager tells the staff that Fred has been under a lot of pressure at home recently and has been running into financial troubles. The IT staff decides to forensically analyze Fred's computer just in case.

Computer Examination

They discover the Xiao tool downloaded on Fred's PC. They run one of the image attachments through the program and discover that there is a text file hidden in the image file. However, to read the text file, a password is required. After trying Fred's email, system, and network passwords, the IT staff tries the “chickendunk3r” password that they noticed in the first email and discovers the secret message. Fred has been busted.


Conclusion

In this lab, we have learned the definition of steganography, how steganography works in theory, and how steganography can be practiced through the use of the Xiao software tool. Remember to practice responsibility and strong ethics when working with steganography and computer forensics in general. Thanks and good luck!
