
Steganography has been written about on Habr several times already; in particular, a recent post about LSB steganography (which, unfortunately, the author has since moved to drafts) made me want to share my knowledge and thoughts on the topic.
Let's assume that you are a spy and (like any self-respecting spy) you have a lot of secret information on your hard drive. You need to hide it so that no one finds it. And if you are caught, your computer will be handed over for examination, and the person searching it will be 99% sure that such information is on the hard disk.
So, what ways of hiding information do we have at our disposal?
Method 1 - Banal
The easiest way is to rename the file. For example, you have a picture to hide. You simply change the file extension and the system no longer recognizes the file as a picture. But, of course, this only protects against a fool. If you rename a JPG file to RAR, for example, the resulting RAR archive cannot be opened: WinRAR will report that the archive is broken, which will arouse suspicion and lead to a closer study of the file.
Method 2 - Banal, advanced
Another simple but somewhat more advanced way is to merge two different files into one. The simplest example: append a RAR archive to the end of a JPEG image. Such an image opens without any problems in any program for viewing or editing pictures, and it also opens in WinRAR. The reason is that almost all archive programs are designed to cope with an archive that does not start at the beginning of the file, since the archive may be enclosed in a self-extracting shell. The disadvantage of this method is that such gluing is easy to notice. For example, if a picture is 200x200 pixels and yet weighs 2 megabytes, suspicion arises immediately. In addition, all formats (containers) usually have a clear structure, and if a file suddenly contains redundant information, it is easy to detect.
Therefore, we need a way to hide information that does not violate the file structure of the selected format.
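How an examiner would notice the gluing described in Method 2, as an added example that is not part of the original post: the code walks the JPEG segment structure to the true end-of-image marker and reports whatever follows it. The sample bytes and the function names are constructed for the illustration.

```python
# Magic bytes of common archive formats (RAR is the case from the post).
SIGNATURES = {b"Rar!\x1a\x07": "RAR", b"PK\x03\x04": "ZIP",
              b"7z\xbc\xaf\x27\x1c": "7z"}
# Inside scan data, FF followed by one of these is not a segment marker:
# 00 = byte stuffing, FF = fill byte, D0-D7 = restart markers.
NOT_A_MARKER = {0x00, 0xFF, *range(0xD0, 0xD8)}

def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker, walking segment by segment.

    Searching for FF D9 directly is unreliable: a thumbnail stored inside an
    APP1 (EXIF) segment has its own EOI, so segments are skipped by length.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError(f"expected a marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:                 # fill byte in front of the marker
            i += 1
            continue
        i += 2
        if marker == 0xD9:                 # EOI: end of image
            return i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                       # stand-alone markers have no length
        i += int.from_bytes(data[i:i + 2], "big")
        if marker == 0xDA:                 # SOS: entropy-coded data follows
            while i + 1 < len(data) and not (
                    data[i] == 0xFF and data[i + 1] not in NOT_A_MARKER):
                i += 1
    raise ValueError("truncated JPEG: no EOI marker")

def check_trailing(data: bytes):
    """Return (image_end, trailing_byte_count, archive_type_or_None)."""
    end = find_jpeg_end(data)
    tail = data[end:]
    kind = next((n for sig, n in SIGNATURES.items() if sig in tail), None)
    return end, len(tail), kind

# Constructed sample: a structurally valid (not decodable) JPEG skeleton whose
# APP1 payload holds a decoy FF D9, plus a constructed RAR-like tail.
CLEAN = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00" + bytes(9)
         + b"\xff\xe1\x00\x06\xff\xd9\x00\x00" + b"\xff\xda\x00\x08" + bytes(6)
         + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
TAIL = b"Rar!\x1a\x07\x00" + b"constructed payload"
```

On the clean sample the trailing byte count is zero; with the tail appended, the image end stays at the same offset and the tail is classified as RAR.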
Method 3 - LSB
As already written earlier, this method is very simple to implement, it does not violate the rules of the container, and the file stores no redundant information. But the method has quite a few drawbacks. First, it applies only to a small number of containers. For example, it cannot be applied to the JPG, MP3 or AVI formats. Yet files in these formats are, as a rule, stored by the hundreds on our computers, and that is exactly where it would be most convenient to hide information. Personally, I would immediately suspect something was wrong if I found a large library of pictures in BMP format on a computer. This method also gives itself away completely on images with a uniform surface. And try applying it to an MP3 file: changing just one bit every 2 or even more bytes will inevitably lead to loss of audio data.
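Why a uniform surface betrays LSB embedding, as an added example that is not part of the original post: the low bit of every sample in a flat region is identical until payload bits are written into it. The cover bytes, the payload and the function names are constructed for the illustration.

```python
def embed_lsb(samples: bytes, payload: bytes) -> bytes:
    """Write the payload bits, most significant first, into the low bit of
    consecutive samples (raw 8-bit pixel or PCM values)."""
    bits = [(byte >> (7 - k)) & 1 for byte in payload for k in range(8)]
    if len(bits) > len(samples):
        raise ValueError("payload does not fit in this cover")
    out = bytearray(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(samples: bytes, n_bytes: int) -> bytes:
    """Read n_bytes back out of the low bits."""
    out = bytearray()
    for b in range(n_bytes):
        value = 0
        for s in samples[8 * b: 8 * b + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)


def lsb_transitions(samples: bytes) -> int:
    """Count neighbouring samples whose low bits differ.

    A flat region scores 0; embedded data pushes the score towards half the
    region length, which is what an examiner looks for.
    """
    return sum((a ^ b) & 1 for a, b in zip(samples, samples[1:]))


# Constructed cover: 64 samples of one flat colour value, and a 3-byte payload.
FLAT = bytes([200]) * 64
PAYLOAD = b"key"
STEGO = embed_lsb(FLAT, PAYLOAD)
```

No sample changes by more than 1, so the picture looks the same, yet the transition count of the flat region rises from 0 to a clearly non-zero value.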
For those who want to play with this method, I can offer a plugin for Total Commander that allows you to hide data in some image containers, as well as in WAV (provided that the audio data is encoded with a PCM codec).
There are also more advanced algorithms, for example the Koch-Zhao algorithm, which hides data only in pictures. It differs in that it encodes one bit of information per 8x8-pixel block. Unfortunately, because there is so little information about this algorithm on the Internet, I cannot tell you anything more about it.
Method 4 - Metadata
A great many formats can store some metadata. The advantage of this method is that it also does not violate the file format; in addition, working with this metadata is usually well documented, and there are ready-made libraries that let you quickly write a program to store your data in these files. Almost all media formats support metadata. However, it is not always possible to store data there in a way that keeps it out of sight. So where can you try to keep secret data?
MP3
Just recently a post appeared on Habr, "Hide text in MP3", describing a PHP implementation that stores its information in the ID3v1 tag. But the ID3v1 tag has very strict limitations, and not much information can be stored there. In addition, all your data is clearly visible in any normal media player. The ID3v2.4 tag is quite another matter: it allows you to store much larger amounts of data and also allows you to save any non-standard data. For example, some programs store volume and normalization settings for each individual file there. Media players usually do not display unknown parameters.
Since we are talking about MP3, it is worth mentioning the little-known Lyrics3 tag, which was created to store the song lyrics in the file and also to extend the ID3v1 tag (for example, it allowed a longer song title to be saved), but the release of the ID3v2 standard kept the Lyrics3 tag from becoming widespread. Oddly enough, though, a large number of the MP3 files that can now be found on the Internet contain this tag (although nothing is stored there except the name of the song).
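How the non-standard ID3v2.4 data mentioned above shows up to a tool that lists every frame, as an added example that is not part of the original post. The allow-list of frame IDs, the 64-byte threshold, the "XDAT" frame ID and the sample tag are assumptions constructed for the illustration.

```python
# Frame IDs this example treats as ordinary. The allow-list is an assumption
# of the example; a real audit would use the full ID3v2.4 frame list.
KNOWN = {"TIT2", "TPE1", "TALB", "TRCK", "TDRC", "TCON", "COMM", "APIC"}


def synchsafe(b: bytes) -> int:
    """Decode a 4-byte synchsafe integer (7 useful bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def to_synchsafe(n: int) -> bytes:
    """Encode an integer as 4 synchsafe bytes (used to build the sample)."""
    return bytes((n >> s) & 0x7F for s in (21, 14, 7, 0))


def list_frames(data: bytes):
    """Return [(frame_id, size, is_unknown)] for an ID3v2.4 tag at offset 0."""
    if data[:3] != b"ID3" or data[3] != 4:
        raise ValueError("no ID3v2.4 tag at the start of the file")
    if data[5] & 0x40:
        raise ValueError("extended header present: not handled in this example")
    end = 10 + synchsafe(data[6:10])
    frames, i = [], 10
    while i + 10 <= end and data[i] != 0:      # a zero byte starts the padding
        fid = data[i:i + 4].decode("latin-1")
        size = synchsafe(data[i + 4:i + 8])
        frames.append((fid, size, fid not in KNOWN))
        i += 10 + size
    return frames


def suspicious(data: bytes, min_size: int = 64):
    """Unknown frames big enough to carry a payload (threshold is arbitrary)."""
    return [(f, s) for f, s, unknown in list_frames(data)
            if unknown and s >= min_size]


def frame(fid: bytes, body: bytes) -> bytes:
    """Build one frame: ID, synchsafe size, two flag bytes, body."""
    return fid + to_synchsafe(len(body)) + b"\x00\x00" + body


# Constructed sample: a normal title frame, a non-standard "XDAT" frame with
# 300 opaque bytes, 16 bytes of padding, then stand-in audio bytes.
BODY = (frame(b"TIT2", b"\x03Song") + frame(b"XDAT", bytes(range(100)) * 3)
        + bytes(16))
SAMPLE = (b"ID3\x04\x00\x00" + to_synchsafe(len(BODY)) + BODY
          + b"\xff\xfb" + bytes(32))
```

A media player would show only the title here, while the frame listing exposes the 300-byte unknown frame immediately.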
JPEG
The JPEG format supports the EXIF tag. The data in this tag is stored as key = value pairs. In theory, nothing prevents you from adding a non-standard key there that contains your encrypted data. A program working with this tag that comes across the key will most likely just ignore it and not display it.
AVI
Not many people know that AVI files also support metadata, and you can store a lot of things there. As in MP3 and JPEG, you can create a key of your own, which programs working with metadata will simply ignore. I can recommend a good program for viewing the metadata of AVI files: abcAvi Tag Editor.
The downside of storing secret data in a file's metadata is obvious: there are many programs that display absolutely all of its contents, including non-standard and private values.
Method 5
And finally, I want to tell you about one great way to store sensitive data in MP3 files. It is implemented in the program MP3Stego. Unfortunately, the author of this program has not updated the project since 2006. The idea is that the data is first encrypted and then, at the heart of the MP3 encoding process (from WAV), mixed into the final result. The result is a regular MP3 file with no noticeable distortion, but it contains the encoded data.