Hi folks,
During last week I’ve found some interesting stuff on Steganography, well I wanna discuss about detection and not about Steganography, so please if yu’re interested on this post read the wiki pedia definition linked above.
Well, right now I’ve seen lot of people who don’t know anything about Steganography and how to detect it, I know there are lots of free software like StegoDetect that can easily detect if the current file has been compromised, but as usually I like touch by hand what happen inside the file. So during these days I’ve analyzed some file extension with and without Steganography.
Let me start with classics examples like .gif images.

This is a normal gif image without any items hidden.

And this one is the same picture with some plain text steganographed inside. 

Human eyes can’t see the difference between the two pictures, but the hexadecimal editor can !!! So if we try to open normal .gif images and the compromised one we can compare the differences and understand how it’s possible detect Steganography inside GIF image.
And, yep we got it ! As you can see from the following pictures the first bytes are different !
This is first picture’s hexadecimal view, and you can read “47 49 46 38” that’s means “GIF” in ASCII way.
This is the second Pictures’ s hexadecimal view, you can’t see “GIF” bytes …

Well, it’s so easy to detect !!! Let me try with others pictures formats for instance with .jpg files. Apparently there are not similarity between a normal jpg pics and a compromised one, but if you study JPG header and body format you can discover that every JPG image ends with “FF D9” Bytes. So you if it’s true we must find “FF D9” in the normal JPG and others stuff in the compromised image. De facto it’s true. Safe JPG following:

Compromised JPG following:

Yet, examples.
PNG is another important image format, the PNG header is well known so should be easy detecting injections. It’s still true, the difference in the header is impressive. Normal PNG format.

And Fake PNG header.

So here we are.. It’s not so difficult understanding if an image has been compromised ! Some times some Steganographic software are more smart than others ones but it’s difficult lying to hex editor. Anyway it’s really different for MP3, exe and other stuff like that.

Published by marcoramilli

Ethical Hacking, Advanced Targeted Attack Expert and Malware Evasion Expert

6 thoughts on “ How to detect Steganography. ”

  2. hi i read your post. its interesting that we can detect the compromised images. but i want to know can we detect by which algorithm the original image was compromised, so we can reconstruct the secret data. is it possible to do that. I'm trying to build a tool that detect compromised image, and algorithm to reconstruct the secret data. so initially i'm going with DCT based stego algorithms.

  4. Google “Jessica Fridrich” if you want to read about some steganography algorithms much more difficult to detect than these examples.Cheers,Ron

  5. WoW, very interesting !!!It was really hard reading this paper, and I’m not sure to have understood every things. Anyway, you are right; it’s possible build a secret algorithm ( but I think this could become security over obscurity) in order to hide message in a quite undetectable way. There are a lot of steganography algorithms (easier than this one 🙂 that show how to do. But if you have both images, I mean the original and the compromised one,I think it’s impossible to *not* recognize the bytes differences. The real problem is that actual Stegos Softwares don’t implement any of this “undetectable” algorithms.Thank you *SO* much for the very *INTERESTING* post .

Comments are closed.