
Steganography

Today we are going to use some steganography tools, and a tool to detect the
use of steganography.
1. Copy the folder named Stg from our module folder on the shared drive.
This contains JPHide and Seek, Stegdetect and Stegbreak.
2. the shared drive in our module folder.
3. S-Tools is already in your forensic VM.

JP Hide and Seek

Hiding Data in a .jpg using JP Hide and Seek
1. Unzip the contents of JP Hide and Seek.rar into your Forensic VM.
2. Double click on the file Florence holiday snap. This is a clean (no hidden data) photograph.
3. View the properties of this photograph using Windows Explorer.
4. Examine the secret_password1.pdf file. This file contains usernames and passwords.
5. Run Jphswin.exe by double clicking on the file.
6. Choose Open jpeg from the menu and open the Florence holiday snap.jpg. JPHS will populate the input jpeg file information from the selected file. It will specify a maximum file size that can be hidden within this image and recommend a limit that will make it less likely that the corruption of the image will be visually detectable.
7. Check to see that your data matches the expected values:
   What is the recommended limit to the data file size that can be hidden in this picture file?
   What is the maximum size for a data file that can be hidden in this picture file?
8. From Windows Explorer, examine the properties of the file secret_password1.pdf.
   What is the exact file size of the file?
   Will the picture Florence holiday snap.jpg be suitable, in terms of size, for hiding this data?
9. Choose Hide from the menu. You are prompted for a passphrase which will be needed to extract the hidden data. Choose a passphrase, enter and confirm this passphrase. Click OK.
10. You will be prompted to select the file containing the information to hide. Choose the file secret_password1.pdf.
11. JPHS will report the details of the file to be hidden. Note that the values reported in JPHS are approximate.
   What is the JPHS reported size of the hidden file secret_password1.pdf?
   According to JPHS, will this image be suitable, in terms of size, for hiding this data?
12. Click on Save jpeg as. Save the file as my_florence_holiday_snap.jpg.
13. Note the difference in the input and saved jpeg files. Examine the properties of the newly created picture file.
   What is the exact size of this file containing the picture?
   Is the saved picture file larger or smaller than the input picture file?
14. Open both of the picture files. Are there any differences detectable visually?

Recovering hidden data in a jpeg picture using JP Hide and Seek
1. Run Jphswin.exe
2. Choose Open jpeg from the menu
3. Select the file my_florence_holiday_snap.jpg, i.e. the file containing the hidden data.
4. Choose Seek from the menu. A dialogue box will open. Enter the passphrase.
5. Choose a file name and location in which to save the recovered information. Open this file and check that its contents are the same as the original file.
6. Check the file sizes of the original data file secret_password1.pdf and the recovered data file.
7. Has the steganography changed the hidden data? (Comparing a hash of the two files, rather than only their sizes, is the reliable way to answer this.)

S-Tools
You will be using the S-Tools steganography tool, located in C:\Win7_Software\stools in the forensic VM (there is a shortcut on the desktop). Start with the tutorial in Quick start.doc which is on the shared S: drive. Then try hiding files yourself:

1. What happens if you choose an inappropriate cover file type (i.e. not bmp, gif or wav)?
2. What happens if you try to put too much into the cover file?
3. How much data can you hide in a given size of cover file?
4. Does the cover file or hidden file(s) type affect the amount of data that can be stored?
5. Now open the original cover file and the stegofile in WinHex.
   a. Can you locate some of the changed bytes?
   b. Which bits in those bytes have been changed?
   c. Are the same bit-positions always changed?
   d. What happens if you change one of the changed bytes in the stegofile back to its original value? Does the stegofile still work with S-Tools?
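
The bit-level questions in step 5, and the "has the steganography changed the hidden data?" check from the JPHS exercise, can be worked through in code before you look at the real files in WinHex. The following is an added example, not part of this worksheet and not S-Tools' own code or container format: it embeds a payload into the low-order bit of each byte of a constructed pixel buffer (the classic LSB scheme), diffs cover against stego the way you would by eye in a hex editor, recovers the payload and compares hashes. The 4-byte length header, the sequential bit order and the absence of any passphrase or encryption are assumptions of this toy.

```python
"""Added example: LSB embedding, WinHex-style byte diff, extraction and hash check.
Not S-Tools' format; the header layout and bit order are assumptions of this toy."""
import hashlib


def make_cover(width=16, height=16):
    """Constructed 24-bit RGB pixel buffer (a smooth gradient) standing in for the
    pixel area of a BMP cover file. Sample data, not one of the lab images."""
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes((x * 16, y * 16, (x + y) * 8))
    return bytes(pixels)


def capacity_bytes(cover):
    """One payload bit per cover byte, minus the 4-byte length header (assumed)."""
    return len(cover) // 8 - 4


def hide(cover, payload):
    """Write length header + payload, MSB first, into the LSB of successive bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) * 8 > len(cover):
        raise ValueError("payload of %d bytes exceeds capacity of %d bytes"
                         % (len(payload), capacity_bytes(cover)))
    out = bytearray(cover)
    for i, byte in enumerate(data):
        for k in range(8):
            bit = (byte >> (7 - k)) & 1
            out[i * 8 + k] = (out[i * 8 + k] & 0xFE) | bit
    return bytes(out)


def seek(stego):
    """Reverse of hide(): read the header, then that many payload bytes."""
    def read_byte(i):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[i * 8 + k] & 1)
        return value
    length = int.from_bytes(bytes(read_byte(i) for i in range(4)), "big")
    return bytes(read_byte(4 + i) for i in range(length))


def changed_bytes(cover, stego):
    """(offset, [changed bit positions]) for every byte that differs: the
    comparison you do by hand when viewing both files in WinHex."""
    return [(i, [b for b in range(8) if (c ^ s) >> b & 1])
            for i, (c, s) in enumerate(zip(cover, stego)) if c != s]


def flip_back(stego, cover, offset):
    """Question 5d above: put one changed byte back to its cover value."""
    out = bytearray(stego)
    out[offset] = cover[offset]
    return bytes(out)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    cover = make_cover()
    secret = b"user: alice  password: hunter2\n"   # constructed sample payload
    stego = hide(cover, secret)
    diff = changed_bytes(cover, stego)
    print("capacity %d bytes, payload %d bytes, %d of %d cover bytes changed"
          % (capacity_bytes(cover), len(secret), len(diff), len(cover)))
    print("bit positions touched:", sorted({b for _, bits in diff for b in bits}))
    print("recovered intact:", sha256(seek(stego)) == sha256(secret))
    off = next(o for o, _ in diff if o >= 32)          # first change past the header
    print("after reverting byte %d: %r" % (off, seek(flip_back(stego, cover, off))[:12]))
```

Run it and compare with what WinHex shows you for the real files. In this toy only bit 0 ever changes, and fewer bytes change than there are payload bits, because a cover byte whose LSB already matches the payload bit is left untouched. Reverting one changed byte (question 5d) corrupts exactly the one recovered byte it carried; a tool that encrypts or checksums its payload would instead refuse to extract anything, which is the behaviour you should check for with S-Tools.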

Detecting hidden data in a Jpeg using Stegdetect
1. Use Stegdetect which can be found in the shared drive.
2. Place your stegged and non-stegged picture files together within a folder.
3. Run xsteg.exe.
4. Point it at this folder.
5. Which files does Stegdetect suspect of containing hidden data?
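
Stegdetect's verdict rests on statistics, not on a signature in the file, and the oldest such statistic, the chi-square pairs-of-values attack of Westfeld and Pfitzmann, is short enough to run here. The following is an added example, not this worksheet's material and not Stegdetect's code: it builds a constructed cover sample whose adjacent byte values are unevenly used (a 15% bias towards even codes is assumed, standing in for the uneven histograms of real sensor data), overwrites the LSBs of all or part of it with random bits, and computes the probability that the value pairs have been equalised. A p-value near 1 flags embedding, and sweeping growing prefixes shows where a sequentially embedded message stops. This is the spatial-domain LSB form of the test; Stegdetect applies statistical tests to the JPEG DCT coefficients instead. The chi-square survival function is implemented inline so that nothing beyond the standard library is needed.

```python
"""Added example: chi-square pairs-of-values steganalysis (Westfeld & Pfitzmann) on a
constructed sample. Illustrates the statistical idea behind tools like Stegdetect; it
is not Stegdetect's code, which works on JPEG DCT coefficients rather than raw bytes."""
import math
import random


def chi2_sf(stat, dof):
    """P(X > stat) for X ~ chi-square(dof): 1 - P(dof/2, stat/2), with the regularised
    lower incomplete gamma computed from its power series in log space (no scipy)."""
    if dof <= 0 or stat <= 0.0:
        return 1.0
    a, x = dof / 2.0, stat / 2.0
    log_term = -math.log(a)               # n = 0 term of sum_n x^n / (a (a+1) ... (a+n))
    log_terms, peak, n = [log_term], log_term, 0
    while True:
        n += 1
        log_term += math.log(x) - math.log(a + n)
        log_terms.append(log_term)
        peak = max(peak, log_term)
        if n > x - a and log_term < peak - 40.0:   # past the largest term and negligible
            break
    log_sum = peak + math.log(sum(math.exp(t - peak) for t in log_terms))
    log_p = a * math.log(x) - x - math.lgamma(a) + log_sum
    return min(1.0, max(0.0, 1.0 - math.exp(log_p)))


def chi2_attack(data):
    """Pairs-of-values test over the byte histogram of `data`. Returns (chi2, dof, p);
    p near 1 means the (2k, 2k+1) pairs are equalised, i.e. LSB embedding is likely."""
    hist = [0] * 256
    for b in data:
        hist[b] += 1
    chi2, dof = 0.0, -1
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2.0
        if expected > 0:
            chi2 += (hist[2 * k] - expected) ** 2 / expected
            dof += 1
    return chi2, dof, (chi2_sf(chi2, dof) if dof >= 1 else 0.0)


def attack_profile(data, steps=10):
    """p-value over growing prefixes: sweeping a file front to back like this shows
    where a sequentially embedded message stops."""
    n = len(data)
    return [chi2_attack(data[: n * k // steps])[2] for k in range(1, steps + 1)]


def make_cover(n=65536, seed=1234):
    """Constructed cover: smooth signal plus Gaussian noise, with an assumed 15% bias
    towards even codes standing in for the uneven adjacent-value counts of real data."""
    rng = random.Random(seed)
    out = bytearray()
    for i in range(n):
        v = min(255, max(0, int(128 + 40 * math.sin(i / 53.0) + rng.gauss(0, 20))))
        if v & 1 and rng.random() < 0.15:
            v -= 1
        out.append(v)
    return bytes(out)


def embed_random_lsb(cover, fraction, seed=99):
    """Overwrite the LSBs of the first `fraction` of the bytes with random bits, which is
    what sequential embedding of an encrypted or compressed payload looks like."""
    rng = random.Random(seed)
    out = bytearray(cover)
    for i in range(int(len(cover) * fraction)):
        out[i] = (out[i] & 0xFE) | rng.getrandbits(1)
    return bytes(out)


if __name__ == "__main__":
    cover = make_cover()
    for label, sample in (("clean", cover),
                          ("fully embedded", embed_random_lsb(cover, 1.0)),
                          ("half embedded", embed_random_lsb(cover, 0.5))):
        chi2, dof, p = chi2_attack(sample)
        print("%-15s chi2=%8.1f dof=%3d p(embedded)=%.4f" % (label, chi2, dof, p))
    print("prefix sweep of the half-embedded sample:",
          " ".join("%.2f" % p for p in attack_profile(embed_random_lsb(cover, 0.5))))
```

The clean sample gives a chi-square far above its degrees of freedom (p near 0), the fully embedded one sits near half the degrees of freedom (p near 1), and in the prefix sweep of the half-embedded sample p stays high until the sweep runs past the end of the message. The same limitation applies as to Stegdetect: a payload that is small relative to the cover, or scattered rather than sequential, moves the statistic much less, so a "not suspected" verdict is weak evidence.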

Recovering steganographic passwords with Stegbreak
1. Extract the contents of the usr.zip file directly to your C:\ drive. The .zip file contains a folder named Usr. Do not modify or change this folder. It contains the file structure that StegBreak needs in order to function.
2. From StegDetect, identify a file which has a hidden message, e.g. zebras2.jpg.
3. We will use a DOS based program, Stegbreak.exe, to crack the passwords. It will be easier to run if the files with contained messages are in the same folder.
4. Go to a DOS window by using CMD in RUN under the Start menu. Make sure that the command window has administrator privileges. Navigate to the stego directory in which you placed the stegged file.
5. The command syntax for the stegbreak.exe application can be found in the Stegbreak.pdf file.
6. Make sure the dictionary used (MedDict.dic) and the rules.ini file are in the same directory as stegbreak.exe. The syntax to run a dictionary attack is:

   stegbreak -r rules.ini -f meddict.dic my_2009_miss_gsu.jpg

   a) the name following the -r parameter is the rules.ini file. It comes with the program but must be in the same directory as stegbreak.
   b) the name following the -f parameter is the name of the dictionary to use. In this case, the dictionary's name is MedDict.dic, which is found in the same DOS directory as the other files.
   c) stegbreak defaults to breaking jphide; an additional parameter, -t, can be used to crack outguess or jsteg-shell codes. See the stegbreak.pdf file.
7. The figure below shows the results of breaking the file zebras2.jpg.
8. What is the password for the hidden message in the file zebras2.jpg?
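
A dictionary attack like the one above only works because the cracker can tell a right guess from a wrong one by what comes out: with the wrong passphrase the extracted bits are junk, with the right one they pass whatever structure check the scheme allows. The following is an added example, not stegbreak's code and not the jphide format, that builds a toy keyed scheme to show those mechanics. The passphrase seeds the permutation of LSB positions, the payload is framed with a magic marker, a length and a CRC32 (all assumptions of this toy, chosen so that a guess can be verified), and the cracker mangles each dictionary word with a small rule set modelled on what a rules.ini does (case variants, then a digit suffix) and stops at the first candidate whose frame verifies. The cover bytes, the wordlist and the passphrase "Zebras1" are constructed sample data.

```python
"""Added example: a keyed LSB scheme plus a stegbreak-style dictionary attack on it.
The frame layout, permutation and rule set are assumptions of this toy, not jphide's."""
import hashlib
import random
import zlib

MAGIC = b"STG1"   # constructed marker that only the correct passphrase reproduces


def _positions(passphrase, n_cover):
    """Passphrase -> permutation of cover byte offsets (which LSBs carry the bits)."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest()[:8], "big")
    pos = list(range(n_cover))
    random.Random(seed).shuffle(pos)
    return pos


def _bits(data):
    for byte in data:
        for k in range(7, -1, -1):
            yield (byte >> k) & 1


def keyed_hide(cover, passphrase, payload):
    """Frame = MAGIC | 2-byte length | payload | CRC32(length + payload)."""
    body = len(payload).to_bytes(2, "big") + payload
    frame = MAGIC + body + zlib.crc32(body).to_bytes(4, "big")
    if len(frame) * 8 > len(cover):
        raise ValueError("cover too small for %d-byte frame" % len(frame))
    out = bytearray(cover)
    for p, bit in zip(_positions(passphrase, len(cover)), _bits(frame)):
        out[p] = (out[p] & 0xFE) | bit
    return bytes(out)


def _read(stego, pos, nbytes, offset):
    """Read nbytes of the frame starting at frame byte `offset`."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[pos[(offset + i) * 8 + k]] & 1)
        out.append(value)
    return bytes(out)


def keyed_seek(stego, passphrase):
    """Payload if the passphrase yields a well-formed frame, otherwise None."""
    pos = _positions(passphrase, len(stego))
    if _read(stego, pos, 4, 0) != MAGIC:
        return None
    length = int.from_bytes(_read(stego, pos, 2, 4), "big")
    if (10 + length) * 8 > len(stego):
        return None
    body = _read(stego, pos, 2 + length, 4)
    crc = int.from_bytes(_read(stego, pos, 4, 6 + length), "big")
    if zlib.crc32(body) != crc:
        return None
    return body[2:]


def mangle(word):
    """Rule set loosely modelled on a rules.ini: case variants, then a digit suffix."""
    variants = []
    for w in (word, word.lower(), word.upper(), word.capitalize()):
        if w not in variants:
            variants.append(w)
    for w in variants:
        yield w
        for digit in "0123456789":
            yield w + digit


def stegbreak(stego, wordlist):
    """Try every mangled dictionary word; return (passphrase, payload, guesses tried)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            payload = keyed_seek(stego, candidate)
            if payload is not None:
                return candidate, payload, tried
    return None, None, tried


def make_cover(n=2048, seed=7):
    """Constructed cover bytes (pseudo-random, standing in for pixel data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover()
    stego = keyed_hide(cover, "Zebras1", b"user=alice&pass=hunter2")   # constructed
    print("wrong passphrase ->", keyed_seek(stego, "zebras"))
    found, payload, tried = stegbreak(stego, ["password", "holiday", "zebras", "florence"])
    print("cracked %r after %d guesses, payload %r" % (found, tried, payload))
```

The attack succeeds only because "zebras" is in the wordlist and a rule turns it into "Zebras1"; a passphrase that no rule can produce from any dictionary word is out of reach, which is the same limit stegbreak has with MedDict.dic and rules.ini. Note also how cheap each guess is: one permutation and one 4-byte read reject almost every wrong passphrase before the CRC is even checked.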

Extension activity
Identify and download some steganography and steganalysis tools from the Internet and try them out. (See this week's lecture notes for some links.) For example:
SNOW
http://www.darkside.com.au/snow/
