Hiding files inside images (Steganography)

cirx08

Prevent your family, friends and anyone that has access to your computer from viewing your precious files!

I am a student studying Software Development in college and over the Summer I decided to learn how to program in C#. The results of all my learning is a program called Steganography by Cirx08.

Download the app here - http://www.sourceforge.net/projects/steganography/


Creation Interface:



Open File Interface:



What is does:
It takes any archive file made in a program like WinRAR, 7-zip, etc. and hides it inside the LSB of any image. After the secret image is created the image still looks and feels like a normal image to unsuspecting users. It can be viewed with image software, it can be printed as normal and edited in editing software (This part will save the image as a new image deleting all you secret files). But once you use the program to open the secret image you will be able to see all the files hidden inside it. Otherwise you can also simply right click the file and select the "Open With" option and select the Archiving program of your choice and it will open inside there.



Where to download it:
You can download it over at my profile on SourceForge at this link - http://sourceforge.net/projects/steganography/



Other apps by me:
After I was done with this app I created a few more that you might find interesting, you can view these apps by visiting either my website or my profile over on SourceForge.

Website - http://www.chrispbacon10.com/
SourceForge - http://www.sourceforge.net/users/cirx08


How to use:

File size limits:
There are no file size limits if you use .RAR type archives, I used this program to hide a 6.7GB file inside a 461KB .JPG image and it worked perfectly! You won't have to worry about going over any limits which is great

Note: The larger the file the longer it will take to create, just let the program do its thing until you get the "Image was created successfully" message.

Hope you all like it and are willing to give it a try and tell me what you think.

Also to all the guys out there we all know what most of you are going to hide with this

CreepingDeath

cirx08 wrote: »

Prevent your family, friends and anyone that has access to your computer from viewing your precious files!

Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.

cirx08 wrote: »

It takes any archive file made in a program like WinRAR, 7-zip, etc. and hides it inside the parity bit of a .JPG image.

When you release software you should mention the limitations.
It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

There's no "parity bit" in a JPG image as far as I know.
Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.

Kur4mA

This might get more interest over on the Information Security forum.

cirx08

CreepingDeath wrote: »

Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.



When you release software you should mention the limitations.
It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

There's no "parity bit" in a JPG image as far as I know.
Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.

Oh crap sorry yes I meant to say LSB, I'll change that now and also no there are no limitations with this program. Any archive will work. The only problem with having a huge archive is that the image size will go up and that might look suspicious but I'm working on a fix for that in the next update. I have tested it with a 6.7GB archive inside a 461KB .JPG image and it worked perfectly (Other than the fault I mentioned above).

Next version should hopefully fix that though

cirx08

kyub wrote: »

This might get more interest over on the Information Security forum.

Thanks for the tip I might move it then :P

Procasinator

CreepingDeath wrote: »

Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.



When you release software you should mention the limitations.
It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

There's no "parity bit" in a JPG image as far as I know.
Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.

I haven't looked at the program, but I would imagine he isn't really doing steganography, only merging 2 files. This is why the file can be opened in both and image viewer and an archive tool (WinZIP, WinRAR, e.t.c) without change.

If you watch his video, you will see when he hovers over the file sizes of the original JPEG and the merged one, there is a difference of about 12 MB between the two files.

You can do this in Windows without extra software using the copy command:

copy /b original.jpg + archive.zip merged.jpg

cirx08

Procasinator wrote: »

I haven't looked at the program, but I would imagine he isn't really doing steganography, only merging 2 files. This is why the file can be opened in both and image viewer and an archive tool (WinZIP, WinRAR, e.t.c) without change.

If you watch his video, you will see when he hovers over the file sizes of the original JPEG and the merged one, there is a difference of about 12 MB between the two files.

You can do this in Windows without extra software using the copy command:

copy /b original.jpg + archive.zip merged.jpg

Exactly right, this program just simplifies this method... On YouTube and other places they still like to call this steganography so I stuck with it

Procasinator

cirx08 wrote: »

Exactly right, this program just simplifies this method... On YouTube and other places they still like to call this steganography so I stuck with it

You probably could call this method stenography as well, I suppose. The concealment is just move obvious than other methods - the file size is a big give-away.

cirx08

Procasinator wrote: »

You probably could call this method stenography as well, I suppose. The concealment is just move obvious than other methods - the file size is a big give-away.

Yeah I know I'm currently working on an update to do something about that, at the moment I just tell people to store the image in a folder with other images so as to make people think it's just part of a gallery

Graham

cirx08 wrote: »

Yeah I know I'm currently working on an update to do something about that, at the moment I just tell people to store the image in a folder with other images so as to make people think it's just part of a gallery

And hope the 27GB jpeg doesn't stand out

cirx08

Graham wrote: »

And hope the 27GB jpeg doesn't stand out

Yeah I'm working on fixing this but if you're hiding 27GB of files I'd highly suggest hiding them in multiple images anyway...

Graham

cirx08 wrote: »

Yeah I'm working on fixing this but if you're hiding 27GB of files I'd highly suggest hiding them in multiple images anyway...

But then you'd have to give the jpegs meaningful names so you could find your hidden files.

FairCityEpisode734582.jpg would be a bit of a giveaway. :pac:

cirx08

Graham wrote: »

But then you'd have to give the jpegs meaningful names so you could find your hidden files.

FairCityEpisode734582.jpg would be a bit of a giveaway. :pac:

You could call it something like IMG_734582.jpg and leave it in a folder that you know holds the Fair City episodes, maybe even name the folder FC if you need to?

srsly78

How about storing your secret jpeg inside a movie? Or movies inside movies etc.

Proper steganography would do stuff like store 1 pixel in each Nth frame - indistinguishable from noise unless the viewer knows what to look for. The exact "secret pixel" in each Nth would be governed by some pre-determined algorithm.

cirx08

srsly78 wrote: »

How about storing your secret jpeg inside a movie? Or movies inside movies etc.

Proper steganography would do stuff like store 1 pixel in each Nth frame - indistinguishable from noise unless the viewer knows what to look for. The exact "secret pixel" in each Nth would be governed by some pre-determined algorithm.

Would be easier to cover up the huge file size but unfortunately it won't work with movie files

srsly78

It will work, you just have to understand how the movie format works.

cirx08

srsly78 wrote: »

It will work, you just have to understand how the movie format works.

I'd have to learn all about the ways all the different formats work and make custom code for every type of video format which would take a long time and I start back at college next week which means lots of assignments and work I have to do, I'll definitely be working on this and some of my other projects on the side tho so I might look into it at some stage.

fergalr

Interesting project.

A wise man once wrote:

Bruce Schneier wrote:

There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

I am guessing this is the former?

I know its a steg project, not crypto, but what I'm asking is, if someone suspects you are using this program it's going to be pretty easy for them to A) confirm it, and recover the message? Or not?

cirx08

fergalr wrote: »

Interesting project.

A wise man once wrote:



I am guessing this is the former?

I know its a steg project, not crypto, but what I'm asking is, if someone suspects you are using this program it's going to be pretty easy for them to A) confirm it, and recover the message? Or not?

Yes it would but this is a very small program, not many know about it and it's not really meant for high security... In the update I'm working on right now, I'm adding a password option so that even if they find the files and know how to open it they will need a password to decrypt the contents

ChRoMe

cirx08 wrote: »

Yes it would but this is a very small program, not many know about it and it's not really meant for high security... In the update I'm working on right now, I'm adding a password option so that even if they find the files and know how to open it they will need a password to decrypt the contents

Use PGP, don't roll your own.

fergalr

ChRoMe wrote: »

Use PGP, don't roll your own.

If its the same password to encrypt and decrypt, that's symmetric encryption that you want, so probably not PGP/GPG which are more associated with asymmetric/public-private key encryption.

But the point chrome is making, to not roll your own encryption, is something that everyone agrees on. If you try to write your own encryption, you'll get it wrong and it'll probably be easy for someone skilled to break.


Whether you care about that depends on the scope of your project.


If you want strong encryption, you probably want something like AES for symmetric encryption. That's a common standard. Openssl has good implementations and a lot of people use it when they need an encryption library.

But even then you'll need something that people can't just brute force by guessing the password...

These things take an awful lot of work to get right, if you want to make them 'strong'. One error, one side channel, can compromise everything. Whether this project is worth that much work is up to the OP. If you do want to make it strong, there's a good bit of reading to do, followed by careful coding etc.


Just make sure you are clear to your users whether the hard work to make it properly secure has been done, or not.

Non technical people can end up relying on software to secure them, without having a clue whats going on. That might be a big deal if someone is living under an oppressive regime or something... so you generally want to be clear about what level of security users can expect.

srsly78

The very first post said it was done as an educational exercise, thus not a serious roll-your-own effort.

TrueCrypt (foss) has steganography built-in (hidden partition feature).

cirx08

srsly78 wrote: »

The very first post said it was done as an educational exercise, thus not a serious roll-your-own effort.

TrueCrypt (foss) has steganography built-in (hidden partition feature).

No better way to get better at programming than to keep practising

fergalr

srsly78 wrote: »

TrueCrypt (foss) has steganography built-in (hidden partition feature).

It's debatable, but I would call that 'plausible deniability' and not 'steganography'.

fergalr

cirx08 wrote: »

No better way to get better at programming than to keep practising

Absolutely.

Just, if you release something to the public that has encryption, or security, listed as a feature, make sure you are up front and unambiguous about the limits of how much they should trust the security.

ChRoMe

fergalr wrote: »

It's debatable, but I would call that 'plausible deniability' and not 'steganography'.

Thats exactly what it is, true crypt's concept is that if someone holds a gun to your head and you supply them the key/password to decrypt, if the hidden partition is not exposed, that will help prove you did it under duress.

mad turnip

This is pretty cool, could be expanded by adding some kind of passcode to the file and running it through some kind of decryption algorithm, a very simple one being a caesar cipher.

edit:
nevermind looks like other people are already discussing that!

Procasinator

fergalr wrote: »

It's debatable, but I would call that 'plausible deniability' and not 'steganography'.

Personally, I would say the plausible deniability TrueCrypt offers you is achieved through the use of steganography.

fergalr

Procasinator wrote: »

Personally, I would say the plausible deniability TrueCrypt offers you is achieved through the use of steganography.

I think I understand the semantics you are using, if I understand you right:

You are saying that 1) the fact that encrypted volumes are indistinguishable (at least in theory) from random data,
2) means that the random data at the end of the outer volume could contain a hidden volume which can't be discovered.
Hence, you would say that that entire system is a steganographic system which allows volumes to be stored in a hidden manner at the end of a containing volume.

And you would say that this entire setup allows plausible deniability, in that someone could say 'oh there is no hidden volume'.

While I agree with the last bit, about plausible deniability, I don't like describing truecrypt as offering steganography. (Maybe you agree?)

I guess you could to say it uses steganography to offer deniability, but that isn't the same thing as the system as a whole offer steganography, which I don't think it does.


The wikipedia definition of steganography (first sentence):

Wikipedia wrote:

"Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. "

Truecrypt fails that test.
An adversary, upon seeing a truecrypt volume (or large unmarked file in the filesystem), will always suspect that 1) there's a truecrypt volume there, and 2) there's a hidden volume in that truecrypt volume.

The owner of the volume could plausibility deny it, but the adversary will still suspect the existance of the message; so truecrypt, as a whole system, doesn't offer steganography.


Which brings us on to...

ChRoMe wrote: »

Thats exactly what it is, true crypt's concept is that if someone holds a gun to your head and you supply them the key/password to decrypt, if the hidden partition is not exposed, that will help prove you did it under duress.

I don't exactly understand your post, there, Chrome - Im not sure it makes sense?


But, anyway, what I wanted to say, is that if you are in a 'gun to head' scenario (improbable, but heaven forbid), truecrypt offers no protection.

The bad guys will just beat you with the $5 wrench until you tell them the password to the inner volume.

You will tell them the password before they stop beating you with the wrench, because that's how humans work.


And, that, is why I don't consider truecrypt steganography.
Whereas perhaps a clever way of embedding messages in images, like the OP is working on (but (at least somewhat) statistically secure, which the OP doesn't have) is potentially steganography, in that an adversary would never even suspect a message, truecrypt does not offer that.

mad turnip wrote: »

This is pretty cool, could be expanded by adding some kind of passcode to the file and running it through some kind of decryption algorithm, a very simple one being a caesar cipher.

The caesar cipher won't even keep out your kid sister :-)

srsly78

Fergal TrueCrypt lets you give a "fake password" for $5 wrench scenarios, this gives access to a fake "secret" partition.

mad turnip

fergalr wrote: »

The caesar cipher won't even keep out your kid sister :-)

I mistakenly just read page one, and stupidly forgot that people on boards actually have an idea what there talking about!!!!!!!!!!