
Hiding files inside images (Steganography)

  • 01-09-2013 5:55pm
    #1
    Registered Users, Registered Users 2 Posts: 117 ✭✭


    Prevent your family, friends and anyone that has access to your computer from viewing your precious files!

    I am a student studying Software Development in college and over the Summer I decided to learn how to program in C#. The result of all my learning is a program called Steganography by Cirx08.

    Download the app here - http://www.sourceforge.net/projects/steganography/


    Creation Interface:
    SteganographyCreate.png


    Open File Interface:
    SteganographyOpen.png


    What it does:
    It takes any archive file made in a program like WinRAR, 7-zip, etc. and hides it inside the LSB of any image. After the secret image is created the image still looks and feels like a normal image to unsuspecting users. It can be viewed with image software, it can be printed as normal and edited in editing software (This part will save the image as a new image deleting all your secret files). But once you use the program to open the secret image you will be able to see all the files hidden inside it. Otherwise you can also simply right click the file and select the "Open With" option and select the Archiving program of your choice and it will open inside there.



    Where to download it:
    You can download it over at my profile on SourceForge at this link - http://sourceforge.net/projects/steganography/



    Other apps by me:
    After I was done with this app I created a few more that you might find interesting, you can view these apps by visiting either my website or my profile over on SourceForge.

    Website - http://www.chrispbacon10.com/
    SourceForge - http://www.sourceforge.net/users/cirx08


    How to use:



    File size limits:
    There are no file size limits if you use .RAR type archives, I used this program to hide a 6.7GB file inside a 461KB .JPG image and it worked perfectly! You won't have to worry about going over any limits which is great :D

    Note: The larger the file the longer it will take to create, just let the program do its thing until you get the "Image was created successfully" message.

    Hope you all like it and are willing to give it a try and tell me what you think.

    Also to all the guys out there we all know what most of you are going to hide with this ;)


Comments

  • Closed Accounts Posts: 8,015 ✭✭✭CreepingDeath


    cirx08 wrote: »
    Prevent your family, friends and anyone that has access to your computer from viewing your precious files!

    Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.
    cirx08 wrote: »
    It takes any archive file made in a program like WinRAR, 7-zip, etc. and hides it inside the parity bit of a .JPG image.

    When you release software you should mention the limitations.
    It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

    There's no "parity bit" in a JPG image as far as I know.
    Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

    It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.
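The capacity limit described in the post above, as an added example that is not part of the original thread or of the OP's program. It assumes a raw, uncompressed RGB channel buffer (as in BMP or PNG pixel data; JPEG recompression would not preserve these bits), and the function names are hypothetical.

```python
def lsb_capacity(channel_bytes: int, k: int) -> int:
    """Payload bytes that fit when k low bits of every channel byte are used."""
    if not 1 <= k <= 8:
        raise ValueError("k must be between 1 and 8")
    return channel_bytes * k // 8


def embed_lsb(pixels: bytes, payload: bytes, k: int) -> bytes:
    """Write the payload into the k least significant bits of each channel byte."""
    if len(payload) > lsb_capacity(len(pixels), k):
        raise ValueError("payload exceeds the k/8 capacity of the cover image")
    total_bits = len(payload) * 8
    n_chunks = -(-total_bits // k)                      # ceiling division
    # Treat the payload as one big integer, padded on the right to a multiple of k bits.
    bits = int.from_bytes(payload, "big") << (n_chunks * k - total_bits)
    mask = (1 << k) - 1
    out = bytearray(pixels)
    for i in range(n_chunks):
        chunk = (bits >> ((n_chunks - 1 - i) * k)) & mask
        out[i] = (out[i] & ~mask & 0xFF) | chunk        # high bits of the pixel are untouched
    return bytes(out)


def extract_lsb(pixels: bytes, n_bytes: int, k: int) -> bytes:
    """Read n_bytes back out of the k low bits of the channel bytes."""
    n_chunks = -(-(n_bytes * 8) // k)
    mask = (1 << k) - 1
    bits = 0
    for i in range(n_chunks):
        bits = (bits << k) | (pixels[i] & mask)
    bits >>= n_chunks * k - n_bytes * 8                 # drop the right padding
    return bits.to_bytes(n_bytes, "big")


if __name__ == "__main__":
    cover = bytes(range(256)) * 3                       # constructed 16x16 RGB buffer
    print("capacity at 3 bits:", lsb_capacity(len(cover), 3), "of", len(cover), "bytes")
    print("1920x1080 RGB at 3 bits:", lsb_capacity(1920 * 1080 * 3, 3), "bytes")
```

At 3 bits per channel the changed value of any byte differs from the original by at most 7, and the payload can never exceed 3/8 of the channel data.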


  • Registered Users, Registered Users 2 Posts: 2,216 ✭✭✭Kur4mA


    This might get more interest over on the Information Security forum. ;)


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    CreepingDeath wrote: »
    Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.



    When you release software you should mention the limitations.
    It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

    There's no "parity bit" in a JPG image as far as I know.
    Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

    It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.

    Oh crap sorry yes I meant to say LSB, I'll change that now and also no there are no limitations with this program. Any archive will work. The only problem with having a huge archive is that the image size will go up and that might look suspicious but I'm working on a fix for that in the next update. I have tested it with a 6.7GB archive inside a 461KB .JPG image and it worked perfectly (Other than the fault I mentioned above).

    Next version should hopefully fix that though :)


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    kyub wrote: »
    This might get more interest over on the Information Security forum. ;)

    Thanks for the tip I might move it then :P


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    CreepingDeath wrote: »
    Steganography is extremely limited, limited by fractions of the file size of the image you use. So it's only for very small files.



    When you release software you should mention the limitations.
    It will not take "any archive file", at best it might take an archive file around 3/8s the size of the image.

    There's no "parity bit" in a JPG image as far as I know.
    Typically you can get away with using the 3 least significant bits in each RGB value. So that means your hidden message is limited to 3/8 the size of the image file.

    It might be better to say you want to use it for hidden key exchange, eg. of a 2048 bit public or private key to another party.

    I haven't looked at the program, but I would imagine he isn't really doing steganography, only merging 2 files. This is why the file can be opened in both an image viewer and an archive tool (WinZIP, WinRAR, etc.) without change.

    If you watch his video, you will see when he hovers over the file sizes of the original JPEG and the merged one, there is a difference of about 12 MB between the two files.

    You can do this in Windows without extra software using the copy command:
    copy /b original.jpg + archive.zip merged.jpg
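How a defender can spot a file produced by the merge described in the post above, as an added example that is not part of the original thread or of the OP's program. It walks the JPEG segment structure to find where the image really ends and reports anything stored after it; the sample bytes are constructed, structure-only data and the function names are hypothetical.

```python
import io
import struct
import zipfile

# Signatures of the archive formats named in the thread (ZIP, RAR, 7-Zip).
ARCHIVE_MAGICS = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the real EOI marker, found by walking JPEG segments.

    The first FF D9 in the file is not reliable: an EXIF thumbnail inside an
    APPn segment has its own EOI, so length-prefixed segments are skipped whole.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte
            pos += 1
        elif marker == 0xD9:                             # EOI: image ends here
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:   # markers without a length
            pos += 2
        else:
            if pos + 4 > len(data):
                break
            (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
            pos += 2 + seg_len
            if marker == 0xDA:                           # SOS: entropy-coded data follows
                while pos + 1 < len(data):
                    nxt = data[pos + 1]
                    # FF 00 is a stuffed data byte, FF D0..D7 are restart markers
                    if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                        break
                    pos += 1
    raise ValueError("no EOI marker, file is truncated")


def inspect_jpeg(data: bytes) -> dict:
    """Report bytes stored after the image and the first archive signature in them."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    hits = [(trailer.find(m), name) for m, name in ARCHIVE_MAGICS.items() if m in trailer]
    offset, kind = min(hits) if hits else (None, None)
    return {"image_bytes": end, "trailing_bytes": len(trailer),
            "archive": kind, "archive_offset": None if offset is None else end + offset}


def segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed, structure-only JPEG (not decodable) covering the awkward cases."""
    thumbnail = b"\xff\xd8\xff\xd9"                      # embedded image with its own EOI
    return (b"\xff\xd8"
            + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(0xE1, b"Exif\x00\x00" + thumbnail)
            + segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
            + b"\x12\xff\x00\x34\xff\xd0\x56"            # stuffed FF 00 and an RST0 marker
            + b"\xff\xd9")


def build_merged_sample() -> bytes:
    """Constructed equivalent of `copy /b original.jpg + archive.zip merged.jpg`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "constructed sample payload")
    return build_sample_jpeg() + buf.getvalue()


def zip_members(data: bytes) -> list:
    """ZIP readers find the central directory from the end of the file, so this still opens."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()
```

A non-zero `trailing_bytes` on an image is worth a closer look on its own; an archive signature at `archive_offset` confirms the merge.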
    


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    Procasinator wrote: »
    I haven't looked at the program, but I would imagine he isn't really doing steganography, only merging 2 files. This is why the file can be opened in both an image viewer and an archive tool (WinZIP, WinRAR, etc.) without change.

    If you watch his video, you will see when he hovers over the file sizes of the original JPEG and the merged one, there is a difference of about 12 MB between the two files.

    You can do this in Windows without extra software using the copy command:
    copy /b original.jpg + archive.zip merged.jpg
    

    Exactly right, this program just simplifies this method... On YouTube and other places they still like to call this steganography so I stuck with it :)


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    cirx08 wrote: »
    Exactly right, this program just simplifies this method... On YouTube and other places they still like to call this steganography so I stuck with it :)

    You probably could call this method steganography as well, I suppose. The concealment is just more obvious than other methods - the file size is a big give-away.


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    Procasinator wrote: »
    You probably could call this method steganography as well, I suppose. The concealment is just more obvious than other methods - the file size is a big give-away.

    Yeah I know I'm currently working on an update to do something about that, at the moment I just tell people to store the image in a folder with other images so as to make people think it's just part of a gallery :)


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    cirx08 wrote: »
    Yeah I know I'm currently working on an update to do something about that, at the moment I just tell people to store the image in a folder with other images so as to make people think it's just part of a gallery :)

    And hope the 27GB jpeg doesn't stand out :)


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    Graham wrote: »
    And hope the 27GB jpeg doesn't stand out :)

    Yeah I'm working on fixing this but if you're hiding 27GB of files I'd highly suggest hiding them in multiple images anyway... :p


  • Moderators, Society & Culture Moderators Posts: 17,643 Mod ✭✭✭✭Graham


    cirx08 wrote: »
    Yeah I'm working on fixing this but if you're hiding 27GB of files I'd highly suggest hiding them in multiple images anyway... :p

    But then you'd have to give the jpegs meaningful names so you could find your hidden files.

    FairCityEpisode734582.jpg would be a bit of a giveaway. :pac:


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    Graham wrote: »
    But then you'd have to give the jpegs meaningful names so you could find your hidden files.

    FairCityEpisode734582.jpg would be a bit of a giveaway. :pac:

    You could call it something like IMG_734582.jpg and leave it in a folder that you know holds the Fair City episodes, maybe even name the folder FC if you need to? :)


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    How about storing your secret jpeg inside a movie? Or movies inside movies etc.

    Proper steganography would do stuff like store 1 pixel in each Nth frame - indistinguishable from noise unless the viewer knows what to look for. The exact "secret pixel" in each Nth would be governed by some pre-determined algorithm.


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    srsly78 wrote: »
    How about storing your secret jpeg inside a movie? Or movies inside movies etc.

    Proper steganography would do stuff like store 1 pixel in each Nth frame - indistinguishable from noise unless the viewer knows what to look for. The exact "secret pixel" in each Nth would be governed by some pre-determined algorithm.

    Would be easier to cover up the huge file size but unfortunately it won't work with movie files :/


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    It will work, you just have to understand how the movie format works.


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    srsly78 wrote: »
    It will work, you just have to understand how the movie format works.

    I'd have to learn all about the ways all the different formats work and make custom code for every type of video format which would take a long time and I start back at college next week which means lots of assignments and work I have to do, I'll definitely be working on this and some of my other projects on the side tho so I might look into it at some stage.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Interesting project.

    A wise man once wrote:
    There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files.

    I am guessing this is the former?

    I know it's a steg project, not crypto, but what I'm asking is, if someone suspects you are using this program it's going to be pretty easy for them to A) confirm it, and B) recover the message? Or not?


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    fergalr wrote: »
    Interesting project.

    A wise man once wrote:



    I am guessing this is the former?

    I know it's a steg project, not crypto, but what I'm asking is, if someone suspects you are using this program it's going to be pretty easy for them to A) confirm it, and B) recover the message? Or not?

    Yes it would but this is a very small program, not many know about it and it's not really meant for high security... In the update I'm working on right now, I'm adding a password option so that even if they find the files and know how to open it they will need a password to decrypt the contents


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    cirx08 wrote: »
    Yes it would but this is a very small program, not many know about it and it's not really meant for high security... In the update I'm working on right now, I'm adding a password option so that even if they find the files and know how to open it they will need a password to decrypt the contents

    Use PGP, don't roll your own.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    ChRoMe wrote: »
    Use PGP, don't roll your own.

    If it's the same password to encrypt and decrypt, that's symmetric encryption that you want, so probably not PGP/GPG which are more associated with asymmetric/public-private key encryption.

    But the point chrome is making, to not roll your own encryption, is something that everyone agrees on. If you try to write your own encryption, you'll get it wrong and it'll probably be easy for someone skilled to break.


    Whether you care about that depends on the scope of your project.


    If you want strong encryption, you probably want something like AES for symmetric encryption. That's a common standard. OpenSSL has good implementations and a lot of people use it when they need an encryption library.

    But even then you'll need something that people can't just brute force by guessing the password...

    These things take an awful lot of work to get right, if you want to make them 'strong'. One error, one side channel, can compromise everything. Whether this project is worth that much work is up to the OP. If you do want to make it strong, there's a good bit of reading to do, followed by careful coding etc.


    Just make sure you are clear to your users whether the hard work to make it properly secure has been done, or not.

    Non-technical people can end up relying on software to secure them, without having a clue what's going on. That might be a big deal if someone is living under an oppressive regime or something... so you generally want to be clear about what level of security users can expect.


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    The very first post said it was done as an educational exercise, thus not a serious roll-your-own effort.

    TrueCrypt (foss) has steganography built-in (hidden partition feature).


  • Registered Users, Registered Users 2 Posts: 117 ✭✭cirx08


    srsly78 wrote: »
    The very first post said it was done as an educational exercise, thus not a serious roll-your-own effort.

    TrueCrypt (foss) has steganography built-in (hidden partition feature).

    No better way to get better at programming than to keep practising :D


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    srsly78 wrote: »
    TrueCrypt (foss) has steganography built-in (hidden partition feature).

    It's debatable, but I would call that 'plausible deniability' and not 'steganography'.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    cirx08 wrote: »
    No better way to get better at programming than to keep practising :D

    Absolutely.

    Just, if you release something to the public that has encryption, or security, listed as a feature, make sure you are up front and unambiguous about the limits of how much they should trust the security.


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    fergalr wrote: »
    It's debatable, but I would call that 'plausible deniability' and not 'steganography'.

    That's exactly what it is, TrueCrypt's concept is that if someone holds a gun to your head and you supply them the key/password to decrypt, if the hidden partition is not exposed, that will help prove you did it under duress.


  • Registered Users, Registered Users 2 Posts: 710 ✭✭✭mad turnip


    This is pretty cool, could be expanded by adding some kind of passcode to the file and running it through some kind of decryption algorithm, a very simple one being a caesar cipher.

    edit:
    nevermind looks like other people are already discussing that!


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    fergalr wrote: »
    It's debatable, but I would call that 'plausible deniability' and not 'steganography'.

    Personally, I would say the plausible deniability TrueCrypt offers you is achieved through the use of steganography.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Procasinator wrote: »
    Personally, I would say the plausible deniability TrueCrypt offers you is achieved through the use of steganography.

    I think I understand the semantics you are using, if I understand you right:

    You are saying that 1) the fact that encrypted volumes are indistinguishable (at least in theory) from random data,
    2) means that the random data at the end of the outer volume could contain a hidden volume which can't be discovered.
    Hence, you would say that that entire system is a steganographic system which allows volumes to be stored in a hidden manner at the end of a containing volume.

    And you would say that this entire setup allows plausible deniability, in that someone could say 'oh there is no hidden volume'.

    While I agree with the last bit, about plausible deniability, I don't like describing truecrypt as offering steganography. (Maybe you agree?)

    I guess you could say it uses steganography to offer deniability, but that isn't the same thing as the system as a whole offering steganography, which I don't think it does.


    The wikipedia definition of steganography (first sentence):
    Wikipedia wrote:
    "Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. "

    Truecrypt fails that test.
    An adversary, upon seeing a truecrypt volume (or large unmarked file in the filesystem), will always suspect that 1) there's a truecrypt volume there, and 2) there's a hidden volume in that truecrypt volume.

    The owner of the volume could plausibly deny it, but the adversary will still suspect the existence of the message; so truecrypt, as a whole system, doesn't offer steganography.


    Which brings us on to...
    ChRoMe wrote: »
    That's exactly what it is, TrueCrypt's concept is that if someone holds a gun to your head and you supply them the key/password to decrypt, if the hidden partition is not exposed, that will help prove you did it under duress.

    I don't exactly understand your post, there, Chrome - I'm not sure it makes sense?


    But, anyway, what I wanted to say, is that if you are in a 'gun to head' scenario (improbable, but heaven forbid), truecrypt offers no protection.

    The bad guys will just beat you with the $5 wrench until you tell them the password to the inner volume.

    You will tell them the password before they stop beating you with the wrench, because that's how humans work.


    And, that, is why I don't consider truecrypt steganography.
    Whereas perhaps a clever way of embedding messages in images, like the OP is working on (but (at least somewhat) statistically secure, which the OP doesn't have) is potentially steganography, in that an adversary would never even suspect a message, truecrypt does not offer that.

    mad turnip wrote: »
    This is pretty cool, could be expanded by adding some kind of passcode to the file and running it through some kind of decryption algorithm, a very simple one being a caesar cipher.

    The caesar cipher won't even keep out your kid sister :-)


  • Registered Users, Registered Users 2 Posts: 7,157 ✭✭✭srsly78


    Fergal TrueCrypt lets you give a "fake password" for $5 wrench scenarios, this gives access to a fake "secret" partition.


  • Registered Users, Registered Users 2 Posts: 710 ✭✭✭mad turnip


    fergalr wrote: »
    The caesar cipher won't even keep out your kid sister :-)

    I mistakenly just read page one, and stupidly forgot that people on boards actually have an idea what they're talking about!!!!!!!!!! :D


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    kyub wrote: »
    This might get more interest over on the Information Security forum. ;)

    I doubt it.

    A web based solution would make more sense, because if I hack your computer and I see steganography tools installed then I will know you are using steganography and analyse all your pictures.


  • Registered Users, Registered Users 2 Posts: 710 ✭✭✭mad turnip


    fergalr wrote: »

    The owner of the volume could plausibly deny it, but the adversary will still suspect the existence of the message; so truecrypt, as a whole system, doesn't offer steganography.

    I'll tell you what, make some memory dumps, compress and encrypt them for security and add all your files in there. For any serious software developer memory dumps are quite common and quite large in size :) Good luck for anyone sifting through that load of muck! And not to mention if there are 20 memory dumps, gl finding the right one!


  • Banned (with Prison Access) Posts: 66 ✭✭boarsboard




  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    srsly78 wrote: »
    Fergal TrueCrypt lets you give a "fake password" for $5 wrench scenarios, this gives access to a fake "secret" partition.

    First off, to the best of my knowledge:

    - For a given truecrypt container, there can be one 'standard' 'outer' volume, and one 'inner' 'hidden' volume.

    - The truecrypt docs refer to those as 'standard' and 'hidden' volumes.
    http://www.truecrypt.org/docs/hidden-volume


    So, you are saying, that you just give the password to the 'standard' 'outer' volume, and all your worries are over, Truecrypt has successfully protected you, and hence is equivalent to steganography?


    My point is, that in this unfair and nasty world that we live in, if a bad guy is standing over you with a wrench, and you give him the password to the 'standard' volume, do you think all your worries are over? S/He decrypts the volume, and says 'Oh, that doesnt have the files we are looking for. Sorry about that, you can go now.'? Or, do you think they will say 'oh, I see you are using software which supports an additional hidden volume. Please give me the password for it.'


    Now, thankfully, I live in a nice country like Ireland, where I would only be using truecrypt to stop someone who stole my laptop looking at my personal files, and where $5 wrenches are rare.

    But, there are people who live in nastier parts of the world. If you live in one of those parts, the plausible deniability of Truecrypt isn't going to help you, if the bad guys take your computer and see the .tc files.


    You might say 'well, perhaps if they just see jpegs on your computer, they'll suspect you have data hidden in the jpegs, and will interrogate you anyway?'

    However, I would say that the [probability_of_hidden_data, given truecrypt] is very much greater than the [probability_of_hidden_data, given jpegs on computer]. I think it'd be hard to argue with that.


    We are into pretty abstract distinctions, in questions of degree of security here. Thankfully.


  • Registered Users, Registered Users 2 Posts: 3,131 ✭✭✭Dermot Illogical


    The installer won't work offline. Is it set up to phone home or something?

    Edit: It's trying to connect to bi.bisrv.com if I'm reading wireshark correctly. What's that about?


  • Registered Users, Registered Users 2 Posts: 2,021 ✭✭✭ChRoMe


    Dermot Illogical wrote: »
    The installer won't work offline. Is it set up to phone home or something?

    Edit: It's trying to connect to bi.bisrv.com if I'm reading wireshark correctly. What's that about?

    Heh the plot thickens, has this all been an elaborate ruse? :D


  • Registered Users, Registered Users 2 Posts: 1,311 ✭✭✭Procasinator


    fergalr wrote: »
    While I agree with the last bit, about plausible deniability, I don't like describing truecrypt as offering steganography. (Maybe you agree?)

    I get what you are saying and understand why you don't like the label, but hard to say yes or no in this case (or any semantic disputes). Your points are valid, but it assumes the adversary knows about TrueCrypt - they might not. If they think TrueCrypt is just any old HDD encryption software, the fake volume might fool them.

    TrueCrypt themselves obviously consider it steganography, as they list this as one of the main features on the project's homepage.

    There are papers and software out there describing steganographic file systems, but I'm not sure if TrueCrypt is considered an implementation of such a concept.

    Dermot Illogical wrote: »
    The installer won't work offline. Is it set up to phone home or something?

    Edit: It's trying to connect to bi.bisrv.com if I'm reading wireshark correctly. What's that about?

    I haven't used the installer myself, but if I had to guess, this probably isn't the fault of the OP. The download is from Sourceforge, which has been wrapping a lot of software in installers lately that include adware.

    http://www.ghacks.net/2013/07/17/sourceforges-new-installer-bundles-program-downloads-with-adware/

    BI in the subdomain stands for Better Installer, I believe.


  • Moderators, Science, Health & Environment Moderators, Social & Fun Moderators, Society & Culture Moderators Posts: 60,110 Mod ✭✭✭✭Tar.Aldarion


    nice simple project that has a little element of cool/fun, nice job.

