Steganography
Detecting and extracting hidden data in files.
Check file metadata first
exiftool reveals hidden comments, GPS data, embedded files
exiftool image.jpg
exiftool -b -ThumbnailImage image.jpg > thumbnail.jpg
strings image.jpg | head -50
binwalk — Find embedded files
Scan for hidden files inside images, firmware, binaries
binwalk image.png
binwalk -e image.png # Extract embedded files
binwalk --dd='.*' image.png # Extract everything
Example Output
DECIMAL HEXADECIMAL DESCRIPTION
0 0x0 PNG image, 800 x 600
45678 0xB26E Zip archive data
steghide — Extract from JPEG/BMP
Most common stego tool — Password may be blank or guessable
steghide info image.jpg
steghide extract -sf image.jpg
steghide extract -sf image.jpg -p "" # Empty password
steghide extract -sf image.jpg -p "password" # Known password
stegseek — Brute force steghide passwords
Extremely fast steghide cracker — Tries rockyou in seconds
stegseek image.jpg /usr/share/wordlists/rockyou.txt
stegseek image.jpg wordlist.txt
Example Output
[i] Found passphrase: "letmein"
[i] Original filename: "secret.txt"
[i] Extracting to "image.jpg.out"
zsteg — PNG/BMP analysis
Detect LSB steganography and other techniques in PNG/BMP
zsteg image.png
zsteg -a image.png # Try all methods
zsteg -e "b1,rgb,lsb,xy" image.png # Extract specific channel
Check for hidden text in images
Strings and hex analysis — Sometimes it's just appended text
strings image.jpg | grep -i "flag\|password\|key\|secret"
xxd image.jpg | tail -20
# Check if file is larger than expected for its dimensions
Check file type vs extension
File might be disguised — Extension doesn't match content
file suspicious_file.jpg
# "suspicious_file.jpg: ASCII text" = not actually a JPEG
# Rename and open as correct type
Stego in audio files
Hidden data in WAV/MP3 — Use sonic-visualiser or audacity
# Spectrogram analysis:
# Open in Audacity → Analyze → Spectrogram
# Hidden messages often visible in spectrogram view
# For WAV files:
steghide extract -sf audio.wav
strings audio.wav | grep -i flag
Common stego workflow
Systematic approach — Don't skip steps
1. file <file> → Verify actual file type
2. exiftool <file> → Check metadata/comments
3. strings <file> | grep -i flag → Quick string search
4. binwalk -e <file> → Extract embedded files
5. steghide extract -sf <file> → Try empty password
6. stegseek <file> rockyou.txt → Brute force password
7. zsteg <file> → LSB analysis (PNG/BMP)
8. Check file size → Unusually large = hidden data