Hiding Files with Steganography

This exercise complements material in the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. You can use this as part of a use case to support obfuscation.

Here’s a simple method of using steganography by embedding a text file into an image file.

Requirements: This exercise assumes you’re running a Windows system and know how to access the command line. You’ll need a copy of WinRAR, which is available as a free download. Search Google with “winrar download” if necessary to download and install it on your system. You’ll also need a .jpg picture file from any digital camera or smartphone.

Note: By default, file extensions (such as .jpg, .txt, and .rar) are not displayed in Windows. To make them visible in Windows 10 File Explorer, follow these steps:

  • Open File Explorer
  • Click the View tab
  • Select File name extensions (as shown in the following graphic)


1. Create an empty folder in the root directory of your system and name it StegExample.

2. Copy your picture into the folder and rename it to pic.

3. Create a text file by right-clicking in the folder, and selecting New -> Text Document. Name the document Secret1. It should have a .txt extension.

4. Open the text document and type My Secrets into it. Save and close the file.

5. Use WinRAR to compress the text document. You can do this by right-clicking on the document and selecting Add to Secret1.rar. If you want to embed multiple files into your image, select them all and add them to the .rar file. This exercise uses only one file for simplicity.


6. Open a command line on your Windows system. Change to the folder with this command:

cd \stegexample

7. View the contents of your folder with the dir command. You’ll see something like this:

Directory of C:\StegExample

06/08/2017  01:31 PM    <DIR>          .
06/08/2017  01:31 PM    <DIR>          ..
05/28/2017  05:25 PM           210,817 pic.jpg
06/08/2017  01:31 PM                83 Secret1.rar
06/08/2017  01:31 PM                 8 Secret1.txt
               3 File(s)        210,825 bytes
               2 Dir(s)  977,883,119,616 bytes free

8. Copy the text file and the image file into a new image file with the following command:

Copy /b pic.jpg + secret1.rar stegpic.jpg

This example creates a new file named stegpic.jpg so that the difference in size is easy to see. However, it's also possible to embed the secret1.rar file directly within the original pic.jpg file with this command:
Copy /b pic.jpg + secret1.rar pic.jpg

9. View the contents of the folder with the dir command.

Directory of C:\StegExample

06/08/2017  01:31 PM    <DIR>          .
06/08/2017  01:31 PM    <DIR>          ..
05/28/2017  05:25 PM           210,817 pic.jpg
06/08/2017  01:31 PM                83 Secret1.rar
06/08/2017  01:31 PM                 8 Secret1.txt
06/08/2017  01:31 PM           210,900 stegpic.jpg
               3 File(s)        843,422 bytes
               2 Dir(s)  977,882,718,208 bytes free

10. Note the difference in size between the stegpic.jpg file and the original pic.jpg file. It is now larger than the original, indicating that it holds the contents of the compressed text file. However, when you add a relatively small file to a picture file, there are times when it just fills the whitespace of the file and does not change its size.

11. If you want to extract the hidden files, you need to rename the extension of the picture from jpg to rar (stegpic.jpg to stegpic.rar). You may need to change the display to show the extensions. You can also create a copy of the file giving it a new extension like this:

copy stegpic.jpg stegpic.rar

12. You can then extract the text file using WinRAR within Windows Explorer by right-clicking it and selecting Extract files.


Note that the files look the same to a casual user.

Security analysts use hashing tools to detect files modified with steganography. For example, if an analyst has a copy of the original file and a copy of the file with the embedded data, the analyst can create hashes of both files. If the hashes are not the same, it shows definitively that the files are different and the most likely explanation is that someone hid data within the file using steganography.
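As an added example (not part of the original lab, and not WinRAR's or Windows' own code), the following Python script reproduces steps 8 and 9 in code and then implements the analyst's side described above. It compares SHA-256 hashes of the original and the modified picture, and it goes one step further than the hash check: it walks the JPEG marker structure to find any bytes appended after the image's EOI marker and checks them against known archive signatures, which works even when no copy of the original picture is available. The script constructs its own minimal JPEG and uses a ZIP archive in place of the lab's .rar file, because the Python standard library has no RAR writer; the RAR 4 and RAR 5 magic bytes in ARCHIVE_SIGNATURES are the published RAR signatures, included as an assumption so the same check applies to a file produced with WinRAR. All function names are my own.

```python
import hashlib
import io
import zipfile

# Magic bytes of archive formats commonly found appended to an image.
# The RAR values are the published RAR 4.x / RAR 5 signatures (assumption:
# they do not appear on the lab page); PK\x03\x04 is the ZIP local file header.
ARCHIVE_SIGNATURES = {
    b"Rar!\x1a\x07\x00": "RAR 4.x",
    b"Rar!\x1a\x07\x01\x00": "RAR 5",
    b"PK\x03\x04": "ZIP",
}


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker of the top-level image.
    The marker structure is walked instead of searching for the first FF D9,
    because an EXIF thumbnail inside an APP1 segment is a complete JPEG with
    its own EOI and would fool a plain byte search."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                       # EOI: the image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone marker, no length
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            # In scan data an FF is always followed by 00 (stuffing) or an RSTn
            # marker, so the first FF with any other successor starts a marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found (truncated JPEG)")


def find_trailer(data: bytes):
    """Return (offset, trailing_bytes, label) for data appended after the image,
    or None when the file ends cleanly at EOI. Needs no copy of the original."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    if not trailer:
        return None
    label = next((name for magic, name in ARCHIVE_SIGNATURES.items()
                  if trailer.startswith(magic)), "unknown")
    return end, trailer, label


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hashes_differ(original: bytes, suspect: bytes) -> bool:
    """The lab's analyst check: differing hashes prove the two files differ."""
    return sha256_hex(original) != sha256_hex(suspect)


def embed(cover: bytes, archive: bytes) -> bytes:
    """Equivalent of `copy /b pic.jpg + secret1.rar stegpic.jpg`: concatenation.
    Image viewers stop reading at EOI, so the picture still displays."""
    return cover + archive


def read_embedded_file(trailer: bytes, name: str) -> bytes:
    """Steps 11 and 12 for the ZIP stand-in: open the carved trailer as an archive."""
    with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
        return zf.read(name)


# --- constructed sample inputs (no real photo or WinRAR archive is used) ---
def make_sample_jpeg() -> bytes:
    """Minimal, structurally valid JPEG (34 bytes): SOI, an APP1 segment holding a
    tiny embedded thumbnail with its own EOI, an SOS header, scan data containing
    a stuffed FF 00, then the real EOI."""
    thumb = b"\xff\xd8\xff\xd9"
    app1_body = b"Exif\x00\x00" + thumb
    app1 = b"\xff\xe1" + (len(app1_body) + 2).to_bytes(2, "big") + app1_body
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_body) + 2).to_bytes(2, "big") + sos_body
    scan = b"\x12\x34\xff\x00\x56\x78"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"


def make_sample_archive(secret: bytes) -> bytes:
    """ZIP stands in for the lab's .rar; the detection logic is the same."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Secret1.txt", secret)
    return buf.getvalue()


if __name__ == "__main__":
    pic = make_sample_jpeg()
    stegpic = embed(pic, make_sample_archive(b"My Secrets"))
    print(f"pic.jpg {len(pic)} bytes, stegpic.jpg {len(stegpic)} bytes")
    print("hashes differ:", hashes_differ(pic, stegpic))
    offset, trailer, label = find_trailer(stegpic)
    print(f"{len(trailer)} trailing bytes at offset {offset}, signature: {label}")
    print("recovered:", read_embedded_file(trailer, "Secret1.txt"))
    print("clean pic.jpg trailer:", find_trailer(pic))
```

Run it as a script to see the size growth from step 10, the hash mismatch, and the carved trailer. The point of parsing the markers rather than searching for the first FF D9 is shown by the sample JPEG itself: its embedded thumbnail contains an FF D9 at offset 14, while the real end of the image is at offset 34; a naive search would report the thumbnail's remainder as "appended data" and produce a false positive on every photo with an EXIF thumbnail.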

Check out the Creating and Comparing Hashes lab to see how hashing is done.
