Steganography Lab

Phase 1 Learn the Concept
Phase 2 Learn the Tools
Phase 3 Investigation

What is Steganography?

Understanding the art of hiding in plain sight

The Basic Idea

Steganography is the practice of hiding secret data inside ordinary-looking files. Encryption scrambles data so it cannot be read; steganography hides the fact that secret data exists at all. The two are often combined: a payload is encrypted first and then hidden, so that even a recovered payload is unreadable without the key.

Normal photo: 245 KB. Same photo with a 50 KB secret embedded: 247 KB.
Key insight: Both images look identical to the human eye. You cannot tell which one carries hidden data by looking at it. That is the power of steganography, and it is also why detection relies on file-level and statistical analysis rather than on visual inspection.

How Does Data Hide in an Image?

Every digital image is made of pixels. In a standard 8-bit RGB image each pixel has three color values (Red, Green, Blue), each stored as a number from 0 to 255.

The LSB Technique (Least Significant Bit)

Each color value (0-255) is stored in 8 bits (binary digits). The lowest-order bit, the rightmost one when the value is written in binary, is the LSB.

Flipping the LSB changes the value by exactly 1 (e.g., 156 → 157), a difference the human eye cannot perceive.

Example: Hiding a bit in a pixel

Original pixel (Red=156)
10011100
LSB = 0
Modified pixel (Red=157)
10011101
LSB = 1 (hidden bit!)

Color change: the two shades differ by one unit out of 255. You cannot see the difference, and neither can anyone else looking at the image; only bit-level analysis reveals it.

By changing the LSB of thousands of color values, we can hide entire files. Each color value contributes 1 bit, so 8 values hold 1 byte of hidden data: that is 8 pixels per byte if only one channel is used, or fewer than 3 pixels per byte if all three channels (R, G, B) carry data. A 1920x1080 RGB image has 6,220,800 channel values and can therefore hide about 777,000 bytes this way without any value changing by more than 1.
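The embedding just described, as an added example (not code from the lab or from any stego tool). It works on a raw RGB pixel buffer rather than a real image file, so it runs without an image library; the 64x64 gradient cover and the message are constructed here, and the 4-byte length header is this example's own framing convention, not a standard:

```python
"""Added example: LSB embedding and extraction over a raw RGB pixel buffer.

The buffer layout is pixels row by row, each pixel as three bytes R, G, B.
All three channels carry payload bits, so one byte of payload consumes
8 channel values (2 2/3 pixels).
"""

HEADER_BITS = 32  # 4-byte big-endian payload length stored ahead of the payload


def bytes_to_bits(data: bytes) -> list:
    """MSB-first bit list of the input bytes."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def bits_to_bytes(bits: list) -> bytes:
    """Pack a bit list (MSB-first) back into bytes; stray trailing bits are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(sum(bits[i + j] << (7 - j) for j in range(8)) for i in range(0, usable, 8))


def capacity_bytes(width: int, height: int, channels: int = 3) -> int:
    """Largest payload that fits when every channel value donates its LSB."""
    return (width * height * channels - HEADER_BITS) // 8


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of pixels with the length header and payload in the LSBs."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = bytes_to_bits(framed)
    if len(bits) > len(pixels):
        raise ValueError(f"payload needs {len(bits)} channel values, cover has {len(pixels)}")
    stego = bytearray(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then write the payload bit
    return bytes(stego)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the LSB of every channel value; the first 32 bits give the payload length."""
    lsbs = [value & 1 for value in pixels]
    length = int.from_bytes(bits_to_bytes(lsbs[:HEADER_BITS]), "big")
    return bits_to_bytes(lsbs[HEADER_BITS:HEADER_BITS + 8 * length])


def max_channel_change(cover: bytes, stego: bytes) -> int:
    """Largest per-value difference between cover and stego; LSB stego never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def synthetic_cover(width: int = 64, height: int = 64) -> bytes:
    """Constructed stand-in for image data: a smooth RGB gradient, not a real photo."""
    return bytes(
        (x * 4 + y * 2 + channel * 50) & 0xFF
        for y in range(height)
        for x in range(width)
        for channel in range(3)
    )


if __name__ == "__main__":
    cover = synthetic_cover()
    secret = b"SECRET: customer_data.csv"
    stego = embed_lsb(cover, secret)
    print("capacity:", capacity_bytes(64, 64), "bytes")
    print("max change per channel value:", max_channel_change(cover, stego))
    print("recovered:", extract_lsb(stego))
```

Note that the gradient cover has every LSB set to 0, which is itself unnatural: real photos carry sensor noise in their low bits, and that noise is what makes a stego payload hard to tell from the background. The same functions work on pixel bytes pulled from a decoded PNG or BMP.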

Why Should Security Analysts Care?

Attackers use steganography to:

  • Bypass Data Loss Prevention (DLP) - Hide stolen data in innocent-looking photos that content filters wave through
  • Evade network monitoring - Command-and-control instructions hidden in images fetched from ordinary websites
  • Exfiltrate sensitive information - Send customer databases disguised as vacation photos
  • Hide malware payloads - Embed malicious code in seemingly harmless files, to be pulled out and executed by a small loader
Real threat: In 2020, researchers reported a web skimmer on compromised e-commerce sites that stored its credit-card-stealing JavaScript inside the EXIF metadata of an image; a small loader script on the checkout page read the image and executed the code. Security tooling that only inspected script files saw nothing unusual, because the payload lived in what looked like a normal site image.

Check Your Understanding

What makes steganography different from encryption?

Steganography is stronger than encryption
Steganography hides the existence of data; encryption just makes it unreadable
Steganography only works with images
Encryption is faster than steganography

Types of Steganography

Image Stego
Hide data in PNG, JPEG, BMP pixels (pixel LSBs for lossless formats, DCT coefficients for JPEG)
Audio Stego
Hide data in audio samples (WAV) or compressed audio frames (MP3)
Text Stego
Hide data in whitespace, Unicode (zero-width characters, homoglyphs), formatting
Network Stego
Hide data in unused packet header fields, payload padding, or inter-packet timing

Learn the Tools

Master each detection tool step by step

1. file
2. exiftool
3. strings
4. binwalk
5. steghide
6. zsteg

Tool 1: file

Basic Analysis
What it does Identifies the TRUE type of a file by reading its "magic bytes" (file signature)
Why use it File extensions can lie. A file named "photo.jpg" could actually be a ZIP or executable.
Install Pre-installed on Linux/Mac. Windows: use WSL or Git Bash.
analyst@soc:~$ file vacation.jpg
vacation.jpg: JPEG image data, JFIF standard 1.01

How to Read the Output

"JPEG image data" - The file really IS a JPEG (magic bytes match)

"JFIF standard 1.01" - Specific format variant

Red flags: if it reports only "data" (no recognized signature), or the type doesn't match the extension (e.g., file.jpg is reported as "Zip archive data"). Caveat: file judges by the header alone, so a JPEG with a ZIP appended after its end still reports as "JPEG image data"; that case is what binwalk (Tool 4) is for.

What would this output mean?

analyst@soc:~$ file document.pdf
document.pdf: Zip archive data, at least v2.0 to extract
Suspicious! File claims to be PDF but is actually a ZIP - could be hiding data
Normal - PDFs are sometimes stored as ZIPs
Error in the file command

Tool 2: exiftool

Metadata Analysis
What it does Reads metadata embedded in files - timestamps, software used, camera info, GPS, comments
Why use it Metadata tells a file's history. Stego tools often leave traces in metadata fields.
Install sudo apt install libimage-exiftool-perl (Debian/Ubuntu; newer releases also accept the package name exiftool) or brew install exiftool (Mac)
analyst@soc:~$ exiftool suspicious.jpg
File Name : suspicious.jpg
File Size : 2.3 MB
Image Width : 1920
Image Height : 1080
Software : Steghide 0.5.1
Comment : (none)

Red Flags in Metadata

  • Software: "Steghide", "OpenStego", "S-Tools" - known stego tools. Caveat: most stego tools, steghide included, do not tag their output, so a clean Software field is not evidence of a clean file; the lab's sample output is deliberately obvious.
  • File size out of proportion to the image dimensions and compression. Compare against a reference photo from the same device and quality setting; 2.3 MB for a 1920x1080 JPEG is high but not impossible for a high-quality export.
  • Missing camera data (Make, Model, exposure settings) on a supposed phone photo
  • Modification dates that don't make sense (modified before it was created, or long after the claimed capture)

Tip: exiftool -a -u -G1 suspicious.jpg prints every tag, including unknown ones, with its group name. Payloads have been found stuffed into free-text fields such as Comment and Copyright, so read those fields rather than just the header lines.

Spot the suspicious indicator

File Size : 245 KB
Image Width : 1920
Software : Adobe Photoshop
Make : Apple
Model : iPhone 15
The Software field shows Photoshop - definitely suspicious
Nothing obviously suspicious - normal file size, real camera data, common software
The file size is too small

Tool 3: strings

Text Extraction
What it does Extracts runs of printable characters (4 or more in a row by default, ASCII) from binary files
Why use it Hidden data appended after a file's end marker shows up as readable text at the end
Install Pre-installed on Linux/Mac (part of binutils)
analyst@soc:~$ strings suspicious.jpg | tail -10
...image pixel data...
-----BEGIN ENCRYPTED DATA-----
U2FsdGVkX19vbWdoaWRkZW4=
-----END ENCRYPTED DATA-----

Understanding the Command

strings suspicious.jpg - Find all readable text in the file; add -n 8 to skip the short accidental runs that image data produces, or -t x to print the hex offset of each string so you can line it up with binwalk's output

| tail -10 - Show only the last 10 lines (appended data sits at the END of the file)

Why the end? Attackers append data after the image's end-of-image marker (FF D9 for JPEG, the IEND chunk for PNG). Image viewers stop reading at that marker, but the extra bytes are still in the file. Only plaintext or base64 payloads show up this way; an encrypted or binary appendix looks like noise to strings, so a clean strings run is not a clean bill of health.

Is this output suspicious?

JFIF
Exif
Adobe
ICC_PROFILE
Normal - these are standard JPEG metadata strings
Suspicious - "Adobe" indicates tampering
Suspicious - too many strings for a normal image

Tool 4: binwalk

Embedded File Detection
What it does Scans files for embedded file signatures (magic bytes) - finds files hidden inside other files
Why use it Attackers hide ZIP/RAR archives, executables, or other files inside images
Install sudo apt install binwalk (Linux) or brew install binwalk (Mac)
analyst@soc:~$ binwalk suspicious.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data
2418523 0x24E5EB Zip archive data, encrypted

Reading the Output

DECIMAL column - Byte offset where the signature was found (HEXADECIMAL is the same offset in hex)

0x0: JPEG image data - Normal, the image starts at byte 0

0x24E5EB: Zip archive - A ZIP signature at byte 2,418,523, about 2.3 MB into a 2.3 MB file, i.e., right after the JPEG's end-of-image marker. Viewers never read that far, so the archive is invisible to them.

Verdict: Someone appended a ZIP archive after the JPEG's end. Classic "append steganography." To carve it out: binwalk -e suspicious.jpg, or dd if=suspicious.jpg of=hidden.zip bs=1 skip=2418523. Caveat: a signature hit at a low offset inside a legitimate segment (an embedded Exif thumbnail, for instance) is normal; what matters is data beyond the image's own end marker.
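The check behind both the strings | tail trick and the binwalk verdict above, as an added example (not binwalk's or the lab's code): walk the JPEG segment headers to the scan data, locate the real end-of-image marker, report anything after it, and scan the whole file for a handful of well-known magic strings. The sample JPEG is constructed by hand (headers, a fake scan, and an appended fake ZIP header), not one of the lab's evidence files, and the signature table is a small assumption-grade subset of what binwalk knows:

```python
"""Added example: find data appended after a JPEG's EOI marker and scan for
embedded file signatures, the checks that strings | tail and binwalk automate.
"""

MARKER_NAMES = {
    0xE0: "APP0 (JFIF)", 0xE1: "APP1 (Exif/XMP)", 0xFE: "COM (comment)",
    0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS (scan data follows)",
}

# A few well-known magic bytes; binwalk's signature database is far larger.
SIGNATURES = {
    b"PK\x03\x04": "Zip archive data",
    b"Rar!\x1a\x07": "RAR archive data",
    b"\x89PNG\r\n\x1a\n": "PNG image data",
    b"%PDF-": "PDF document",
    b"\x7fELF": "ELF executable",
}


def walk_jpeg(data: bytes):
    """Return (segments, eoi_offset); segments are (offset, name, payload) up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        # Every marker between SOI and SOS carries a 2-byte length that counts itself.
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        payload = data[pos + 4:pos + 2 + length]
        segments.append((pos, MARKER_NAMES.get(marker, f"0x{marker:02X}"), payload))
        if marker == 0xDA:
            # Entropy-coded data follows SOS. Inside it, 0xFF is always stuffed as FF 00
            # (or followed by an RST marker D0-D7), so the first FF D9 is the real EOI.
            eoi = data.find(b"\xff\xd9", pos + 2 + length)
            if eoi < 0:
                raise ValueError("no EOI marker: truncated JPEG")
            return segments, eoi
        pos += 2 + length
    raise ValueError("reached end of data before SOS")


def find_signatures(data: bytes) -> list:
    """Every (offset, description) where a known magic string occurs, like binwalk."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (found := data.find(magic, start)) >= 0:
            hits.append((found, name))
            start = found + 1
    return sorted(hits)


def analyze_jpeg(data: bytes) -> dict:
    """Report trailing bytes after EOI, COM-segment text and embedded signatures."""
    segments, eoi = walk_jpeg(data)
    trailing = data[eoi + 2:]
    return {
        "segments": [(off, name) for off, name, _ in segments],
        "comments": [p.decode("latin-1") for _, name, p in segments if name.startswith("COM")],
        "eoi_offset": eoi,
        "trailing_bytes": len(trailing),
        "signatures": find_signatures(data),
    }


def build_sample(with_payload: bool) -> bytes:
    """Constructed minimal JPEG; with_payload appends a fake ZIP header plus text."""
    def segment(marker: int, body: bytes) -> bytes:
        return bytes([0xFF, marker]) + (len(body) + 2).to_bytes(2, "big") + body

    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_header = b"\x01\x01\x00\x00\x3f\x00"  # one component, baseline spectral selection
    scan = b"\x12\x34\xff\x00\x56\x78" * 4  # fake entropy-coded bytes with a stuffed FF 00
    jpeg = (b"\xff\xd8" + segment(0xE0, jfif) + segment(0xFE, b"Created with ImageMagick")
            + segment(0xDA, sos_header) + scan + b"\xff\xd9")
    if with_payload:
        jpeg += b"PK\x03\x04\x14\x00\x01\x00" + b"-----BEGIN ENCRYPTED DATA-----\n"
    return jpeg


if __name__ == "__main__":
    for label, flag in (("clean", False), ("suspicious", True)):
        print(label, analyze_jpeg(build_sample(flag)))
```

The decisive field is trailing_bytes: a signature hit on its own is weak evidence (an Exif segment legitimately contains a TIFF header and often a thumbnail), but bytes past the EOI marker serve no purpose in a photo. The COM segment is the same "Comment" field exiftool prints, which is why the walker reports it too.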

Is this binwalk output suspicious?

0 0x0 JPEG image data
12 0xC TIFF image data (Exif)
Normal - Exif metadata is embedded in JPEGs at a low offset
Suspicious - two different image formats in one file
Error - binwalk misidentified the file

Tool 5: steghide

JPEG/BMP Stego
What it does Detects and extracts data hidden using the Steghide algorithm (JPEG, BMP, WAV, AU)
Why use it Steghide is one of the most widely used stego tools for JPEG. steghide info confirms an embedding only when given the right passphrase (an empty one if none was set); with a wrong passphrase it reports "could not extract any data with that passphrase!" and nothing else, so a negative result means "not with that passphrase," not "clean."
Install sudo apt install steghide
analyst@soc:~$ steghide info suspicious.jpg
"suspicious.jpg":
format: jpeg
capacity: 45.2 KB
Try to get information about embedded data? (y/n) y
Enter passphrase: (press Enter to try an empty passphrase)
embedded file "data.txt":
size: 12.4 KB
encrypted: rijndael-128, cbc

Understanding the Output

capacity: 45.2 KB - Maximum data this image could hide (steghide derives it from the JPEG's DCT coefficients, not from the file size)

embedded file "data.txt" - FOUND! Hidden file detected; steghide only prints this when the passphrase you entered is the right one

encrypted: rijndael-128, cbc - Rijndael with a 128-bit key in CBC mode, i.e., AES-128 (steghide's default); the key is derived from the passphrase, so the same passphrase is needed to extract

To extract: steghide extract -sf suspicious.jpg -p "password" (add -xf out.txt to choose the output filename). If the passphrase is unknown, stegseek runs a wordlist attack against steghide embeddings: stegseek suspicious.jpg rockyou.txt

Tool 6: zsteg

PNG/BMP LSB Analysis
What it does Scans PNG/BMP files for data hidden in LSB (Least Significant Bit) planes
Why use it PNG uses lossless compression, making LSB steganography very effective. zsteg checks all possible bit combinations.
Install gem install zsteg (requires Ruby)
analyst@soc:~$ zsteg suspicious.png
b1,rgb,lsb,xy .. text: "SECRET: customer_data.csv"
b1,r,lsb,xy .. file: data
b2,g,msb,xy .. text: "\x7f#K@..."

Reading zsteg Output

b1,rgb,lsb,xy - 1 bit per channel value, taken from the R, G and B channels interleaved, least significant bit, pixels read row by row (xy). b1,r,lsb,xy is the same scan restricted to the red channel, and b2,g,msb,xy takes the two most significant bits of green; zsteg tries each combination because the embedder could have used any of them.

text: "SECRET:..." - Readable text = likely hidden message!

text: "\x7f#K@..." - Garbage = probably just noise in the image's low bits

Key insight: plaintext payloads show up as readable text or as a recognizable file signature (zsteg prints those as file: ...). Random-looking output from the LSB planes of a photo is normal. The caveat is the reverse case: an encrypted or compressed payload also looks random, so "nothing readable" is not proof the file is clean. zsteg -a tries every bit count, channel and ordering rather than the default subset, and comparing against a known-clean image from the same source helps.

Important: zsteg only works on PNG and BMP files. JPEG's lossy compression throws away exactly the low-order pixel bits that LSB stego would use, so pixel-LSB payloads do not survive JPEG encoding; JPEG tools such as steghide hide data in the DCT coefficients instead, which is why a JPEG is checked with steghide rather than zsteg.
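What zsteg is doing when it lists those combinations, as an added example (a miniature re-implementation, not zsteg's own code): pull one bit per channel value out of a raw RGB buffer for each channel/bit-order combination, then label each resulting byte stream as readable text, a known file signature, or noise. It assumes pixels have already been decoded from the PNG into bytes; the noisy cover (fixed random seed), the message, and the choice to hide it in the red channel only are constructed here so that exactly one combination should light up:

```python
"""Added example: a miniature zsteg over a raw RGB pixel buffer."""
import random

CHANNELS = {"rgb": (0, 1, 2), "r": (0,), "g": (1,), "b": (2,)}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
MAGIC = {b"PK\x03\x04": "zip", b"\x89PNG": "png", b"%PDF": "pdf", b"\x7fELF": "elf"}


def plane_bits(pixels: bytes, channels: str, order: str) -> list:
    """One bit per selected channel value, pixels in row-major ("xy") order."""
    shift = 0 if order == "lsb" else 7
    selected = CHANNELS[channels]
    return [(pixels[3 * p + c] >> shift) & 1 for p in range(len(pixels) // 3) for c in selected]


def bits_to_bytes(bits: list) -> bytes:
    """Pack an MSB-first bit list into bytes; stray trailing bits are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(sum(bits[i + j] << (7 - j) for j in range(8)) for i in range(0, usable, 8))


def classify(blob: bytes, min_text: int = 8) -> str:
    """zsteg-style verdict for the head of a bit stream: file, text or noise."""
    for magic, name in MAGIC.items():
        if blob.startswith(magic):
            return f"file: {name}"
    run = bytearray()  # leading run of printable bytes, the way strings would see it
    for byte in blob:
        if byte not in PRINTABLE:
            break
        run.append(byte)
    if len(run) >= min_text:
        return "text: " + run[:40].decode("ascii")
    return "noise"


def scan(pixels: bytes) -> dict:
    """Try every channel/order combination, keyed the way zsteg labels them."""
    return {
        f"b1,{channels},{order},xy": classify(bits_to_bytes(plane_bits(pixels, channels, order)))
        for channels in CHANNELS
        for order in ("lsb", "msb")
    }


def embed_red_lsb(pixels: bytes, message: bytes) -> bytes:
    """Write message bits (MSB-first) into the red-channel LSBs of consecutive pixels."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    stego = bytearray(pixels)
    for p, bit in enumerate(bits):
        stego[3 * p] = (stego[3 * p] & 0xFE) | bit
    return bytes(stego)


def sample_stego(width: int = 64, height: int = 64) -> bytes:
    """Constructed noisy cover (fixed seed, not a real image) with a message in red LSBs."""
    rng = random.Random(2024)
    cover = bytes(rng.getrandbits(8) for _ in range(width * height * 3))
    return embed_red_lsb(cover, b"SECRET: customer_data.csv\n")


if __name__ == "__main__":
    for combo, verdict in scan(sample_stego()).items():
        print(f"{combo:<16} .. {verdict}")
```

The rgb combination reads the same pixels but interleaves red, green and blue bits, so the message bits are spread three apart and the stream decodes as noise; only the r combination reconstructs the text. That is the reason zsteg enumerates combinations instead of reading one plane, and also the limit of this approach: a payload that was encrypted before embedding decodes as noise in every combination.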

Investigation Lab

Apply your skills to a realistic scenario

OPERATION: HIDDEN CHANNEL

SOC Analyst Investigation Brief

Your Data Loss Prevention (DLP) system flagged suspicious outbound traffic from an employee workstation. Large image files are being sent to personal email accounts.

Your mission: Analyze the flagged files and determine if data exfiltration is occurring.

Intel Summary:
  • Employee has access to customer database
  • Files sent: vacation_photo.jpg (2.3MB), logo.png (188KB)
  • Sending pattern: Daily at 2:30 AM

Investigation Terminal

Use the tools you learned to analyze the evidence files. Type commands or click the hints below.


Evidence files:
  • vacation_photo.jpg [2.3MB]
  • logo.png [188KB]
  • report.pdf [1.1MB]
Reference:
  • clean_photo.jpg [245KB]
Suggested commands: file vacation_photo.jpg, exiftool ..., strings ..., binwalk ..., steghide ..., zsteg logo.png

Investigation Report

Based on your analysis, answer these questions:

Q1: Does vacation_photo.jpg contain hidden data?

Yes - multiple indicators confirm steganography
No - file appears clean

Q2: What technique was used on vacation_photo.jpg?

LSB encoding only
Steghide embedding + appended ZIP archive
Metadata hiding only

Q3: What hidden message did zsteg find in logo.png?