Data Hiding/Embedding

From Just Solve the File Format Problem
(Difference between revisions)
Jump to: navigation, search
 
(46 intermediate revisions by one user not shown)
Line 21: Line 21:
  
 
This can work with [[JPEG]], [[GIF]], [[MP3]], some executables and more
 
This can work with [[JPEG]], [[GIF]], [[MP3]], some executables and more
 +
  
 
=== Links ===
 
=== Links ===
 +
* [[BDV DataHider]]
 +
* [[Camouflage]]
 +
* [[Cloak]]
 +
* [[Clotho]]
 +
* [[Data Stash]]
 +
* [[Data Stealth]]
 +
* [[DeEgger Embedder]]
 +
* [[FileStegano]]
 +
* [[GRL RealHidden]]
 +
* [[HideMyFile]]
 +
* [[Hider]]
 +
* [[Hiderman]]
 +
* [[Masker]]
 +
* [[Max File Encryption]] (formerly X-EXE)
 +
* [[OmniHide PRO]]
 +
* [[Our Secret]] (formerly Pipisoft Steganography)
 +
* [[Pretty Good Envelope (PGE)]]
 +
* [[Safe & Quick Hide Files and Folders (SQHideFile)]] (aka Secure Box)
 
* [[Smuggle Bus]] - more sophisticated file appending
 
* [[Smuggle Bus]] - more sophisticated file appending
* [[Our Secret]] (formerly Steganography)
+
* [[Steganofile]]
 +
* [[StegoMagic (MrMugiwara)]]
 +
* [[StegoStick]]
 +
* [[Xidie Security Suite]]
 +
* [https://web.archive.org/web/20081210084707/http://googlebordello.crushhumanity.org/jpgrar.html JPGRAR lore]
  
  
Line 37: Line 60:
 
* [https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html Malware Hidden Inside JPG EXIF Headers]
 
* [https://blog.sucuri.net/2013/07/malware-hidden-inside-jpg-exif-headers.html Malware Hidden Inside JPG EXIF Headers]
 
* [[GG-AESY]] - implements both methods of hiding data
 
* [[GG-AESY]] - implements both methods of hiding data
 +
* [[Jpeginsert]] - uses the quantization tables
 +
* [[JPegX]] - functions like a generic appender, but limited to txt messages in JPEG
 +
* [[Invisible Secrets]] - hidden data in the comment field at the beginning of the JPEG file
 
* [https://www.provos.org/p/detection-with-stegdetect/ Stegdetect] - detects data at the end of JPEG files hidden with tools like [[appendX]] or [[camouflage]].
 
* [https://www.provos.org/p/detection-with-stegdetect/ Stegdetect] - detects data at the end of JPEG files hidden with tools like [[appendX]] or [[camouflage]].
 +
 +
 +
 +
== [[PNG]] ==
 +
 +
 +
=== Links ===
 +
* [[Invisible Secrets]] - hidden data in the comment field at the end of the PNG file
 +
* [[tweetable-polyglot-png]]
 +
  
  
Line 45: Line 81:
 
=== Links ===
 
=== Links ===
 
* [[js-bmp-packer]] - combine js code and a bmp file into a file that can be viewed as an image and run as code
 
* [[js-bmp-packer]] - combine js code and a bmp file into a file that can be viewed as an image and run as code
 +
* [[Z-File Camouflage/Encryption System]]
 +
 +
 +
 +
== [[MP3]] ==
 +
 +
 +
MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.
 +
 +
Hence wrapping an MP3 in a zip/rar with no compression will still be playable.
 +
 +
See also: [[MP3 wrapper]]
 +
 +
 +
 +
== Video ==
 +
 +
 +
=== Links ===
 +
* [[TCStego]] - hides TrueCrypt/VeraCrypt volumes in [[QuickTime]], [[MP4]], or [[3GP]]
 +
 +
 +
 +
== [[ZIP]] ==
 +
 +
 +
=== Links ===
 +
* [[Zipped Steganography]]
 +
* [https://www.codeproject.com/Messages/1453994/A-few-thoughts Discussion of more ways to hide data in Zip files]
 +
 +
 +
 +
== [[GZIP]] ==
 +
 +
 +
=== Links ===
 +
* [[GZSteg]]
 +
 +
 +
 +
== [[Office Open XML]] ==
 +
 +
Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just [[ZIP]] files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there.
 +
 +
To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file.
 +
 +
If you save any changes in the Office document after you hide a file, the embedded file will be lost.
 +
 +
 +
=== Links ===
 +
 +
* [[Office XML Steganography Tool]]
 +
* [[Steganography for OfficeXML file]]
 +
* [[Xidie Security Suite]]
 +
 +
 +
 +
== [[Microsoft Compound File]] ==
 +
 +
Older Microsoft Office files
 +
 +
 +
=== Links ===
 +
* [[Merge Streams]]
 +
  
  
Line 62: Line 163:
 
=== Links ===
 
=== Links ===
 
* [https://stackoverflow.com/questions/27075859/steganography-hiding-data-in-pdf-files Discussion of hiding spots in PDF]
 
* [https://stackoverflow.com/questions/27075859/steganography-hiding-data-in-pdf-files Discussion of hiding spots in PDF]
 +
* [[wbStego]]
 +
* [[Xidie Security Suite]]
  
 
 
== [[MP3]] ==
 
 
 
MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.
 
 
Hence wrapping an MP3 in a zip/rar with no compression will still be playable.
 
 
See also: [[MP3 wrapper]]
 
  
  
Line 90: Line 183:
 
They can also be opened directly in notepad:<br>
 
They can also be opened directly in notepad:<br>
 
notepad test.txt:stream
 
notepad test.txt:stream
 +
  
 
=== Links ===
 
=== Links ===
Line 97: Line 191:
 
* [https://www.nirsoft.net/utils/alternate_data_streams.html Nirsoft AlternateStreamView] - find/view/copy/delete NTFS Alternate Data Streams
 
* [https://www.nirsoft.net/utils/alternate_data_streams.html Nirsoft AlternateStreamView] - find/view/copy/delete NTFS Alternate Data Streams
 
* [https://github.com/RichardD2/NTFS-Streams NTFS Streams] - A .NET library for working with alternate data streams on NTFS file systems.
 
* [https://github.com/RichardD2/NTFS-Streams NTFS Streams] - A .NET library for working with alternate data streams on NTFS file systems.
 +
* [[Xidie Security Suite]]
 +
 +
 +
 +
== Unused Disk Space ==
 +
 +
 +
=== Links ===
 +
* [[BDV DataHider]]
 +
* [[S-Tools]]

Latest revision as of 16:47, 11 November 2023

File Format
Name Data Hiding/Embedding
Ontology

Data hiding/embedding is a cruder form of Steganography that relies on not being noticed/looked for in the first place while true steganography tries to remain hidden even when actively being looked for.


Contents

[edit] Generic appending

Appending a file to the end of another often results in a file that continues to work as usual, with the file viewer/player ignoring the extra bytes at the end.

A common tactic to take advantage of this behavior is to manually append a zip/rar file to the end of a file. The resulting file will still open as regular, but any archiver will automatically detect and open zip/rar part.

In DOS/Windows command line, files can be appended by using the command:
copy /b host.jpg + hidden.zip combined.jpg

In Linux/Mac the command looks like:
$ cat host.jpg hidden.zip > combined.jpg

This can work with JPEG, GIF, MP3, some executables and more


[edit] Links


[edit] JPEG

There are two main approaches to embedding data in a JPEG file: using the EXIF headers or appending it after the end of image marker (FF D9)


[edit] Links


[edit] PNG

[edit] Links


[edit] BMP

[edit] Links


[edit] MP3

MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.

Hence wrapping an MP3 in a zip/rar with no compression will still be playable.

See also: MP3 wrapper


[edit] Video

[edit] Links


[edit] ZIP

[edit] Links


[edit] GZIP

[edit] Links


[edit] Office Open XML

Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just ZIP files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there.

To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file.

If you save any changes in the Office document after you hide a file, the embedded file will be lost.


[edit] Links


[edit] Microsoft Compound File

Older Microsoft Office files


[edit] Links


[edit] PDF

PDF allows embedding complete files in the actual PDF file.

PDF allows adding arbitrary objects anywhere (or almost anywhere) in the file.

PDF allows writing data between objects

PDF allows adding for example white text on a white background or text behind other objects.

Adobe's PDF spec allows at least 1K of fluff after the %%EOF marker (although ISO 32000 does not).


[edit] Links


[edit] NTFS Alternate Data Streams

NTFS provides Alternate Data Streams (ADS) for each file and directory.

You can create one from the command line:
echo hello > test.txt:stream

You can also copy an existing file into a stream:
type hidden.txt > test.txt:hidden.txt

To read the stream back:
more < test.txt:stream

They can also be opened directly in notepad:
notepad test.txt:stream


[edit] Links


[edit] Unused Disk Space

[edit] Links

Personal tools
Namespaces

Variants
Actions
Navigation
Toolbox