Data Hiding/Embedding
Parchivist (Talk | contribs) |
Parchivist (Talk | contribs) |
||
Line 86: | Line 86: | ||
See also: [[MP3 wrapper]] | See also: [[MP3 wrapper]] | ||
+ | |||
+ | |||
+ | == [[Office Open XML]] == | ||
+ | |||
+ | Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just [[ZIP]] files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there. | ||
+ | |||
+ | To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file. | ||
+ | |||
+ | If you save any changes in the Office document after you hide a file, the embedded file will be lost. | ||
+ | |||
+ | |||
+ | === Links === | ||
+ | * [[Office XML Steganography Tool]] | ||
+ | * [[Steganography for OfficeXML file]] | ||
+ | * [https://onlinelibrary.wiley.com/doi/epdf/10.1002/sec.378 Text split-based steganography in OOXML format documents for covert communication], Zhangjie Fu et al. (2012) | ||
+ | * [https://ir.library.ontariotechu.ca/bitstream/handle/10155/146/Raffay_Muhammad.pdf Data Hiding and Detection in Office Open XML (OOXML) Documents], Raffay, M.A. (2011) | ||
+ | * [https://dl.ifip.org/db/conf/IEEEares/murpbes2011/CastiglioneDSP11.pdf New Steganographic Techniques for the OOXML File Format], Castiglione, A., D’Alessio, B., De Santis, A., Palmieri, F. (2011) | ||
+ | * [https://yadda.icm.edu.pl/baztech/element/bwmeta1.element.baztech-article-BWAD-0031-0020/c/httpwww_wat_edu_plm000000biuletynmfhandler_phpfile204-2012_pdftable3bazaartykulowfielddodajpobierzpagetypelistkey1820.pdf Stego.docx — hidden communication system using docx files], Kamil Kaczyński (2012) | ||
+ | * [https://patents.google.com/patent/CN109993681A/en A kind of digital watermark method of the OOX format file based on color attribute value transformation] | ||
+ | |||
Revision as of 04:04, 2 September 2023
Data hiding/embedding is a cruder form of Steganography that relies on not being noticed/looked for in the first place while true steganography tries to remain hidden even when actively being looked for.
Contents[hide] |
Generic appending
Appending a file to the end of another often results in a file that continues to work as usual, with the file viewer/player ignoring the extra bytes at the end.
A common tactic to take advantage of this behavior is to manually append a zip/rar file to the end of a file. The resulting file will still open as regular, but any archiver will automatically detect and open zip/rar part.
In DOS/Windows command line, files can be appended by using the command:
copy /b host.jpg + hidden.zip combined.jpg
In Linux/Mac the command looks like:
$ cat host.jpg hidden.zip > combined.jpg
This can work with JPEG, GIF, MP3, some executables and more
Links
- Smuggle Bus - more sophisticated file appending
- Our Secret (formerly Pipisoft Steganography)
- Safe & Quick Hide Files and Folders (SQHideFile) (aka Secure Box)
- Camouflage
- JPGRAR lore
JPEG
There are two main approaches to embedding data in a JPEG file: using the EXIF headers or appending it after the end of image marker (FF D9)
Links
- Under the hood: Hiding data in JPEG images
- Malware Hidden Inside JPG EXIF Headers
- GG-AESY - implements both methods of hiding data
- JPegX - functions like a generic appender, but limited to txt messages in JPEG
- Invisible Secrets - hidden data in the comment field at the beginning of the JPEG file
- Stegdetect - detects data at the end of JPEG files hidden with tools like appendX or camouflage.
PNG
Links
- Invisible Secrets - hidden data in the comment field at the end of the PNG file
BMP
Links
- js-bmp-packer - combine js code and a bmp file into a file that can be viewed as an image and run as code
PDF allows embedding complete files in the actual PDF file.
PDF allows adding arbitrary objects anywhere (or almost anywhere) in the file.
PDF allows writing data between objects
PDF allows adding for example white text on a white background or text behind other objects.
Adobe's PDF spec allows at least 1K of fluff after the %%EOF marker (although ISO 32000 does not).
Links
MP3
MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.
Hence wrapping an MP3 in a zip/rar with no compression will still be playable.
See also: MP3 wrapper
Office Open XML
Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just ZIP files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there.
To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file.
If you save any changes in the Office document after you hide a file, the embedded file will be lost.
Links
- Office XML Steganography Tool
- Steganography for OfficeXML file
- Text split-based steganography in OOXML format documents for covert communication, Zhangjie Fu et al. (2012)
- Data Hiding and Detection in Office Open XML (OOXML) Documents, Raffay, M.A. (2011)
- New Steganographic Techniques for the OOXML File Format, Castiglione, A., D’Alessio, B., De Santis, A., Palmieri, F. (2011)
- Stego.docx — hidden communication system using docx files, Kamil Kaczyński (2012)
- A kind of digital watermark method of the OOX format file based on color attribute value transformation
NTFS Alternate Data Streams
NTFS provides Alternate Data Streams (ADS) for each file and directory.
You can create one from the command line:
echo hello > test.txt:stream
You can also copy an existing file into a stream:
type hidden.txt > test.txt:hidden.txt
To read the stream back:
more < test.txt:stream
They can also be opened directly in notepad:
notepad test.txt:stream
Links
- How to Create, Open, Detect, and Remove Alternate Data Stream
- Exploring NTFS Alternate Data Streams from a security standpoint
- Streams - finds files and directories with streams
- Nirsoft AlternateStreamView - find/view/copy/delete NTFS Alternate Data Streams
- NTFS Streams - A .NET library for working with alternate data streams on NTFS file systems.