Data Hiding/Embedding
Data hiding/embedding is a cruder form of Steganography that relies on not being noticed/looked for in the first place while true steganography tries to remain hidden even when actively being looked for.
Contents |
Generic appending
Appending a file to the end of another often results in a file that continues to work as usual, with the file viewer/player ignoring the extra bytes at the end.
A common tactic to take advantage of this behavior is to manually append a zip/rar file to the end of a file. The resulting file will still open as regular, but any archiver will automatically detect and open zip/rar part.
In DOS/Windows command line, files can be appended by using the command:
copy /b host.jpg + hidden.zip combined.jpg
In Linux/Mac the command looks like:
$ cat host.jpg hidden.zip > combined.jpg
This can work with JPEG, GIF, MP3, some executables and more
Links
- Camouflage
- Max File Encryption (formerly X-EXE)
- Our Secret (formerly Pipisoft Steganography)
- Safe & Quick Hide Files and Folders (SQHideFile) (aka Secure Box)
- Smuggle Bus - more sophisticated file appending
- StegoMagic (MrMugiwara)
- Xidie Security Suite
- JPGRAR lore
JPEG
There are two main approaches to embedding data in a JPEG file: using the EXIF headers or appending it after the end of image marker (FF D9)
Links
- Under the hood: Hiding data in JPEG images
- Malware Hidden Inside JPG EXIF Headers
- GG-AESY - implements both methods of hiding data
- Jpeginsert - uses the quantization tables
- JPegX - functions like a generic appender, but limited to txt messages in JPEG
- Invisible Secrets - hidden data in the comment field at the beginning of the JPEG file
- Stegdetect - detects data at the end of JPEG files hidden with tools like appendX or camouflage.
PNG
Links
- Invisible Secrets - hidden data in the comment field at the end of the PNG file
- tweetable-polyglot-png
BMP
Links
- js-bmp-packer - combine js code and a bmp file into a file that can be viewed as an image and run as code
MP3
MP3 files are fairly tolerant of random data being added to the file, and not just the end, but also the beginning.
Hence wrapping an MP3 in a zip/rar with no compression will still be playable.
See also: MP3 wrapper
ZIP
Links
Office Open XML
Office XML (Microsoft Office 2007+ DOCX, XLSX, PPTX, etc) files are just ZIP files with other files inside. If you don't care about the file opening successfully afterwards, you can just add anything you want in there.
To get the file to open, you'll need to edit [Content_Types].xml so office programs don't complain about a corrupted file.
If you save any changes in the Office document after you hide a file, the embedded file will be lost.
Links
Microsoft Compound File
Older Microsoft Office files
Links
PDF allows embedding complete files in the actual PDF file.
PDF allows adding arbitrary objects anywhere (or almost anywhere) in the file.
PDF allows writing data between objects
PDF allows adding for example white text on a white background or text behind other objects.
Adobe's PDF spec allows at least 1K of fluff after the %%EOF marker (although ISO 32000 does not).
Links
NTFS Alternate Data Streams
NTFS provides Alternate Data Streams (ADS) for each file and directory.
You can create one from the command line:
echo hello > test.txt:stream
You can also copy an existing file into a stream:
type hidden.txt > test.txt:hidden.txt
To read the stream back:
more < test.txt:stream
They can also be opened directly in notepad:
notepad test.txt:stream
Links
- How to Create, Open, Detect, and Remove Alternate Data Stream
- Exploring NTFS Alternate Data Streams from a security standpoint
- Streams - finds files and directories with streams
- Nirsoft AlternateStreamView - find/view/copy/delete NTFS Alternate Data Streams
- NTFS Streams - A .NET library for working with alternate data streams on NTFS file systems.
- Xidie Security Suite