TCStego

From Just Solve the File Format Problem
File Format
Name: TCStego
Released: 2011

TCStego by Martin J. Fiedler and Vladimir Ivanov is a Python script that embeds a mountable TrueCrypt/VeraCrypt volume in a QuickTime, MP4 or 3GP video such that both are valid at the same time.
The Media Data (MDAT) box and the Sample Table Chunk Offset (STCO) box are the key components of the existing multimedia file that are used to facilitate the hiding. The MDAT contains the actual raw audio and video data. The MDAT chunks can vary in length and are not required to be in any particular order. The STCO is a table of references that allows the MDAT to exist in a non-ordered manner: the STCO box contains pointers to the starting positions of the chunks within the MDAT. This flexibility has many advantages, including quick editing, seeking, local playback, and support for video streaming. Reordering of samples can be done swiftly and easily by simply changing a pointer in the STCO. Thus, any seeking in the file requires consulting the STCO for the correct MDAT chunk locations. When playing a movie, this is what allows us to seek to specific portions of the movie, fast forward, rewind, or remember where we were when we press pause. By manipulating the MDAT and STCO, tcsteg.py can embed a chunk that does not actually contain raw video or audio, but rather the content of the TrueCrypt hidden volume.

In order for this to work, the TrueCrypt container must contain both an outer and a hidden volume. The outer volume is thrown away during embedding to further disguise the hiding, but the inner (hidden) volume remains intact. TCStego also adds some spoofed data to make the MDAT seem legitimate, so if you were to view the media file in a hex editor, you would not find anything suspicious about the MDAT. At this point the media file plays and behaves as you would expect, and if you mount the media file with TrueCrypt and supply the correct password, it also works correctly as a hidden container.

Taken together, the chunk offsets in the STCO should account for all of the data contained in the MDAT. An orphaned region, one that no chunk offset points into, is an obvious anomaly, because a decoder would never attempt to play or seek to that region. By identifying the gap created by the insertion of the TrueCrypt container, you can then estimate the size of the orphaned region.

