- The robustness of steganography relies on the algorithm used and on knowledge of the cover medium. Finding the original media lets you compare it with the suspect file and identify the alterations made. A reverse image search on Google Images or Yandex Images can find the original media (be sure to check that the file size and type match).
- The Stegsolve tool allows you to perform operations on 2 images, and thus identify the differences between a cover medium and a stegano medium using the XOR operation.
- The Zsteg tool extracts messages and binaries encoded on different layers, such as the 2 least significant bits (LSB) of the green channel.
$ zsteg file.png 2b,g,lsb,xy
$ zsteg file.png -E '1b,rgb,lsb'
- Sometimes, bit-layer analysis in Stegsolve (or Aperi'Solve) highlights specific areas that have been altered. Scripting may then be required to extract those areas. The following Python code retrieves an image as a list of pixels: [(100,120,43), (230, 124, 110), ...]
# pip install Pillow
from PIL import Image
# Open the suspect file and read its dimensions
stegano_image = Image.open('file.png')
width, height = stegano_image.size
# Flatten the image into a row-major list of pixel tuples
pxs = list(stegano_image.getdata())
# Show the first 10 pixels
print(pxs[:10])
- Stegano mediums can rely on an algorithm that uses an encryption key. This is the case for Steghide and OutGuess. The password can be the name of the file, a string of characters contained in the file (strings & exiftool), or the object represented by the image. In some cases, the password cannot be retrieved and a brute-force attack must be performed. The tools StegCracker and Stegbrute brute-force secrets hidden with Steghide.
$ steghide extract -p "secret" -sf file.jpg
$ stegcracker file.jpg /usr/share/wordlists/rockyou.txt
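
For the cover/stego comparison and the region-scripting step in the bit-layer item above, here is an added example that is not part of the original page: it works on the same pixel-list format, finds the altered area by comparing cover and stego pixels, then reads the low bits from that area only. The function names, the row-major MSB-first bit order and the sample pixels are assumptions constructed for illustration.

```python
# Added example. Pure Python; operates on the list(Image.getdata()) pixel format.

def diff_bbox(cover, stego, width):
    """Inclusive (left, top, right, bottom) box around pixels that differ, or None."""
    changed = [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]
    if not changed:
        return None
    xs = [i % width for i in changed]
    ys = [i // width for i in changed]
    # Caveat: a pixel whose low bits already matched the payload is unchanged,
    # so the box can be smaller than the area that was actually written.
    return min(xs), min(ys), max(xs), max(ys)

def extract_lsb(pxs, width, box, channels=(0, 1, 2), bits=1):
    """Collect the `bits` low bits of each chosen channel inside `box`.

    Assumed order: row by row, left to right, channels as listed, most
    significant bit first. Trailing bits that do not fill a byte are dropped.
    """
    left, top, right, bottom = box
    stream = []
    for y in range(top, bottom + 1):
        for x in range(left, right + 1):
            px = pxs[y * width + x]
            for c in channels:
                stream.extend((px[c] >> b) & 1 for b in range(bits - 1, -1, -1))
    out = bytearray()
    for i in range(0, len(stream) - 7, 8):
        byte = 0
        for bit in stream[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

# Constructed sample: an 8x3 cover of identical pixels and a stego copy whose
# middle row carries 24 bits in the R, G and B least significant bits.
WIDTH = 8
COVER = [(100, 120, 43)] * 24
STEGO_ROW = [(100, 121, 42), (100, 121, 42), (100, 120, 42), (101, 121, 42),
             (101, 120, 42), (101, 120, 42), (101, 121, 43), (101, 121, 43)]
STEGO = COVER[:8] + STEGO_ROW + COVER[16:]

if __name__ == "__main__":
    box = diff_bbox(COVER, STEGO, WIDTH)
    print("altered region:", box)
    print("1 bit, RGB:", extract_lsb(STEGO, WIDTH, box))
    print("2 bits, green only:", extract_lsb(STEGO, WIDTH, box, channels=(1,), bits=2))
```

If the output looks like noise, try another channel set, bit count or bit order before concluding the region is empty.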