SKILL: Steganography Techniques — Expert Analysis Playbook

AI LOAD INSTRUCTION: Expert steganography detection and extraction techniques. Covers image steganography (LSB, PNG chunk hiding, JPEG DCT, EXIF metadata, dimension tricks, palette manipulation), audio steganography (spectrogram, LSB, DTMF, morse), file steganography (polyglots, binwalk, NTFS ADS, steghide), and text steganography (whitespace, zero-width Unicode, homoglyphs). Base models miss the systematic file-type-based analysis approach and tool-specific extraction workflows.

0. RELATED ROUTING

Before going deep, consider loading:

traffic-analysis-pcap for extracting files from network captures before stego analysis
memory-forensics-volatility for extracting files from memory dumps
classical-cipher-analysis if extracted hidden data is further encrypted/encoded

Tool Reference

Also load STEGO_TOOLS_GUIDE.md when you need:

Tool installation instructions and dependencies
Detailed command reference for each stego tool
Workflow patterns for specific file types

1. IMAGE STEGANOGRAPHY

LSB (Least Significant Bit)

LSB embeds data in the least significant bits of pixel color channels.

bash

# zsteg — LSB analysis for PNG/BMP
zsteg image.png                       # auto-detect all LSB patterns
zsteg image.png -a                    # try all known methods
zsteg image.png -b 1                  # extract bit plane 1
zsteg image.png -E "b1,rgb,lsb,xy"   # specific extraction pattern

# StegSolve (Java GUI)
java -jar StegSolve.jar
# Navigate color planes: Red 0, Green 0, Blue 0 → look for hidden image/text
# Data Extractor: specify bit planes + byte order

# stegoveritas — comprehensive automated analysis
stegoveritas image.png
# Runs: exiftool, binwalk, zsteg, foremost, color plane extraction

PNG Specific

bash

# pngcheck — validate structure, find hidden chunks
pngcheck -v image.png

# Hidden chunks: tEXt, zTXt (compressed text), iTXt (international text)
# Custom/private chunks may contain hidden data

# CRC vs dimensions trick
# If CRC doesn't match declared dimensions → image was cropped
# Fix: brute-force correct width/height → reveals hidden rows/columns
python3 -c "
import struct, zlib
with open('image.png','rb') as f:
    data = f.read()
# Check IHDR CRC at offset 29
ihdr = data[12:29]
for h in range(1,2000):
    for w in range(1,2000):
        new_ihdr = struct.pack('>II',w,h) + ihdr[8:]
        if zlib.crc32(b'IHDR'+new_ihdr) & 0xffffffff == struct.unpack('>I',data[29:33])[0]:
            print(f'Width: {w}, Height: {h}')
"

# APNG (animated PNG) — hidden frames
# Use apngdis to extract all frames: apngdis image.png

JPEG Specific

bash

# steghide — embed/extract from JPEG (DCT coefficient modification)
steghide extract -sf image.jpg                 # extract (no passphrase)
steghide extract -sf image.jpg -p PASSWORD     # extract with passphrase
steghide info image.jpg                        # check if data is embedded

# stegcracker — brute force steghide passphrase
stegcracker image.jpg wordlist.txt

# jsteg — JPEG LSB steganography
jsteg reveal image.jpg output.txt

# JPEG structure analysis
exiftool -v3 image.jpg       # verbose metadata + structure
jpegdump image.jpg           # raw JPEG marker analysis

EXIF Metadata

bash

# exiftool — comprehensive metadata extraction
exiftool image.jpg
exiftool -b -ThumbnailImage image.jpg > thumb.jpg   # extract thumbnail
exiftool -all= image.jpg                             # strip all metadata

# Hidden data in EXIF fields (comment, artist, copyright, etc.)
exiftool -Comment image.jpg
exiftool -UserComment image.jpg
strings image.jpg | grep -i "flag\|key\|secret"

Palette-Based (GIF)

bash

# GIF color table manipulation — data in color palette order
gifsicle -I image.gif                    # info
gifsicle --color-info image.gif          # palette details
# Check for animation frames: convert -coalesce image.gif frame_%d.png

2. AUDIO STEGANOGRAPHY

Spectrogram Analysis

bash

# Sonic Visualiser — best for spectrogram viewing
# Layer → Add Spectrogram → look for visual patterns (text/images)

# Audacity
# Analyze → Plot Spectrum
# Select audio → change view to Spectrogram

# sox for command-line spectrogram generation
sox audio.wav -n spectrogram -o spectro.png

Audio LSB

bash

# DeepSound — hide/extract files in audio (Windows)
# GUI tool: open audio file → extract hidden files

# WavSteg — LSB in WAV files
python3 WavSteg.py -r -i audio.wav -o output.txt -n 1   # extract 1 LSB
python3 WavSteg.py -r -i audio.wav -o output.txt -n 2   # extract 2 LSBs

DTMF / Morse Code

bash

# DTMF decoder (phone tones)
multimon-ng -t wav -a DTMF audio.wav

# Morse code
# Audacity → visual inspection of on/off pattern
# Online decoder or manual: .- = A, -... = B, etc.

# SSTV (Slow-Scan Television) — image in audio
qsstv                    # GUI decoder
# Or: RX-SSTV (Windows)

WAV Header Manipulation

bash

# Check for data appended after WAV audio data
# WAV data chunk size vs actual file size
python3 -c "
import wave
w = wave.open('audio.wav','rb')
print(f'Frames: {w.getnframes()}, Channels: {w.getnchannels()}, Width: {w.getsampwidth()}')
expected = w.getnframes() * w.getnchannels() * w.getsampwidth() + 44  # 44 = WAV header
import os
actual = os.path.getsize('audio.wav')
if actual > expected:
    print(f'Extra data: {actual - expected} bytes appended')
"

3. FILE STEGANOGRAPHY

Polyglot Files

A single file that is valid in two or more formats simultaneously.

bash

# Detection: check file with multiple tools
file suspicious_file
xxd suspicious_file | head          # check magic bytes
binwalk suspicious_file             # find embedded files

# Common polyglots: PDF+ZIP, JPEG+ZIP, JPEG+RAR, PNG+ZIP
# Try unzip on image files:
unzip image.jpg -d extracted/
7z x image.jpg -oextracted/

Appended / Embedded Data

bash

# binwalk — scan for embedded files and data
binwalk image.png                   # scan
binwalk -e image.png                # extract embedded files
binwalk --dd='.*' image.png         # extract everything

# foremost — file carving
foremost -i suspicious_file -o output_dir/

# dd — manual extraction
# If binwalk shows embedded ZIP at offset 0x1234:
dd if=suspicious_file bs=1 skip=$((0x1234)) of=extracted.zip

NTFS Alternate Data Streams (ADS)

cmd

:: List ADS (Windows)
dir /r file.txt
Get-Item file.txt -Stream *

:: Read hidden stream
more < file.txt:hidden_stream
Get-Content file.txt -Stream hidden_stream

:: Create ADS (for testing)
echo "hidden data" > file.txt:secret

Steghide Brute Force

bash

# stegcracker — wordlist attack on steghide passphrase
stegcracker image.jpg /usr/share/wordlists/rockyou.txt

# stegseek — faster alternative
stegseek image.jpg /usr/share/wordlists/rockyou.txt
# stegseek is ~10000x faster than stegcracker

4. TEXT STEGANOGRAPHY

Whitespace Encoding

bash

# Tabs and spaces encode binary (tab=1, space=0 or vice versa)
# stegsnow — whitespace steganography
stegsnow -C message.txt                # extract hidden message
stegsnow -C -p PASSWORD message.txt    # extract with password

# Manual detection:
cat -A file.txt | head     # show tabs (^I) and line endings ($)
xxd file.txt | grep "09 20\|20 09"    # look for tab/space patterns

Zero-Width Characters

bash

# Unicode invisible characters used for encoding:
# U+200B (Zero-Width Space), U+200C (ZWNJ), U+200D (ZWJ), U+FEFF (BOM)

# Detection:
python3 -c "
text = open('message.txt','r').read()
hidden = [c for c in text if ord(c) in [0x200b, 0x200c, 0x200d, 0xfeff]]
print(f'Found {len(hidden)} zero-width characters')
binary = ''.join('0' if ord(c)==0x200b else '1' for c in hidden)
# Convert binary to ASCII
"

# Online tools: holloway.nz/steg, Unicode Steganography decoders

Homoglyph Substitution

bash

# Visually identical characters from different Unicode blocks
# e.g., Latin 'a' (U+0061) vs Cyrillic 'а' (U+0430)

# Detection:
python3 -c "
text = open('message.txt','r').read()
for i, c in enumerate(text):
    if ord(c) > 127:
        print(f'Position {i}: char={c} ord={ord(c)} name={__import__(\"unicodedata\").name(c,\"?\")}')
"

5. DECISION TREE

Suspect hidden data — what file type?
│
├── Image (PNG/BMP)?
│   ├── Check metadata: exiftool (§1 EXIF)
│   ├── Check structure: pngcheck, binwalk (§1 PNG)
│   ├── LSB analysis: zsteg, StegSolve (§1 LSB)
│   ├── Check dimensions vs CRC: height/width brute force (§1 PNG)
│   ├── Check for appended data: binwalk -e (§3)
│   └── Try as polyglot: unzip/7z (§3)
│
├── Image (JPEG)?
│   ├── Check metadata: exiftool (§1 EXIF)
│   ├── Try steghide: steghide extract (§1 JPEG)
│   │   └── Password protected? → stegseek brute force (§3)
│   ├── Try jsteg: jsteg reveal (§1 JPEG)
│   ├── Check for appended data: binwalk -e (§3)
│   └── Check thumbnail: exiftool -b -ThumbnailImage (§1 EXIF)
│
├── Image (GIF)?
│   ├── Check frames: extract all animation frames (§1 Palette)
│   ├── Check palette: gifsicle --color-info (§1 Palette)
│   └── Check for appended data: binwalk -e (§3)
│
├── Audio (WAV/MP3/FLAC)?
│   ├── Spectrogram: Sonic Visualiser / Audacity (§2)
│   ├── LSB: WavSteg (§2)
│   ├── DTMF tones: multimon-ng (§2)
│   ├── Morse code: manual or decoder (§2)
│   ├── SSTV: qsstv (§2)
│   └── Check file size vs expected: header analysis (§2)
│
├── Text file?
│   ├── Check whitespace: cat -A, stegsnow (§4)
│   ├── Check zero-width chars: Unicode analysis (§4)
│   ├── Check homoglyphs: non-ASCII detection (§4)
│   └── Check encoding: multiple base decodings
│
├── Any file type?
│   ├── strings: strings -n 8 file | grep -i "flag\|key\|pass"
│   ├── binwalk: binwalk -e file (embedded files) (§3)
│   ├── file: file suspicious_file (true type)
│   ├── xxd: check magic bytes, compare headers
│   └── NTFS? → check ADS: dir /r (§3)
│
└── Password/passphrase needed?
    ├── steghide → stegseek / stegcracker (§3)
    ├── Check challenge description for hints
    └── Try common passwords: password, file name, challenge name

steganography-techniques

NPX Install

Tags

SKILL.md Content

SKILL: Steganography Techniques — Expert Analysis Playbook

0. RELATED ROUTING

Tool Reference

1. IMAGE STEGANOGRAPHY

LSB (Least Significant Bit)

PNG Specific

JPEG Specific

EXIF Metadata

Palette-Based (GIF)

2. AUDIO STEGANOGRAPHY

Spectrogram Analysis

Audio LSB

DTMF / Morse Code

WAV Header Manipulation

3. FILE STEGANOGRAPHY

Polyglot Files

Appended / Embedded Data

NTFS Alternate Data Streams (ADS)

Steghide Brute Force

4. TEXT STEGANOGRAPHY

Whitespace Encoding

Zero-Width Characters

Homoglyph Substitution

5. DECISION TREE