This article will teach you enough image steganography and forensics to solve at least "beginner" level image forensics challenges in CTFs. This post is not concerned with legal forensic practice, so preserving data integrity is out of scope.
The topics covered throughout this article are listed in the index below; have a glance and jump directly to a specific topic if you'd like to.
Index
Metadata Analysis
Strings
MIME Type Analysis
Analysing File Headers
Fixing File Headers
Steganography
File Carving
Adventure Time!!
EndNote and Resources
Metadata Analysis
The very first step in solving an image forensics challenge is to view and analyse the metadata and look out for anything that might interest us or aid the next steps. If you do not know, or do not know well, what metadata is, this is the simplest explanation you will find:
a set of data that describes and gives information about other data.
(definition from Google)
For metadata analysis we use the exiftool utility on Kali. The syntax is the exiftool command followed by the name of the file.
exiftool filename
Strings
The next step in our approach is the strings command, which prints the printable character sequences found in a non-text file.
strings filename | grep -i "flag"
Running strings on an ordinary image, or any other ordinary non-text file, returns output similar to this:
A file with embedded raw text looks something like this:
MIME Analysis
MIME, short for Multipurpose Internet Mail Extensions, is a standard that defines the nature and format of different files and documents. While doing forensics, you'll often encounter files with spoofed extensions, i.e. the extension has been intentionally changed to something other than what you'd normally expect.
To confirm that we're dealing with the correct file type and the extension is not spoofed, we use the file command on Linux. If only the extension is spoofed, the detected MIME type still remains the same; it changes only when the file headers have been forged too.
file filename
File Header Analysis
After we confirm the MIME type, the next move is to verify the file signature and fix it if it has been spoofed or changed too. File signatures (headers), or what people refer to as "magic numbers", are the initial bytes of a file, used to identify its format. These magic numbers are how we identify file formats even when extensions are changed or spoofed.
For instance, all jpeg files have the same signature, i.e. "FF D8 FF E0".
To view the header of a file, we can use the hexdump tool on Kali.
hexdump -C -n 8 filename
NOTE: the -n argument limits the output to the first 8 bytes.
Fixing File Headers
Now that we have some idea about file signatures, our concern is to fix these headers if they have been tampered with too. We can look online for the valid file signature of the format we expect and fix the header of our file accordingly. To edit file headers, we can use the hexeditor tool on Kali.
hexeditor filename
This is what the tool looks like, when you open a file with it:
NOTE: Do not be put off by how it looks; treat it like the nano editor and replace the signature with a valid value.
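The hexdump-and-hexeditor workflow above, done in code as an added example (not from the original post): identify a file by its magic bytes and repair a tampered header. The signature table and the sample bytes are constructed for this example; note that for JPEG only the first three bytes are fixed, the fourth depends on the first marker segment.

```python
from typing import Optional

# Well-known file signatures (magic numbers) at byte offset 0. The table is
# constructed for this example; real tools carry hundreds of entries.
# For JPEG only the first three bytes are fixed (FF D8 FF): the fourth byte is
# the marker type, e.g. E0 for a JFIF APP0 segment or E1 for an Exif APP1.
SIGNATURES = {
    "png":  bytes.fromhex("89504E470D0A1A0A"),
    "jpeg": bytes.fromhex("FFD8FF"),
    "gif":  b"GIF8",
    "bmp":  b"BM",
    "zip":  bytes.fromhex("504B0304"),
}

def identify(data: bytes) -> Optional[str]:
    """Return the format whose signature matches the start of data, else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def hexdump_head(data: bytes, n: int = 8) -> str:
    """Like `hexdump -C -n 8`: the first n bytes as space-separated hex."""
    return " ".join(f"{b:02X}" for b in data[:n])

def fix_header(data: bytes, expected: str) -> bytes:
    """Overwrite the leading bytes with the valid signature for `expected`.

    This is what patching the first bytes in hexeditor does: everything
    after the signature is left untouched. KeyError if the format is unknown.
    """
    magic = SIGNATURES[expected]
    if data.startswith(magic):
        return data  # already valid, nothing to fix
    return magic + data[len(magic):]

# Constructed sample: the first 4 bytes of a PNG header overwritten with zeros,
# so `file` would no longer recognise it. The start of the IHDR chunk follows.
TAMPERED_PNG = bytes.fromhex("000000000D0A1A0A0000000D49484452")

if __name__ == "__main__":
    print("before:", hexdump_head(TAMPERED_PNG), "->", identify(TAMPERED_PNG))
    fixed = fix_header(TAMPERED_PNG, "png")
    print("after: ", hexdump_head(fixed), "->", identify(fixed))
```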
Steganography
Moving beyond basic operations, we try to detect whether the image is steganographic. For this purpose, we can use multiple tools. The first tool in our pocket is steghide. It can detect steganographic data in images and extract it, if possible. The tool can be installed directly from the apt repositories or from GitHub.
steghide extract -sf picture.jpg
Let's look at another popular tool, zsteg. Zsteg can detect different steganography techniques on PNG and bitmap images. The tool can be installed with Ruby gems or from its GitHub repository.
zsteg --all filename
The third and last tool I'll mention in this section is stegsolve, another great tool for picking up menacing steganography tricks in images. The jar file of the tool can be downloaded from its GitHub repository.
java -jar stegsolve.jar
NOTE: Discover more, resources are mentioned at the end of the post.
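The simplest thing zsteg and stegsolve look at is the least-significant-bit plane of the pixel channels. As an added example (not from the original post, and not how any of those tools are implemented internally), here is a length-prefixed LSB embed and the matching extraction over a constructed flat list of RGB channel values, so it runs without an image library.

```python
from typing import List

def lsb_embed(pixels: List[int], message: bytes) -> List[int]:
    """Hide a length-prefixed message in the LSB of consecutive channel bytes."""
    payload = len(message).to_bytes(2, "big") + message
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]  # MSB first
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for the message")
    stego = list(pixels)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the low bit, set it to ours
    return stego

def lsb_plane(pixels: List[int]) -> bytes:
    """Pack the LSB of every channel byte into bytes, MSB first.

    This is the lowest bit plane (zsteg's 'b1', a bit-plane view in stegsolve).
    """
    bits = [p & 1 for p in pixels]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - 7, 8))

def lsb_extract(pixels: List[int]) -> bytes:
    """Inverse of lsb_embed: read the 2-byte length, then that many bytes."""
    raw = lsb_plane(pixels)
    n = int.from_bytes(raw[:2], "big")
    return raw[2:2 + n]

# Constructed cover: 80 RGB pixels as a flat list of 240 channel values.
COVER = [(i * 37 + 11) % 256 for i in range(240)]

if __name__ == "__main__":
    stego = lsb_embed(COVER, b"flag{lsb}")
    print("LSB plane:", lsb_plane(stego)[:12].hex())
    print("recovered:", lsb_extract(stego))
```

Changing only the low bit moves each channel value by at most 1, which is why the picture looks unchanged and why tools inspect the bit plane rather than the image.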
File Carving
File carving is the basis of many classic forensics CTF challenges. It is the process of recovering files embedded inside other files, and believe me, this is the most frustrating job you could think of. If files are embedded several levels deep, it gets difficult to keep track of all the extracted files. To put it simply, it creates a colossal heap of junk images, and you may have to repeat all the previous steps on each one. This is not usually the case, but you may encounter it once in a while.
To detect embedded data in images (or other files) we can use the binwalk and foremost tools on Kali.
binwalk filename
To extract embedded files (if any) with binwalk:
binwalk --extract filename
Binwalk is great, but foremost is even greater, faster and simpler to use. Foremost automatically extracts embedded data out of files (if any), saves it in the present working directory under the name "output", and creates an audit file too.
foremost filename
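What binwalk and foremost do at the simplest level, as an added example (not from the original post and not their code): scan a byte buffer for known start signatures, cut each embedded file out up to its end marker, and save the results into an output directory. The host and the embedded files are constructed toy bytes, not valid images.

```python
from pathlib import Path
from typing import List, Tuple

# (format, start signature, end marker). Only formats with an unambiguous end
# marker are carved here; binwalk and foremost know many more and also parse
# length fields instead of trusting an end marker.
CARVERS = [
    ("png",  bytes.fromhex("89504E470D0A1A0A"), b"IEND" + bytes.fromhex("AE426082")),
    ("jpeg", bytes.fromhex("FFD8FF"),           bytes.fromhex("FFD9")),
]

def carve(data: bytes, skip_host: bool = True) -> List[Tuple[str, int, bytes]]:
    """Return (format, offset, payload) for each embedded file, sorted by offset.

    skip_host ignores a signature at offset 0, which is the outer file's own
    header (binwalk lists it as well, as the entry at offset 0).
    """
    found = []
    for name, start, end in CARVERS:
        pos = 0
        while (s := data.find(start, pos)) != -1:
            if s == 0 and skip_host:
                pos = 1
                continue
            e = data.find(end, s + len(start))
            if e == -1:
                break                       # truncated: no end marker after start
            found.append((name, s, data[s:e + len(end)]))
            pos = e + len(end)
    return sorted(found, key=lambda t: t[1])

def save_carved(found, outdir: str = "output") -> List[str]:
    """Write each payload to a file named by offset, like foremost's output dir."""
    out = Path(outdir)
    out.mkdir(exist_ok=True)
    names = []
    for name, offset, payload in found:
        p = out / f"{offset:08X}.{name}"
        p.write_bytes(payload)
        names.append(str(p))
    return names

# Constructed sample: a JPEG-looking host with a tiny PNG and a tiny JPEG
# inside it (toy bodies, not valid images).
EMBEDDED_PNG = bytes.fromhex("89504E470D0A1A0A00000000") + b"IEND" + bytes.fromhex("AE426082")
EMBEDDED_JPG = bytes.fromhex("FFD8FFE1") + b"secret" + bytes.fromhex("FFD9")
HOST = (bytes.fromhex("FFD8FFE0") + b"outer image bytes " + EMBEDDED_PNG
        + b" padding " + EMBEDDED_JPG + bytes.fromhex("FFD9"))
```

Calling carve(HOST) reports the PNG at offset 22 and the JPEG at offset 51; save_carved(carve(HOST)) then writes them out the way foremost fills its output directory.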
Adventure Time!!
If you have made it this far, congratulations. Now it is time to set off on an adventure! I've prepared three easy challenges for you to attempt and solve. All three challenges contain a flag, which you have to submit to me. To submit your flags, you can send me a message on Telegram or Twitter.
NOTE: Do not submit the flags in comments.
This marks the end of my practical image forensics guide. If you learnt something new and/or useful, share it with others and consider leaving a nice comment. Read the endnotes for some more useful resources, and keep learning, keep exploring.
EndNote
A big thank you to CyberPJ, for recommending some great tools and sharing his methodology.
- Use this site to detect basic steganography or file carving techniques on images.
Some more resources to continue learning:
Practice whatever you learnt from this article on picoctf gym.
If you found trouble following along, or want to give feedback on my writings, you can reach out to me on Twitter (might as well follow).
Nice bro, keep it up!