STRINGS: THE FIRST GLANCE

The strings command is often your first line of defense (or offense) when analyzing an unknown file. It extracts printable character sequences (usually ASCII or Unicode) from binary files, making it excellent for finding embedded text, URLs, copyright notices, hidden messages, or configuration data.

HOW IT WORKS:

strings scans the input file for sequences of characters that are at least 4 (by default) printable characters long and are terminated by a null character or newline.

BASIC USAGE:

$ strings cover_image.jpeg
JFIF
Exif
Photoshop 3.0
...
(C) Pexels
https://www.pexels.com/
...

In the output above, even from a simple JPEG, you can see human-readable metadata, copyright information, and URLs. In a CTF or forensic scenario, this can reveal flags, passwords, or clues.

FINDING SPECIFIC STRINGS:

$ strings binary_file | grep "password"
Password123
AdminPassword

OPTIONS:

-n <length>: Specify the minimum string length (default is 4).

-e <encoding>: Specify character encoding (s=s_byte, S=s_word, b=big_endian, l=little_endian, L=little_endian_long, B=big_endian_long).

HIDING ZIP IN IMAGE: THE CAT CONCATENATION

A remarkably simple and effective steganographic technique involves concatenating a ZIP archive to the end of an image file. Many image viewers will display the image correctly, completely ignoring the appended data. This works because image parsers generally stop reading the file once they encounter the "end of image" marker.

HOW IT WORKS:

The cat command (concatenate) is used to combine the bytes of two files. By placing the image first and the ZIP archive second, a new "polyglot" file is created that is both a valid image and a valid ZIP file.

EMBEDDING (WINDOWS & LINUX): First, ensure you have a cover image (e.g., cover_image.jpeg) and a secret ZIP file (e.g., secret.zip containing your hidden data).

# On Linux/macOS:
$ cat cover_image.jpeg secret.zip > stego_image.jpeg
 
# On Windows (using `copy` command, a little different):
> copy /b cover_image.jpeg + secret.zip stego_image.jpeg

Now, stego_image.jpeg will appear as a normal image, but it secretly contains secret.zip.

EXTRACTION (LINUX/WINDOWS): To extract the hidden ZIP, you can use binwalk (covered later) or simply try to open the file directly with an archive utility. Most modern ZIP extractors are smart enough to find the ZIP header even if it's at an offset.

# Using `unzip` (Linux/macOS - sometimes works directly):
$ unzip stego_image.jpeg

More robust extraction using binwalk (recommended for discovery): $ binwalk stego_image.jpeg # Output will show embedded ZIP archive. You can then extract it: $ binwalk -e stego_image.jpeg

This technique is effective for simple concealment, but tools specifically designed for steganography detection can often flag such files.

STEGHIDE: HIDING IN PLAIN SIGHT

Steghide is a popular command-line steganography program that can embed data into various image (JPEG, BMP) and audio (WAV, AU) files. It supports encryption of the embedded data, compression, and passphrase protection, making it more robust than simple concatenation.

KEY FEATURES:

Supports JPEG, BMP, WAV, AU formats.
Encrypts embedded data using algorithms like Rijndael (AES), DES, Triple DES,
etc.
Compresses data before embedding to maximize capacity.
Uses passphrase for extraction.

EMBEDDING DATA:

You'll need a cover file (e.g., cover_image.jpeg) and a secret file (e.g., secret.txt).

$ steghide embed -ef secret.txt -cf cover_image.jpeg -sf output.jpeg
Enter passphrase: [your_passphrase]
Enter passphrase again: [your_passphrase]
embedding "secret.txt" in "cover_image.jpeg"... done

-ef: Embed file (your secret).

-cf: Cover file (the image/audio to hide in).

-sf: Stego file (the output file with hidden data).

EXTRACTING DATA:

$ steghide extract -sf output.jpeg
Enter passphrase: [your_passphrase]
wrote extracted data to "secret.txt".

OTHER USEFUL COMMANDS:

steghide info output.jpeg: Displays information about embedded data (if any),
but won't extract without the passphrase.
steghide --help: For full list of options.

Steghide is widely used in CTFs due to its effectiveness and ease of use.

STEGSEEK: CRACKING THE CODE

Stegseek is a fast and efficient tool for detecting and cracking hidden data in JPEG files, particularly those created by other steganography tools like JSteg, JPHide, and OutGuess, or even Steghide itself. Its primary strength lies in its ability to perform brute-force passphrase cracking using wordlists.

HOW IT WORKS:

Stegseek works by analyzing the JPEG image for signs of embedded data and then attempting to extract that data using a provided wordlist to guess the passphrase. It's optimized for speed, making it suitable for large-scale dictionary attacks.

BASIC USAGE:

You'll need a stego-image (e.g., output.jpeg from Steghide) and a wordlist (e.g., commonly found in /usr/share/wordlists/ on Kali Linux).

$ stegseek output.jpeg /usr/share/wordlists/rockyou.txt
[INFO] Trying password: 'password'
[INFO] Trying password: '123456'
...
[+] Found password: 'your_passphrase'
[+] Data extracted to 'output.jpeg.extracted.txt'

Stegseek will try each word in the wordlist as a passphrase. If successful, it will extract the hidden file and save it.

OPTIONS:

-f: Force overwrite output file.

-t <seconds>: Set timeout for each password attempt.

This tool is indispensable when you suspect data is hidden in a JPEG and a passphrase is required.

STEGSOLVE: THE VISUAL ANALYZER

Stegsolve.jar is a powerful Java-based GUI tool for visualizing and analyzing steganography in images. It's not for embedding, but for identifying hidden data by manipulating image planes, colors, and applying various filters. It's a go-to tool for image steganography challenges in CTFs.

KEY FEATURES:

Color Planes: View individual color channels (Red, Green, Blue, Alpha).

Bit Planes: Isolate and view specific bit planes (e.g., Red 0, Green 1, Blue 2). This is crucial for LSB detection. Image Combiner: Combine two images in various ways to reveal differences. Frame Browser: Analyze animated GIFs frame by frame. Data Extract: Extract raw data from different planes. Difference View: Highlight differences between subsequent planes.

USAGE OVERVIEW:

To use Stegsolve, run it via Java:

$ java -jar Stegsolve.jar

Once open, load an image. You'll see a panel with various "Analyzer" options. Clicking through these options (especially the "Colour Invert", "Red", "Green", "Blue", and then the "0 Plane", "1 Plane", etc.) will show you different visualizations of the image data. Hidden messages often appear as distinct patterns or text when specific bit planes are isolated.

The "Bit Plane" options are particularly important for LSB steganography. By cycling through "Red 0", "Green 0", "Blue 0" (the least significant bit planes of each color channel), you can often spot anomalies or hidden images embedded using LSB.

LSB STEGANOGRAPHY: THE BIT-LEVEL SECRET

Least Significant Bit (LSB) steganography is one of the most common and conceptually simple methods for hiding data in digital media, particularly images. It manipulates the imperceptible details of a file to embed information.

THE PRINCIPLE:

Digital images are made of pixels, each with color values (e.g., Red, Green, Blue components). In a 24-bit image, each component is an 8-bit value (0-255). The least significant bit of this 8-bit value contributes very little to the overall color, meaning a small change in this bit is often undetectable by the human eye.

Example: A pixel's red value is 10101010 (170 decimal). Changing its LSB to 1 makes it 10101011 (171 decimal). This is a tiny change. Changing its LSB to 0 keeps it 10101010 (170 decimal).

EMBEDDING PROCESS:

To embed a secret message, each bit of the message is sequentially inserted into the LSB of selected pixel color channels. For example, if we want to hide a 1, and the pixel's LSB is 0, we change it to 1. If it's already 1, we leave it. If we want to hide a 0, and the pixel's LSB is 1, we change it to 0. If it's already 0, we leave it.

# Pseudocode for embedding a single message_bit into a pixel_value
function embed_lsb(pixel_value, message_bit):
   # Clear the LSB of the pixel value
   pixel_value = (pixel_value & 0xFE) # 0xFE is 11111110 in binary
   # Set the LSB to the message_bit
   pixel_value = (pixel_value | message_bit)
   return pixel_value

EXTRACTION PROCESS:

Extraction is the reverse. Knowing which pixels and channels were used, the extractor simply reads the LSB of each relevant channel and concatenates these bits to reconstruct the message.

# Pseudocode for extracting a single message_bit from a pixel_value
function extract_lsb(pixel_value):
   return (pixel_value & 0x01) # 0x01 is 00000001 in binary

DETECTABILITY:

LSB steganography is vulnerable to lossy compression (like JPEG), as it will destroy the hidden bits. Statistical analysis can also detect LSB changes if they alter the expected distribution of color values.

POLYGLOTS: THE MULTI-FORMAT FILE

A polyglot file is a single file that is valid under more than one file format simultaneously. This sophisticated technique exploits how different file parsers identify and interpret file structures, allowing a single file to be seen as both a GIF and a JAR, or a JPEG and a ZIP, for instance.

HOW IT WORKS:

File formats are defined by specific byte sequences, often at the beginning (header) and sometimes at the end (footer). A polyglot is crafted so that its byte stream satisfies the header requirements of one format, while also containing valid structures (like a ZIP archive's central directory) for another format, without causing conflicts for either parser.

A common example involves embedding a ZIP archive (which can contain arbitrary data) within the comment or metadata section of an image file. Image parsers will stop at the image's End-Of-Image marker, ignoring the appended ZIP. A ZIP extractor, however, will scan for the ZIP header (which can appear at an offset) and extract its contents.

EXAMPLE: JPEG + ZIP POLYGLOT This is conceptually similar to the cat example from earlier, but a true polyglot is more carefully constructed to ensure valid headers and footers for both formats are present and properly interpreted.

Consider a file that starts with JPEG headers, then contains image data, and somewhere within its "comment" or "application" data sections, the structure of a ZIP file (including its central directory and end of central directory record) is embedded. The JPEG parser processes its part, and the ZIP parser finds its magic bytes elsewhere in the file.

# Conceptual Structure
+-------------------+
| JPEG Header       |
+-------------------+
| JPEG Image Data |
| (Optional: Some   |
| JPEG markers)     |
|                   |
| +-----------------+
| | ZIP Header      |
| +-----------------+
| | Zipped Data     |
| +-----------------+
| | ZIP End of Dir |
| +-----------------+
|                   |
| JPEG End-of-Image |
+-------------------+

This allows the file to be opened by an image viewer AND extracted by a ZIP utility. Polyglots are often used to bypass file type checks or to smuggle data.

PIXEL-BASED STEGANOGRAPHY: BEYOND LSB

While LSB is the most common pixel-based method, other techniques exist that manipulate pixel data in different ways to hide information. These often involve more complex algorithms to achieve higher capacity, better imperceptibility, or greater robustness against attacks.

COLOR PALETTE MANIPULATION (INDEXED COLOR IMAGES): For indexed color images (like GIF or some PNGs), where pixels don't directly store RGB values but rather an index into a color palette, steganography can involve subtly rearranging the palette entries or modifying the color values of "similar" colors in the palette. For example, two colors that look identical to the human eye but have slightly different RGB values can be used to encode a bit.

RANDOM PIXEL EMBEDDING:

Instead of sequentially embedding bits, some methods use pseudo-random number generators (seeded with a key) to select pixels for embedding. This makes detection harder as the changes are spread non-contiguously throughout the image.

IMAGE INTERPOLATION:

Data can be hidden by slightly adjusting pixel values such that when the image is scaled or interpolated (e.g., when resizing), certain patterns emerge or data becomes visible. This is more niche but demonstrates creative uses of image processing.

COVERT CHANNELS IN PIXEL DATA:

Advanced techniques might create "covert channels" by slightly altering pixel values to represent information in their statistical properties rather than direct bit replacement. For example, altering the noise characteristics in specific areas to embed data.

The core idea remains the same: leverage the redundancy or human perceptual limitations in image data to hide secrets. Understanding LSB is fundamental, and these methods often build upon similar principles with added layers of complexity.

BINWALK: THE FIRMWARE ARCHAEOLOGIST

binwalk is an incredibly powerful tool primarily designed for analyzing, reverse engineering, and extracting files from firmware images. However, its utility extends greatly to steganography, where it can be used to identify embedded files and data within various binary formats, including images.

HOW IT WORKS:

binwalk scans a given binary file for known file signatures (magic bytes) and filesystem headers. It has a massive database of these signatures, allowing it to quickly pinpoint where other files (ZIPs, JPEGs, PNGs, executables, etc.) might be hidden or concatenated within a larger file.

BASIC USAGE (SCANNING): Run binwalk against your suspicious file. It will output a list of identified signatures and their offsets.

$ binwalk stego_image.jpeg
DECIMAL       HEXADECIMAL       DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
123456         0x1E240          Zip archive data, at least v1.0 to extract, compressed siz
123600         0x1E2D0          End of Zip archive comment, length: 0

In this example, binwalk not only identifies the JPEG but also a hidden ZIP archive starting at offset 0x1E240.

EXTRACTING EMBEDDED FILES:

The -e (extract) option tells binwalk to attempt to extract any identified files. It will create a new directory (e.g., _stego_image.jpeg.extracted) containing the extracted files.

$ binwalk -e stego_image.jpeg
# This will create a directory like '_stego_image.jpeg.extracted'
# Inside, you might find files like '1E240.zip' which you can then unzip.

OTHER USEFUL OPTIONS:

-M: Enable entropy analysis, which can help spot unusual data patterns. -S: Perform a deep scan for more obscure signatures.

-y <module>: Only scan for signatures defined in a specific module.

binwalk is an indispensable tool for uncovering hidden data in complex files and firmware.

10. ZSTEG: LSB ANALYSIS FOR PNG/BMP

zsteg is a Ruby tool specifically designed for LSB (Least Significant Bit) steganography detection in PNG and BMP image files. It's highly effective at identifying various LSB encoding schemes and can often extract hidden data automatically.

KEY FEATURES:

Detects common LSB steganography methods.
Supports different bit orders (MSB, LSB first).
Analyzes various pixel channels (R, G, B, A, mixed).
Can often extract hidden data directly.

BASIC USAGE:

Simply run zsteg against your suspicious PNG or BMP file.

$ zsteg suspicious.png
[?] 105 x 105 image, 8-bit RGBA, PNG format
b1,r,lsb,buffered,msb: "...hidden_message_here..."
b4,g,lsb,unbuffered: "another_secret"

The output shows potential hidden data, along with the specific bit plane and channel where it was found (e.g., b1,r,lsb means 1st bit plane, Red channel, LSB order). zsteg tries many combinations, which makes it powerful.

EXTRACTING DATA:

If zsteg finds something interesting, it will often show a preview. To extract the full data, you can specify the identified bit stream.

$ zsteg -E "b1,r,lsb,buffered,msb" suspicious.png > extracted_data.txt

-E <bits>: Extract the specified bit stream.

--all: Try all known methods.

zsteg is an essential tool for any CTF involving PNG or BMP image steganography, particularly when LSB is suspected.

PNGCHECK: VALIDATING PNG INTEGRITY

pngcheck is a utility that checks PNG (Portable Network Graphics) and JNG (JPEG Network Graphics) files for integrity and can optionally print all chunk-level information. While not a steganography tool itself, it's invaluable for analysis because it can reveal suspicious or custom chunks that might hide data, or indicate file corruption due to manipulation.

HOW IT WORKS:

PNG files are structured as a series of "chunks," each with a specific type and data. pngcheck validates this structure. If a file has unknown, invalid, or unusual chunks, it can be a strong indicator of steganography or tampering.

BASIC USAGE:

$ pngcheck suspicious.png
File: suspicious.png (12345 bytes)
 chunk IHDR at offset 0x0000c, length 13
   100x100, 8-bit grayscale, non-interlaced

chunk IDAT at offset 0x00025, length 12000 chunk tEXt at offset 0x02ed9, length 25, keyword: Comment chunk ZIMG at offset 0x02efa, length 1000 (unknown private chunk) chunk IEND at offset 0x032eb, length 0 No errors detected in suspicious.png

In the example above, the line chunk ZIMG at offset 0x02efa, length 1000 (unknown private chunk) immediately flags a suspicious chunk named "ZIMG". Steganographers often create custom, unrecognized chunks to hide data.

DETECTING ANOMALIES:

Unknown Private Chunks: Any chunk not part of the official PNG specification
(e.g., "ZIMG", "hidd", "data") is highly suspicious.
Incorrect CRC: If pngcheck reports CRC errors, the file has likely been
tampered with.
Excessive Metadata: Unusual amounts of metadata in known chunks (like tEXt or
zTXt) can also be a hiding place.

Always run pngcheck on PNG files in steganography challenges to check for hidden chunks or integrity issues.

SSTV: SLOW-SCAN TELEVISION

Slow-Scan Television (SSTV) is a method for transmitting still images over radio. In the context of steganography and CTFs, you often encounter SSTV challenges where an audio file, when played, sounds like static or an unusual modem-like screech, but actually encodes an image.

HOW IT WORKS:

SSTV encodes an image by transmitting different frequencies to represent different colors or grayscale values, line by line, much slower than standard television. Each pixel or line of the image is translated into an audio tone of a specific frequency and duration. When this audio is "decoded" by an SSTV program, the original image is reconstructed.

IDENTIFYING SSTV AUDIO:

SSTV audio has a distinct sound: a series of chirps, beeps, and squawks that can last from a few seconds to several minutes. It's very different from normal voice or music.

DECODING TOOLS:

Common tools for decoding SSTV audio include:

QSSTV (Linux): A popular ham radio software for sending and receiving SSTV.
MMSSTV (Windows): Another widely used software.
Robot36 (Mobile App): An excellent mobile app for decoding SSTV directly from
your phone's microphone or audio output.

DECODING PROCESS (CONCEPTUAL): You typically feed the SSTV audio (either live from a radio, or from an audio file) into the input of an SSTV decoding software. The software then analyzes the frequencies over time and reconstructs the image pixel by pixel on its display.

             An image successfully decoded from an SSTV audio signal.

SSTV challenges require identifying the unique audio signature, then using the correct decoding software (and sometimes the correct SSTV mode, e.g., Scottie 1, Martin 1) to reveal the hidden image.

MORSE CODE: DOTS AND DASHES

Morse code is an old but enduring method of encoding text characters as sequences of short and long signals (dots and dashes). In steganography challenges, Morse code can be hidden in various forms, including audio, visual signals (flashing lights), or even subtle patterns in images.

HOW IT WORKS:

Each letter of the alphabet, number, and some punctuation marks have a unique sequence of dots (short signals) and dashes (long signals). Spaces separate letters, and longer pauses separate words.

Dot (•): Short duration
Dash (-): Three times the duration of a dot
Space between dots/dashes in a character: One dot duration
Space between characters: Three dot durations (one dash duration)
Space between words: Seven dot durations

IDENTIFYING MORSE CODE:

You might encounter Morse code as:

Audio: A series of beeps (dit-dahs) in an audio file. Visual: Flashing lights in a video, or patterns of pixels in an image (e.g., short lines vs. long lines). Text: A string like .... . .-.. .-.. ---.

DECODING TOOLS:

Online Decoders: Many websites can translate Morse code. Manual Decoding: With practice, one can decode Morse code by ear or by eye. Audio Spectrum Analyzers: Can sometimes visualize the dot/dash patterns in an audio spectrogram.

EXAMPLE:

.... . .-.. .-.. --- / .-- --- .-. .-.. -..

Decodes to: HELLO WORLD

Morse code challenges often require keen observation and knowledge of the standard sequences, or the use of appropriate decoding tools.

SPECTROGRAMS: UNVEILING HIDDEN AUDIO-VISUALS

We touched upon spectrograms briefly in the SSTV section, but they are a powerful forensic tool in their own right for uncovering hidden data within audio files. A spectrogram is a visual representation of the frequencies present in an audio signal over time.

HOW IT WORKS:

X-axis: Represents time. Y-axis: Represents frequency (lower frequencies at the bottom, higher at the top). Color/Intensity: Represents the amplitude (loudness) of that specific frequency at that specific time. Brighter or darker colors indicate louder or quieter sounds, respectively.

By manipulating the audio signal, steganographers can embed visual information directly into these frequency patterns. This often appears as distinct shapes, text, or QR codes that become visible only when viewing the spectrogram.

IDENTIFYING HIDDEN DATA:

Tools like Audacity, Sonic Visualiser, or online spectrogram viewers can generate these visualizations. Look for:

Unusual Patterns: Straight lines, blocks, or geometric shapes that don't
correspond to natural audio.
Text: Sometimes, hidden messages are simply spelled out in the spectrogram.
QR Codes/Barcodes: A common method for hiding flags or URLs.
Images: Entire (often low-resolution) images can be embedded.

When analyzing audio files in CTFs, always check their spectrogram. Adjusting the display settings (like window size, gain, or color scheme) in your spectrogram viewer can often make hidden data more apparent.

DTMF: MOBILE TONES AS DATA

Dual-Tone Multi-Frequency (DTMF) signaling is the method used by touch-tone telephones to dial numbers. Each digit (0-9) and symbols (*, #) corresponds to a unique combination of two distinct audio frequencies. In steganography or CTFs, an audio file might contain these tones, which, when decoded, reveal a hidden message or numerical sequence.

HOW IT WORKS:

The DTMF system uses a set of 8 distinct frequencies, arranged into two groups: a low-frequency group (697 Hz, 770 Hz, 852 Hz, 941 Hz) and a high-frequency group (1209 Hz, 1336 Hz, 1477 Hz, 1633 Hz).

When you press a key on a phone, it generates a unique tone that is a combination of one frequency from the low group and one from the high group. For example, pressing '1' generates 697 Hz + 1209 Hz. DTMF Frequencies Table: 1209 Hz 1336 Hz 1477 Hz 1633 Hz 697 Hz 1 2 3 A 770 Hz 4 5 6 B 852 Hz 7 8 9 C 941 Hz * 0 # D

IDENTIFYING DTMF:

DTMF audio sounds like distinct, short beeps or "boops." If you encounter an audio file with these characteristic telephone tones, it's a strong indicator of a DTMF challenge.

DECODING TOOLS:

Online DTMF Decoders: Many websites can analyze uploaded audio files or live
audio input for DTMF tones.
Audacity: Can visualize the frequencies in a spectrogram, making it easier to
manually identify the tones, or specialized plugins might exist.
Python Libraries: Libraries like dtmf-decoder can programmatically decode DTMF
tones from audio files.

EXAMPLE:

An audio file containing the sequence of tones for '4', '8', '1', '5', '*' could hide a password or a clue. Decoding these tones reveals the sequence.

DTMF challenges test your knowledge of this signaling system and your ability to use appropriate tools to extract the hidden numerical or symbolic sequence.

// END OF TRANSMISSION // © 2026 The Hidden Archive