Romero Lab 1 Part 1 - Steganography Lab - Steghide
Class: CYBR-405
Notes:
Q1
What command option allows for the file to be embedded?
Answer:
┌──(kali㉿kali)-[~/Downloads]
└─$ steghide embed -cf sailboat.jpg -ef secrets.txt -sf newimage.jpg
- It asks you for a passphrase, which will help you secure the message if anyone else tries to extract it.
- Options:
  - -cf is the option for the file to be encoded
  - -ef is the option for the file to be embedded
  - -sf is the option for the output file; if not specified it will overwrite the original
Q2
What image type is needed for steghide? And why?
(Note: You may need to research this outside of the lab)
Explanation:
steghide works with lossless image formats, primarily:
- JPEG (.jpg)
- BMP (.bmp)
(It can also work with some WAV and AU audio files.)
Why these formats are needed:
steghide hides data by embedding secret bits into the data structure of the file without noticeably changing the file’s appearance or sound.
- BMP images store raw pixel data, which allows steghide to directly modify the least significant bits (LSB) of pixel values to hide information.
- JPEG files use discrete cosine transform (DCT) compression, and steghide embeds data within the DCT coefficients of the compressed image.
These formats are suitable because their internal structure allows controlled modification of bits while keeping the image visually unchanged.
Lossy formats that are recompressed after modification could destroy the hidden data, which is why steganography tools rely on formats where the embedded information can remain stable.
Answer:
steghide requires formats such as BMP (.bmp) or JPEG (.jpg) because they allow data to be embedded into the image's internal structure (i.e. pixel bits) without visibly changing the image. These formats preserve the embedded data, making them suitable for steganography.
Q3
What does the 'apt' command do?
Explanation:
The apt command is used in Linux (mainly Debian-based systems like Ubuntu and Kali) to manage software packages.
It allows users to install, remove, update, and upgrade programs from software repositories.
Example: Install a package
sudo apt install steghide
Example: Update the list of available packages
sudo apt update
Example: Upgrade installed packages
sudo apt upgrade
Answer:
The apt command is a package management tool used to install, update, remove, and manage software packages from repositories on Debian-based Linux systems.
Q4
What does the '-xf' option for steghide do?
Explanation:
The -xf option in steghide is used to extract hidden data from a file.
Example:
steghide extract -sf newimage.jpg -p toor -xf recovery.txt
- extract → tells steghide you want to retrieve hidden data
- -sf → specifies the stego file (the file containing the hidden data)
- -p → is the passphrase option
- -xf → specifies the name of the file to extract the hidden data into. It is which .txt file to write the message to (it will create one if the file doesn't exist). It extracts the message and puts it in the file.
So, -xf defines the output file where the extracted hidden data will be saved.
Answer:
The -xf option tells steghide the filename where the extracted hidden data should be saved when recovering hidden information from a stego file (it will create one if the file doesn’t exist).
Q5
When the new .jpg file is created, there is a message that is in it. Therefore the size of the file increases. What is the size of the original image file and the new one?
How to check the size of a file?
ls -lh original.jpg newimage.jpg
- ls lists files
- -l shows detailed information
- -h shows file sizes in human-readable format (KB, MB)
Example output:
-rw-r--r-- 1 user user 512K Mar 10 14:10 original.jpg
-rw-r--r-- 1 user user 528K Mar 10 14:12 newimage.jpg
Answer:
In order to check the size of the two files I ran:
ls -lh sailboat.jpg newimage.jpg
This shows:
-rw-rw-r-- 1 kali kali 352K Mar 4 09:47 newimage.jpg
-rw-r--r-- 1 kali kali 354K Mar 4 09:40 sailboat.jpg
Where sailboat.jpg is the original image with size 354K and newimage.jpg is the image with the secret embedded with size 352K.
In this case the size of the stego file is actually 2K smaller than the original. This is normal because JPEG images use lossy compression, and when steghide embeds the hidden data it recompresses the image. Because of this, the resulting file can sometimes be slightly smaller or larger than the original file.
Q6
Go to the following url https://pinetools.com/image-histogram which is a histogram tool. One of the ways to detect steganography, if you have the original image, is that the message actually will change the colors slightly. You will need to have two windows open for this. In the first window, use the original image and generate a histogram. In the second window, do the same thing and send in screenshots comparing the differences between them.
NOTE: You may not see any differences at all! Why? Because your secret message text file is not that large, so it did not disrupt the LSB of the image file.
Explanation:
Using the file with the embedded secret: "This is a secret" yields basically no difference in the histogram from the original image:
[Screenshot: image-10.png]
Because I wanted to see some differences in the image histograms, I went ahead and repeated the lab, but now embedding a shrek.txt file that contains half the transcript of the Shrek movie.
[Screenshot: image-11.png]
These are the results:
[Screenshot: histogram-comparison.png]
oldsailboat_histogram.jpg (original): [Screenshot: image-13.png]
newsailboat_histogram.jpg (stego file): [Screenshot: image-14.png]
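As an added example (not part of the lab and not steghide's own code), the following Python toy walks through the two ideas above: writing a message into the least significant bits of raw pixel values as described in Q2, and comparing the histograms of the original and stego pixels as in Q6, so you can see why a short message barely moves the histogram. The cover pixels, the 4-byte length prefix and the sequential pixel order are my own constructions; steghide uses a passphrase-seeded pseudo-random order and, for JPEG, DCT coefficients rather than pixels.

```python
# Toy LSB embed/extract over constructed 8-bit grayscale pixels, plus a
# histogram comparison. Illustration only; not steghide's algorithm.
from collections import Counter
import random

def embed_lsb(pixels, message):
    """Return a copy of `pixels` with `message` written into their LSBs.
    A 4-byte big-endian length prefix tells extraction where to stop."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        # one pixel per bit: refuse when the cover is too small
        raise ValueError("message too large for cover")
    stego = list(pixels)
    for idx, bit in enumerate(bits):
        stego[idx] = (stego[idx] & 0xFE) | bit   # replace only the LSB
    return stego

def extract_lsb(pixels):
    """Read the length prefix, then that many message bytes, from the LSBs."""
    def read_bytes(start, count):
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def histogram_diff(original, stego):
    """Count the intensity bins whose pixel count differs between the two
    histograms; this is the number the Q6 comparison is looking at."""
    h0, h1 = Counter(original), Counter(stego)
    return sum(1 for v in range(256) if h0[v] != h1[v])

# Constructed cover: 4096 pseudo-random grayscale pixels (fixed seed).
rng = random.Random(405)
COVER = [rng.randrange(256) for _ in range(4096)]

if __name__ == "__main__":
    small = embed_lsb(COVER, b"This is a secret")
    print(extract_lsb(small))
    print("changed bins, short message:", histogram_diff(COVER, small))
    big = embed_lsb(COVER, bytes(rng.randrange(256) for _ in range(500)))
    print("changed bins, 500-byte message:", histogram_diff(COVER, big))
```

Running it shows that the short message touches only 160 of 4096 pixels, each by at most one intensity level, which is why the lab note says you may see no visible histogram difference; the larger payload spreads changes across far more bins.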