During last week I've found some interesting stuff on Steganography, well I wanna discuss about detection and not about Steganography, so please if yu're interested on this post read the wiki pedia definition linked above.
Well, right now I've seen lot of people who don't know anything about Steganography and how to detect it, I know there are lots of free software like StegoDetect that can easily detect if the current file has been compromised, but as usually I like touch by hand what happen inside the file. So during these days I've analyzed some file extension with and without Steganography.
Let me start with classics examples like .gif images.
This is a normal gif image without any items hidden.
And this one is the same picture with some plain text steganographed inside.
Human eyes can't see the difference between the two pictures, but the hexadecimal editor can !!! So if we try to open normal .gif images and the compromised one we can compare the differences and understand how it's possible detect Steganography inside GIF image.
And, yep we got it ! As you can see from the following pictures the first bytes are different !
This is first picture's hexadecimal view, and you can read "47 49 46 38" that's means "GIF" in ASCII way.
This is the second Pictures' s hexadecimal view, you can't see "GIF" bytes ...
Well, it's so easy to detect !!! Let me try with others pictures formats for instance with .jpg files. Apparently there are not similarity between a normal jpg pics and a compromised one, but if you study JPG header and body format you can discover that every JPG image ends with "FF D9" Bytes. So you if it's true we must find "FF D9" in the normal JPG and others stuff in the compromised image. De facto it's true. Safe JPG following:
Compromised JPG following:
PNG is another important image format, the PNG header is well known so should be easy detecting injections. It's still true, the difference in the header is impressive. Normal PNG format.
And Fake PNG header.
So here we are.. It's not so difficult understanding if an image has been compromised ! Some times some Steganographic software are more smart than others ones but it's difficult lying to hex editor. Anyway it's really different for MP3, exe and other stuff like that.