| name | steganography-techniques |
| description | Steganography detection and extraction playbook. Use when analyzing images (LSB, PNG chunks, JPEG DCT, EXIF), audio (spectrogram, DTMF), files (polyglots, appended data, ADS), and text (whitespace, zero-width, homoglyphs) for hidden data. |
SKILL: Steganography Techniques — Expert Analysis Playbook
AI LOAD INSTRUCTION: Expert steganography detection and extraction techniques. Covers image steganography (LSB, PNG chunk hiding, JPEG DCT, EXIF metadata, dimension tricks, palette manipulation), audio steganography (spectrogram, LSB, DTMF, morse), file steganography (polyglots, binwalk, NTFS ADS, steghide), and text steganography (whitespace, zero-width Unicode, homoglyphs). Base models miss the systematic file-type-based analysis approach and tool-specific extraction workflows.
0. RELATED ROUTING
Before going deep, consider loading:
Tool Reference
Also load STEGO_TOOLS_GUIDE.md when you need:
- Tool installation instructions and dependencies
- Detailed command reference for each stego tool
- Workflow patterns for specific file types
1. IMAGE STEGANOGRAPHY
LSB (Least Significant Bit)
LSB embeds data in the least significant bits of pixel color channels.
zsteg image.png
zsteg image.png -a
zsteg image.png -b 1
zsteg image.png -E "b1,rgb,lsb,xy"
java -jar StegSolve.jar
stegoveritas image.png
PNG Specific
pngcheck -v image.png
python3 -c "
import struct, zlib
with open('image.png','rb') as f:
data = f.read()
# Check IHDR CRC at offset 29
ihdr = data[12:29]
for h in range(1,2000):
for w in range(1,2000):
new_ihdr = struct.pack('>II',w,h) + ihdr[8:]
if zlib.crc32(b'IHDR'+new_ihdr) & 0xffffffff == struct.unpack('>I',data[29:33])[0]:
print(f'Width: {w}, Height: {h}')
"
JPEG Specific
steghide extract -sf image.jpg
steghide extract -sf image.jpg -p PASSWORD
steghide info image.jpg
stegcracker image.jpg wordlist.txt
jsteg reveal image.jpg output.txt
exiftool -v3 image.jpg
jpegdump image.jpg
EXIF Metadata
exiftool image.jpg
exiftool -b -ThumbnailImage image.jpg > thumb.jpg
exiftool -all= image.jpg
exiftool -Comment image.jpg
exiftool -UserComment image.jpg
strings image.jpg | grep -i "flag\|key\|secret"
Palette-Based (GIF)
gifsicle -I image.gif
gifsicle --color-info image.gif
2. AUDIO STEGANOGRAPHY
Spectrogram Analysis
sox audio.wav -n spectrogram -o spectro.png
Audio LSB
python3 WavSteg.py -r -i audio.wav -o output.txt -n 1
python3 WavSteg.py -r -i audio.wav -o output.txt -n 2
DTMF / Morse Code
multimon-ng -t wav -a DTMF audio.wav
qsstv
WAV Header Manipulation
python3 -c "
import wave
w = wave.open('audio.wav','rb')
print(f'Frames: {w.getnframes()}, Channels: {w.getnchannels()}, Width: {w.getsampwidth()}')
expected = w.getnframes() * w.getnchannels() * w.getsampwidth() + 44 # 44 = WAV header
import os
actual = os.path.getsize('audio.wav')
if actual > expected:
print(f'Extra data: {actual - expected} bytes appended')
"
3. FILE STEGANOGRAPHY
Polyglot Files
A single file that is valid in two or more formats simultaneously.
file suspicious_file
xxd suspicious_file | head
binwalk suspicious_file
unzip image.jpg -d extracted/
7z x image.jpg -oextracted/
Appended / Embedded Data
binwalk image.png
binwalk -e image.png
binwalk --dd='.*' image.png
foremost -i suspicious_file -o output_dir/
dd if=suspicious_file bs=1 skip=$((0x1234)) of=extracted.zip
NTFS Alternate Data Streams (ADS)
:: List ADS (Windows)
dir /r file.txt
Get-Item file.txt -Stream *
:: Read hidden stream
more < file.txt:hidden_stream
Get-Content file.txt -Stream hidden_stream
:: Create ADS (for testing)
echo "hidden data" > file.txt:secret
Steghide Brute Force
stegcracker image.jpg /usr/share/wordlists/rockyou.txt
stegseek image.jpg /usr/share/wordlists/rockyou.txt
4. TEXT STEGANOGRAPHY
Whitespace Encoding
stegsnow -C message.txt
stegsnow -C -p PASSWORD message.txt
cat -A file.txt | head
xxd file.txt | grep "09 20\|20 09"
Zero-Width Characters
python3 -c "
text = open('message.txt','r').read()
hidden = [c for c in text if ord(c) in [0x200b, 0x200c, 0x200d, 0xfeff]]
print(f'Found {len(hidden)} zero-width characters')
binary = ''.join('0' if ord(c)==0x200b else '1' for c in hidden)
# Convert binary to ASCII
"
Homoglyph Substitution
python3 -c "
text = open('message.txt','r').read()
for i, c in enumerate(text):
if ord(c) > 127:
print(f'Position {i}: char={c} ord={ord(c)} name={__import__(\"unicodedata\").name(c,\"?\")}')
"
5. DECISION TREE
Suspect hidden data — what file type?
│
├── Image (PNG/BMP)?
│ ├── Check metadata: exiftool (§1 EXIF)
│ ├── Check structure: pngcheck, binwalk (§1 PNG)
│ ├── LSB analysis: zsteg, StegSolve (§1 LSB)
│ ├── Check dimensions vs CRC: height/width brute force (§1 PNG)
│ ├── Check for appended data: binwalk -e (§3)
│ └── Try as polyglot: unzip/7z (§3)
│
├── Image (JPEG)?
│ ├── Check metadata: exiftool (§1 EXIF)
│ ├── Try steghide: steghide extract (§1 JPEG)
│ │ └── Password protected? → stegseek brute force (§3)
│ ├── Try jsteg: jsteg reveal (§1 JPEG)
│ ├── Check for appended data: binwalk -e (§3)
│ └── Check thumbnail: exiftool -b -ThumbnailImage (§1 EXIF)
│
├── Image (GIF)?
│ ├── Check frames: extract all animation frames (§1 Palette)
│ ├── Check palette: gifsicle --color-info (§1 Palette)
│ └── Check for appended data: binwalk -e (§3)
│
├── Audio (WAV/MP3/FLAC)?
│ ├── Spectrogram: Sonic Visualiser / Audacity (§2)
│ ├── LSB: WavSteg (§2)
│ ├── DTMF tones: multimon-ng (§2)
│ ├── Morse code: manual or decoder (§2)
│ ├── SSTV: qsstv (§2)
│ └── Check file size vs expected: header analysis (§2)
│
├── Text file?
│ ├── Check whitespace: cat -A, stegsnow (§4)
│ ├── Check zero-width chars: Unicode analysis (§4)
│ ├── Check homoglyphs: non-ASCII detection (§4)
│ └── Check encoding: multiple base decodings
│
├── Any file type?
│ ├── strings: strings -n 8 file | grep -i "flag\|key\|pass"
│ ├── binwalk: binwalk -e file (embedded files) (§3)
│ ├── file: file suspicious_file (true type)
│ ├── xxd: check magic bytes, compare headers
│ └── NTFS? → check ADS: dir /r (§3)
│
└── Password/passphrase needed?
├── steghide → stegseek / stegcracker (§3)
├── Check challenge description for hints
└── Try common passwords: password, file name, challenge name