Week 5 - Anti-Forensics Technique-2

Lab 3 - Image Steganalysis

Setup

  1. Start the Kali Linux virtual machine. If you don't have one, you can:

    1. (Recommended) Use the VM in your Cyberlab folder, or
    2. Download a Kali VM from here, then deploy it. Login credentials:
    • Username: kali
    • Password: kali
  2. Update your Kali Linux environment:

    sudo apt-get update
    sudo apt-get upgrade
    sudo apt-get dist-upgrade
    

Activity 1 - Hiding a Text File in an Image File

Note: You can use any image files for these exercises.

  1. Prepare Image File:

    • Copy an image (.jpg) file into your home directory (<filename1>.jpg).
      • You can drag and drop the file from Windows Explorer onto the VM desktop, then move it to the home directory.
  2. Create the Secret Message:

    • Create a .txt file (<filename>.txt) containing your secret message.
      echo "<message>" > <filename>.txt
      
  3. Verify the Contents of the Text File:

    cat <filename>.txt
    
  4. Create a Password-Protected ZIP Archive:

    • Archive the text file in a password-protected ZIP so the message is not stored in the clear, which makes it harder to detect.
      zip -P <password> <filename>.zip <filename>.txt
      
  5. Remove the Original Text File:

    rm <filename>.txt
    
  6. Combine the Image and ZIP File:

    • Use the cat command to merge the original image and the ZIP file into a new image.
      cat <filename1>.jpg <filename>.zip > <filename2>.jpg
      
  7. View the New Image:

    • Open the new image file with Firefox:
      firefox <filename2>.jpg
      
    • Can you see any indication that the image contains hidden data?
  8. Challenge:

    • If you want more of a challenge, exchange your <filename2>.jpg with someone else and try to discover their secret message.

Activity 2: Analysing the Hidden Data

  1. Using the strings Command:

    • The strings command will show all printable ASCII strings in a binary file.
      strings <filename2>.jpg
      
  2. Using stegdetect:

    • stegdetect attempts to determine which steganographic technique was used to hide information.
      • If stegdetect is not installed, run:
        sudo apt-get install stegdetect
        
      stegdetect <filename2>.jpg
      
  3. Using foremost for Forensic Analysis:

    • foremost scans a file (or device) for header and footer information and extracts any discovered files.

      • If foremost is not installed, run:
        sudo apt install foremost
        
      foremost <filename2>.jpg
      
    • foremost writes its results to a directory named output (created in the current directory), with one subdirectory per file type found. You should see one called jpg and another called zip.

      ls -al output
      
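Both the cat trick in Activity 1 and the header/footer scan foremost performs in step 3 come down to one observation: a well-formed JPEG ends with the End-Of-Image marker FF D9, and a ZIP archive begins with the local-file-header signature 50 4B 03 04 ("PK"). The following POSIX shell script is an added example, not the lab's own code and not part of foremost: it builds a constructed minimal JPEG and a constructed ZIP header stub, glues them together exactly as step 6 of Activity 1 does, and then reports where the markers sit and how many bytes follow the last EOI. The file names cover.jpg, payload.zip and stego.jpg are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the lab sheet. It repeats the lab's cat-append
# step on a constructed minimal JPEG and then detects the result the way a
# header/footer carver such as foremost does: by locating the JPEG
# End-Of-Image marker (FF D9) and the ZIP local-file-header signature
# (50 4B 03 04) at byte-aligned offsets. Only POSIX tools are used
# (printf, od, tr, awk, wc, cat), so it runs on Kali as-is.

# hex_dump FILE -> the file's bytes as one continuous lowercase hex string
hex_dump() {
    od -An -v -tx1 "$1" | tr -d ' \n'
}

# find_signature FILE HEXSIG -> byte offset of the first byte-aligned match of
# HEXSIG (lowercase hex, e.g. 504b0304), or -1 when it is absent
find_signature() {
    hex_dump "$1" | awk -v sig="$2" '
        { h = h $0 }
        END {
            pos = 1
            while ((k = index(substr(h, pos), sig)) > 0) {
                at = pos + k - 1            # 1-based position in the hex string
                if (at % 2 == 1) {          # odd position = starts on a byte boundary
                    print (at - 1) / 2
                    exit
                }
                pos = at + 1
            }
            print "-1"
        }'
}

# trailing_bytes FILE -> number of bytes after the LAST FF D9 marker: 0 for a
# clean JPEG, the size of the appendage when something was glued on with cat,
# -1 if no marker exists (the file is not a JPEG at all)
trailing_bytes() {
    size=$(wc -c < "$1")
    last=$(hex_dump "$1" | awk '
        { h = h $0 }
        END {
            at = -1
            for (i = 1; i <= length(h) - 3; i += 2)
                if (substr(h, i, 4) == "ffd9") at = (i - 1) / 2
            print at
        }')
    [ "$last" -ge 0 ] || { printf '%s\n' -1; return 1; }
    echo $((size - last - 2))
}

# build_sample DIR -> writes three constructed files: cover.jpg (SOI, one APP0
# segment, EOI: structurally a JPEG but not a picture), payload.zip (only the
# first bytes of a ZIP local file header) and stego.jpg, their concatenation
build_sample() {
    dir=$1
    printf '\377\330\377\340\000\020JFIF\000\001\001\000\000\001\000\001\000\000\377\331' > "$dir/cover.jpg"
    printf 'PK\003\004\024\000\000\000\010\000secret.txt' > "$dir/payload.zip"
    cat "$dir/cover.jpg" "$dir/payload.zip" > "$dir/stego.jpg"
}

# Stand-alone use: sh check_jpeg.sh <image.jpg>   (check_jpeg.sh is a hypothetical name)
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    printf 'EOI marker at byte %s, ZIP header at byte %s, %s byte(s) after the last EOI\n' \
        "$(find_signature "$1" ffd9)" "$(find_signature "$1" 504b0304)" "$(trailing_bytes "$1")"
fi
```

find_signature accepts any hex signature, so the same function locates a PNG's IEND chunk (49454e44ae426082) when you repeat the exercise with .png files in Challenge 2; the image viewer stops at the end marker, which is why the picture looks untouched in Firefox. One caveat: a JPEG with an EXIF thumbnail carries a second FF D9 inside its APP1 segment, which is why trailing_bytes measures from the last marker rather than the first, and an appended payload that happens to contain FF D9 itself would be undercounted, so treat a non-zero result as a lead to carve with foremost or binwalk, not as an exact payload size.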
  4. Explore the ZIP File:

    • View the contents of the zip directory:
      ls -la output/zip
      
  5. Crack the ZIP File Password:

    • Make a note of the ZIP file name (<zipfilename>.zip). Since the ZIP file is password-protected, you'll need to crack the password.
      • If fcrackzip is not installed, run:
        sudo apt install fcrackzip
        
      • Use fcrackzip in dictionary mode (-D) with the rockyou wordlist to crack the password (on a fresh Kali install the wordlist is shipped compressed as rockyou.txt.gz and must be decompressed with gunzip first):
        fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt output/zip/<zipfilename>.zip
        
  6. Extract the ZIP File:

    • Using the cracked password, unzip the file:
      unzip -P <password> output/zip/<zipfilename>.zip
      
  7. View the Contents of the Text File:

    • Check the contents of the extracted text file. It should be exactly the same as when it was originally created.
      cat <filename>.txt
      

Activity 3: Challenges to Enhance Your Skills

  1. Challenge 1: Detecting Modified Files

    • Objective: Use forensic tools to detect if an image file has been modified by hiding data.
    • Instructions: After hiding a file within the image using the cat command, try using tools like binwalk or exiftool to detect any anomalies or embedded data within the image.
      • If binwalk is not installed, run:
        sudo apt-get install binwalk
        
      • If exiftool is not installed, run:
        sudo apt-get install libimage-exiftool-perl
        
      binwalk <filename2>.jpg
      exiftool <filename2>.jpg
      
    • Goal: Can you detect the hidden data or notice unusual file signatures in the metadata?
  2. Challenge 2: Extract Data from a Different Image Format

    • Objective: Explore the effect of using different image formats on the steganography process.
    • Instructions: Repeat the process of hiding and extracting data, but this time, use a different image format like .png or .bmp. Compare how easily the hidden message can be detected and extracted from these different formats.
    • Goal: Can you see any difference in detection between .jpg, .png, and .bmp images?
  3. Challenge 3: Cracking Multiple Passwords

    • Objective: Practice cracking multiple password-protected files.
    • Instructions: Create several password-protected ZIP files, each with a different password, and hide them in the same image. Use fcrackzip to crack the passwords.
      fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt output/zip/<zipfilename1>.zip
      fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt output/zip/<zipfilename2>.zip
      
    • Goal: How efficiently can you crack multiple passwords? What strategies can you use to manage multiple password cracks?
  4. Challenge 4: Blind Extraction

    • Objective: Extract hidden data from an unknown image file without knowing how the data is hidden.
    • Instructions: Receive a .jpg file from a colleague that contains a hidden text file (but you don't know the method used to hide it). Use tools like binwalk, steghide, and zsteg to try to extract the hidden data. Note that steghide extract prompts for the passphrase the embedder used, and that zsteg analyses PNG and BMP images only, so it will report nothing for a genuine JPEG.
      • If steghide is not installed, run:
        sudo apt-get install steghide
        
      • zsteg is distributed as a Ruby gem rather than an apt package; if it is not installed, run:
        sudo gem install zsteg
        
      binwalk <received_filename>.jpg
      steghide extract -sf <received_filename>.jpg
      zsteg <received_filename>.jpg
      
    • Goal: Can you successfully extract the hidden file? This simulates a forensic investigation where you don't know the technique used to hide the data.
  5. Challenge 5: Encoding Text Using Different Methods

    • Objective: Experiment with different encoding methods to hide text in the image.
    • Instructions: Before hiding your text file, encode it using Base64 or hexadecimal encoding.
      echo "<message>" | base64 > <filename_base64>.txt
      echo "<message>" | xxd -p > <filename_hex>.txt
      
      Now hide the encoded file in the image as you did previously.
    • Goal: When extracting, decode the text to retrieve the original message. Try different encoding methods to observe how they affect the hiding and extraction process.
  6. Challenge 6: Hiding Files in Audio or Video Files

    • Objective: Expand the concept of hiding files to audio or video files.
    • Instructions: Try using audio (WAV) or video (MP4) files to hide data. You can use similar techniques like cat to append the ZIP file into the media file.
      • If ffmpeg is not installed, run:
        sudo apt-get install ffmpeg
        
      cat <filename1>.wav <filename>.zip > <filename2>.wav
      cat <filename1>.mp4 <filename>.zip > <filename2>.mp4
      
    • Goal: Can you successfully hide and extract files from audio or video? Use tools like binwalk or ffmpeg to help analyse the files.
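For the WAV half of this challenge, the giveaway is a size field rather than an end marker: a RIFF/WAVE file starts with "RIFF", a 32-bit little-endian size and "WAVE", and the size field counts every byte after the first 8, so for an untouched file size_field + 8 equals the length on disk. The script below is an added example, not the lab's own code: it constructs a 48-byte silent PCM WAV, appends a constructed ZIP header stub with cat as the challenge does, and then compares the declared size with the real one. The names cover.wav, payload.zip and stego.wav are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not the lab sheet's own code. A RIFF/WAVE file begins with
# "RIFF", a 32-bit little-endian size, then "WAVE"; the size field counts every
# byte after the first 8. For an untouched file, size_field + 8 equals the
# length on disk, so anything appended with cat shows up as surplus bytes.
# Only POSIX tools are used (od, tr, awk, wc, printf, cat).

# riff_declared_size FILE -> the size field from bytes 4..7, or -1 (and a
# non-zero status) when the file does not start with "RIFF"
riff_declared_size() {
    hdr=$(od -An -v -tx1 -N 8 "$1" | tr -d ' \n')
    case $hdr in
        52494646????????) ;;                      # "RIFF" followed by 4 size bytes
        *) printf '%s\n' -1; return 1 ;;
    esac
    printf '%s' "$hdr" | awk '{
        v = 0
        for (i = 7; i >= 4; i--) {                # little-endian: byte 7 is most significant
            hi = index("0123456789abcdef", substr($0, 2 * i + 1, 1)) - 1
            lo = index("0123456789abcdef", substr($0, 2 * i + 2, 1)) - 1
            v = v * 256 + hi * 16 + lo
        }
        print v
    }'
}

# appended_bytes FILE -> on-disk length minus (declared size + 8): 0 for a
# clean file, positive when data was appended, -1 if the file is not RIFF
appended_bytes() {
    declared=$(riff_declared_size "$1") || { printf '%s\n' -1; return 1; }
    actual=$(wc -c < "$1")
    echo $((actual - declared - 8))
}

# build_sample DIR -> constructed cover.wav (48-byte PCM file: 8 kHz, mono,
# 8-bit, four samples of silence), payload.zip (first bytes of a ZIP local
# file header) and stego.wav (the two concatenated, as in the challenge)
build_sample() {
    dir=$1
    printf 'RIFF\050\000\000\000WAVEfmt \020\000\000\000\001\000\001\000\100\037\000\000\100\037\000\000\001\000\010\000data\004\000\000\000\200\200\200\200' > "$dir/cover.wav"
    printf 'PK\003\004\024\000\000\000\010\000secret.txt' > "$dir/payload.zip"
    cat "$dir/cover.wav" "$dir/payload.zip" > "$dir/stego.wav"
}

# Stand-alone use: sh check_wav.sh <audio.wav>   (check_wav.sh is a hypothetical name)
if [ "$#" -eq 1 ] && [ -f "$1" ]; then
    printf 'declared RIFF size %s, %s surplus byte(s) after the RIFF chunk\n' \
        "$(riff_declared_size "$1")" "$(appended_bytes "$1")"
fi
```

A mismatch is evidence, not proof: some encoders write a placeholder RIFF size when streaming, and a size field can be patched after appending, so pair this check with a signature scan (binwalk, or the FF D9 / "PK" check from Activity 2) before concluding anything. MP4 has no single size field; each top-level box carries its own length, so the equivalent check walks the boxes until the declared lengths are used up and flags whatever is left over.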

Best,

Ali Jaddoa

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Wednesday 11 February 2026 @ 11:12:30 | Commit: 3219b15