
Steghide (Linux)

Updated: Sep 29, 2023


Image showing Mona Lisa magnified.


What is Steghide?


Steghide is an anti-forensics (steganography) tool: it hides data inside an ordinary image or audio file, and the hidden data is also encrypted at rest.


The information is compressed, encrypted and password protected; the passphrase seeds a pseudo-random number generator that picks which pixels throughout the image will carry the data.


The resulting changes to the image are too small for the human eye to perceive.
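To make the pixel-selection idea concrete, here is an added Python illustration (not Steghide's actual algorithm, and not code from this post): a constructed 64x64 greyscale image is a flat list of 0-255 values, the passphrase seeds a PRNG that decides which pixels carry each bit, and each chosen pixel has only its least significant bit overwritten. Steghide additionally compresses and encrypts the payload and works on JPEG, BMP, WAV and AU files; this toy skips those steps so the mechanism stays visible. The names make_cover_image, pixel_order, embed, extract and max_pixel_change and the sample message are my own.

```python
"""Toy passphrase-seeded LSB steganography (illustration only, not steghide's
algorithm). The 'image' is a flat list of 8-bit greyscale values; the
passphrase seeds a PRNG that chooses which pixels carry each payload bit."""
import hashlib
import random

WIDTH, HEIGHT = 64, 64


def make_cover_image():
    """Constructed sample cover image: a smooth gradient, one int per pixel."""
    return [(x * 3 + y * 2) % 256 for y in range(HEIGHT) for x in range(WIDTH)]


def pixel_order(passphrase, n_pixels):
    """Deterministic pseudo-random visiting order derived from the passphrase.
    The same passphrase yields the same order, so the extractor can find the
    bits again; a different passphrase visits different pixels."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest()[:8], "big")
    order = list(range(n_pixels))
    random.Random(seed).shuffle(order)
    return order


def to_bits(data):
    """Big-endian bit list of a bytes object."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def embed(pixels, message, passphrase):
    """Return a copy of pixels with a 2-byte length header plus the message
    written into the least significant bit of PRNG-selected pixels."""
    payload = len(message).to_bytes(2, "big") + message
    bits = to_bits(payload)
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in cover image")
    stego = list(pixels)
    for pos, bit in zip(pixel_order(passphrase, len(pixels)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit  # touch only the lowest bit
    return stego


def extract(pixels, passphrase):
    """Read the bits back in the same pseudo-random order. Returns None when
    the length header read with this passphrase is not plausible, which is
    what usually happens with the wrong passphrase."""
    order = pixel_order(passphrase, len(pixels))
    lsb = [pixels[p] & 1 for p in order]
    length = int("".join(map(str, lsb[:16])), 2)
    if 16 + length * 8 > len(lsb):
        return None
    body = lsb[16:16 + length * 8]
    return bytes(int("".join(map(str, body[i:i + 8])), 2)
                 for i in range(0, len(body), 8))


def max_pixel_change(a, b):
    """Largest per-pixel difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    cover = make_cover_image()
    secret = b"meet at noon"  # constructed secret message
    stego = embed(cover, secret, "correct horse")
    print("pixels changed by at most", max_pixel_change(cover, stego))
    print("same passphrase  ->", extract(stego, "correct horse"))
    print("wrong passphrase ->", extract(stego, "wrong"))
```

The pixel array keeps its size and no pixel moves by more than one grey level, which is why looking at the two images side by side reveals nothing. Extracting with the wrong passphrase reads bits from the wrong pixels and yields garbage or nothing at all.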

Installation


In the terminal, type sudo apt install steghide -y, then type your user password.

The -y flag assumes the answer to any prompt is yes.


I already have Steghide installed so this is my output.

Steghide installation command.

Downloading our image


I have created a directory called steg to work out of.


The cURL command below downloads an image that I want to use to hide information in.


I can then output the image to an image file that I named and then open it to view it.

Using cURL to pull the image from the internet to our workspace.

The downloaded image ➡️

Image downloaded using cURL command.

Embedding secret message


Type nano secretmessage.txt to open a text editor and type in a secret message that you want to hide within the image.


Nano script containing secret message.

Here it is ➡️

Saved Nano script.

To embed the secret message into the image, type ➡️

steghide embed -cf <name_of_image_file> -ef <name_of_secret_message_file>

(-cf is the cover file and -ef the file to embed. Steghide then prompts for a passphrase; the same passphrase is needed later to extract the message.)

We can now delete the secret message file as it is stored inside our image.

Deleting the secret message file to hide our tracks.

We can send this image to anyone as long as they know the name of the image file.


Once we have this image, we can use Steghide again to extract the message from the image.


This is the image after the message was stored inside it. Virtually no difference to the original image ➡️


Image comparison after text hidden (original image vs. text hidden).
Image property comparison (original image vs. text hidden).

On the surface the images look identical; however, the sizes differ slightly, with the original image taking up 3,023 bytes less than the altered image.


Once the altered image has been sent to someone else and deleted from the desktop system, the sizes can no longer be compared.


Image size can also change for other reasons, such as resolution changes and editing, so size alone cannot be used to diagnose steganography.

Extracting secret message


To reveal the hidden text, use the command ➡️

steghide extract -sf <name_of_image_file>

Extracting the secret text using Steghide.

Now typing ls, we can see that the text file has been returned.

The text file has been extracted and returned to our workspace.

We can use nano to reveal the secret message.

Secret text retrieved.

Clearing tracks


To remove traces of the files and packages used while hiding the message, we can empty the logs that Linux keeps by default by writing a null value to them.


The commands must be executed as the root user, so we run sudo su and type in our admin password.


Navigate to the log directory by typing cd /var/log.


The dpkg.log file holds the package install, update and removal history. Using cat, we can see whether any entries are left behind.

Viewing install logs.

We can now assign a null value to the file, so that its contents are replaced with nothing and it is left empty.

Using null value to clear logs.
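Because the post relies on dpkg.log as the record of package installs, a defender wants a way to notice when that record has been emptied. The following added Python check (my own code, not from the post) compares the packages the dpkg status database reports as installed against the install events present in the log; constructed samples of both files are embedded so it runs offline. It assumes the dpkg.log line shape date time install package:arch old-version new-version and the Status: install ok installed field of /var/lib/dpkg/status; the function names and sample contents are mine.

```python
"""Defender-side check: does the dpkg install log still account for the
packages the dpkg status database says are installed? Constructed samples
are used so this runs offline; on a real host read /var/log/dpkg.log* and
/var/lib/dpkg/status instead."""
import re

# Constructed sample of /var/lib/dpkg/status (three stanzas, one removed package).
SAMPLE_STATUS = """\
Package: steghide
Status: install ok installed
Version: 0.5.1-15

Package: libmcrypt4
Status: install ok installed
Version: 2.5.8-7

Package: oldtool
Status: deinstall ok config-files
Version: 1.0
"""

# Constructed sample of /var/log/dpkg.log before it is emptied.
SAMPLE_LOG = """\
2023-09-29 10:15:01 startup archives unpack
2023-09-29 10:15:02 install libmcrypt4:amd64 <none> 2.5.8-7
2023-09-29 10:15:02 status installed libmcrypt4:amd64 2.5.8-7
2023-09-29 10:15:03 install steghide:amd64 <none> 0.5.1-15
2023-09-29 10:15:04 status installed steghide:amd64 0.5.1-15
"""

# "<date> <time> install <package>[:<arch>] <old> <new>"; the package name is group 1.
INSTALL_LINE = re.compile(r"^\S+ \S+ install (\S+?)(?::\S+)? ")


def installed_packages(status_text):
    """Package names whose status stanza says 'install ok installed'."""
    installed = set()
    for stanza in status_text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines() if ": " in line)
        if fields.get("Status") == "install ok installed":
            installed.add(fields["Package"])
    return installed


def logged_installs(log_text):
    """Package names that have an 'install' event in the log."""
    matches = (INSTALL_LINE.match(line) for line in log_text.splitlines())
    return {m.group(1) for m in matches if m}


def audit_dpkg_log(log_text, status_text):
    """Compare the two views and report what the log fails to explain."""
    installed = installed_packages(status_text)
    logged = logged_installs(log_text)
    log_empty = log_text.strip() == ""
    return {
        "log_empty": log_empty,
        "unlogged": sorted(installed - logged),
        # An empty log on a host that has packages installed is the strong signal.
        "suspicious": log_empty and bool(installed),
    }


if __name__ == "__main__":
    print("intact log :", audit_dpkg_log(SAMPLE_LOG, SAMPLE_STATUS))
    print("emptied log:", audit_dpkg_log("", SAMPLE_STATUS))
```

On a real host, concatenate /var/log/dpkg.log with its rotated siblings before comparing; packages installed before the oldest retained log would otherwise show up as unlogged for innocent reasons. A current log that is completely empty on a system with installed packages is the signal worth alerting on, and the same comparison can be repeated against /var/log/apt/history.log, which records apt activity separately.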
