Introduction
Steganography is the art and science of encoding hidden messages in such a
way that no one, apart from the sender and intended recipient, suspects the existence
of the message. Steganography includes the concealment of information within
computer files. In digital steganography, electronic communications may include
steganographic coding inside a transport layer, such as a document file, image file,
program or protocol. Media files are ideal for steganographic transmission because of their
large size. For example, a sender might start with an innocuous image file and adjust
the color of every 100th pixel to correspond to a letter in the alphabet, a change so
subtle that someone not specifically looking for it is unlikely to notice it.
In computer programming, the term magic number has multiple meanings, one of
which is a constant numerical or text value used to identify a file format or
protocol.
List of a few file extensions with their magic numbers
| File Type | Extension | Magic Number |
|---|---|---|
| Adobe Illustrator | | |
| Bitmap graphic | | 42 4D [BM] |
| Class File | | CA FE BA BE |
| JPEG graphic file | .jpg | FFD8 |
| JPEG 2000 graphic file | .jp2 | 0000000C6A5020200D0A [....jP..] |
| GIF graphic file | .gif | 47 49 46 38 [GIF89] |
| | .tif | 49 49 [II] |
| | .png | 89 50 4E 47 [.PNG] |
| | .psd | 38 42 50 53 [8BPS] |
| | .wmf | D7 CD C6 9A |
| | .mid | 4D 54 68 64 [MThd] |
| | .ico | 00 00 01 00 |
| | .mp3 | 49 44 33 [ID3] |
| | .avi | 52 49 46 46 [RIFF] |
| | .swf | 46 57 53 [FWS] |
| | .flv | 46 4C 56 [FLV] |
| | .mp4 | 00 00 00 18 66 74 79 70 6D 70 34 32 [....ftypmp42] |
| | .mov | 6D 6F 6F 76 [....moov] |
| | .wmv | 30 26 B2 75 8E 66 CF |
| | .wma | 30 26 B2 75 8E 66 CF |
| | .zip | 50 4B 03 04 [PK] |
| | .gz | 1F 8B 08 |
| | .tar | 75 73 74 61 72 |
| | .msi | D0 CF 11 E0 A1 B1 1A E1 |
| | .obj | 4C 01 |
| | .dll | 4D 5A [MZ] |
| | .cab | 4D 53 43 46 [MSCF] |
| | .exe | 4D 5A [MZ] |
| | .rar | 52 61 72 21 1A 07 00 [Rar!...] |
| | .sys | 4D 5A [MZ] |
| | .hlp | 3F 5F 03 00 [? _..] |
| | .vmdk | 4B 44 4D 56 [KDMV] |
| | .pst | 21 42 44 4E 42 [!BDNB] |
| | .pdf | 25 50 44 46 [%PDF] |
| | .doc | D0 CF 11 E0 A1 B1 1A E1 |
| | .rtf | 7B 5C 72 74 66 31 [{\rtf1] |
| Excel Document | .xls | D0 CF 11 E0 A1 B1 1A E1 |
| PowerPoint Document | .ppt | D0 CF 11 E0 A1 B1 1A E1 |
| Visio Document | .vsd | D0 CF 11 E0 A1 B1 1A E1 |
| DOCX (Office 2010) | .docx | 50 4B 03 04 [PK] |
| XLSX (Office 2010) | .xlsx | 50 4B 03 04 [PK] |
| PPTX (Office 2010) | .pptx | 50 4B 03 04 [PK] |
| Microsoft Database | .mdb | 53 74 61 6E 64 61 72 64 20 4A 65 74 |
| PostScript File | .ps | 25 21 [%!] |
| Outlook Message File | .msg | D0 CF 11 E0 A1 B1 1A E1 |
| EPS File | .eps | 25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30 |
| | | 50 4B 03 04 14 00 08 00 08 00 |
| | | 4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65 |
| | | 78 9C |
<Figure 4>
Step 5
Now suppose that we don't know what is behind the file (Secret.jpg). We assume
that it is just a .jpg file, as its properties state, and start searching for the magic
number associated with JPEG in Hex Workshop. As we know, the magic number
for a .jpg file is FFD8, so let's search for it.
As we can see in the image below, after searching for the magic number FFD8
of a .jpg file, we did not get the desired result (see the mark on the right
side). We got only two dots (..), which clearly proves that
this is not a .jpg file.
<figure 5>
Step 6
Now that we know our file (Secret.jpg) is not really a .jpg file, we can look
through the dump (the right-hand side of Hex Workshop) by scrolling for different values or
extensions. For now I'll search for the .rar magic number in the search box, which is 52
61 72 21 1A 07 00.
<figure 6>
As you can see in the above image, as soon as we searched for the value 52 61 72 21 1A 07 00
we got our desired result, i.e. we found the string Rar!...
Step 7
From the above results we have confirmed that Secret.jpg is not actually a
.jpg file but a .rar file. So we'll try to open it in WinRAR and see what's inside the
Secret.jpg file.
<figure 7>
As you can see in the above image, after opening the Secret.jpg file with WinRAR
we found an .exe file stored in it.
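Steps 5 to 7 can also be done programmatically. The following is an added example, not part of the original document: it compares the magic number at offset 0 with the file extension, using signatures from the table above. It goes one step beyond the walkthrough by also reporting archive signatures found later in the file, which covers a RAR appended to a genuine JPEG. The function names, the sample bytes and the file name holiday.jpg are assumptions made for illustration.

```python
# Signatures taken from the magic-number table on this page.
MAGIC = {
    "jpg": bytes.fromhex("FFD8"),
    "png": bytes.fromhex("89504E47"),
    "gif": bytes.fromhex("47494638"),
    "pdf": bytes.fromhex("25504446"),
    "zip": bytes.fromhex("504B0304"),
    "rar": bytes.fromhex("526172211A0700"),
    "exe": bytes.fromhex("4D5A"),
}
# Two-byte signatures (FFD8, MZ) match by chance mid-file, so only long ones are scanned for.
EMBED_SCAN = ("rar", "zip", "pdf", "png")


def identify(data):
    """Return the type whose magic number sits at offset 0, or None."""
    for kind, sig in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(sig):
            return kind
    return None


def embedded(data):
    """Return sorted (offset, type) pairs for long signatures found after offset 0."""
    hits = []
    for kind in EMBED_SCAN:
        pos = data.find(MAGIC[kind], 1)
        while pos != -1:
            hits.append((pos, kind))
            pos = data.find(MAGIC[kind], pos + 1)
    return sorted(hits)


def check(name, data):
    """Compare the extension's claim with the header and list embedded signatures."""
    claimed = name.rsplit(".", 1)[-1].lower()
    claimed = "jpg" if claimed == "jpeg" else claimed
    actual = identify(data)
    return {"claimed": claimed, "actual": actual,
            "mismatch": actual != claimed, "embedded": embedded(data)}


# Constructed sample bytes (not real files): a renamed RAR, and a JPEG with a RAR appended.
RENAMED = bytes.fromhex("526172211A0700") + b"\x00" * 16
APPENDED = bytes.fromhex("FFD8FFE0") + b"\x00" * 12 + bytes.fromhex("FFD9") + RENAMED

if __name__ == "__main__":
    print(check("Secret.jpg", RENAMED))
    print(check("holiday.jpg", APPENDED))
```

A hit from `embedded` is only a lead: a four-byte pattern can occur by chance in compressed image data, so confirm it by opening the carved region with the matching tool.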
Conclusion
From the above scenario we can learn that things are not always what they seem. In our
scenario, Secret.jpg could be bound to a Trojan or any other kind of malicious file, or
could carry a secret message. Cyber criminals generally send such hidden messages
through different media such as images, videos and audio. We should always be cautious before
opening such files and should take necessary measures such as continuously
monitoring all ports and services. Antivirus/anti-malware software
should be updated regularly with the latest definitions. Also, if the actual size of a particular file seems
larger than is usual for its type, always scan the file before opening it. An MD5
checksum of files is also an important measure which should be followed to check the
integrity of the file. Steganography, especially combined with cryptography, is a powerful