
How to reveal the hidden code behind a Steganography with the help of magic numbers.
Introduction
Steganography is the art and science of encoding hidden messages in such a
way that no one, apart from the sender and intended recipient, suspects the existence
of the message. Steganography includes the concealment of information within
computer files. In digital steganography, electronic communications may include
steganographic coding inside of a transport layer, such as a document file, image file,
program or protocol. Media files are ideal for steganographic transmission because of their
large size. For example, a sender might start with an innocuous image file and adjust
the color of every 100th pixel to correspond to a letter in the alphabet, a change so
subtle that someone not specifically looking for it is unlikely to notice it.

In computer programming, the term magic number has multiple meanings, one of
which is a constant numerical or text value used to identify a file format or
protocol.
List of a few file extensions with their magic numbers

File Type                        Extension  Magic Number
Adobe Illustrator                .ai        25 50 44 46 [%PDF]
Bitmap graphic                   .bmp       42 4D [BM]
Class File                       .class     CA FE BA BE
JPEG graphic file                .jpg       FFD8
JPEG 2000 graphic file           .jp2       0000000C6A5020200D0A [....jP..]
GIF graphic file                 .gif       47 49 46 38 [GIF89]
TIF graphic file                 .tif       49 49 [II]
PNG graphic file                 .png       89 50 4E 47 [.PNG]
Photoshop Graphics               .psd       38 42 50 53 [8BPS]
Windows Meta File                .wmf       D7 CD C6 9A
MIDI file                        .mid       4D 54 68 64 [MThd]
Icon file                        .ico       00 00 01 00
MP3 file with ID3 identity tag   .mp3       49 44 33 [ID3]
AVI video file                   .avi       52 49 46 46 [RIFF]
Flash Shockwave                  .swf       46 57 53 [FWS]
Flash Video                      .flv       46 4C 56 [FLV]
Mpeg 4 video file                .mp4       00 00 00 18 66 74 79 70 6D 70 34 32 [....ftypmp42]
MOV video file                   .mov       6D 6F 6F 76 [....moov]
Windows Video file               .wmv       30 26 B2 75 8E 66 CF
Windows Audio file               .wma       30 26 B2 75 8E 66 CF
PKZip                            .zip       50 4B 03 04 [PK]
GZip                             .gz        1F 8B 08
Tar file                         .tar       75 73 74 61 72
Microsoft Installer              .msi       D0 CF 11 E0 A1 B1 1A E1
Object Code File                 .obj       4C 01
Dynamic Library                  .dll       4D 5A [MZ]
CAB Installer file               .cab       4D 53 43 46 [MSCF]
Executable file                  .exe       4D 5A [MZ]
RAR file                         .rar       52 61 72 21 1A 07 00 [Rar!...]
SYS file                         .sys       4D 5A [MZ]
Help file                        .hlp       3F 5F 03 00 [? _..]
VMWare Disk file                 .vmdk      4B 44 4D 56 [KDMV]
Outlook Post Office file         .pst       21 42 44 4E 42 [!BDNB]
PDF Document                     .pdf       25 50 44 46 [%PDF]
Word Document                    .doc       D0 CF 11 E0 A1 B1 1A E1
RTF Document                     .rtf       7B 5C 72 74 66 31 [{\rtf1]
Excel Document                   .xls       D0 CF 11 E0 A1 B1 1A E1
PowerPoint Document              .ppt       D0 CF 11 E0 A1 B1 1A E1
Visio Document                   .vsd       D0 CF 11 E0 A1 B1 1A E1
DOCX (Office 2010)               .docx      50 4B 03 04 [PK]
XLSX (Office 2010)               .xlsx      50 4B 03 04 [PK]
PPTX (Office 2010)               .pptx      50 4B 03 04 [PK]
Microsoft Database               .mdb       53 74 61 6E 64 61 72 64 20 4A 65 74
PostScript File                  .ps        25 21 [%!]
Outlook Message File             .msg       D0 CF 11 E0 A1 B1 1A E1
EPS File                         .eps       25 21 50 53 2D 41 64 6F 62 65 2D 33 2E 30 20 45 50 53 46 2D 33 20 30
Jar File                         .jar       50 4B 03 04 14 00 08 00 08 00
SLN File                         .sln       4D 69 63 72 6F 73 6F 66 74 20 56 69 73 75 61 6C 20 53 74 75 64 69 6F 20 53 6F 6C 75 74 69 6F 6E 20 46 69 6C 65
Zlib File                        .zlib      78 9C

Demo

For this demonstration I've bound a RAR file into a JPEG image.


Step 1
Select a JPEG file.
<figure 1>
Step 2
Select a RAR file.
<figure 2>
Step 3
Save the output file as filename.jpeg. Here, in our case, I've saved it as Secret.jpeg.
<figure 3>
Step 4
Open the Secret.jpeg file, which is our steganography file, in any hex editor program. In
our case I'll be using Hex Workshop.
<figure 4>
Step 5
Now suppose that we don't know what's behind the file (Secret.jpg), so we assume
that it is just a .jpg file, as stated in its properties, and start searching in Hex Workshop
for the magic number associated with JPEG. As we know, the magic number
for a .jpg file is FFD8, so let's search for it.
As we can see in the image below, after searching for the magic
number FFD8, which is for our .jpg file, we did not get the desired result (see the mark
on the right side): we got only two dots (..), which clearly proves that
this is not a .jpg file.
<figure 5>
Step 6
Now that we know our file (Secret.jpg) is not really a .jpg file, we can look through
the dump (the right-hand side of Hex Workshop) by scrolling, or search for the values of
other extensions. For now I'll search in the search box for the .rar magic number, which is
52 61 72 21 1A 07 00.
<figure 6>
As you can see in the above image, as soon as we searched for the value 52 61 72 21 1A 07 00
we got our desired result, i.e. we found Rar!...
Step 7
From the above results we have now confirmed that Secret.jpg is not actually a
.jpg file but a .rar file. So we'll try to open it in WinRAR and see what's inside the
Secret.jpg file.
<figure 7>
As you can see in the above image, after opening the Secret.jpg file with WinRAR
there was an .exe file stored in it.
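The manual hex-editor search in Steps 5 to 7 can be automated. The following is an added example, not part of the original demo or of any tool named here: it scans a buffer for signatures from the table above and reports every one found past the start of the file. The function names and the sample bytes are constructed for illustration, and the sample assumes the binder appends the archive after the image data.

```python
# Added example. Signatures are copied from the table on this page.
SIGNATURES = {
    "jpg": bytes.fromhex("FFD8"),
    "rar": bytes.fromhex("526172211A0700"),
    "zip": bytes.fromhex("504B0304"),
    "pdf": bytes.fromhex("25504446"),
    "exe": bytes.fromhex("4D5A"),
}

def header_type(data):
    """Name of the signature found at offset 0, or None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def find_signatures(data, min_len=4):
    """Return sorted (offset, name) pairs for every signature hit.

    Two-byte magics such as FFD8 or MZ turn up by chance inside
    compressed data, so signatures shorter than min_len only count
    at offset 0.
    """
    hits = []
    for name, magic in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            if pos == 0 or len(magic) >= min_len:
                hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def embedded_payloads(data):
    """Signatures past offset 0: candidates for a file hidden in the carrier."""
    return [(off, name) for off, name in find_signatures(data) if off > 0]

# Constructed sample (assumption: the binder appends the archive after the
# image data): a minimal JPEG-like header and end marker, then a RAR header.
SAMPLE = (bytes.fromhex("FFD8FFE0") + b"\x00\x10JFIF\x00" + b"\x11" * 32
          + bytes.fromhex("FFD9")
          + bytes.fromhex("526172211A0700") + b"\x22" * 16)

if __name__ == "__main__":
    print("header:", header_type(SAMPLE))
    for off, name in embedded_payloads(SAMPLE):
        print(f"embedded {name} signature at offset {off:#x}")
```

To check a real file, read it with open(path, "rb").read() and pass the bytes to embedded_payloads.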
Conclusion
From the above scenario we can see that things are not what they seem. In our
scenario the Secret.jpg could be bound with a Trojan, any kind of malicious file or any
secret message stored in it. Generally, cyber criminals send such hidden messages
through different media such as images, videos, audio etc. We should always be careful before
opening such files and should also take necessary measures like continuously
monitoring all the ports and services. Antivirus/anti-malware software should be updated
with the latest definitions on a regular basis. Also, if the actual size of a particular file seems to
be larger than its usual size, always scan such files before opening them. Taking the MD5
checksum of files is also an important measure which should be followed to check the
integrity of the file. Steganography, especially combined with cryptography, is a powerful
tool which enables people to communicate without possible eavesdroppers even
knowing there is a form of communication in the first place.
TOOLS Used to perform this demo:
1) Jpg File Binder
2) HEX Workshop
3) WinRAR
To study more about Steganalysis in detail you can refer to the following sites:
1. http://diit.sourceforge.net/
2. http://en.wikipedia.org/wiki/Steganalysis
Recommended Book
1. Handbook of Statistics: Data Mining and Data Visualization
