X-ways - Steganography tools

 Dimi
(@dimi)
Posts: 13
Active Member
Topic starter
 

Hello,

Can X-ways detect the use of steganography tools?

Can X-ways detect text files, zip files, other pictures in a picture when steganography tools are used?

Kind regards,

Dimi

 
Posted : 27/06/2018 5:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can X-ways detect the use of steganography tools?

Can X-ways detect text files, zip files, other pictures in a picture when steganography tools are used?

Well, depending on the OS and version you're examining, you can use any tool to pull out the info you need.

For example, was there a stego tool installed? Was a stego tool used on the system (i.e., check JumpLists, UserAssist, Prefetch if Win7, all that and AmCache/BAM key if Win10…)?

 
Posted : 28/06/2018 1:30 pm
 Dimi
(@dimi)
Posts: 13
Active Member
Topic starter
 

Hello all,

Sorry for my late response.

I'm investigating an image with Windows 10.
There is no steganography tool installed.
There might be a file (picture) downloaded with a zip file with cp files inside.

I'm using X-ways. I have done the RVS (Refine Volume Snapshot).

Can I be sure that X-ways has found the embedded zip file?

Kind regards

 
Posted : 30/06/2018 3:30 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Compressing something with zip has nothing to do with steganography or steganography tools.

Do a raw search on your image based on file header signatures of picture types, you might discover more than the results by the default search for pictures.

 
Posted : 30/06/2018 3:34 pm
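A raw header-signature check of the kind suggested above, applied to the OP's case of a picture that may carry a zip file (an added example, not code from any poster and not X-ways functionality). It only finds an archive stored in the clear inside or after the picture data, not content hidden by a steganographic encoding; the function names and the sample bytes are constructed for illustration.

```python
import io
import struct
import zipfile

ZIP_LOCAL = b"PK\x03\x04"                      # ZIP local file header magic
PICTURE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8")
KNOWN_METHODS = {0, 8, 9, 12, 14, 93, 95, 99}  # compression method ids in the ZIP spec

def plausible_zip_header(data, off):
    """Sanity-check the 30-byte local header to drop chance 'PK' matches."""
    if off + 30 > len(data):
        return False
    fields = struct.unpack_from("<4sHHHHHIIIHH", data, off)
    method, name_len, extra_len = fields[3], fields[9], fields[10]
    return (method in KNOWN_METHODS and 0 < name_len <= 512
            and off + 30 + name_len + extra_len <= len(data))

def embedded_zip_offsets(data):
    """Offsets of plausible ZIP local headers inside a file that starts as a picture."""
    if not data.startswith(PICTURE_MAGIC):
        return []
    hits, pos = [], data.find(ZIP_LOCAL, 1)
    while pos != -1:
        if plausible_zip_header(data, pos):
            hits.append(pos)
        pos = data.find(ZIP_LOCAL, pos + 1)
    return hits

def list_members(data):
    """Names in an archive carried by the file; zipfile tolerates leading non-ZIP bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.namelist()
    except zipfile.BadZipFile:
        return []

def build_sample():
    """Constructed input: 70 JPEG-like bytes followed by a one-member ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(zipfile.ZipInfo("note.txt", (2018, 6, 27, 0, 0, 0)), "constructed sample")
    return b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9" + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    print(embedded_zip_offsets(sample), list_members(sample))
```
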
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Compressing something with zip has nothing to do with steganography or steganography tools.

True, but what the OP said was, "There might be a file (picture) downloaded with a zip file with cp files inside."

 
Posted : 03/07/2018 12:54 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

There might be a file (picture) downloaded with a zip file with cp files inside.

Sure, there might be…there might be a lot of things.

What data do you have that points to a downloaded image file with a zipped archive of images stego'd inside it?

In the DF field, we can really get caught up in the "maybes" and "what ifs", to the point where we never actually finish anything.

Look at it this way…*if* a suspect downloaded an image file that has a zipped archive of images stego'd inside it, they would then need an application to access/retrieve the stego'd file, right? Otherwise, how would they access it?

Yes, opening a JPG file for viewing is easy. Opening a zipped archive is easy. But retrieving a zipped archive that is stego'd inside a JPG file is not, and requires a specialized application, one specific to the method of steganography used.

Also, something of a side thought…for an image file to have a zipped archive of images stego'd inside it, it's gonna have to be HUGE. (I know you just said the word "HUGE" in your best Donald Trump voice…)

 
Posted : 03/07/2018 1:02 am