Hex editor and hidi...
Clear all

Hex editor and hiding data

9 Posts
8 Users
Posts: 2
New Member
Topic starter


As you can tell I am new to this site and relatively new to forensics. I have taken a few classes and have just started to dig in )
If I post this in the wrong area, please let me know.
Here is my question
During one of my classes the professor challenged everyone in the class with breaking a code per say. He had a photo of an object (car) and said within this photo there is some data. He said he used a hex editor to insert the data and that a hex editor could solve- extract the data. I bit shifted and did several other things to no avail. Since the class is over and I am sure he is a member here (that still will not reveal how it is done), I am searching for any ideas. I have used FTK, Access Data, hxws and a few others with no luck. He has stated that the hex editor is all that is needed. Can anyone give me some clues to solving this? Please don’t ask for me to send the photo, I really want to learn how to break this, and really just looking for some guidance.

Bound and determined…

Posted : 24/01/2012 7:23 pm
Posts: 3578
Famed Member

Well, given the parameters of the problem, I'm a bit curious as to why you "bit shifted and did several other things to no avail".

That aside, I'd suggest that one way to start might be to run strings on the file (yes, I'm aware it's an image), and maybe even run an EXIF data extractor tool (EXIF-tool comes to mind), if the image file is a .jpg file, or any other image file type that retains such data.

My thinking is that if the instructor used a hex editor to "hide" the data, it might not be too terribly hard to find the data using…well…a hex editor. One doesn't "usually" stego a file using a hex editor…it's kind of time-intensive to do so.

So…run strings, extract EXIF data, open the file in a hex editor…let us know what you find.

Posted : 24/01/2012 7:57 pm
Posts: 934
Prominent Member

Most files have areas of padding that do not contain file data. This can be filled with a bit of text that will not 'upset' the file.

Your excercise is to use the hex editor and get used to looking at hex data. After 30 years you wll see lots of patterns and recognise what type of data is there. Make a start at looking at hex - ultimately you will not regret it and you will start learning a lot.

Tip, I would concentrate on the start or very end of the file

Posted : 24/01/2012 8:32 pm
Posts: 1144
Noble Member

During one of my classes the professor challenged everyone in the class with breaking a code per say. He had a photo of an object (car) and said within this photo there is some data. He said he used a hex editor to insert the data and that a hex editor could solve- extract the data.

Identify the image file format, find a formal description of that file format, and read that standard closely 'with your black hat on', i.e. in order to identify ways to misuse it, e.g. for hiding information. That will give you perhaps a dozen ideas of how it could have been done – now go check for each of them.

If this is any good, you'll find different text in *all* of them.

Posted : 24/01/2012 8:43 pm
Posts: 65
Trusted Member

Echoing everyone else here, it really depends on the format of the file. Since you're new to forensics and probably just now first encountering steganography I'm going to assume your professor is going easy on you and the image is a bitmap. If it is a bitmap then a change to any of the bytes in the main body of the file is only going to slightly change the colour of one of the pixels in the bitmap. Since you have probably already covered bits and bytes you might be able to go through the hex and look for a few bytes in a row that are a little out of place compared to the others around it.
Of course, your professor may have been very easy on you and just hidden the information in ASCII within the image- in which case it should stand out a mile!
If the file format is jpeg or gif, then you'll have to read up on their spec to find places you can hide data.

Posted : 24/01/2012 9:47 pm
Posts: 7
Active Member

Try FlexHex, it is a hex editor, you could probably open the image as a file on FlexHex. " The addresses are shown as hexadecimal numbers but if you point the mouse cursor to an address, the decimal value will appear in the Quick View popup window.
The next is the Hex pane, which displays the file contents as an array of hex bytes. The light green ANSI pane shows the file contents as characters (this is the one that will show you the added data), and the rightmost UNICODE pane shows two-byte UNICODE characters."

the Here is the website to download it


and this one tells you how to use it.


~Hope This Helps~

Posted : 25/01/2012 4:35 am
Posts: 2
New Member
Topic starter

Wow. overwhelmed at the level of support and ideas you "guys" have given. I will try this week as each have said and report back.

One clue he did give was "ASCII simple"… in class

The reason I was using bit shifting we had just completed that section in class and he made the comment "I expect one of you may break it" so I speculated that it had something to do with bit shifting.. It was just a guess based on his vague hints.

I asked him again the other day and only a few students have found the data..

Thanks again and I will try again based on the feedback. !!!!!

Give me a few days to work on these and I will report back.

Posted : 25/01/2012 6:19 am
Posts: 8
Active Member

To somewhat echo what Harlan has stated, I believe you're over-thinking this problem. If he's using a hex editor, it's most likely EXIF data or a sentence, such as, I hope you enjoyed this class.

Posted : 25/01/2012 6:22 am
Posts: 1442
Noble Member

To paraphrase IMHO a Forensic genius, eliminate first where it cannot be, and what remains, however impossible, where it is.

Remember an image file format is very specific and structured. for example, if this is a jpeg file, it contains segments, each beginning with a marker. Markers tell you the type of segment, and sometimes the length.

Remove the appropriate, and standard segments, and what you have left is the data you are looking for.

If this method does not work, then look at each segment and look for anomalies within the segments themselves.

Just an idea. mrgreen

Posted : 25/01/2012 11:05 pm
Share to...