
Embedded IIOC  

HanBrix
(@hanbrix)
New Member


I am currently dealing with a case of IIOC where they have been embedded into a number of .img files associated with the game Grand Theft Auto 4.

These .img files are not forensic image files but a file format used by game modders to create new maps and features "in game", as it were, similar to .iwd and .zz files within the Call Of Duty series of games.

The images are associated with the GTA IV "Episodes from Liberty City" mod. The images themselves can be carved out in the usual manner but will not possess any file names or relevant data as they will have been packed into the archive by whoever created / edited the mod.

I can only imagine that playing the game and running the mod allows access to the images in some way.

Anyhoo, I was wondering whether anyone else has stumbled across a similar "set up" or regular use of such a method to conceal such images?

TIA

Posted : 09/06/2015 6:11 pm
minime2k9
(@minime2k9)
Active Member

I have seen a couple of similar artefacts from investigations.

The first was a suspect who was deliberately putting picture/movie files into his Steam games folder and renaming them to an extension similar to other game files, although file signature analysis showed that they weren't the same.

The second was where a similar file had been allocated space on a disk but hadn't used it all, similar to a download from peer-to-peer in some cases. Then these images were effectively unallocated space but were recorded as being located in this file.

Not sure if what you have could be either of these cases, however if you think it's a mod that is accessible from the game, why not create a VM of the machine and run the game/mod?

If nothing else it's the best excuse to run GTA 4 at work )

Posted : 09/06/2015 7:49 pm
jaclaz
(@jaclaz)
Community Legend

Isn't that a "specific use" of more generic "image steganography"?

Are these .img "valid" files (i.e. can they be used in the game "normally" on a "normal" system running that game) or are they only a "meaningless container" (like a sandwich made out of a bunch of binary rubbish + the JPEG + some more binary rubbish) given the .img file extension?

I mean, if the JPEGs can be "carved out in the usual manner" (WHICH manner?) they are either "plain JPGs", possibly stripped of all metadata, or are compressed/encrypted/modified in some way that your carver recognizes, whilst usually such "hidden images" are "scattered" in the file (and a specific algorithm is needed to retrieve the relevant data).
As an example, LSB (least significant bits) are used:
http://thesai.org/Downloads/Volume4No10/Paper_4-Hiding_an_Image_inside_another_Image.pdf

and of course you need a large "container" to store a relatively small image.

jaclaz

Posted : 09/06/2015 7:58 pm
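As an added example (my code, not from any poster in this thread), the two forensic checks discussed above: minime2k9's file-signature-versus-extension comparison, and the plain SOI/EOI JPEG carve that jaclaz asks about, run over a constructed "sandwich" container. The sample bytes are constructed marker shells, not decodable images or real game data.

```python
from typing import Optional

# Magic bytes for common image formats, mapped to the extension they imply.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading bytes, or None if not an image."""
    for magic, ext in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the content is an image but the file name carries a different
    extension (e.g. a JPEG renamed to look like a game data file)."""
    actual = sniff_image_type(data)
    if actual is None:
        return False
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    aliases = {"jpg": {"jpg", "jpeg"}}.get(actual, {actual})
    return ext not in aliases

def carve_jpegs(container: bytes) -> list:
    """Carve every run from a JPEG SOI marker (FF D8 FF) to the next EOI (FF D9).
    Plain, contiguous JPEGs only: scattered or LSB-hidden data is not found this
    way, and an EXIF thumbnail (its own SOI/EOI inside APP1) can end a carve early."""
    found, pos = [], 0
    while True:
        start = container.find(b"\xff\xd8\xff", pos)
        if start < 0:
            return found
        end = container.find(b"\xff\xd9", start + 3)
        if end < 0:
            return found
        found.append(container[start:end + 2])
        pos = end + 2

# Constructed sample data (not real game files): two minimal JPEG marker shells
# padded with zero bytes, wrapped in filler that contains no JPEG markers.
JPEG_A = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
JPEG_B = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + b"\x00" * 24 + b"\xff\xd9"
FILLER = bytes(range(0x20, 0x60))
CONTAINER = FILLER + JPEG_A + FILLER * 3 + JPEG_B + FILLER

if __name__ == "__main__":
    print("texture.img mismatch:", extension_mismatch("texture.img", JPEG_A))
    print("vehicles.img mismatch:", extension_mismatch("vehicles.img", CONTAINER))
    print("carved sizes:", [len(j) for j in carve_jpegs(CONTAINER)])
```

Note that the container as a whole passes the signature check (it is not itself an image), which is why a renamed-file check alone misses a packed archive and carving is still needed.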
emeeuk
(@emeeuk)
New Member

Hi,

Are you dealing with the person suspected of creating this mod? If so, I would suggest looking for the project files used to create *.img in order to identify how the IIOC have been implemented into the game. From a little googling it would seem there are a few applications capable of modifying textures and models and a few which can handle overhauls; look for the presence of these and try to locate any associated project files.

It would appear most (certainly SparkIV) of these applications are also able to view the contents of *.img files for this game. Extracting the GTA4 game folder from the suspect's machine (or booting it from a VM) and addressing them using this application might provide you with some clues.

Failing these, a fresh install of GTA on your workstation, replace the stock *.img with your suspect's and have a play through (will make for an interesting overtime claim ))

HTH

Posted : 10/06/2015 6:53 pm
HanBrix
(@hanbrix)
New Member

Thanks for the replies folks.

The offender is not the original modder, merely a GTA IV user with an unhealthy penchant toward IIOC.

He has indeed downloaded the mod via Steam for use within the game and it appears to be a mod specifically made available as a way of distributing IIOC and attempting to hide the images.

Spark requires the original game to be installed in order to view the operation of the mod. I will be looking to do this with a VM if time permits.

Just for clarity, the images are held within some sort of archive with the .img extension which can only be accessed in the usual way (as opposed to forensic software) via the GTA game files.

As and when and if I get a result I'll let you know.

PS: Overtime? What's overtime?

Posted : 15/06/2015 6:29 pm
Chris_Ed
(@chris_ed)
Active Member

A few things, just to be clear:

First of all, are you aware that GTA IV has a fake 'internet' and as part of this it has a slightly suspect site called lacy surprise pageant? Is it possible your search found the images related to this?

Secondly, is this a mod specifically for GTAIV "Episodes From Liberty City"? Or is it in the data files for the actual "Episodes From Liberty City" game?

Finally, getting a DirectX-compatible video card to work on a VM will take some considerable tinkering - but good luck! And please document it if you get it working. )

Posted : 15/06/2015 9:19 pm
Belkasoft
(@belkasoft)
Active Member

I have not come across such cases prior to this, but I would probably try to import the folder with these files into a forensic tool and try carving for images.

Posted : 15/06/2015 9:30 pm
jaclaz
(@jaclaz)
Community Legend

The images are associated with the GTA IV "Episodes from Liberty City" mod. The images themselves can be carved out in the usual manner but will not possess any file names or relevant data as they will have been packed into the archive by whoever created / edited the mod.

Just for clarity, the images are held within some sort of archive with the .img extension which can only be accessed in the usual way (as opposed to forensic software) via the GTA game files.

Well, if the intent was adding clarity, you failed at it (at least for me).

I still cannot understand from your seemingly contrasting reports what format the images are in and how you carved or accessed them (or, more generally, WHAT (the heck) "the usual manner" or "the usual way" are, which is also "opposed to forensic software" 😯).

Maybe I am just having a dumb moment?

jaclaz

Posted : 16/06/2015 12:54 am