Looking for Hidden messages

(@juniper)
Posts: 37
Eminent Member
Topic starter
 

I have been given some work to find some hidden messages in 5 files. I have found 3 of them but am a little stumped in finding them on a ppm graphic image and in a document with 32 - bit floating point numbers. (Actually I have been sat in front of the screen for hours on end). 😯 😯

Any tips would be gratefully appreciated, as well as links to the types of software (freeware) I could use on a windows GUI. Also, a methodology would be nice.

Thanx in Advance

 
Posted : 07/11/2004 11:50 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Can you elaborate a little more on the task you have been given i.e. is it course work or a live investigation, etc – this will help establish where to begin. It sounds like part two of the EnCase EnCE exam. 🙂

Also do you mean - PPM = PBM Portable Pixelmap Graphic?

How did you find the three you already have? How were they hidden?

And what type of document i.e. an MS Word document, or something else?

The 32 bit floating point number sounds too vague, again can you clarify this as it doesn't mean anything to me (it might be a red herring designed to take your eye off the ball).

If this is some kind of Forensic Computing 'find the hidden data' test, then there are a number of things that spring to my mind straight away: -

Images:-

1. The images may have hidden messages created by the use of Steganography. There are a number of different software tools out there that will handle graphics that have been 'stegged'. You might need to find a password to get access to the data, and the password might be hidden elsewhere (like an interconnected puzzle). Try downloading Steganos at: http://www.steganos.com/ (there is a thirty day trial period). Install the software and point it at your image files.

2. Try looking at any meta data within the image file, there sometimes can be extra data there. Use ACDSEE to examine it. You can get a free trial download at: http://www.acdsystems.com/English/index.htm

3. Also try looking at the images with something a little more powerful such as paint shop pro or photoshop. The image might consist of layers, and there may be a hidden message layer in the image. You can download PSP free trial at: http://www.jasc.com/products/ ?

Documents:-

4. It's easy to write data on a plain document then format the font to 'white' and hey presto it's hidden. Sweep the whole document with your mouse so everything is highlighted (or hit Ctrl+A or Edit-Select All) and then change the font back to black. If there are many pages, make sure you scroll all the way to the bottom.

5. It's easy to import a graphic perhaps of some text into a document, then decrease its size down to zero, hey presto it's hidden. It might be disguised as a full stop. A little tricky to find in a lot of text. Try highlighting all your text and increasing the font size to 26 or above, then look at the full stops. They should be (if Times New Roman) round in shape. Any full stops that appear square will possibly be the shrunken images.

6. MS Word is a compound file structure (i.e. it has its own rudimentary file structure, a bit like FAT, and has its own OLE container slack), it also contains metadata, you may find hidden meaning in there. If it's a Word document try looking at 'file' then 'properties' for extra data.

7. If you do not have any COTS software such as EnCase or FTK, Smart - etc - you might want to look at the files using some hex editor (I prefer WinHex): again free trial download at: www.x-ways.net/winhex/index-m.html
You then can look at all the contents of the file. There might be hidden messages in the file slack area. Do you know what file slack is? (if not I will elaborate!).

8. Is there any text or messages already visible in the documents that might be encrypted?

9. I almost forgot, but it is possible to hide messages, data within alternative data streams. This is very tricky, and may need some tool to establish their presence. Try http://www.jsiinc.com/SUBF/TIP2800/rh2808.htm

Hope this is of help.

Andy

 
Posted : 08/11/2004 8:53 am
(@juniper)
Posts: 37
Eminent Member
Topic starter
 

Sorry for the late reply.

Great info. I am using WinHex at this moment in time - but I have not really got the hang of using it correctly.

It's part of an Assignment - One which is NOT marked, but a little taster of things to come. The rules are - simply find the Hidden messages, use ANY tool and research you see fit, record the methodology.

I used BINTEXT to find the first three.

PPM - They are graphics images.

 
Posted : 08/11/2004 8:43 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Any way you can post the files, so we can have a look at them?

 
Posted : 08/11/2004 10:37 pm
hogfly
(@hogfly)
Posts: 287
Reputable Member
 

I'd have to agree with Andy. We need a little more information. Hidden messages could be anything.
Depending on what the hidden message is…you could scour the files for concatenation. Generally, looking for extra file headers within images/files helps.
wotsit.org can help with file header/footer info.

get unxutils from unxutils.sf.net (bunch of nix commands ported to windows).
Try strings and grep..if the hidden message is text, these should help.

s-tools http://www.spychecker.com/program/stools.html is another util for stego.

to add on to what Andy has said about ADS..you can try:
lads http://www.heysoft.de/nt/ep-lads.htm

streams.exe http://www.sysinternals.com/ntw2k/source/misc.shtml#streams

or foundstones FTK: http://foundstone.com/resources/freetools/ForensicToolkit20.zip?PHPSESSID=34ab98c75fb8728e7c6c38170d876099

 
Posted : 09/11/2004 4:18 am
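The suggestions above about extra file headers and appended data apply directly to a PPM file, whose header is plain text and whose pixel payload has a known length. The following is an added example, not code from any poster in this thread: it parses a binary (P6) PPM header, reports any `#` comment lines (a place text can sit without affecting the picture), computes where the pixel data should end, and inspects anything appended after it for well-known file signatures. The sample image is constructed inline.

```python
import re

# Constructed sample: a 2x2 P6 image with a header comment and bytes appended
# after the declared pixel data (including a JPEG signature).
SAMPLE_PPM = (
    b"P6\n# author note: hello\n2 2\n255\n"
    + bytes([255, 0, 0, 0, 255, 0, 0, 0, 255, 255, 255, 255])
    + b"trailer text\xff\xd8\xff\xe0JFIF"
)

# Well-known magic bytes to look for in the trailing region.
MAGICS = {b"\xff\xd8\xff": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG",
          b"%PDF": "PDF", b"GIF8": "GIF", b"PK\x03\x04": "ZIP"}


def parse_ppm(data):
    """Parse a P6 header; return (width, height, maxval, comments, pixel_offset)."""
    if not data.startswith(b"P6"):
        raise ValueError("not a binary PPM (P6)")
    pos, fields, comments = 2, [], []
    while len(fields) < 3:
        while pos < len(data) and data[pos:pos + 1].isspace():
            pos += 1                       # skip whitespace between fields
        if data[pos:pos + 1] == b"#":      # comment runs to end of line
            end = data.find(b"\n", pos)
            end = len(data) if end == -1 else end
            comments.append(data[pos + 1:end].strip().decode("latin-1"))
            pos = end + 1
            continue
        m = re.match(rb"\d+", data[pos:])
        if not m:
            raise ValueError("malformed header")
        fields.append(int(m.group()))
        pos += m.end()
    pos += 1                               # single whitespace byte before pixels
    return fields[0], fields[1], fields[2], comments, pos


def inspect_ppm(data):
    """Report header comments, trailing bytes and any embedded file signatures."""
    w, h, maxval, comments, off = parse_ppm(data)
    bpp = 3 if maxval < 256 else 6         # 8- or 16-bit samples, 3 per pixel
    expected_end = off + w * h * bpp
    trailing = data[expected_end:]
    return {"comments": comments,
            "pixels_missing": max(0, expected_end - len(data)),
            "trailing_bytes": len(trailing), "trailing": trailing,
            "embedded_headers": [n for m, n in MAGICS.items() if m in trailing]}


if __name__ == "__main__":
    print(inspect_ppm(SAMPLE_PPM))
```

Run it against the real PPM files by replacing `SAMPLE_PPM` with the file's bytes; a non-empty `trailing` region or a header comment is where to start looking.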
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Andy,

Good catch on the NTFS alternate data streams ( http://patriot.net/~carvdawg/docs/dark_side.html ), but it's unlikely that this would be the case with what Juniper is working on. If he/she were simply handed 5 files (ie, via thumb drive, diskette, or HTTP/FTP download), then the ADSs would not be transferred. Anytime a file is copied to a non-NTFS file system, the ADSs are removed.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

 
Posted : 09/11/2004 6:13 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

Without more information my reply is a 'stab in the dark' as opposed to being definitive answers. We could do with knowing a little more (Juniper - you didn't say how you were presented with the files!).

Keydet89 your observation is correct, if the destination is non-NTFS the streams will be lost. ADS are just a 'possibility' and although I am not overly familiar with their intricacies, I do believe they survive being copied across a Windows (NTFS) LAN or from one hard drive to another as long as both file systems are NTFS - so I wouldn't discount it without the full facts.

Going back to the documents & images - Juniper, you might want to try looking at the cluster slack of each file; it’s another possibility that a message can be hidden there.

Ooops… I almost forgot another possibility - check the file extensions are correct. Do they all open correctly? They may have been altered to something else, a .jpg altered to a .txt file as a very basic example.

Andy

 
Posted : 09/11/2004 9:38 pm
Suomi
(@suomi)
Posts: 8
Active Member
 

Two quick, easy ideas (that you've probably already tried):

WinHex - Check out any messages put in the file slack

and

Stego tools - maybe it's encrypted in a message using steganography? As for free tools for that, try out www.e-evidence.info. They used to have a bunch of freebie tools listed for Stego.

Best of Luck!

 
Posted : 10/11/2004 3:16 am
(@juniper)
Posts: 37
Eminent Member
Topic starter
 

OK - Guys,

Forgive me for not being clearer, I am new to this so please bear with me. I would post the images on the discussion board but I am not sure how to do it. (Perhaps I can email them to one of you?) The 2 files that are giving me problems can only be viewed as images on a Unix desktop.

I think the messages are plain to see in amongst all the Hex codes, but can quite easily be missed by an untrained eye. Hence, my use of BINTEXT, this allows me to get rid of all superfluous info like - "£$%^&*@~[] and all I am left with are the letters and numbers.

I think I have found one of them but the words are jumbled; it's deciphering this that I am having trouble with. I do not think the messages have an encryption on them nor do I believe other types of software have been used to make the messages illegible.

I believe somebody has sat in front of the PC and manually played around with the Hex codes.

One of the suspect lines reads something like this:

Uhhhs!texu sintmd ce!e sx!ghodE nes hu riow!ho uhd!qhcture?

Or maybe I have it all wrong.

😕 😕 😕 😕

 
Posted : 10/11/2004 9:35 am
 Andy
(@andy)
Posts: 357
Reputable Member
 

That line of text looks like some kind of cipher or anagram. Hummmm……

 
Posted : 10/11/2004 10:44 am