How to Use the Command 'zsteg' (with examples)

The ‘zsteg’ command is a steganography detection tool that can be used to detect embedded data in PNG and BMP file formats. It has the ability to detect various steganographic techniques such as LSB steganography, ZLIB-compressed data, OpenStego, Camouflage, and LSB with the Eratosthenes set. This command is useful for security professionals and researchers who want to analyze images for hidden data.

Use case 1: Detect embedded data in a PNG

Code:

zsteg path/to/image.png

Motivation:

This use case is useful when you have a suspect PNG image and want to check if there is any hidden data within it. By running the command ‘zsteg path/to/image.png’, you can quickly analyze the image and detect any embedded data.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘path/to/image.png’: This is the path to the PNG image file you want to analyze.

Example output:

imagedata           .. file: JPEG image data, JFIF standard    .
b1,r,lsb,xy         .. text: "@/E0u/*r.95(fu9WYMU-06}#(C"        .
b1,g,lsb,xy         .. text: "Wa<pDN      @{U@sJL0aMR , zY.       .
b1,b,lsb,xy         .. text: "*h&]Dwxj   .4V:BF@wAu8  VoB;        .
b2,r,lsb,xy         .. text: ""w,-  /   XH3k!H2)wep6W\"#N         .
b2,g,lsb,xy         .. file: PXF picture data (none)             .

Use case 2: Detect embedded data in a BMP image, using all known methods

Code:

zsteg --all path/to/image.bmp

Motivation:

In this use case, you want to analyze a BMP image and want to make sure you are using all available detection methods to find any hidden data. By running the command ‘zsteg --all path/to/image.bmp’, you can be confident that you are exhausting all the possibilities of finding embedded data in the image.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘--all’: This argument instructs zsteg to use all known detection methods.
  • ‘path/to/image.bmp’: This is the path to the BMP image file you want to analyze.

Example output:

imagedata           .. text: "8h.&MoCTzXSOy\rstuvwxyz{|}~\220\243\242\243" .
b4,g,lsb,xy         .. text: "t>x|~\217|ovei" .
b4,g,msb,xy         .. text: "1p2toeFVh" .
b4,g,msb,yx         .. text: "\003@\003dOo6" .
b4,r,lsb,yx         .. text: "{|xwvutsr[QWVUTHGF<{" .
b4,b,lsb,xy         .. text: ">$w)`3pum+f69" .
bmp,rgb,lsb,xy      .. text: "~-+*)$%#!`" .

Use case 3: Detect embedded data in a PNG, iterating pixels vertically and using MSB first

Code:

zsteg --msb --order yx path/to/image.png

Motivation:

If you suspect that the embedded data in a PNG image is stored using vertical iteration and the most significant bit (MSB) first, this use case will allow you to confirm your suspicion. By running the command ‘zsteg --msb --order yx path/to/image.png’, you can analyze the image with the specified settings.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘--msb’: This argument instructs zsteg to consider the most significant bit first.
  • ‘--order yx’: This argument specifies that the pixels should be iterated vertically first and then horizontally.
  • ‘path/to/image.png’: This is the path to the PNG image file you want to analyze.

Example output:

b1,b,msb,yx         .. text: "123456" .
b2,b,msb,yx         .. text: "78}pd<w" .
b2,g,msb,yx         .. text: "_29-ze7" .
b2,r,msb,yx         .. text: "fx8si $" .
b3,b,msb,yx         .. text: "unto}" .
b3,g,msb,yx         .. text: "rsi**" .
b3,r,msb,yx         .. text: "(KESE" .
b4,b,msb,yx         .. text: "S{79<{~" .
b4,g,msb,yx         .. text: "324e><?" .
b4,r,msb,yx         .. text: "5=;*,." .
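
What pixel order and bit order change during extraction, as an added example (not zsteg's code and not from the original page): a constructed 8x8 image hides 8 bytes in the lowest bit of the blue channel, written column by column, and a scan over channel, pixel order and bit packing shows that only the matching combination yields readable text. All function names and the `high-bit-first`/`low-bit-first` labels are this example's own and are not claimed to match zsteg's internal lsb/msb convention.

```python
from itertools import product

W = H = 8  # constructed 8x8 image: 64 pixels carry 64 hidden bits (8 bytes)

def coords(order):
    """'xy' walks row by row; 'yx' walks column by column (vertical first)."""
    if order == "xy":
        return [(x, y) for y in range(H) for x in range(W)]
    return [(x, y) for x in range(W) for y in range(H)]

def to_bits(data, high_first):
    """Split bytes into bits, highest bit first or lowest bit first."""
    idx = range(7, -1, -1) if high_first else range(8)
    return [(byte >> i) & 1 for byte in data for i in idx]

def from_bits(bits, high_first):
    """Pack every 8 extracted bits back into one byte."""
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        chunk = bits[i:i + 8] if high_first else bits[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def make_sample(secret, channel, order, high_first):
    """Constructed cover (all channel values even) with `secret` placed in the
    lowest bit of one channel, so the scan has something to find."""
    img = {(x, y): [x * 32, y * 32, (x + y) * 16] for x, y in coords("xy")}
    for (x, y), bit in zip(coords(order), to_bits(secret, high_first)):
        img[(x, y)][channel] |= bit
    return img

def extract(img, channel, order, high_first):
    """Read the lowest bit of one channel in the given pixel order."""
    bits = [img[xy][channel] & 1 for xy in coords(order)]
    return from_bits(bits, high_first)

def scan(img):
    """Try every channel / pixel order / bit packing; keep printable results."""
    hits = {}
    for ch, order, high_first in product(range(3), ("xy", "yx"), (True, False)):
        data = extract(img, ch, order, high_first)
        if all(32 <= b < 127 for b in data):
            packing = "high" if high_first else "low"
            hits[f"{'rgb'[ch]},{order},{packing}-bit-first"] = data
    return hits

SECRET = b"hidden!!"  # constructed payload, 8 bytes
IMG = make_sample(SECRET, channel=2, order="yx", high_first=True)

if __name__ == "__main__":
    print("row-wise read of blue:", extract(IMG, 2, "xy", True))
    print("hits:", scan(IMG))
```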

Use case 4: Detect embedded data in a BMP image, specifying the bits to consider

Code:

zsteg --bits 1,2,3 path/to/image.bmp

Motivation:

Sometimes you may want to ignore certain bit planes when analyzing a BMP image for embedded data. This use case allows you to specify the bits you want to consider, so that you can focus your analysis on specific bit planes. By running the command ‘zsteg --bits 1,2,3 path/to/image.bmp’, you can customize your analysis according to your requirements.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘--bits 1,2,3’: This argument specifies the bits to be considered. Give them as a comma-separated list (‘1,2,3’) or as a range (‘1-3’); both select bits 1, 2, and 3. Choose one form: a literal ‘|’ between the two would be read by the shell as a pipe.
  • ‘path/to/image.bmp’: This is the path to the BMP image file you want to analyze.

Example output:

imagedata           .. file: TIFF image data, big-endian \331\320\332\341;256c27iP44wmsfTXYp2Km2toa_**'_$%# X'#$'  .
b1,b,msb,yx         .. text: "VALR_Y\f^__C^CBY" .
b3,b,msb,yx         .. text: "BDHPFJJPTWjWNO" .
b3,g,msb,yx         .. text: "PAAFEGHORT0" .
b4,g,msb,yx         .. text: "9RPMKTGJF" .

Use case 5: Detect embedded data in a PNG, extracting only prime pixels and inverting bits

Code:

zsteg --prime --invert path/to/image.png

Motivation:

If you suspect that the embedded data in a PNG image has been hidden within prime pixels and the bits are inverted, this use case is suitable for you. By running the command ‘zsteg --prime --invert path/to/image.png’, you can extract prime pixels and invert their bits, which can help reveal any hidden data.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘--prime’: This argument instructs zsteg to extract only prime pixels.
  • ‘--invert’: This argument instructs zsteg to invert the extracted bits.
  • ‘path/to/image.png’: This is the path to the PNG image file you want to analyze.

Example output:

b1,r,lsb,yx         .. text: "webNotice" .
b1,g,lsb,xY         .. text: "\036\037!0" .
b1,b,lsb,yx         .. text: "co.csc" .
b1,b,msb,xy         .. text: "cbs.com" .
bmp,rgb,msb,xy      .. text: "CD)\035x" .

Use case 6: Detect embedded data in a BMP image, specifying the minimum length of the strings to be found and the find mode

Code:

zsteg --min-str-len 10 --strings all path/to/image.bmp

Motivation:

If you want to control the findings reported by ‘zsteg’ based on the length of the strings and the desired find mode, this use case is appropriate. By running the command ‘zsteg --min-str-len 10 --strings all path/to/image.bmp’, with ‘all’ replaced by whichever find mode you need, you can customize the output according to your requirements.

Explanation:

  • ‘zsteg’: This is the command itself.
  • ‘--min-str-len 10’: This argument specifies the minimum length of the strings that should be reported.
  • ‘--strings all’: This argument specifies the find mode for the strings and takes exactly one of ‘first’, ‘all’, ‘longest’ or ‘none’. ‘first’ reports only the first string found, ‘all’ reports all the strings found, ‘longest’ reports only the longest string found, and ‘none’ disables string reporting. The modes are alternatives; a literal ‘|’ between them would be read by the shell as a pipe.
  • ‘path/to/image.bmp’: This is the path to the BMP image file you want to analyze.

Example output:

imagedata           .. file: ELF 32-bit LSB executable, Intel 80386 .....
b1,g,lsb,yx         .. text: "[*] End of program" .
b4,g,lsb,xy         .. text: "[+] Information saved to image" .
bmp,rgb,lsb,yx      .. text: "[!] Error: File not found" .

Conclusion:

The ‘zsteg’ command is a versatile steganography detection tool that allows you to analyze PNG and BMP images for hidden data. By understanding and utilizing the various options available, you can conduct thorough and customized analysis according to your needs. Whether you want to detect embedded data in different file formats, specify bits to consider, or customize the reporting of findings, ‘zsteg’ provides a reliable solution for steganography detection.
