Forensic Challenge 13 – “A Message in a Bottle Picture” (provided by the PNW Chapter)
Please submit your solution by Feb 15th, 2013 at http://www.honeynet.org/challenge2010.
For any questions and inquiries, please contact email@example.com.
Skill Level: Intermediate
Communication using hidden channels (steganography) is one way to protect that communication from third parties. You are a law enforcement agent in the forensics unit. In a recent raid, the agency was able to obtain the three attached packages of images from a suspected command and control server. These images could potentially contain hidden messages that will be relayed to a powerful botnet army that could destroy earth. Obviously a high priority item! While your colleagues try to reverse the botnet code, you are tasked with analyzing the images directly and extracting the hidden messages.
When analyzing these images, develop tools that take advantage of the full spectrum of steganalysis - statistical methods, visual attacks, machine learning, visualization - and make them available as open source so your colleagues can take advantage of your work without needing to reinvent the wheel.
Note that we received a tip from a mole that none of the images utilize encryption in addition to steganography. Lucky us. Let's get to it!
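As an added example that is not part of the original challenge, of any submitted answer sheet, or of the posted sample solution, the following Python sketch shows two of the steganalysis approaches the brief names: a visual attack (rendering the least-significant-bit plane) and a statistical one (the pairs-of-values chi-square test described by Westfeld and Pfitzmann). It runs on a constructed 64x64 grayscale image rather than the challenge images, and it assumes sequential LSB replacement as the hiding method; that assumption, the image dimensions, the cover histogram, the payload and the suspicion threshold are all constructed for illustration and say nothing about how the challenge images actually hide their messages.

```python
import random

# Constructed toy image dimensions (assumption, not the challenge images).
WIDTH, HEIGHT = 64, 64
PAYLOAD_BYTES = WIDTH * HEIGHT // 8   # one LSB per pixel -> 512 bytes fit


def make_cover(seed=1):
    """Constructed 8-bit grayscale cover as a flat row-major list.
    Even values are deliberately over-represented so that the counts of
    each pair of values (2k, 2k+1) differ, as they do in real covers."""
    rng = random.Random(seed)
    pixels = []
    for _ in range(WIDTH * HEIGHT):
        v = rng.randint(0, 255)
        if rng.random() < 0.7:
            v &= ~1              # force an even value
        pixels.append(v)
    return pixels


def make_payload(seed=2):
    """Constructed hidden message: a short ASCII tag followed by random bytes."""
    rng = random.Random(seed)
    tag = b"constructed hidden message: "
    body = bytes(rng.randint(0, 255) for _ in range(PAYLOAD_BYTES - len(tag)))
    return tag + body


def embed_lsb(pixels, message):
    """Sequential LSB replacement (assumed hiding method), used here only to
    build a stego image that the detectors can be checked against."""
    bits = [(b >> (7 - i)) & 1 for b in message for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the cover")
    out = list(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def lsb_plane(pixels, width=WIDTH):
    """Visual attack: render the LSB plane as rows of '#'/'.'.
    Natural image content leaves structure in this plane; a region carrying
    an embedded message looks like uniform noise."""
    bits = [p & 1 for p in pixels]
    return ["".join("#" if b else "." for b in bits[r:r + width])
            for r in range(0, len(bits), width)]


def extract_lsb_bytes(pixels, n_bytes):
    """Read the first n_bytes hidden by sequential LSB replacement."""
    bits = [p & 1 for p in pixels[:n_bytes * 8]]
    out = bytearray()
    for i in range(0, len(bits) - 7, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)


def chi_square_pairs(pixels):
    """Pairs-of-values chi-square test (Westfeld & Pfitzmann), written here in
    the two-category Pearson form.  LSB replacement with random message bits
    pushes the counts of 2k and 2k+1 toward their mean, so the statistic
    falls to roughly one per pair.  Returns (statistic, degrees_of_freedom)."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected == 0:
            continue              # an empty pair carries no information
        stat += (even - expected) ** 2 / expected
        stat += (odd - expected) ** 2 / expected
        dof += 1
    return stat, dof


def lsb_suspect(pixels, threshold=2.0):
    """Flag an image whose pair statistic is close to its degrees of freedom.
    The threshold is a constructed rule of thumb, not a calibrated p-value."""
    stat, dof = chi_square_pairs(pixels)
    return dof > 0 and stat / dof < threshold


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, make_payload())
    for name, img in (("cover", cover), ("stego", stego)):
        stat, dof = chi_square_pairs(img)
        print(f"{name}: chi2={stat:.1f} dof={dof} suspect={lsb_suspect(img)}")
    print("\n".join(lsb_plane(stego)[:4]))
    print(extract_lsb_bytes(stego, 28))
```

Running the script prints a pair statistic many times the degrees of freedom for the constructed cover and close to them for the stego copy, which is the signal the chi-square attack keys on; the printed LSB-plane rows and the recovered tag are the visual and extraction steps an analyst would apply to a real image once a file is flagged. The test is blind to any hiding method other than sequential LSB replacement, and a fixed threshold on the statistic is only a screening heuristic, so real tooling for the challenge should report the statistic and let the analyst judge, rather than emit a bare verdict.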
1. What images contain hidden messages? (15pts)
2. Describe how each hidden message is stored in the images. (15pts)
3. What are the hidden messages contained in those images (save each hidden message in a file and submit as a .zip archive along with this document)? (15pts)
1. With the tools you have developed, what hidden messages are you able to identify in the wild (bittorrent, usenet, web)? (5pts)
2. Provide a link to your tool (src, binary and documentation) (10pts)
This work by the Honeynet Project Pacific Northwest Chapter is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
1. Faure Bastien (1360962789_FC13_AnswerSheet_Bastien_Faure.pdf)
2. Andrey "Zed" Zaikin (1357726419_from_IMG_0744.zip)
Since no one found all the hidden messages, we also posted a sample solution: solution.zip