Forensic Challenge 13 – A Message in a Picture

08 Apr 2013

Forensic Challenge 13 – “A Message in a Bottle Picture” (provided by the PNW Chapter)

Skill Level: Intermediate

Background

Communication using hidden channels (steganography) is one way to protect that communication from third parties. You are a law enforcement agent in the forensics unit. In a recent raid, the agency has been able to obtain the three attached packages of images from a suspected command and control server. These images could potentially contain hidden messages that will be relayed to a powerful botnet army that could destroy earth. Obviously a high priority item! While your colleagues try to reverse the botnet code, you are tasked with analyzing the images directly and extracting the hidden messages.

When analyzing these images, develop tools that take advantage of the full spectrum of steganalysis - statistical methods, visual attacks, machine learning, visualization - and make them available as open-source so your colleagues can take advantage of your work without needing to reinvent the wheel.

Note that we received a tip from a mole that none of the images utilize encryption in addition to steganography. Lucky us. Let's get to it!

Main Questions 

  1. What images contain hidden messages? (15pts)
  2. Describe how each hidden message is stored in the images. (15pts)
  3. What are the hidden messages contained in those images (save each hidden message in a file and submit as a .zip archive along with this document)? (15pts) 

Bonus: 

  1. With the tools you have developed, what hidden messages are you able to identify in the wild (bittorrent, usenet, web)? (5pts)
  2. Provide a link to your tool (src, binary and documentation) (10pts)

This work by the Honeynet Project Pacific Northwest Chapter is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. 

The Winners 

  1. Faure Bastien (1360962789_FC13_AnswerSheet_Bastien_Faure.pdf)
  2. Andrey “Zed” Zaikin (1357726419_from_IMG_0744.zip)

Since no one found all hidden messages, we also posted a sample solution: solution.zip

Note: All files can be found in challenges.zip and submissions.zip attached below.

Attachment Pass Sha1sum
challenges.zip 892f249dda98d87aa19654633098ab18044152507c9cdb49f1a783efb98ddccd 9cef5ddaea8568d4d47dc61ebc6e23ceac40dca7
submissions.zip 4c3923af684abed1a08a03213a1a43574dd4e957acafec528ed4cf68c295cc9a b75825e3841546c154e61ab5d4c0cc0489847ae0