Scenario: You are learning how steganography tools work by embedding a secret text file into a JPEG photograph. Understanding the hiding process is essential before you can detect it. Your working directory contains a cover image and a file you want to hide.
Learning objective: Understand steghide's embed workflow — specifying the cover file (-cf), the file to embed (-ef), choosing a passphrase, and verifying the output file size barely changes despite containing hidden data.
Activity 2: Detecting & Extracting with steghide
Scenario: During an investigation, you found a JPEG image on a suspect's USB drive named family_dinner.jpg. The file size is slightly larger than expected for its resolution. You suspect it contains hidden data. Use steghide to probe and extract it.
Evidence Directory: ~/case-2026-0412/images/
family_dinner.jpg (3.1 MB, 2048×1536 JPEG)
Learning objective: Use steghide info to probe for embedded data without extracting, then steghide extract with the correct passphrase to recover the hidden file. Understand that steghide requires the passphrase — without it, extraction fails.
Activity 3: LSB Analysis with zsteg
Scenario: A PNG image was recovered from a suspect's cloud storage. Unlike steghide (which works on JPEG/BMP), zsteg is specialized for detecting LSB steganography in PNG and BMP files. It checks multiple bit channels and encoding schemes automatically.
Learning objective: Understand that zsteg scans multiple LSB channels (R, G, B, RGB combined) with different bit orders and encodings. Unlike steghide, zsteg does not require a passphrase — it performs statistical and pattern-based detection. The -a flag runs all checks.
Activity 4: File Carving with binwalk
Scenario: Not all steganography uses LSB substitution. A common technique is simply appending a file (such as a ZIP archive) after the JPEG's end-of-image (EOI) marker, the byte pair FF D9. The image renders normally, because viewers stop at the EOI, but the hidden data rides along after it. binwalk scans for embedded file signatures inside any binary.
Evidence Directory: ~/case-2026-0412/images/
corporate_logo.jpg (4.7 MB — suspiciously large for an 800×600 logo)
Learning objective: Understand that binwalk detects embedded files by scanning for magic byte signatures (file headers) at every offset in the binary. The -e flag automatically extracts discovered files. This technique catches appended archives, embedded executables, and concatenated files that LSB tools would miss.
Activity 5: Full Steganography Investigation
Scenario: You are analyzing a suspect's hard drive image. During examination, you flagged several image files that are larger than expected. You don't know which steganography method was used — it could be LSB embedding, appended data, or something else entirely. Apply a systematic detection workflow using multiple tools.
Learning objective: Apply a systematic workflow: start with the file command to verify file types, use binwalk to scan for appended data, steghide info for JPEG/BMP probing, and zsteg for PNG/BMP LSB analysis. Real investigations require trying multiple tools because each detects different hiding methods.