JangoTheJanitor | 32 points
Thoughts on the encrypted data / steganography recently found in CPPP pictures.
I just woke up and started reading about "encrypted data found in pictures" and got happy. Not to toot my own horn or anything, but I brought up the possibility of steganography in these pictures yesterday, went to bed, and I'm glad to see that I was in the right ballpark. I'm guessing that's what this data is.
Those who don't know, familiarize yourself with the concept a bit: https://en.wikipedia.org/wiki/Steganography
Whoever's looking into these should look at various solutions like stegdetect and a number of the tools that come with security distros like Kali. You might also look at lower-sophistication Windows solutions because the people involved in the day-to-day of this are likely not sophisticated (i.e. programmers or Linux users) and probably have a "drag-n-drop-n-password" type of solution for their steg.
Just food for thought.
Mr_Reight | 3 points
https://wikileaks.org/podesta-emails/emailid/48897
This attachment says it's a 1.2mb .png file
I changed the extension to .txt and opened it in Sublime: 10,721 lines... a similar-sized .png I had was 200-300 lines.
So then I tried opening the wikileaks.png in Adobe Illustrator (errored out, could not understand the file, but could open my plain .png just fine).
I didn't have any luck with any known file extensions (.zip, .7z, .pgp, .mp3, .mp4, .mov [I know the last few are a stretch since it's only 1.2mb]), except .hc, which is VeraCrypt, and it let me at least try and mount it to put in a password. All passwords I tried failed; I was searching for the Social Security-like 9-digit number that got posted the last few days... does anyone have that to give it a shot?
JangoTheJanitor | 3 points
Try a hex editor - that's the most basic way of looking at a file. Also try running it through CGSecurity's PhotoRec - it's data carving software that can be targeted against raw data. If a file exists within another file (slack space), PhotoRec will often pick up on it.
~~I'll try in the morning as well.~~ Of course I'm not going to bed now. That black area at the bottom of the PNG is really suspicious. I've seen that kind of thing before in data recovery, like using PhotoRec to recover images from unallocated space and allowing corrupted files. An image file can be "corrupt" to a certain degree and still be functional. That "corruption" may very well be hidden data. Updates to come.
Edit: That email title really makes me cringe.
Edit 2: Looking at the metadata with exiftool yields a "Warning: Corrupted PNG image" response. As I suspected by the black bar, this PNG has extraneous data in it. As to whether it's garbage or something hidden... still examining.
Edit 3: Here's the text source for the article contents in case we want to throw that into a custom dictionary. http://ricerca.repubblica.it/repubblica/archivio/repubblica/2015/04/11/hillary-20-social-network-e-giovani-per-riportare-i-clinton-alla-casa-bianca21.html
Edit 4: Another email with "puttanesca" in the title. (https://wikileaks.org/podesta-emails/emailid/8936). No attachment, but the content refers to La Repubblica: the newspaper the corrupt PNG is a part of. Obviously code, but it could be something as simple as "shitty press relations." The corrupt PNG is still suspect, unless it's something somebody scanned in or otherwise beat with a metaphorical idiot-hammer. Interestingly, for those who don't know, "spaghetti alla puttanesca" literally translates to "spaghetti in the style of a prostitute." The etymology is closely related to "puttanata," an Italian noun meaning something worthless. It derives from the Italian word for whore, "puttana."
Edit 5: Heading to bed now, running on two hours of sleep and not getting much yet. This one might deserve its own thread. Since it's an iPhone screenshot, having it corrupted really makes me curious what's going on, yet the paint-bucket approach doesn't yield any noticeable artifact patches. My gut tells me there's something going on here but I just haven't gotten there yet.
chayesdigital | 0 points
Join hackforums and ask for help - there are some real pros there.
JangoTheJanitor | 1 points
If by "pros" you mean middle school scriptkiddies, then yes, tons and tons of pros.
chayesdigital | 1 points
"There are some real pros" on hack forums. Read again. I know the userbase is mostly skids. Doesn't change the fact there are some very skilled hackers there as well.
JangoTheJanitor | 2 points
I'm just speaking from my perspective as somebody who regularly testifies in court as an expert witness on digital forensic cases and who has taught cybercrime investigation at the university level. Obviously I'm not going to do this by myself, so I understand the need for extra resources, but the difficulty is finding the diamonds amidst the rubble. First you have to locate the pros, then you have to convince them it's of interest to them, and thirdly the case itself has to be more interesting to them than just trolling the person who sent it to them. It's a hassle. Feel free to go recruiting if you feel the need, of course.
chayesdigital | 1 points
You're right about it being difficult to recruit talent to help. No harm in making a thread and asking though. At worst it's 10 minutes of wasted time.
JangoTheJanitor | 1 points
The more the merrier as far as I'm concerned. It's not like anything can be done to alter the integrity of the data - it's all on Wikileaks and thus should be forensically replicable by anybody engaging in the same process.
chayesdigital | 1 points
Sorry to waste your time asking this but how does this process usually work? The encrypted image is sent by email and then they send the decryption key via text message or some other means?
Stegdetect is just flagging that there's a hidden message. So you still need the key. Is it possible to brute force?
JangoTheJanitor | 1 points
I doubt it. Chances are, the parties involved on both ends of the transmission know the transmission scheme. Let's say that you and I have an agreement that the third word in whatever email I send you is the key. I regularly send you seemingly innocent pictures of funny animals from /r/aww with hidden data. You know to look to the third word and use that.
Each sender may have a different system, but the same senders would likely use the same key system across various emails. See the ones from johnson_lo, the Chinese text with titles like "peony," or comments like "it takes two to Tango." Words that pop out like that immediately make me want to try them first (like trying "puttanesca" or variants thereof for IMG_4533.png).
Bruteforcing is always "possible" but rarely realistically feasible. A better approach is to create a custom dictionary from the whole batch of Podesta emails since we know the content belongs to him, or even limited custom dictionaries based on the senders with suspected coded content.
IntenseDreams65 | 4 points | Nov 11 2016 16:16:44
I think others have said it's fake... I'm completely unsure if it's real or not. I'd advise checking out 8chan; they've been looking into that kind of stuff pretty intensely lately. IIRC, one person posted that image of the encrypted data, yet many others were unable to replicate it using the same method.
Edit: I'm specifically talking about what someone "found" in the pizza.jpg
JangoTheJanitor | 6 points | Nov 11 2016 16:18:50
I'll take a look sometime today. I work in cybersecurity / forensics and I've got a lot of stuff setup at my office that would be perfect for this.
Any particular links to the alleged "encrypted" pictures? I'm still loading up on coffee and trying to catch up with the recent news on this.
hoeskioeh | 4 points | Nov 11 2016 16:26:01
The 4chan thread got trolled pretty fast.
It was not the pizza.jpg with the hidden stuff, but some pdf from that Comet Ping Pong site, IIRC.
Unfortunately that site is now aware of the attention, so anything still there is most probably clean by now.
Other threads mentioned the weird .pps files with pictures of birds in the podesta files, e.g. [this](https://wikileaks.org/podesta-emails/emailid/11339), all from the same sender.
JangoTheJanitor | 2 points | Nov 11 2016 17:42:30
Do we have any centralized backups of all the findings on this so far? Might be a good idea for someone to zip this all together and host it in a few different places (outside the Googleverse), given the fact that the subjects are now aware they're under the internet's collective microscopes.
IntenseDreams65 | 2 points | Nov 11 2016 16:31:42
I saw some links to various 8chan threads on this subreddit while I myself was catching up on it. I'd say just look around on here and definitely check on the threads on 4chan and 8chan (which are confusing af to me lol). I think people have been saying 4chan's been getting DDoSed and/or the threads are being deleted. I specifically saw the thread about trying to find encrypted data in the various images on 8chan though.
JangoTheJanitor | 3 points | Nov 11 2016 17:40:29
Has anybody checked out their weird Instagram pictures yet? I'll download a big batch of everything when I get my daily caseload a bit more under control. Supposed to respond to a small business breach this afternoon so I might not have as much time as I anticipated, but I'll definitely be giving it a crack over the weekend.
DepressedExplorer | 1 points | Nov 11 2016 17:54:18
You seem to be the specialist, but to my understanding, as Instagram does compress the images and the images we talk about are JPGs, there would be no data left on Instagram images?
JangoTheJanitor | 1 points | Nov 11 2016 17:57:57
Good point. Theoretically there could also potentially be extraneous (if corrupted) data visible in a hex editor, but unless the Instagram compression algorithm is known and accounted for in the steg method, it's unlikely.
justforthissubred | 2 points | Nov 11 2016 18:43:09
Check out the files sent to Podesta here. Very strange. https://www.reddit.com/r/pizzagate/comments/5cg181/steganography_possible_communication_through/
Edit: and Please let me know what you find!!!
toneii | 1 points | Nov 11 2016 16:21:51
Just start with the basics: get the pizza.jpg off Wikileaks and verify whether it contains extra bytes at the end that indicate another file appended to it.
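The check toneii describes, and the "extraneous data" that exiftool flagged in JangoTheJanitor's PNG earlier in the thread, as an added Python example that is not part of this thread or of any tool mentioned in it: it walks the PNG chunk list, verifies each chunk's CRC, and reports any bytes that follow IEND together with a few file signatures they might start with. The test image and the appended bytes are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed short list of well-known signatures to look for in bytes appended
# after IEND; carving tools such as PhotoRec know far more than these.
MAGICS = {b"PK\x03\x04": "zip", b"7z\xbc\xaf\x27\x1c": "7z", b"\x89PNG": "png",
          b"\xff\xd8\xff": "jpeg", b"%PDF": "pdf"}

def parse_png(data):
    """Walk the chunk list. Returns (chunk names, bytes after IEND, chunks with bad CRC)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, names, bad_crc = len(PNG_SIG), [], []
    while pos + 12 <= len(data):            # a chunk is at least length+type+crc
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored_crc) != 4:
            raise ValueError("truncated %r chunk at offset %d" % (ctype, pos))
        if struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF) != stored_crc:
            bad_crc.append(ctype.decode("latin-1"))
        names.append(ctype.decode("latin-1"))
        pos += 12 + length
        if ctype == b"IEND":                 # everything after this is not image data
            break
    return names, data[pos:], bad_crc

def triage_png(data):
    """Summarise what a forensic first pass wants to know: trailing data and broken chunks."""
    names, trailing, bad_crc = parse_png(data)
    report = {"chunks": names, "has_iend": "IEND" in names, "bad_crc": bad_crc,
              "trailing_bytes": len(trailing), "trailing_type": None}
    for magic, kind in MAGICS.items():
        if trailing.startswith(magic):
            report["trailing_type"] = kind
            break
    return report

def make_png(width, height, trailing=b""):
    """Build a minimal valid 8-bit grayscale PNG (constructed test input), optionally with bytes appended."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)   # depth 8, grayscale, no interlace
    scanlines = b"".join(b"\x00" + b"\x00" * width for _ in range(height))  # filter byte 0 per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b"") + trailing

if __name__ == "__main__":
    print(triage_png(make_png(4, 4)))                                      # clean image
    print(triage_png(make_png(4, 4, trailing=b"PK\x03\x04" + b"\x00" * 40)))  # constructed: zip header appended
```

A real file with a non-zero `trailing_bytes` count or a non-empty `bad_crc` list is what exiftool's "Corrupted PNG image" warning corresponds to; whether the extra bytes are a second file or just damage is what carving and a hex editor then have to settle.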
GulliverDark | 4 points | Nov 11 2016 16:56:57
Yeah, the pictures are straight from Wikileaks. Anyone can download and have a go at releasing the data that is encrypted in them. I'd be wary. I'm sure it's 'can't unsee' kind of moment when you do crack the code.
JangoTheJanitor | 4 points | Nov 11 2016 17:53:02
I've worked on a lot of cases involving "can't unsee" kind of content in the past, so at least I'm a bit more prepared for the worst.
p00p431 | 3 points | Nov 11 2016 18:55:06
There's nothing in pizza.jpg. You can verify yourself (if you're on a Mac):
Opening the Podesta emails and searching for "pizza.jpg" gives us these results: https://wikileaks.org/podesta-emails/?q=pizza.jpg&mfrom=&mto=&title=&notitle=&date_from=&date_to=&nofrom=&noto=&count=50&sort=6#searchresult
Open this email: https://wikileaks.org/podesta-emails/emailid/10037
Click the attachments tab. Download the file to your computer.
alfy26 | 2 points | Nov 11 2016 23:10:28
I explained this in greater detail in this thread.
The original /pol/ thread about this PK stuff was meant to direct people to download/install iSteg, which uses a pedologo, IMO in an attempt to hack anons investigating the pizzagate. https://np.reddit.com/r/conspiracy/comments/5cgv3x/if_i_was_being_investigated_by_4chanreddit_and/
JangoTheJanitor | 2 points | Nov 11 2016 17:41:11
Thanks - just wanted to make sure I was looking at the same file(s) as everybody else.
alfy26 | 1 points | Nov 11 2016 23:02:48
By order of priority, please look at:
Pizza.jpg
The "playing cards" image
The Antarctica images
The images in the pps files (and the pps files themselves) that have Chinese characters in the name
JangoTheJanitor | 3 points | Nov 11 2016 23:42:02
So far I've looked at all of these except for the playing cards image. I had to step away from my Linux box for a while, but I'll throw that into the mix as well.
As for the others, see: https://www.reddit.com/r/pizzagate/comments/5cg181/steganography_possible_communication_through/
Stegdetect picked up some possible steganography in some of the Chinese PPS files. Nothing so far for the Antarctica images but I'm just at the tip of the iceberg with those (pun intended).