ThisMeansGroundWar | 153 points | Nov 15 2016 03:59:36

NEED STEGANOGRAPHY ASAP - HIDDEN FILE DETECTED (MORE INFO IN COMMENTS)

https://i.sli.mg/bAqTnT.png


JangoTheJanitor | 31 points | Nov 15 2016 04:50:20

For what it's worth, I wanted to check the file for an embedded zip and manually searched for the hex strings (50 4B 03 04 14) and (50 4B 05 06 00), respectively the header and footer for .zip files, with Bless. Neither is present in the file. Tomorrow I'm going to run it against an automated file carver that can find other headers.


ThisMeansGroundWar | 22 points | Nov 15 2016 03:59:59

I just verified this myself - this image is coming up as having a hidden file inside.

It had occurred to me the other day, but I dropped it because I do not have a steganography suite.

Original e-mail can be found here: https://wikileaks.org/podesta-emails/emailid/48897

I shouldn't have to tell you, but if you do try to crack this file, do so in a VM you can destroy. There's no telling what will be found inside, if indeed there is something to find.


MAGA_MANGGG | 22 points | Nov 15 2016 04:10:05

http://imgur.com/a/CyRWy

Image in question. Notice the boundaries of the image, which was a mobile screenshot. Awfully weird. Also, file size is 1,234 KB.


ThisMeansGroundWar | 5 points | Nov 15 2016 04:13:41

Based Anon-bro.


bumblebritches57 | 1 points | Nov 15 2016 14:45:20

What file format is it? It almost looks like a PDF.


tridentgum | -27 points | Nov 15 2016 05:49:20

This has already been found you fucking tards lol.


JangoTheJanitor | 20 points | Nov 15 2016 04:24:53

I've done extensive looking into this file - it's definitely corrupted, as in attempts to upload it as a PNG on any site that has strict validation will fail. However, we have not yet conclusively proven that there is an embedded file, just extraneous data.

I'm going to load this up on my AccessData FTK suite at my office tomorrow and take a closer look. If we can isolate that extraneous data and carve a header out of it, we might be able to determine if it's actually a valid or recoverable file inside, or simply corrupt.


MAGA_MANGGG | 5 points | Nov 15 2016 04:56:56

https://www.reddit.com/r/OperationPizzagate/comments/5d0iov/need_steganography_asap_hidden_file_detected_more/


victimculture | 4 points | Nov 15 2016 13:12:24

Creating an invite reddit removes any plausible deniability for being there and isolates you from the public. Exactly what safe researchers don't want.


areraswen | 2 points | Nov 15 2016 05:58:11

403 forbidden


MAGA_MANGGG | 1 points | Nov 15 2016 08:36:00

Must be to help keep it on track

PM the OP to request invite


bumblebritches57 | 1 points | Nov 15 2016 14:45:56

Which OP?


areraswen | 1 points | Nov 15 2016 16:11:51

How do we know who op is if we can't even view the post...?


[deleted] | 1 points | Nov 15 2016 04:33:15

[deleted]


JangoTheJanitor | 5 points | Nov 15 2016 04:34:38

I have, I am simply saying there isn't conclusive proof it is an embedded file. Until we pull a file out of it, we can't say that like it's a fact - just that it's a corrupt PNG.

Notably, it does not contain an IEND chunk (0xAE426082) which is against the PNG specification; they're supposed to end with that hex value. If they don't, they fail cyclic redundancy check which causes sites to not accept them as valid PNGs if those sites (like 4chan) use strict validation.


a38c16c5293d690d686b | 15 points | Nov 15 2016 05:28:10

It looks like a truncated file to me. The string "IDAT" marks the start of a chunk of data in a PNG file. There's an IDAT near the end of the file, with a few bytes following it. If you truncate the file at the previous IDAT, the file will look like in the screenshot posted here, but the image cuts a bit above. So, until byte number 0x1343d1 it looks like a normal PNG file.


bumblebritches57 | 4 points | Nov 15 2016 14:47:30

Actually, the start of the IDAT chunk is 4 bytes earlier, which contains the chunk size in big endian.

The IDAT sections are all 16384 bytes, and the IDAT chunk is prefixed by the size of the chunk and postfixed by the CRC of the block!!!

The last IDAT section contains only 124 bytes, instead of 16384, and the footer (IEND) is missing...

Someone intentionally cut the file off at this point.


outbackdude | 1 points | Nov 15 2016 17:10:56

It's from a scanner, so maybe it split the file up into separate emails?


The_Ruffneck | 6 points | Nov 15 2016 04:16:50

Old news


The_Ruffneck | 4 points | Nov 15 2016 04:23:19

Well, I dunno what's with the downvotes, but seriously, this was on 4chan 4-5 days ago. We're going in circles here.


Canc3rific | 12 points | Nov 15 2016 05:00:29

IIRC that was the pizza.jpg; this is a different file and email altogether.


Zanting | 6 points | Nov 15 2016 04:29:03

There are multiple files embedded in this image.


JangoTheJanitor | 31 points | Nov 15 2016 04:35:36

Again, that has not been proven yet. I've spent tens of hours dissecting this image and we can't come to that conclusion yet, and I'm a professional digital forensic examiner. It's corrupt, that much is for sure. It's missing the IEND (0xAE426082) chunk, that much is for sure. But we can't jump to conclusions without hard evidence.


PizzagateConspiracy | 6 points | Nov 15 2016 08:23:55

I appreciate your diligence. Way too much conclusion-jumping in these types of threads. That's the quickest way to make ourselves look like crackpots without the aid of shills.


JangoTheJanitor | 2 points | Nov 15 2016 19:50:50

It's essential that we remain narrowly focused. I understand that it's easy for people to start jumping to conclusions, but it's absolutely paramount that we treat this objectively and scientifically - otherwise, no matter what we "find," nobody will give it a second thought.


PizzagateConspiracy | 1 points | Nov 15 2016 22:05:27

Agreed. Proof above all is the most important thing.


T2AmR | 1 points | Nov 15 2016 08:47:31

Have you checked images found on social media accounts? There are plenty of sick Instagram accounts with creepy pictures. I only see people analyzing WikiLeaks pics.


JangoTheJanitor | 1 points | Nov 15 2016 19:48:04

It's possible although to my knowledge Instagram compresses the images once they're uploaded, which means that embedded steg could potentially be lost. It's still worth looking at in my opinion, but I don't have high hopes for that reason.


MAGA_DJT | 4 points | Nov 15 2016 13:34:19

After having spent WAY too many hours on this attachment, if you correct the height (2208 to 1722) the file then becomes un-corrupted.

I still can't work out why it has no IEND or why there is junk after the very last IDAT; also, increasing the height on any PNG file doesn't create a black box. So no idea why this image has a big amount of black under it after it gets cut off.

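The chunk layout bumblebritches57 describes (size, type, data, CRC), JangoTheJanitor's manual search for zip header and footer bytes, and the height correction MAGA_DJT describes above, as one added worked example. This is not code from anyone in the thread and it does not touch the real attachment: it builds its own small greyscale PNG (a constructed sample), cuts it after the second IDAT chunk and tacks junk on the end, then walks the chunk list, verifies every CRC, reports the missing IEND and the leftover bytes, scans those bytes for zip and PDF headers, and works out how many complete scanlines the cut-off IDAT stream still decodes to. That row count is the height the IHDR should be patched to, derived from the data rather than guessed, and the repair function writes it back with a recomputed CRC and appends IEND. Function names and the sample are my own; the row counting assumes a non-interlaced image.

```python
"""Triage and repair of a PNG whose IDAT stream is cut off and which has no IEND (constructed example)."""
import random
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}      # PNG colour type -> samples per pixel
CARVE_SIGS = {                                  # headers a carver would look for in leftover bytes
    b"PK\x03\x04": "ZIP local file header",
    b"PK\x05\x06": "ZIP end-of-central-directory",
    b"%PDF-": "PDF header",
}

def make_chunk(ctype, payload):
    """Chunk layout: 4-byte big-endian length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def walk_chunks(data):
    """Parse until IEND, a non-alphabetic type code (junk) or a chunk whose declared length
    overruns the file. Returns (chunks, offset of the first byte not accounted for)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad 8-byte signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if not ctype.isalpha() or end > len(data):
            break
        payload = data[pos + 8:end - 4]
        stored = struct.unpack(">I", data[end - 4:end])[0]
        chunks.append({"offset": pos, "type": ctype, "data": payload,
                       "crc_ok": stored == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)})
        pos = end
        if ctype == b"IEND":
            break
    return chunks, pos

def find_signatures(blob, base=0):
    """File offsets of known headers inside blob: the thread's manual zip search, generalised."""
    hits = []
    for sig, name in CARVE_SIGS.items():
        i = blob.find(sig)
        while i != -1:
            hits.append((base + i, name))
            i = blob.find(sig, i + 1)
    return sorted(hits)

def analyse(data):
    """IEND present? CRCs intact? How many scanlines still decode? What follows the last chunk?"""
    chunks, end = walk_chunks(data)
    ihdr = next(c for c in chunks if c["type"] == b"IHDR")
    width, height, depth, colour, _, _, interlace = struct.unpack(">IIBBBBB", ihdr["data"])
    assert not interlace, "row counting assumes a non-interlaced image"
    idat = b"".join(c["data"] for c in chunks if c["type"] == b"IDAT")
    raw = zlib.decompressobj().decompress(idat)     # a stream with no end marker still yields rows
    stride = 1 + (width * CHANNELS[colour] * depth + 7) // 8   # filter byte + packed pixel bytes
    return {
        "has_iend": any(c["type"] == b"IEND" for c in chunks),
        "bad_crc": [c["type"].decode() for c in chunks if not c["crc_ok"]],
        "declared_height": height,
        "complete_rows": len(raw) // stride,
        "trailing_bytes": len(data) - end,
        "carved": find_signatures(data[end:], end),
        "_ihdr": (width, depth, colour), "_stride": stride, "_raw": raw, "_chunks": chunks,
    }

def repair(data):
    """Rebuild a decodable PNG from the rows that survived: IHDR height set to the recovered
    row count (CRC recomputed), ancillary chunks kept, scanlines recompressed, IEND appended."""
    r = analyse(data)
    rows, (width, depth, colour) = r["complete_rows"], r["_ihdr"]
    out = PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", width, rows, depth, colour, 0, 0, 0))
    for c in r["_chunks"]:
        if c["type"] not in (b"IHDR", b"IDAT", b"IEND"):
            out += make_chunk(c["type"], c["data"])
    out += make_chunk(b"IDAT", zlib.compress(r["_raw"][:rows * r["_stride"]]))
    return out + make_chunk(b"IEND", b"")

def build_sample(width=64, height=64, chunk_size=1024):
    """Constructed 8-bit greyscale PNG with noisy pixels, so the IDAT stream spans several chunks."""
    rng = random.Random(1)
    rows = b"".join(b"\x00" + bytes(rng.getrandbits(8) for _ in range(width)) for _ in range(height))
    z = zlib.compress(rows)
    png = PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0))
    png += make_chunk(b"tEXt", b"Comment\x00constructed sample")
    for i in range(0, len(z), chunk_size):
        png += make_chunk(b"IDAT", z[i:i + chunk_size])
    return png + make_chunk(b"IEND", b"")

def damage(png, keep_idat=2):
    """Model the file in the thread: complete IDAT chunks, then junk bytes, and no IEND."""
    last = [c for c in walk_chunks(png)[0] if c["type"] == b"IDAT"][keep_idat - 1]
    cut = last["offset"] + 12 + len(last["data"])
    return png[:cut] + b"\x00" * 32 + b"PK\x03\x04" + b"\xffjunk" * 8

if __name__ == "__main__":
    broken = damage(build_sample())
    for f in (broken, repair(broken)): print({k: v for k, v in analyse(f).items() if not k.startswith("_")})
```

On a real file you would read the bytes from disk and run analyse() on them; a chunk list with a run of 16384-byte IDATs and a short last one, followed by a non-zero trailing_bytes and has_iend False, is exactly the picture the thread describes. Two caveats: the 5-byte pattern 50 4B 03 04 14 searched for above includes the "version needed" byte 0x14, so a zip written by a tool that sets a different version would be missed, which is why the scan here matches the 4-byte magic only; and a zip's end-of-central-directory record can legitimately be the only intact signature if the archive itself was cut off.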

bumblebritches57 | 3 points | Nov 15 2016 14:44:11

1: Steganography is used to embed text.

2: Steganography embeds text into the macroblocks/huffman tables of JPEGs/PNGs.

You wouldn't be able to detect steganography this easily.


KiA423469420 | 1 points | Nov 15 2016 13:30:12

(THIS POST SHOULD PROBABLY BE IGNORED. SORRY FOR THE INCONVENIENCE.)

I opened the png in notepad++ looking for anomalous text strings that might be clues. Since this isn't how the file is meant to be interpreted, it is of course almost entirely gibberish. Opening up random-ass files in text editors is rarely a productive investigation avenue, but I find parsing the gibberish to be fun. I have some fond memories of finding my teachers' passwords in crufty bits of the school network that weren't meant to be parsed as text, but turned out to contain things that a text editor could read all too well.

There's nothing so awesome here, but I did find a few things worth mentioning. Near the top, there are two strings of not-gibberish. The first one is four characters in a string that say "IHDR". That appears to be something related to the PNG spec. The second one is "iCCPICC Profile", which I believe represents color formatting data. I wonder if we can "reverse" the corruption somehow by tweaking the data of the PNG.

There's also some repeating D's in lines 280-310 and again at 499-504. I wonder what those represent in terms of the file's structure. Some kind of break in the data? Whatever they are, they're not meant to be parsed as text.

(I originally posted this comment over here just now, but then noticed this thread and decided to post it again here.)

Edit: Since u/a38c16c5293d690d686b mentioned IDAT, I searched the file for repetitions of that string. There are IDATs at lines 28, 178, 327, 462 (IDATE), 595, 696, 829, 958, 1087, 1193 (IDATBLF), 1312, 1436, 1556, 1666, 1771, 1898, 1996, 2098, 2215, 2309, 2396, 2510 (IDAT_VK), 2649, 2777, 2886, 2997, 3122 (IDAT9), 3250 (IDAT4), 3351, 3454, 3530 (IDAT6QG), 3657, 3770, 3871, 3987, 4120, 4260, 4377, 4494 (IDATq), 4620, 4749, 4876, 4984, 5072, 5177, 5280, 5415, 5533 (IDATY), 5655, 5786, and 5896.

EDITx2: There's also an IEND at 5920 in mine (filename Te43AYb.png). Some of y'all may be working on a truncated copy. Although, actually, it's weirder than that... My Te43AYb.png seems to be 807 KB instead of the 1.20 MB of IMG_4533.png. Hm. Where'd the poster at the thread I got this from get their version?

EDITx3: Oh, good grief. The larger one that came directly from the email looks different when examined as though it were text. I'll look through it and maybe post more about what I find studying it, but it's a real pain to discover I was looking at the wrong freaking file.


bumblebritches57 | 2 points | Nov 15 2016 14:56:59

You're not gonna find shit in a text editor. Get a hex editor, like HxD or HexEdit.
