Steganography - Hachoir - Trac

Wiki Navigation

Many file formats allow "padding" and/or "invalid chunks". It would be possible to use this "empty" space to hide informations.

Examples

Formats which have padding fields

TAR archive use many padding between each file (average: 256 bytes for each file), should be nul bytes
MP3 allows bytes differents than 0xff before the first frame and between other frames. It's possible to write ASCII text before the music content :-)
RIFF container has "JUNK" chunk type: just padding
BMP picture have many padding and "reserved" bytes
FAT file system and Microsoft Office (2000) document:
- Allows free sectors. A sector is 512 bytes in FAT, and between 16 and 4096 in an Office document.
- Have fixed sized string but with a "real length" (end of string is unused)

Invalid chunks

Some file formats are like « header, (type, length, value), (type, length, value), ... ». If the parser doesn't know a chunk type, its behaviour should be to skip this chunk. So it would be possible to add chunks with random type to hide information.

PNG picture: type is 4 bytes (string in ASCII)
ZIP archive: type is 4 bytes
JPEG picture: type is 2 bytes but first byte should be 0xFF

Download in other formats:

Plain Text