Computer forensics class. The teacher won't confirm or deny he's hidden anything in it but there are two identical mpg and one is huge compared to the other. Almost 100% sure he's hid something in it we just don't know how to get it out. Any ideas?
or, could just be a MPG with a very very high bit rate
but - yes - you most certainly can hide data inside an MPG
how to get it out? hmm - well, start with playing the file with a player that shows info about the file, and see if the bitrate & compression are reasonable for the size of the file. if it still seems there is data inside, then view it in a raw data/hex format, and look for an obvious change in data. look into the MPG data format, and see how data should be arranged, and see if there is anything which does NOT fit. an easy trick is to just put the data into the extended artist info section.
12:09 PM
ryan.hess Member
Posts: 20784 From: Orlando, FL Registered: Dec 2002
you can in fact hide almost anything inside of mpg, jpeg, gif, tiff, wmv, and select other formats...
it's actually very easy... 7-zip will extract it (usually)
to add you can just "copy /B bleh.mpg +hiddenfile.7z bleh2.mpg"
then it's there, mpg will look normal, use 7zip right click extract files and it will extract them to the folder... there are other ways to do this, that's just a nice quick easy way....
Computer forensics class. The teacher won't confirm or deny he's hidden anything in it but there are two identical mpg and one is huge compared to the other. Almost 100% sure he's hid something in it we just don't know how to get it out. Any ideas?
If you read any of the answers in this thread, you have just cheated in class. Correct?
But interesting, none-the-less!
01:18 PM
82-T/A [At Work] Member
Posts: 25401 From: Florida USA Registered: Aug 2002
When code is compiled, or media file types are created, there are often ways of saving COMMENTS in them. Most compiled code strips off the comments to save file space, but with media, there's a lot of places you can hide stuff. You could essentially have an entire word document (RTF or Text) stored as a comment / property in the header of the file.
Easiest way to see if there's anything weird, is to open up the file in NOTEPAD, or even better, download what is called a "Hex Editor"... you should see any strings of text in there.
Unless of course, the text has been encrypted and they just dumped hash codes in there... which you might still be able to see if you know what to expect.
If you read any of the answers in this thread, you have just cheated in class. Correct?
But interesting, none-the-less!
Why? I would think one would be allowed to use all methods to get the answer...
I used to save some stuff in my Work Word docs so if someone tried to pass it off as theirs I could make with the "ha-HA!!!!" and expose their diabolical treachery...
01:41 PM
squisher86SE Member
Posts: 1350 From: Franklin, IN, USA Registered: May 2005
The data in images rumor was talking about is a trick called "Steganography"
Which I'm sure can be applied to any media file. When applied intelligently it won't significantly alter the size of a file (but it will sure play heck with the checksum!)
Other advice higher in the thread is also appropriate, especially since you mentioned the file size being significantly different.
The data in images rumor was talking about is a trick called "Steganography"
Which I'm sure can be applied to any media file. When applied intelligently it won't significantly alter the size of a file (but it will sure play heck with the checksum!)
Other advice higher in the thread is also appropriate, especially since you mentioned the file size being significantly different.
Hiding things in video streams would be harder, I think, than still images, but yes steganography is the term. And you can 'correct' checksums too.
04:04 PM
hookdonspeed Member
Posts: 7980 From: baltimore, md Registered: May 2008
most media (especially mpeg) have EOF type code... anything after it would just be, well whatever you want it to be...
if you want to get really special, they do have tools to embed the code throughout a movie, will "hide" a few bytes in each frame... damn near impossible to find without knowing what you're looking for.
It is and the Professor makes it 100x more interesting.
quote
Originally posted by hookdonspeed:
simple answer... yes
you can in fact hide almost anything inside of mpg, jpeg, gif, tiff, wmv, and select other formats...
it's actually very easy... 7-zip will extract it (usually)
to add you can just "copy /B bleh.mpg +hiddenfile.7z bleh2.mpg"
then it's there, mpg will look normal, use 7zip right click extract files and it will extract them to the folder... there are other ways to do this, that's just a nice quick easy way....
7zip was my first idea. No dice.
quote
Originally posted by Boondawg:
If you read any of the answers in this thread, you have just cheated in class. Correct?
But interesting, none-the-less!
Negative. This teacher let me turn in an assignment using existing opensource code from another published person. He knows the internet is a vast source of information and is ok with you using that source as long as you let it be known it came from others.
quote
Originally posted by 82-T/A [At Work]:
When code is compiled, or media file types are created, there are often ways of saving COMMENTS in them. Most compiled code strips off the comments to save file space, but with media, there's a lot of places you can hide stuff. You could essentially have an entire word document (RTF or Text) stored as a comment / property in the header of the file.
Easiest way to see if there's anything weird, is to open up the file in NOTEPAD, or even better, download what is called a "Hex Editor"... you should see any strings of text in there.
Unless of course, the text has been encrypted and they just dumped hash codes in there... which you might still be able to see if you know what to expect.
Sounds like a really cool class though...
Yeah 1200+ pages of nothing useful (from what I quickly scrolled through) on the smaller (1.9MB) video and the larger (9.3MB) video I gave up on after 3000+ pages
The class itself is experimental this semester. The professor teaches a Computer Forensics I class using free programs as well as FTK, and a few other programs. This semester he managed to get the funding to acquire EnCase. It's not very intuitive but you can do some cool stuff with it. If they decide to keep the class it will become Computer Forensics II
most media (especially mpeg) have EOF type code... anything after it would just be, well whatever you want it to be...
Oh I hadn't thought about that.
quote
if you want to get really special, they do have tools to embed the code throughout a movie, will "hide" a few bytes in each frame... damn near impossible to find without knowing what you're looking for.
That is my worry. He told us if anything was hidden the program would be on the image of the hard drive as well. The more I think about it though I wouldn't put it past him to do something like this and it be a wild goose chase. What kills me is the EnCase software is something I can use only on campus so I'm going to fire up D.E.F.T. on my laptop and do some looking. I've got this to sort out as well as an encrypted zip file.
04:28 PM
kwagner Member
Posts: 4258 From: Pittsburgh, PA Registered: Apr 2005
EnCase is some cool stuff. I took a forensics class in college, taught by a guy who owns a business doing it. Got to play with some "lunchboxes". I enjoyed it immensely, the skills and knowledge are very useful. As has been said, short answer is yes you could hide something in an mpeg. The question is, did he? It's possible he could have just reencoded the same (original low bitrate) file at a higher bitrate. Use a utility like gspot http://www.headbands.com/gspot/ to see if they are in fact the same.
Figured I'd update this. Right idea wrong file. Found in the registry a program called Invisible Secrets. Hides stuff in jpg bitmap as well as a few other file types... The mpeg was just a distraction dang this stuff is fun.
EnCase is some cool stuff. I took a forensics class in college, taught by a guy who owns a business doing it. Got to play with some "lunchboxes". I enjoyed it immensely, the skills and knowledge are very useful. As has been said, short answer is yes you could hide something in an mpeg. The question is, did he? It's possible he could have just reencoded the same (original low bitrate) file at a higher bitrate. Use a utility like gspot http://www.headbands.com/gspot/ to see if they are in fact the same.
I <3 GSpot. Been using it a LOT lately to figure out what codec they used to create the video... (name makes me chuckle a bit)
[This message has been edited by FieroRumor (edited 12-06-2010).]
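The checks suggested in this thread (is the larger file just the smaller one with something tacked on, is there data after the MPEG end code, does that data start with an archive signature), written out as an added example that is not from any poster. The sample byte strings are constructed, the function names are hypothetical, and the end-code test is a heuristic since many MPEG files carry no end code at all.

```python
from typing import Optional

PROGRAM_END = b"\x00\x00\x01\xb9"   # MPEG program stream end code
SIGNATURES = {                        # magic bytes of common archive formats
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
}

def extra_region(small: bytes, large: bytes) -> Optional[int]:
    """Offset where extra bytes begin if `small` is an exact prefix of `large`."""
    if len(large) > len(small) and large.startswith(small):
        return len(small)
    return None

def appended_after_end(data: bytes) -> Optional[int]:
    """Offset of data following the first program end code (heuristic)."""
    pos = data.find(PROGRAM_END)
    if pos < 0 or pos + 4 >= len(data):
        return None
    return pos + 4

def scan_signatures(data: bytes, start: int = 0) -> list:
    """All (offset, format) hits at or after `start`; short magics can false-positive."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic, start)
        while pos >= 0:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def triage(small: bytes, large: bytes) -> dict:
    """Prefix comparison first, end-code check as the fallback."""
    start = extra_region(small, large)
    if start is None:
        start = appended_after_end(large)
    if start is None:
        return {"appended_at": None, "signatures": []}
    return {"appended_at": start, "size": len(large) - start,
            "signatures": scan_signatures(large, start)}

# Constructed samples: a tiny fake stream, and the same stream with an
# archive header appended the way `copy /B` concatenation would leave it.
CLEAN = b"\x00\x00\x01\xba" + b"\x44" * 64 + PROGRAM_END
TAMPERED = CLEAN + b"7z\xbc\xaf\x27\x1c" + b"constructed payload"

if __name__ == "__main__":
    print(triage(CLEAN, TAMPERED))
```

A `None` result only rules out simple concatenation; it matches the re-encode and per-frame embedding cases raised above, which this check does not detect.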