What is zsteg?
zsteg is a tool specialized in detecting steganography in PNG and BMP files. It is specifically designed to find hidden data using various LSB (Least Significant Bit) techniques.
Concept Behind zsteg
zsteg focuses on LSB steganography, where:
- Least significant bits of each pixel byte are modified
- Minimal changes that are imperceptible to the human eye
- Multiple encoding and bit ordering techniques
Techniques zsteg detects:
- LSB first vs MSB first
- Different bit planes (1st, 2nd, 3rd bit, etc.)
- Pixel scan order (row by row, column by column)
- Color channel combinations (R, G, B, Alpha)
- Encodings such as Base64, ZIP, etc.
Basic Usage
Some Examples
#Basic Analysis
zsteg image.png
#Test all possible combinations (slower, but more complete)
zsteg -a image.png
#See only positive results
zsteg -v image.png
#Extract specific data
zsteg -E "b1,rgb,lsb" image.png > extracted_data.binMain Options
-a, --all #Test all known methods
-v, --verbose #Show more information
-c, --checksum #Calculate checksum of the data
-p, --prime #Use only prime scans
-t, --threshold #Set threshold for detection
--strings #Run 'strings' on the extracted dataExample Analysis
Command:
zsteg -a path/to/file.pngzsteg Output:
b1,r,lsb,xy .. text: "FUXC2LJAFUWS2IBOFYWSALJOFYXC4LJAFYWS2IBOFYQC2LRAFYXC4IBNFYWS4LJN"Decoding:
FUXC2LJAFUWS2IBOFYWSALJOFYXC4LJAFYWS2IBOFYQC2LRAFYXC4IBNFYWS4LJN → you-wins-!Steganography Techniques that zsteg Detects
1. Basic LSB
zsteg -a image.png | grep "lsb,xy"2. LSB with Different Bit Planes
#b1 = first bit, b2 = second bit, etc.
zsteg image.png | grep "b[1-8],"3. Different Color Channels
#r=red, g=green, b=blue, a=alpha, rgb=combination
zsteg image.png | grep -E "r|g|b|a|rgb"4. Different Orders
#xy = row by row, yx = column by column
zsteg image.png | grep -E "xy|yx"