Hidden message in unknown file (type)

ronorono GSEC, GCIH, GMON - Blue team Member Posts: 121 ■■■□□□□□□□
edited January 11 in Cybersecurity
Hello.


I've got a file with a message in it and I need some ideas on how I can find/extract the message. The file seems to be a GIF file after running it on virustotal.com. I tried some Linux steganography tools and conversion from GIF to other picture formats or Base64 and to text, but no luck. I'm kind of stuck, and any ideas or tips will be appreciated.
Mess with the best,Die like the rest!

Comments

  • yoba222yoba222 Senior Member Member Posts: 1,213 ■■■■■■■■□□
    Not much of a steganography person, but I'd try to run strings, check the metadata, and perhaps check for alternate data streams on a Windows machine.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
  • c5rookiec5rookie CISSP-ISSAP, CCNA, GCED, GCFA, GCIA, GCIH, GCUX, GCWN, GPEN, GWAPT, A+, Net+, Sec+, Linux+, Pentest+ U.S.Member Posts: 51 ■■■□□□□□□□
    Do you know where the source file came from?  Extracting messages can be a crapshoot since steganography tools are independent from each other.  What you embed with one tool is unlikely to be extracted by another tool.  If the file was created on a computer you have access to, that system might have the steganography program installed.  Once you know what tool was used, it should make it a little easier to extract the message.  Of course there are other factors such as password protection which will be another hurdle.
    Other things to check would be to examine the file in a hex editor and look at the file header to confirm that Virus Total was right about it being a GIF file.  You might need to rebuild the header or end of file marker to match the correct file type.  If the file has a second file embedded in it, you could see what information 'binwalk' provides.
  • ronorono GSEC, GCIH, GMON - Blue team Member Posts: 121 ■■■□□□□□□□
    Thanks for the input, @yoba222 and @c5rookie. I opened the file in Notepad, which showed a looong file with scrambled and weird text. I found a string that could be read in Norwegian like "who is s3arching it will finally find it" ... and it was the right answer. In my attempt to find a solution I tried to fix the original GIF file and always got the same error, like "error occured at block 177....blah blah", and thought that I should look at the content with Notepad, since all steganography tools are independent from each other, as mentioned by @c5rookie.
    Thanks!
    Mess with the best,Die like the rest!
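
The checks suggested in the comments above (confirm the GIF signature, locate the end-of-file marker, run strings over what is left) can be combined in one small script. This is an added example, not code posted by anyone in the thread; the function names and the sample bytes are constructed for illustration.

```python
import re

# Constructed sample (not the file from this thread): a minimal 1x1 GIF89a
# with text appended after the trailer byte.
SAMPLE = (b"GIF89a" b"\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
          b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x44\x01\x00"
          b"\x3b" b"constructed hidden note")

def color_table_len(flags):
    """Size in bytes of a colour table announced by a packed-flags byte."""
    return 3 * 2 ** ((flags & 0x07) + 1) if flags & 0x80 else 0

def skip_sub_blocks(data, pos):
    """Walk length-prefixed sub-blocks up to and including the 0x00 terminator."""
    while True:
        if pos >= len(data):
            raise ValueError(f"truncated sub-block at offset {pos}")
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos

def inspect_gif(data):
    """Return (signature_ok, trailer_offset, bytes_after_trailer, error)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, None, b"", "bad signature"
    try:
        pos = 13 + color_table_len(data[10])   # header + logical screen descriptor
        while pos < len(data):
            kind = data[pos]
            if kind == 0x3B:                   # trailer: end-of-file marker
                return True, pos, data[pos + 1:], None
            if kind == 0x21:                   # extension: label byte, then sub-blocks
                pos = skip_sub_blocks(data, pos + 2)
            elif kind == 0x2C:                 # image descriptor (10 bytes)
                pos += 10 + color_table_len(data[pos + 9])
                pos = skip_sub_blocks(data, pos + 1)   # +1 skips LZW code size
            else:
                raise ValueError(f"unknown block 0x{kind:02x} at offset {pos}")
        raise ValueError("no trailer byte (0x3B) found")
    except (ValueError, IndexError) as exc:
        return True, None, b"", str(exc)

def printable_strings(data, min_len=6):
    """Like the strings utility: runs of printable ASCII of at least min_len."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    ok, trailer, extra, err = inspect_gif(SAMPLE)
    print(ok, trailer, err, printable_strings(extra))
```

When the walk fails partway, the reported offset shows where the block structure stops being valid GIF, and running `printable_strings` over the whole file is the fallback.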