
Steganography Techniques
Systematically detect and extract hidden data from images, audio, files, and text during security reviews, CTFs, or incident triage.
Overview
Steganography Techniques is an agent skill most often used in Ship (also Operate → iterate and Build → integrations) that guides systematic detection and extraction of hidden data across image, audio, file, and text carriers.
Install
npx skills add https://github.com/yaklang/hack-skills --skill steganography-techniques
What is this skill?
- File-type branches: image (LSB, PNG chunks, JPEG DCT, EXIF), audio (spectrogram, DTMF), file (polyglots, binwalk, ADS)
- Text stego: whitespace, zero-width Unicode, homoglyphs
- Routes to traffic-analysis-pcap, memory-forensics-volatility, classical-cipher-analysis, and STEGO_TOOLS_GUIDE
- Systematic detection-before-deep-extraction workflow base models often skip
- Covers steghide and tool-specific extraction patterns
- Coverage spans image, audio, file, and text stego branches plus related-skill routing table
Adoption & trust: 1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have suspicious media or dumps but ad-hoc stego guesses miss LSB, chunk, spectrogram, and text-channel hiding that systematic analysis would catch.
Who is it for?
CTF players, indie devs auditing upload pipelines, or solo responders triaging odd attachments with agent-assisted tool runs.
Skip if: High-volume enterprise eDiscovery without local tooling, or pure network pentest with no artifact files—start with traffic-analysis-pcap instead.
When should I use this skill?
Analyzing images, audio, files, or text for hidden data—LSB, PNG chunks, JPEG DCT, EXIF, spectrogram, polyglots, whitespace, zero-width, homoglyphs.
What do I get? / Deliverables
You follow a typed analysis path, apply the right tools, and optionally chain to PCAP/memory/cipher skills when extracted blobs need further decoding.
- Typed analysis checklist per media
- Extracted hidden payloads or negative findings
- Pointers to follow-on PCAP/memory/cipher skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
First shelf is Ship → Security for pre-release malware/stego checks; same workflow supports Operate forensics after extraction. Security covers structured stego analysis on artifacts that could smuggle payloads or C2 hints past casual inspection.
Where it fits
Scan user-uploaded images for LSB and metadata stego before enabling public galleries.
Triage a suspicious PNG from a support ticket using chunk and EXIF workflows.
After PCAP file carving, run typed stego extraction on recovered blobs.
How it compares
Forensics-style stego playbook with tool routing—not a single-purpose LSB decoder or generative media skill.
Common Questions / FAQ
Who is steganography-techniques for?
Solo builders and security practitioners who analyze images, audio, archives, or text for concealed payloads using repeatable, tool-aware steps.
When should I use steganography-techniques?
Use in Ship → Security on upload/abuse samples; in Operate → iterate on incident artifacts; in Build → integrations when piping extracted files from PCAP or memory skills.
Is steganography-techniques safe to install?
It may reference shell-based forensic tools—only analyze files you are allowed to handle; verify the skill source on the Security Audits panel for this listing.
SKILL.md
# SKILL: Steganography Techniques — Expert Analysis Playbook

> **AI LOAD INSTRUCTION**: Expert steganography detection and extraction techniques. Covers image steganography (LSB, PNG chunk hiding, JPEG DCT, EXIF metadata, dimension tricks, palette manipulation), audio steganography (spectrogram, LSB, DTMF, morse), file steganography (polyglots, binwalk, NTFS ADS, steghide), and text steganography (whitespace, zero-width Unicode, homoglyphs). Base models miss the systematic file-type-based analysis approach and tool-specific extraction workflows.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [traffic-analysis-pcap](../traffic-analysis-pcap/SKILL.md) for extracting files from network captures before stego analysis
- [memory-forensics-volatility](../memory-forensics-volatility/SKILL.md) for extracting files from memory dumps
- [classical-cipher-analysis](../classical-cipher-analysis/SKILL.md) if extracted hidden data is further encrypted/encoded

### Tool Reference

Also load [STEGO_TOOLS_GUIDE.md](./STEGO_TOOLS_GUIDE.md) when you need:

- Tool installation instructions and dependencies
- Detailed command reference for each stego tool
- Workflow patterns for specific file types

---

## 1. IMAGE STEGANOGRAPHY

### LSB (Least Significant Bit)

LSB embeds data in the least significant bits of pixel color channels.

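To show what a bit-plane read does during triage, here is an added example (not part of the original SKILL.md or of any tool it names). It assumes raw channel bytes in R,G,B row-major order and MSB-first bit packing; the function names, the sample cover, and the marker string are constructed for illustration.

```python
import random
import re

def extract_bit_plane(channels: bytes, bit: int = 0) -> bytes:
    """Read one bit from every channel byte (R,G,B,R,G,B,... row-major)
    and pack the bits MSB-first; a trailing partial byte is dropped."""
    out = bytearray()
    acc = 0
    for i, value in enumerate(channels):
        acc = (acc << 1) | ((value >> bit) & 1)
        if i % 8 == 7:
            out.append(acc)
            acc = 0
    return bytes(out)

def printable_runs(data: bytes, min_len: int = 12) -> list:
    """ASCII runs of at least min_len bytes, like `strings` over the plane."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def build_constructed_sample(message: bytes, n_pixels: int = 64 * 64) -> bytes:
    """Constructed test input: seeded random RGB bytes whose first LSBs
    carry `message`. Stands in for decoded pixel data from a real image."""
    rng = random.Random(1)
    cover = bytearray(rng.randrange(256) for _ in range(n_pixels * 3))
    bits = [(byte >> (7 - k)) & 1 for byte in message for k in range(8)]
    for i, b in enumerate(bits):
        cover[i] = (cover[i] & 0xFE) | b
    return bytes(cover)

MESSAGE = b"flag{constructed_example}"  # constructed marker, not from the page

if __name__ == "__main__":
    sample = build_constructed_sample(MESSAGE)
    # Walk all eight planes: only bit 0 should yield a long printable run.
    for plane in range(8):
        runs = printable_runs(extract_bit_plane(sample, plane))
        print(f"bit {plane}: {runs[:1] or 'no printable run'}")
```

For a real file, decode the pixels first (for example with Pillow's `Image.open(path).convert("RGB").tobytes()`) and pass the result to `extract_bit_plane`.
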
```bash
# zsteg — LSB analysis for PNG/BMP
zsteg image.png                      # auto-detect all LSB patterns
zsteg image.png -a                   # try all known methods
zsteg image.png -b 1                 # extract bit plane 1
zsteg image.png -E "b1,rgb,lsb,xy"   # specific extraction pattern

# StegSolve (Java GUI)
java -jar StegSolve.jar
# Navigate color planes: Red 0, Green 0, Blue 0 → look for hidden image/text
# Data Extractor: specify bit planes + byte order

# stegoveritas — comprehensive automated analysis
stegoveritas image.png
# Runs: exiftool, binwalk, zsteg, foremost, color plane extraction
```

### PNG Specific

```bash
# pngcheck — validate structure, find hidden chunks
pngcheck -v image.png
# Hidden chunks: tEXt, zTXt (compressed text), iTXt (international text)
# Custom/private chunks may contain hidden data

# CRC vs dimensions trick
# If CRC doesn't match declared dimensions → image was cropped
# Fix: brute-force correct width/height → reveals hidden rows/columns
python3 -c "
import struct, zlib
with open('image.png','rb') as f:
    data = f.read()
# IHDR data is the 13 bytes at offsets 16-28; the stored IHDR CRC is at offset 29
ihdr = data[16:29]
stored_crc = struct.unpack('>I', data[29:33])[0]
for h in range(1,2000):
    for w in range(1,2000):
        # Replace width/height, keep the remaining 5 IHDR bytes unchanged
        new_ihdr = struct.pack('>II',w,h) + ihdr[8:]
        if zlib.crc32(b'IHDR'+new_ihdr) & 0xffffffff == stored_crc:
            print(f'Width: {w}, Height: {h}')
"

# APNG (animated PNG) — hidden frames
# Use apngdis to extract all frames:
apngdis image.png
```

### JPEG Specific

```bash
# steghide — embed/extract from JPEG (DCT coefficient modification)
steghide extract -sf image.jpg               # extract (no passphrase)
steghide extract -sf image.jpg -p PASSWORD   # extract with passphrase
steghide info image.jpg                      # check if data is embedded

# stegcracker — brute force steghide passphrase
stegcracker image.jpg wordlist.txt

# jsteg — JPEG LSB steganography
jsteg reveal image.jpg output.txt

# JPEG structure analysis
exiftool -v3 image.jpg   # verbose metadata + structure
jpegdump image.jpg       # raw JPEG marker analysis
```

### EXIF Metadata

```bash
# exiftool — comprehensive metadata extraction
exiftool image.jpg
exiftool -b -ThumbnailImage image.jpg > thumb.jpg   # extract thumbnail
exiftool -all= image.jpg                            # strip all metadata

# Hidden data