CyberCheatsheets

Steganography Cheat Sheet

Steganography and hidden-data extraction for CTF and forensics: images, audio, files, and embedded archives.

Forensics & IR | Tags: ctf, forensics, hidden-data, image, steganography | Updated 2026-06-17

Overview

Steganography hides data inside other files—images, audio, documents. In CTFs and forensics you're usually on the extraction side: find and pull out what's concealed. The reliable workflow is to triage the file (type, strings, metadata), check for appended/embedded data, then try format-specific stego tools.

Authorized and lawful use only. Analyze only files you own or are permitted to examine.

Triage any file first

Confirm the real file type (extensions lie)

file suspicious.png

Metadata — comments, GPS, hidden fields

exiftool suspicious.png

Readable strings (flags are often in plaintext)

strings -n 8 suspicious.png | less

Inspect magic bytes / look for anomalies

xxd suspicious.png | head

Appended & embedded files

Detect embedded files/archives

binwalk suspicious.png

Auto-extract embedded content

binwalk -e suspicious.png

Carve files by signature

foremost -i suspicious.png -o out/

Many images have a ZIP appended — just try unzip

unzip suspicious.png

Images

Extract hidden data (JPG/BMP/WAV) — prompts for passphrase

steghide extract -sf image.jpg

Check if steghide data is present

steghide info image.jpg

LSB stego in PNG/BMP (try all methods)

zsteg -a image.png

Brute-force a steghide passphrase (fast)

stegseek image.jpg rockyou.txt

GUI: flick through bit planes / color channels

# stegsolve.jar

Audio

Hidden text/images often appear in the spectrogram

# Audacity / Sonic Visualiser → Spectrogram view

steghide also supports WAV

steghide extract -sf audio.wav

Check for data appended after the audio stream

xxd audio.wav | tail

Passwords & quick wins

Try an empty passphrase first (just press Enter)

steghide extract -sf image.jpg -p ''

Brute-force steghide with a wordlist

stegseek image.jpg /usr/share/wordlists/rockyou.txt

Compare an original vs modified image pixel-by-pixel

compare orig.png stego.png diff.png   # ImageMagick

Tips

  • Always run file + strings + exiftool + binwalk first — they solve a surprising number of challenges.
  • stegseek cracks steghide passphrases far faster than older brute-forcers — keep rockyou handy.
  • For audio, the answer is usually in the spectrogram, not the bytes.
  • zsteg for PNG/BMP LSB, steghide for JPG/WAV — pick the tool by file type.
