Vigilia_Procuratio ago

I'm not convinced about this. The program found the “CDN” marker in the hex, which is apparently a hallmark of Hiderman, but it looks like random data. It's a bit like finding “PK” and assuming there's an archive hidden in it, which is precisely what happened with an attachment from Wikileaks.

Further reading: http://www.spy-hunter.com/Steganography_V7.0_BlackHat_V3.pdf

newworldahead ago

This picture has been steg-flagged twice using two different programs. Sure we can try with a third one but so far it looks like there's really something hidden inside this "Action shot" picture.

Vigilia_Procuratio ago

They will flag it if they search for and find “CDN” in the hex, which is the case here. As it happens, it's also in two of these...

https://wikileaks.org/podesta-emails/emailid/38306

We could probably do with some kind of comparison, that being how often “CDN” appears in random images. If it keeps on showing up in Wikileaks attachments then it will eventually go beyond coincidence.

newworldahead ago

If I understand correctly, the "CDN" signature must appear at the very end of the hex for the image to be positive, thus making it less likely to be a mere coincidence.

Vigilia_Procuratio ago

If you look at this one for example...

https://archive.fo/sBs0G

That isn't the email you posted, it's one of those from the link I gave. So “CDN” is clearly there in the hex and StegSpy flags this. In fact, it's in the hex twice in this file. It looks like random data, there's simply nothing else around it which looks out of place. But who knows?

newworldahead ago

I see. I'll try scanning some random images later today and see what comes up.

Vigilia_Procuratio ago

Right, well that's not the case here. If you use XVI32 for example, that's a hex editor, you can take the decimal position StegSpy gives and go to that location in the editor, so you can see the exact code it's flagging. In this case, and in the cases of the above emails, it's not at the end of the file so it could just be random. Like I said though, if you looked for “CDN” in a thousand images and only found it in Wikileaks attachments then it would be rather odd, but so far it looks like it's just normal hex.
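Added example, not code from the thread or from StegSpy: a small Python script that does by hand what the discussion above describes, listing every decimal offset of the "CDN" byte sequence (the positions you would jump to in a hex editor), checking whether a hit sits at the end of the file rather than somewhere in the middle, and estimating how often such a short marker turns up by chance in random data, with the "PK" sequence mentioned earlier for comparison. The marker bytes, the tail window and the sample files are constructed assumptions.

```python
import random

# Byte signature the thread says StegSpy associates with Hiderman (assumption:
# treated here as an opaque 3-byte string, exactly as a scanner would).
MARKER = b"CDN"

def find_marker(data: bytes, marker: bytes = MARKER) -> list:
    """Every offset at which marker occurs in data, overlapping hits included.
    These are the decimal positions you would go to in a hex editor."""
    hits, start = [], 0
    while (idx := data.find(marker, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits

def classify(data: bytes, marker: bytes = MARKER, tail: int = 16) -> dict:
    """Weak check: marker anywhere.  Strong check: a hit within `tail` bytes of
    EOF, the condition the thread says a real positive should satisfy."""
    hits = find_marker(data, marker)
    return {"offsets": hits,
            "anywhere": bool(hits),
            "at_end": any(h + len(marker) >= len(data) - tail for h in hits)}

def expected_random_hits(length: int, marker_len: int = 3) -> float:
    """Expected chance occurrences of a marker_len-byte string in `length`
    uniformly random bytes: one trial per position, each with odds 256**-marker_len.
    Compressed image data is not perfectly uniform, so treat this as a rough base rate."""
    return max(length - marker_len + 1, 0) / 256 ** marker_len

def random_baseline(n_files: int, size: int, marker: bytes = MARKER, seed: int = 1) -> float:
    """Fraction of `n_files` constructed random blobs of `size` bytes that a
    marker-anywhere scanner would flag.  Seeded so the result is repeatable."""
    rng = random.Random(seed)
    flagged = sum(1 for _ in range(n_files) if find_marker(rng.randbytes(size), marker))
    return flagged / n_files

# Constructed sample files (not real attachments): one with the marker mid-file
# only, one with a second copy right at the end of the file.
MID_ONLY = b"\xff\xd8JFIF" + b"xx" + MARKER + b"\x00" * 100
END_ALSO = MID_ONLY + MARKER

if __name__ == "__main__":
    for name, blob in (("mid_only", MID_ONLY), ("end_also", END_ALSO)):
        print(name, classify(blob))
    for m in (b"PK", MARKER):
        print(m, "expected hits in 1 MiB of random bytes:",
              round(expected_random_hits(2**20, len(m)), 3),
              "| flagged fraction of 3 random blobs:", random_baseline(3, 2**20, m))
```

A two-byte marker like "PK" is expected roughly 16 times per MiB of random bytes, while a three-byte one like "CDN" is expected about 0.06 times, so a mid-file "CDN" hit in a large image is unusual but far from impossible, which is why the end-of-file condition and a scan of unrelated images matter.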