Return to Unfiction unforum
 a.r.g.b.b 
FAQ FAQ   Search Search 
 
Welcome!
New users, PLEASE read these forum guidelines. New posters, SEARCH before posting and read these rules before posting your killer new campaign. New players may also wish to peruse the ARG Player Tutorial.

All users must abide by the Terms of Service.
Website Restoration Project
This archiving project is a collaboration between Unfiction and Sean Stacey (SpaceBass), Brian Enigma (BrianEnigma), and Laura E. Hall (lehall) with
the Center for Immersive Arts.
Announcements
This is a static snapshot of the
Unfiction forums, as of
July 23, 2017.
This site is intended as an archive to chronicle the history of Alternate Reality Games.
  

The time now is Sun Nov 17, 2024 1:33 am
All times are UTC - 4 (DST in action)		 View posts in this forum since last visit
View unanswered posts in this forum
Calendar
 Forum index » Archive » Archive: The Lost Experience » TLE: General, Updates, Spec, & Info
[PUZZLE][SPEC] Stegged Images on Rachel's Blog?
View previous topicView next topic
Page 1 of 1 [10 Posts]  
Author Message
QuinceTheCarpenter
Boot


Joined: 09 Jul 2006
Posts: 40

 		[PUZZLE][SPEC] Stegged Images on Rachel's Blog?
I'm hoping some of the Steganography experts here on unfiction can help answer this question:

Is there information hidden in any of the images on Rachel's blog?

Based on looking at jpg images with Notepad, I am speculating that some of the images posted on Rachel's Blog may have hidden info. I am basing this speculation on what I call "weirdness" which includes repeating characters or "less dense" areas that include whitespace.

To support the idea that whitespace weirdness in a jpg can be a sign that an image is stegged, look at the images here http://sphynxian.blogspot.com/ which were stegged with Camoflage http://camouflage.unfiction.com/
The stegged files have some "less dense" whitespace at the end of the file, while the unstegged files do not.

Some of the images on Rachel's blog include whitespace, but it is not at the end of the file as was seen with Camoflage. I am guessing that some other steg program may have been used. This is where I need help/experience to decide if this is true, and if so, to find the passwords (probably based on hints in the blog).

I am most interested in the Helgus Antonius images, and the Glyphs image. For some reason, these scream "I'm stegged, decode me!"

It may be that the Helgus images or the Hostpital images (temporary and replacement version) are layers that need to be combined in Photoshop somehow, similar to what we saw in the hole3.thehansofoundation.org images previously.

Here are my notes on all the image files from Rachel's Blog, from most recent to oldest, including screen caps of the "weirdness" I am seeing.

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/helgus/helgus_2.jpg
http://stophanso.rachelblake.com/img/helgus/helgus_3.jpg (HELGUS ANTONiUS)
http://stophanso.rachelblake.com/img/helgus/helgus_1.jpg
http://stophanso.rachelblake.com/img/helgus/helgus_4.jpg
http://stophanso.rachelblake.com/img/helgus/helgus_5.jpg

helgus_2_weirdness
helgus_3_weirdness
helgus_1_weirdness
helgus_4_weirdness
helgus_5_weirdness

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/hospital/hospital.jpg (link: HANSO HOSPITAL)
A HANSO GROUP PUBLICATION?

hostpital_weirdness_top
hostpital_weirdness_one
hospital_weirdness_two

(temporarily posted version of hospital.jpg 070506 has similar weirdness)

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/hospital/letterbig.jpg (link: HIS BLOOD)
no weirdness

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/microphone/Week3_Post1.jpg
no whitespace weirdness, just one line of repeating characters:
µBmBµBmBµBmBµBmBµBmBµBmBµBmBµBmBµBmBµBmBµBmBµBmBµBm>ˆ҆îÉ´ô•„•úF¤

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/contrite/joopgwc.jpg (link: LAST TIME)
GWC
PETER THOMPSON OF THE HANSO FOUNDATION

joopgwc_weirdness_one
joopgwc_weirdness_two

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/response/glyphs.jpg

glyphs_weirdness_top
glyphs_weirdness_end

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/restaurant/Iceland1.jpg
no weirdness

http://stophanso.rachelblake.com/img/iron/Week2_Post1.jpg
no weirdness

http://stophanso.rachelblake.com/img/iron/maninblack.jpg
no weirdness

http://stophanso.rachelblake.com/img/fire/mentalhealth_2.jpg
(link: Armand Zander's letter to Mittelwerk)
THE VIK INSTITUTE
no whitespace weirdness, some repeating characters at the end

http://stophanso.rachelblake.com/img/wig/WEEK1POST5_still.jpg
no weirdness

http://stophanso.rachelblake.com/img/wig/blurry_map.jpg
no weirdness

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/mc_hugh/Hugh/hugh_2.jpg
(link: HUGH MCINTYRE) to http://stophanso.rachelblake.com/img/mc_hugh/Hugh/hugh.htm
(three images in one)
LONDON_capture 05/17/2006 ....
THAT DOESN'T LOOK LIKE SOMEONE'S WIFE OF FIFTEEN YEARS! MR. FAMILY VALUES INDEED! .
RECIEPTS. (mispelled)

hugh_2_weirdness_top
hugh_2_weirdness_one
hugh_2_weirdness_two

--------------------------------------------------------------------------------------------

http://stophanso.rachelblake.com/img/trucker/Wk1PST2_still.jpg
no weirdness

http://stophanso.rachelblake.com/img/comp/computer/one.JPG
no weirdness

http://stophanso.rachelblake.com/img/comp/computer/two.JPG
ALLIED COPENHAGEN MARINE MERCHANTS
ARCHIVAL QUERY PROGRAMME QUERY
no whitespace weirdness, some repeating characters

http://photos.bravenet.com/129/985/900/1/92DE8785E9.jpg
New World Sea Traders
(this file has a different header, etc. including "Exif"
and "Adobe Photoshop CS Macintosh" and some other header stuff)
no weirdness

http://www.rachelblake.com/img/Wk1PST1_still_sml.jpg
no weirdness

--------------------------------------------------------------------------------------------

PostPosted: Sun Jul 09, 2006 11:07 am
 View user's profile
 Back to top 
Bocom
Kilroy

Joined: 09 Jul 2006
Posts: 1

 		You know, I've seen such whitespace else where, outside TLE, it was in Half-Life files, that resembled sprays from in-game.

PostPosted: Sun Jul 09, 2006 12:28 pm
 View user's profile
 Back to top 
oli
Veteran

Joined: 06 Nov 2002
Posts: 121
Location: London, UK

 		There was an image a few weeks back which I suspected may contain stegged information.

Cophenhagen Post 03 contained various photos (since removed from the site) of Hugh McIntyre and a woman. One of them, titled hotel.jpg contained some obviously photoshopped text which read "Pas De Colportage". This was translated as "no soliciting" or similar.

As the text was so obviously superimposed, I ran the image through stegdetect, which give a ** positive for jphide. I tried various combinations of "Pas De Colportage", and possible translations as passwords, but no joy. Given the current quietness, it might be worth revisiting if anyone still has a copy of the picture.

PostPosted: Sun Jul 09, 2006 2:46 pm
 View user's profile
 Back to top 
Jalathas
Decorated


Joined: 05 Jan 2006
Posts: 170

 		Anyone remember this? Very Happy
_________________
Dovie'andi se tovya sagain-It's time to toss the dice.
Thus is our treaty written; thus is agreement made.
Thought is the arrow of time; memory never fades.
What was asked is given; the price is paid.

PostPosted: Sun Jul 09, 2006 3:26 pm
 View user's profile
 Back to top 
QuinceTheCarpenter
Boot


Joined: 09 Jul 2006
Posts: 40
oli wrote:
There was an image a few weeks back which I suspected may contain stegged information.

Cophenhagen Post 03 contained various photos (since removed from the site) of Hugh McIntyre and a woman. One of them, titled hotel.jpg contained some obviously photoshopped text which read "Pas De Colportage". This was translated as "no soliciting" or similar.

As the text was so obviously superimposed, I ran the image through stegdetect, which give a ** positive for jphide. I tried various combinations of "Pas De Colportage", and possible translations as passwords, but no joy. Given the current quietness, it might be worth revisiting if anyone still has a copy of the picture.

I found a copy of the removed Hugh McIntyre images saved by DharmaChick here: http://www.thefuselage.com/Threaded/showpost.php?p=1059529&postcount=2

Direct links to the copies of the images:
hotel.jpg (this is the image with the sign "PAS DE COLPORTAGE")
wedding_3.jpg
knee_touch.jpg
kiss.jpg
zoom_id.jpg

stegdetect is negative for all of these files except hotel.jpg which I also detect as jphide(**)

---------------------------------------------------------------------------------

I ran stegdetect (testing for jsteg, jphide, outguess, and invisible with senstivity 1.00) on all the jpg files from my original post above. All came back negative except http://stophanso.rachelblake.com/img/iron/maninblack.jpg which detected jphide(**)

That throws a curve in my "weirdness" criteria, but is interesting nonetheless, and does not prove the cause of the "weirdness" in other files as steg related or non-steg.

PostPosted: Sun Jul 09, 2006 9:04 pm
Last edited by QuinceTheCarpenter on Sun Jul 09, 2006 11:44 pm; edited 1 time in total
 View user's profile
 Back to top 
Satyr
Boot

Joined: 25 May 2005
Posts: 62

 		I didn't check all the imgs, but I randomly selected a few files (hexdump) and while it confirms photoshop's involvement, there's no camo-like steg on any of the helgus pictures (helgus_1.jpg to helgus_5.jpg)

I doubt the PMs would rely on steg (camo) cos it's not 'common tools' except for ARGers. It's a 'for the common people' experience. Though I guess it's not beyond them to throw a few random 'difficult' puzzles in.

Camo-based steg-jpgs will not see any degredation of the host file (it's tagged at the end past the jpg-end signature).

PostPosted: Sun Jul 09, 2006 11:41 pm
 View user's profile
 Back to top 
jack+sayid=dirtyislandluv
Kilroy

Joined: 10 Jul 2006
Posts: 1

 		Re: [PUZZLE][SPEC] Stegged Images on Rachel's Blog?
QuinceTheCarpenter wrote:
I'm hoping some of the Steganography experts here on unfiction can help answer this question:

Is there information hidden in any of the images on Rachel's blog?

Based on looking at jpg images with Notepad, I am speculating that some of the images posted on Rachel's Blog may have hidden info. I am basing this speculation on what I call "weirdness" which includes repeating characters or "less dense" areas that include whitespace.

To support the idea that whitespace weirdness in a jpg can be a sign that an image is stegged, look at the images here http://sphynxian.blogspot.com/ which were stegged with Camoflage http://camouflage.unfiction.com/
The stegged files have some "less dense" whitespace at the end of the file, while the unstegged files do not.

Some of the images on Rachel's blog include whitespace, but it is not at the end of the file as was seen with Camoflage. I am guessing that some other steg program may have been used. This is where I need help/experience to decide if this is true, and if so, to find the passwords (probably based on hints in the blog).

I am most interested in the Helgus Antonius images, and the Glyphs image. For some reason, these scream "I'm stegged, decode me!"

It may be that the Helgus images or the Hostpital images (temporary and replacement version) are layers that need to be combined in Photoshop somehow, similar to what we saw in the hole3.thehansofoundation.org images previously.

Here are my notes on all the image files from Rachel's Blog, from most recent to oldest, including screen caps of the "weirdness" I am seeing.

------------------------------------------------------------------------------------

{moderator goes *snip*}

------------------------------------------------------------------------------------




Dude!!! Are you the one posting as Quince on Rachel's blog????


I caught your comment on her most recent post (Italy 05) and was very intrigued by this whole hidden file thing.

We started a thread over at the numbers forums. We determined using stegdetect that indeed hotel.jpg and maninblack.jpg were tampered with using jphide. However we we used stegbreak to try and find the hidden files, we had no luck.

What do you all think? False positive on the jphide?? Or are we missing a way to get at whatever is hidden in these jpgs?

[/url]

PostPosted: Mon Jul 10, 2006 11:52 pm
 View user's profile
 Back to top 
QuinceTheCarpenter
Boot


Joined: 09 Jul 2006
Posts: 40

 		Re: [PUZZLE][SPEC] Stegged Images on Rachel's Blog?
jack+sayid=dirtyislandluv wrote:

Dude!!! Are you the one posting as Quince on Rachel's blog????


I caught your comment on her most recent post (Italy 05) and was very intrigued by this whole hidden file thing.

We started a thread over at the numbers forums. We determined using stegdetect that indeed hotel.jpg and maninblack.jpg were tampered with using jphide. However we we used stegbreak to try and find the hidden files, we had no luck.

What do you all think? False positive on the jphide?? Or are we missing a way to get at whatever is hidden in these jpgs?

[/url]
Yes, I posted as QuinceTheCarpenter on Rachel's blog with the question about those two files. I have hit the same wall you did, detecting jphide(**) on maninblack.jpg and confirming it on hotel.jpg

Glad to hear you are working on the problem. The more the merrier.

I have tried a fairly large set of possible passwords (related mostly to Rachel's blog entries and videos) with stegbreak with no luck. Stegbreak does report some kind of errors with each of these files:

Code:
stegbreak -r .\rules.ini -f .\words.txt -tp hotel.jpg
Corrupt JPEG data: 5234 extraneous bytes before marker 0xda

Code:
stegbreak -r .\rules.ini -f .\words.txt -tp maninblack.jpg
Corrupt JPEG data: premature end of data segment


I don't know whether these might indicate a "false positive" and that is what led me to ask the question on Rachel's blog - it would be great to get another hint if there is anything really there.

If you crack 'em, please post here.

PostPosted: Tue Jul 11, 2006 2:34 am
 View user's profile
 Back to top 
makomk
Boot

Joined: 11 Jul 2006
Posts: 56

 		Re: [PUZZLE][SPEC] Stegged Images on Rachel's Blog?
QuinceTheCarpenter wrote:
jack+sayid=dirtyislandluv wrote:

Dude!!! Are you the one posting as Quince on Rachel's blog????


I caught your comment on her most recent post (Italy 05) and was very intrigued by this whole hidden file thing.

We started a thread over at the numbers forums. We determined using stegdetect that indeed hotel.jpg and maninblack.jpg were tampered with using jphide. However we we used stegbreak to try and find the hidden files, we had no luck.

What do you all think? False positive on the jphide?? Or are we missing a way to get at whatever is hidden in these jpgs?

[/url]
Yes, I posted as QuinceTheCarpenter on Rachel's blog with the question about those two files. I have hit the same wall you did, detecting jphide(**) on maninblack.jpg and confirming it on hotel.jpg

Glad to hear you are working on the problem. The more the merrier.

I have tried a fairly large set of possible passwords (related mostly to Rachel's blog entries and videos) with stegbreak with no luck. Stegbreak does report some kind of errors with each of these files:

Code:
stegbreak -r .\rules.ini -f .\words.txt -tp hotel.jpg
Corrupt JPEG data: 5234 extraneous bytes before marker 0xda

Code:
stegbreak -r .\rules.ini -f .\words.txt -tp maninblack.jpg
Corrupt JPEG data: premature end of data segment


I don't know whether these might indicate a "false positive" and that is what led me to ask the question on Rachel's blog - it would be great to get another hint if there is anything really there.

If you crack 'em, please post here.


Your stegbreak is broken (or your JPEGs have got damaged in transit). However, that's probably not what's causing stegdetect to think there's hidden data - I have a seemingly working stegbreak/stegdetect 0.6 install, and it still detects them as jphide(**). If you want to try the latest stegbreak/stegdetect, you might try compiling them from source either under Cygwin on Windows or (preferably) under Linux.

Also, see my post on the numbers forum thread (page 6) for how to fix stegbreak 0.6 so that it doesn't immediately crash, and for other images that test positive...

PostPosted: Tue Jul 11, 2006 12:44 pm
 View user's profile
 Back to top 
QuinceTheCarpenter
Boot


Joined: 09 Jul 2006
Posts: 40

 		Thanks Makomk, that's good information you posted on the other forum...

Quote:
As I mentioned here, stegdetect does pick up false positives sometimes (in fact, if I'm reading the results correctly, it's a lot more confident about http://www.sublymonal.com/gi/dv843010.jpg, http://www.garytroup.net/images/jpg/btm3.jpg, and http://www.rachelblake.com/img/header1.jpg containing jphide stenography (three stars - the maximum) than it is these two).


Oh, and the version of stegbreak in stegdetect-0.6 has a bug that means it may crash immediately (depends on your compiler and your luck). To fix it, look in stegbreak.c, find the line
Code:
struct handler handlers[] = {

and insert just before the following }; a line reading
Code:
    { }



I also get a postitive for jphide(***) for these three images running stegdetect version 0.4 on windows/DOS.

PostPosted: Tue Jul 11, 2006 3:48 pm
 View user's profile
 Back to top 
Display posts from previous:   Sort by:   
Page 1 of 1 [10 Posts]  
View previous topicView next topic
 Forum index » Archive » Archive: The Lost Experience » TLE: General, Updates, Spec, & Info
Jump to:  


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum
You cannot post calendar events in this forum



Powered by phpBB © 2001, 2005 phpBB Group