zsteg
Detect hidden data within images
TLDR
Detect embedded data in a PNG
Detect embedded data in a BMP image, using all known methods
Detect embedded data in a PNG, iterating pixels vertically and using MSB first
Detect embedded data in a BMP image, specifying the bits to consider
Detect embedded data in a PNG, extracting only prime pixels and inverting bits
Detect embedded data in a BMP image, specifying the minimum length of the strings to be found and the find mode
SYNOPSIS
zsteg [options] <file>
PARAMETERS
-E <method>, --explore <method>
Explores the specified steganography method (e.g., 'lsb', 'zlib', 'all'). This attempts to identify whether data is hidden using the given method.
-e <method>, --extract <method>
Extracts data using the specified steganography method. Requires the method to be known or previously identified.
-x, --extract-all
Attempts to extract all hidden data it can find using various methods automatically.
-p <password>, --password <password>
Provides a password to use when attempting to extract password-protected steganographic data.
-b <bits>, --bits <bits>
Specifies the number of Least Significant Bits (LSB) to analyze or extract from, typically used with LSB methods.
-o <offset>, --offset <offset>
Defines an offset in bytes from where to start analyzing or extracting data, primarily for LSB methods.
-f <filename>, --file <filename>
Specifies the input filename to analyze. While often provided as a direct argument, this option explicitly sets the input file.
--save <filename>
Saves the extracted data to the specified output filename instead of printing to standard output.
--brute
Enables brute-force mode, attempting various combinations of LSB bits and offsets to find hidden data.
--detect-all
A comprehensive mode that tries all known detection methods to find any hidden data.
-c <charset>, --charset <charset>
Specifies a charset for brute-forcing LSB data, e.g., 'printable' or 'ascii'.
-L <level>, --level <level>
Sets the zlib compression level to use when re-compressing or analyzing zlib streams. Used for specific zlib-based techniques.
-v, --verbose
Increases verbosity, providing more detailed output during analysis and extraction.
-h, --help
Displays a help message with usage information and available options.
DESCRIPTION
zsteg is a command-line utility for detecting and extracting hidden data in image files (such as PNG, BMP, GIF, and JPG) that carry steganographic content, with particular emphasis on methods involving zlib-compressed streams. It acts as a specialized wrapper that automates the identification of steganographic content of the kind commonly used in Capture The Flag (CTF) challenges. Unlike general-purpose steganography tools, zsteg excels at finding data embedded in the metadata or pixel data of images, especially where common techniques such as Least Significant Bit (LSB) steganography are combined with zlib compression. It can explore candidate methods, extract hidden files, and attempt to brute-force passwords for encrypted stego data.
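An added illustration, not zsteg's own code (which is Ruby), of the heuristics this description refers to: LSB extraction with the pixel order, bit order, bit count, prime-pixel and invert variations named in the TLDR, followed by a printable-strings pass and a zlib-inflate check. The carrier image, payload and all helper names are constructed for the example.

```python
import re
import zlib

# Added example, not zsteg's own code: a minimal model of the LSB heuristics
# zsteg automates. Pixels are (r, g, b) tuples in row-major order.

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def extract_bits(pixels, width, height, bits=1, order="xy",
                 msb=False, prime=False, invert=False):
    # Walk pixels row-major ("xy") or column-major ("yx"), take the `bits` low
    # bits of each channel (prime-indexed pixels only if `prime`, flipped if
    # `invert`), then pack 8 bits per byte, LSB-first unless `msb`.
    if order == "xy":
        coords = [(x, y) for y in range(height) for x in range(width)]
    else:
        coords = [(x, y) for x in range(width) for y in range(height)]
    stream = []
    for i, (x, y) in enumerate(coords):
        if prime and not is_prime(i):
            continue
        for v in pixels[y * width + x]:
            for b in range(bits):
                stream.append(((v >> b) & 1) ^ int(invert))
    out = bytearray()
    for i in range(0, len(stream) - 7, 8):
        chunk = stream[i:i + 8] if msb else stream[i:i + 8][::-1]
        out.append(int("".join(map(str, chunk)), 2))
    return bytes(out)

def find_strings(data, min_len=4):
    # Printable ASCII runs of at least min_len bytes, as a strings pass would find.
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_zlib(data):
    # Inflate the first complete zlib stream found at any offset; None if none.
    for off in range(len(data)):
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[off:])
            if d.eof:
                return out
        except zlib.error:
            pass

def make_sample(payload, width=16, height=16):
    # Constructed carrier: mid-grey image with payload bits (LSB-first) in the
    # low bit of each channel, row-major; unused channels stay 0x80.
    bits = [(byte >> k) & 1 for byte in payload for k in range(8)]
    flat = [0x80 | (bits[k] if k < len(bits) else 0) for k in range(width * height * 3)]
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]
```

Running the extractor with the wrong bit order or inversion yields garbage (see the first-byte checks), which is why zsteg tries these variations rather than assuming one layout.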
CAVEATS
zsteg is highly effective against steganography that involves zlib compression and common image formats (PNG, BMP, GIF, JPG). However, its effectiveness may be limited against more sophisticated or custom steganographic methods that do not rely on standard zlib streams or known image structures. It primarily focuses on detection and extraction rather than on embedding data. Because detection relies on heuristics, results can include false positives or fragmented data.
SUPPORTED FILE TYPES
zsteg primarily focuses on image files that often contain zlib-compressed data streams. This includes, but is not limited to, PNG, BMP, GIF, and JPG images. Its methods are tailored to detect modifications within the internal structure or pixel data of these formats.
TYPICAL USE CASES
zsteg is a go-to tool for steganography challenges in CTFs, digital forensics for identifying hidden malicious payloads, and security audits to check for covert channels. Its automated detection capabilities make it useful for initial triage of suspicious image files.
HISTORY
zsteg emerged as a specialized tool within the cybersecurity and Capture The Flag (CTF) community, where steganography challenges are common. Its development was driven by the need for a quick and efficient way to analyze image files for hidden data, particularly where standard tools such as steghide, or manual analysis with stegsolve, proved too slow or cumbersome for zlib-compressed content. It automates several detection heuristics, making it a valuable asset for rapid steganography analysis in competitive hacking scenarios.