
Lab 1 Information Hiding: Before You Start

This lab demonstrates different approaches to hiding data and information within a computer system. Part 1 examines hiding standalone files and folders in Windows. Part 2 demonstrates storing data in the slack space of files without being saved as an actual file. Part 3 investigates using digital images for data hiding. The lab uses tools like Hex Workshop to view and modify file contents at the hexadecimal level, allowing data to be covertly embedded in files.

Uploaded by

Manav Batra

CSE 3482

Introduction to Computer Security

Lab 1
Information Hiding

Within each computer, information can be stored as a normal file, hidden file, or in the slack or free
space. The purpose of this lab is to demonstrate each of these approaches to data/information hiding.
In particular, in Part 1, we will examine how one can hide standalone files and folders in Windows OS.
In Part 2, we will examine how data can be stored onto the storage device without actually being
saved as a file in the operating system. In Part 3, we will investigate the use of digital images for the
purpose of data hiding.

Tools: Hex Workshop, JPHS (JP Hide and Seek).

Before you start …


This and all subsequent labs are done in a specially created Windows Virtual Machine. Once you have
logged into a machine in LAS 1002, you can start (i.e., log in) this virtual machine by typing ‘3482’ in
the Linux shell. After the VM is created, you need to download (i.e., set up) a few files that are
required for the execution of Lab 1. In particular,
1. In the C:\ drive of your VM, create a directory ‘3482’.
2. In this newly created C:\3482 directory, download Lab1.zip from eClass Lab 1 module.
3. By unzipping Lab1.zip, a directory C:\3482\Lab1 will be created. Verify that this directory comprises
three subdirectories: Part 1, Part 2, and Part 3, each with a number of respective files in it.

1. Hiding Files in Windows [20 points]


One common information/file hiding technique in Windows OS is to place the respective file in an
obscure location such as C:\Winnt\System32\OS2\Drivers. This will usually prevent the average user
from finding the file. However, a system search will quickly defeat this unsophisticated attempt at data
hiding. More advanced ways of hiding files in Windows are outlined below.

1. Open a Windows Explorer and browse to C:\3482\Lab1\Part1.

How many files are in this folder? ___________________________________

What are their respective names and sizes (as shown in Windows Explorer)?

_______________________________________________________________

_______________________________________________________________
2. Now, click Windows Start -> Control Panel -> Appearance and Personalization -> Folder
Options -> View. Under ‘Hidden files and folders’, check ‘Show hidden files, folders, and drives’
option. Click Apply. Go back to the Windows Explorer.
How many files do you see now in the folder C:\3482\Lab1\Part1? ___________ .

3. In Control Panel -> Appearance and Themes -> Folder Options -> View, switch back to ‘Don’t
show hidden files, folders, or drives’ option under ‘Hidden files and folders’. Click Apply. (Verify
that, again, you can see only SimpleText_1.txt and SimpleText_2.txt in C:\3482\Lab1\Part1
directory.)
4. Now, open/run another Windows Explorer, but this time ‘as administrator’. (Go to Windows Start ->
All Programs -> Accessories, right-click on Windows Explorer, and select ‘Run as administrator’.)
In this Windows Explorer browse to C:\3482\Lab1\Part1. Right-click on SimpleText_1.txt. Under
Properties -> General -> Attributes check ‘Hidden’ option. Click OK. (Select the Refresh option on
the Right Mouse menu to ensure that the latest change is applied.)
How many files do you see now in the folder C:\3482\Lab1\Part1? ___________ .

5. Open the Command Prompt in Windows (e.g., by going to Start -> (type) cmd). Use the CD
command to navigate to C:\3482\Lab1\Part1. Type: >attrib -h SimpleText_1.txt.

(Back in Windows Explorer) how many files do you see now in the folder

C:\3482\Lab1\Part1? ______________________________________________ .

6. Which prompt command would you use to make SimpleText_2.txt hidden?

______________________________________________________________ .

7. Type: >attrib. Observe the output. What is the purpose of the attrib command?

______________________________________________________________

______________________________________________________________

In Windows, in addition to making a file ‘hidden’, it is also possible to hide a file ‘behind’ a file. This
feature is known as Alternate Data Streams (ADS), and its use is demonstrated below.
8. In the Command Prompt window, type: >attrib -h LittlePrince_1.jpg. Verify that
LittlePrince_1.jpg can now be seen in the Windows Explorer.
9. Type: >type LittlePrince_1.jpg > SimpleText_1.txt:LittlePrince_1.jpg.
10. Type: >erase LittlePrince_1.jpg.
Can LittlePrince_1.jpg now be seen in Windows Explorer? ______________ .

Is LittlePrince_1.jpg now listed when executing >attrib? ______________ .

11. Type: >mspaint SimpleText_1.txt:LittlePrince_1.jpg. What happens?

_______________________________________________________________

_______________________________________________________________

12. In Windows Explorer, observe the size of SimpleText_1.txt.


Is the displayed size bigger or smaller than what you initially recorded (in 1.)?

________________________________________________________________
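
A defender can find the stream created in steps 9 and 10 by listing the folder with `dir /R`, which prints each named stream on its own line, and scanning that listing. The following Python code is an added example, not part of the original lab handout; the listing text, dates and sizes are constructed, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample of `dir /R` output for the lab folder (dates and sizes invented).
SAMPLE_DIR_R = r"""
 Directory of C:\3482\Lab1\Part1

01/15/2024  10:02 AM    <DIR>          .
01/15/2024  10:02 AM    <DIR>          ..
01/15/2024  10:05 AM                26 SimpleText_1.txt
                                48,211 SimpleText_1.txt:LittlePrince_1.jpg:$DATA
01/15/2024  09:58 AM                31 SimpleText_2.txt
               2 File(s)             57 bytes
"""

# A stream line has no date/time columns: "<size> <host file>:<stream name>:$DATA".
STREAM_RE = re.compile(r"^\s*([\d,.]+)\s+(.+?):([^:]+):\$DATA\s*$")

def find_named_streams(dir_r_output):
    """Return {host file: [(stream name, size in bytes), ...]} for each named stream."""
    found = defaultdict(list)
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(re.sub(r"[,.]", "", m.group(1)))  # drop thousands separators
            found[m.group(2)].append((m.group(3), size))
    return dict(found)

def report(dir_r_output):
    """One human-readable finding per named stream."""
    lines = []
    for host, streams in find_named_streams(dir_r_output).items():
        for name, size in streams:
            lines.append(f"{host} carries hidden stream '{name}' ({size} bytes)")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DIR_R)) or "no named streams")
```

Browsers attach a `Zone.Identifier` stream to downloaded files, so that name is expected in such listings; other stream names deserve a closer look.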
2. Hiding Data in Files [30 points]
In order to do this exercise, you will need to install Hex Workshop Editor on your VM from the
following site: www.hexworkshop.com. Follow the instructions as indicated in the installation
procedure.

1. Open a Windows Explorer and browse to C:\3482\Lab1\Part2.


You will observe the following three files in this directory:
Hearts.exe, SecretHearts.exe, SimpleText.txt.
2. Run the file Hearts.exe. Verify that the game runs as intended.
The filesize of Hearts.exe is: ___________ KB.

3. From the Windows Start menu run Hex Workshop Editor.


4. From within Hex Workshop Editor, open C:\3482\Lab1\Part2\Hearts.exe file. You should see the
byte sequence for the executable arranged as a grid of hexadecimal values, with memory offsets
to the left (in grey), and character representation of individual bytes to the right.
To get a better understanding of the content displayed by Hex Workshop, you could also try opening
C:\3482\Lab1\Part2\SimpleText.txt. You should be able to see the text of your file on the right and
its respective hexadecimal values in the main grid.
5. In Hearts.exe tab, start to slowly scroll down the file. You should observe sections of hex values
with rows of 00 (null) characters in between them. In many cases, these areas comprising
numbers of consecutive 00 (shown as dots in the character pane) are the so-called ‘slack space’
– space that sits unoccupied by the file (i.e., does not contain information that is of any
significance for the file). A hex editor can be used to store data directly onto such ‘slack space
areas’, as will be subsequently demonstrated.
6. Generate MD5 checksum for Hearts.exe by selecting Tools -> Generate Checksum -> MD5 (128
bit) -> Generate.
MD5 checksum for Hearts.exe is: ___________________________________ .

7. Adjust the mid pane so that it displays 15 bytes per row (i.e., data should be arranged into 15
columns: 0 to E).
8. Now, scroll to memory location 0000001E, or use Edit -> Goto menu option to reach this location.
You should see a row of zeros, indicating that this is (likely) an area of the executable that is not
being used and would be an ideal location to start inserting some of our own code. Change this
entire row to be a row of 1-s (11 11 11 11 … 11). Save this new version of Hearts.exe as
Hearts_modified_1.exe.
9. Run the new Hearts_modified_1.exe from Windows Explorer. Verify that the new executable still
runs despite the change.
The filesize of Hearts_modified_1.exe is: ___________ KB.

10. Generate MD5 checksum for Hearts_modified_1.exe.


MD5 checksum for Hearts_modified_1.exe is: __________________________ .

11. In addition to changing 0000001E, change the last several rows of Hearts_modified_1.exe –
specifically, rows 0001EFD2 to 0001EFFF – from all-‘00’ to all-‘11’. Save this new version of the
executable as Hearts_modified_2.exe. Verify that even this version of the executable still runs as
intended. (With further experimentation, you would find that you could insert quite a bit of code
before the executable eventually ‘broke’, i.e., was not running properly. Be careful when
experimenting, though, since you could accidentally create code with unintended consequences,
e.g., you could damage the file system or corrupt computer memory. [1])
The filesize of Hearts_modified_2.exe is: ___________ KB.

12. Generate MD5 checksum for Hearts_modified_2.exe.


MD5 checksum for Hearts_modified_2.exe is: __________________________ .

13. By comparing the previously recorded values, answer the following question.
What is the impact of inserting data on the file’s size and the file’s checksum?

________________________________________________________________

________________________________________________________________

14. Close all files in Hex Workshop. Go to Tools -> Compare -> Compare Files ... . Click the button
(with ellipses) to the right of the Source box, and browse to C:\3482\Lab1\Part2\Hearts.exe. Click
the button (with ellipses) to the right of the Target box and browse to
C:\3482\Lab1\Part2\Hearts_modified_2.exe. Make sure the Resynchronizing Compare radio
button option is selected. Click Ok to begin comparing the two files.
15. View the results of the Compare File operation in Results pane (appears at the bottom of Hex
Workshop window).
How many Replaced/Inserted/Deleted segments have been identified?

_________________________________________________________________

16. Finally, run SecretHearts.exe from Windows Explorer. Verify that this executable also runs as
intended.
17. SecretHearts.exe hides a secret message. By following the procedure described in 14. identify the
content of the secret message. (Hint: inspect the content of all Replaced/Inserted/Deleted
segments.)
The secret message is: _____________________________________________

__________________________________________________________________

__________________________________________________________________
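
The checks performed by hand in steps 6 to 17 (size, MD5, and a compare that lists replaced segments) can also be scripted. The following Python code is an added example, not part of the original lab handout; it handles only same-size overwrites, not the inserted or deleted segments that Hex Workshop's Resynchronizing Compare also reports, and the byte strings and function names are constructed for this example.

```python
import hashlib

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def replaced_segments(original: bytes, modified: bytes):
    """Return [(offset, old_bytes, new_bytes)] for each run of overwritten bytes."""
    if len(original) != len(modified):
        raise ValueError("sizes differ: data was inserted or deleted, not overwritten")
    segments, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i                      # a differing run begins
        elif a == b and start is not None:
            segments.append((start, original[start:i], modified[start:i]))
            start = None
    if start is not None:                  # run reaches the end of the file
        segments.append((start, original[start:], modified[start:]))
    return segments

def printable(data: bytes) -> str:
    """Render bytes the way a hex editor's character pane does."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)

def audit(original: bytes, modified: bytes) -> dict:
    result = {"size_delta": len(modified) - len(original),
              "md5_match": md5_hex(original) == md5_hex(modified),
              "segments": []}
    if result["size_delta"] == 0:
        for off, old, new in replaced_segments(original, modified):
            result["segments"].append({"offset": f"{off:08X}", "length": len(new),
                                       "was_zero_fill": set(old) == {0},
                                       "text": printable(new)})
    return result

# Constructed stand-in for an executable: header, 15 zero bytes at 0x1E, code, zero tail.
ORIGINAL = b"MZ" + bytes(range(1, 29)) + bytes(15) + b"\x90" * 20 + bytes(30)
NOTE = b"constructed note"                 # constructed payload, not from the lab files
_buf = bytearray(ORIGINAL)
_buf[0x1E:0x1E + 15] = b"\x11" * 15         # the row overwrite from step 8
_buf[70:70 + len(NOTE)] = NOTE             # text written into the trailing zero run
MODIFIED = bytes(_buf)

if __name__ == "__main__":
    print(audit(ORIGINAL, MODIFIED))
```

A segment whose original bytes were all zero and whose new bytes read as text is the pattern to look for when comparing a suspect file against a known-good copy.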

[1] To avoid potentially destructive consequences, try experimenting with image files instead of executable files.

3. Steganography [50 points]
Steganography is the art of secret writing. With steganography,
a message can be hidden in an image or a sound file. While in
cryptography the attacker knows that there is a secret message
and attempts to decipher it, in steganography the objective is
to keep the attacker from knowing that a secret message exists.

3.1) Data Hiding using JP Hide and Seek

1. Find Jphswin (JPHS) icon on the computer’s desktop, and double-click on it to launch the
application. After accepting the licence terms, you should see the following screen.

2. In the Windows Explorer, browse to C:\3482\Lab1\Part3.


3. Double-click on MonaLisa.jpeg to bring it up in the Windows Picture Viewer. Inspect the image;
keep the Picture Viewer open.
The filesize of MonaLisa.jpeg is: _______________ KB.

4. From JPHS menu, choose ‘Open jpeg’, navigate to C:\3482\Lab1\Part3, and open MonaLisa.jpeg.
JPHS will populate the ‘Input jpeg file’ information from the selected file. Notice that it will specify a
maximum file size that can be hidden within this image (under “Approximate max capacity”), and
recommend a limit that will make it less likely that the corruption of the image will be visually
detectable (under “recommended limit”).
What is the recommended limit to the data
file size that can be hidden in MonaLisa.jpeg? __________________________

What is the maximum size for a data file that


can be hidden in MonaLisa.jpeg? __________________________

5. In the Windows Explorer, right click on the secret/confidential file CONFIDENTIAL.pdf, and
choose ‘Properties’.
The filesize of CONFIDENTIAL.pdf is: ________________ KB.

Is CONFIDENTIAL.pdf suitable for hiding in MonaLisa.jpeg? ________________


6. Choose ‘Hide’ from JPHS menu. You are prompted for a passphrase. This is the passphrase that,
later on, would be needed to extract the hidden data. Choose the word ‘security’ as our
passphrase. Enter and confirm the passphrase ‘security’. Click ‘OK’.
7. You will now be prompted to select the file containing the information to hide. Choose the file
CONFIDENTIAL.pdf that we examined earlier, and click ‘Open’. JPHS will now report the details of
the file to be hidden.
8. Click on ‘Save jpeg as’. Save the file under the name MonaLisa_modified.jpeg. JPHS will,
subsequently, display the details of this newly created file/image.
The filesize of MonaLisa_modified.jpeg is: ________________ KB.

Is the saved image file larger or smaller


than the Input image MonaLisa.jpeg? __________________________

9. In the Windows Explorer, double-click on MonaLisa_modified.jpeg to bring it up in the Windows


Picture Viewer. Switch between MonaLisa.jpeg and MonaLisa_modified.jpeg to study visual
differences.
What differences between the two files
are detectable visually? __________________________

10. Restart JPHS. Repeat steps 4. to 9., but this time use nature.jpeg as the image in which you will
hide CONFIDENTIAL.pdf. Save the newly created image (containing CONFIDENTIAL.pdf) as
nature_modified.jpeg. Open both nature.jpeg and nature_modified.jpeg in Windows Picture
Viewer. Switch between the two files to study visual differences.
What differences between nature.jpeg and
nature_modified.jpeg can you detect? _________________________

11. Now, use Windows Picture Viewer ‘zoom in’ feature. Zoom into the sky at/above the horizon line
on both images, equally.
What differences between the two images can you now detect? Explain!

________________________________________________________________

________________________________________________________________

_______________________________________________________________

3.2) Data Recovery using JP Hide and Seek

13. In the Windows Explorer, double-click on flowers.jpeg to bring it up in the Windows Picture
Viewer. Inspect the image.
Do you observe anything unusual about this image? _____________________

14. Restart JPHS one more time. Choose ‘Open jpeg’ from the menu. Select flowers.jpeg.
15. Choose ‘Seek’ from the menu. A passphrase dialog box will open. Enter ‘surprise’ into both the
passphrase and confirmation text boxes. Click ‘OK’.
16. A dialog box will open to allow you to choose a file name and location in which to deposit the
recovered information. Enter the file name myFile.pdf. (As can be observed in Windows Explorer,
a new file named myFile.pdf will consequently appear in the directory C:\3482\Lab1\Part3.)
17. From the Windows Explorer, open myFile.pdf.
What is the content of myFile.pdf?

________________________________________________________________
