Hide It Lest They Find It: Zip Steganography
Steganography is the art and science of writing hidden messages in such a way that no one apart from the sender and the intended recipient suspects that the message exists, a form of security through obscurity. When it comes to digital steganography, no stone should be left unturned in the search for viable places to hide data. Although digital steganography is commonly used to hide data inside multimedia files such as images, video and many other visual formats, a similar approach can be used to hide data in archives as well.
Steganography imposes the following data-hiding rules:
1. The data must be hidden in such a fashion that a user has no clue that the hidden message or file exists.
2. The hidden data must not be tampered with during the hiding process, and any loss of the hidden file's data should be minimal.
The ZIP file format is one of the most common archive formats in use today. It was created in 1989 by Phil Katz for PKZIP as a replacement for Thom Henderson's earlier ARC format, and it is now supported by many software utilities other than PKZIP.
File Structure:
A normal ZIP file has the following sections:
1. The archive's contents: the files and directories, stored in arbitrary order. Each is represented by a file entry, a local file header followed by the (possibly compressed) file data.
2. The central directory: one file header per entry holding, among other metadata, the file name and the offset in the archive of that entry's local header. Each local header is marked by a specific 4-byte signature, and each central directory record by a different 4-byte signature.
3. The end of central directory record at the very end of the file, which holds the number of entries (on this disk and in total), the size of the central directory and its offset. A parser reads this record first in order to find everything else.
ZIP parsers typically locate these signatures rather than walking the file from the start, and since the order of the entries in the central directory need not match the order of the entries in the archive, the format is non-sequential: a reader trusts the central directory and ignores whatever it does not point at. Modifying the central directory so that a file's entry (or just one attribute of that entry) disappears from it therefore hides that file while its bytes remain in the archive. But there are some significant challenges in front of us:
1. A CRC-32 of each file's uncompressed data is stored in both its local header and its central directory record, so the file data itself cannot be altered silently.
2. Careless edits to file entries, or to the lengths and offsets in the central directory, corrupt the archive so that parsers reject it.
ZIP steganography can be implemented in three ways:
- Utilization of the extra data fields described in the PKWARE ZIP file format specification (more robust).
- Simply modifying the file_name attribute of a file entry in the central directory (can be defeated).
- Changing the location of the central directory.
Utilization of extra data fields: Extra fields were introduced to carry additional, format-specific information about an entry, such as NTFS timestamps and data streams, encryption parameters and other data used by applications that process the format. An extra field is a sequence of records, each with a 2-byte header ID and a 2-byte length, and the field's total length is itself a 16-bit value in the file header, so each entry can carry up to 65,535 bytes of extra data that ordinary readers skip over without interpreting. That unexamined space is what the hiding technique exploits.
We therefore only need to enlarge the extra field length of one central directory record so that it swallows one or more of the records that follow it in the central directory. After that, the entry counts in the end of central directory record (the number of entries on this disk and the total number of entries, called ThisDiskItemEntries and DiskItemEntries below) must be decreased accordingly; the recorded size of the central directory still matches, since no bytes have moved. Only then does the archive remain valid for parsers that go by the count as well as for those that go by the size.
Modifying the file_name attribute: This method fails against some ZIP parsers, because ZIP stores each file name twice, once in the central directory record and once in the local file header. Since only one of the two is modified, the other can be used to restore the original name, and a mismatch between the two is itself a red flag to a careful reader.
Changing the location of the central directory: Another method, presented at BlackHat EU 2010, simply moves the central directory offset stored in the end of central directory record (LocationOfCentralDir) forward to the record of the first file you want to be visible, so every entry listed before it drops out of the listing while its bytes remain in the file. As before, decreasing ThisDiskItemEntries and DiskItemEntries by the number of skipped entries, and shrinking the recorded central directory size by their combined length for parsers that go by size rather than count, keeps the archive valid.
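The following Python script is an added example, not code from this article or from the BlackHat talk it cites. It builds a constructed three-file archive with the standard library, then implements the first and third techniques above together with the forensic check that undoes both: `hide_in_extra_field` folds an entry's central directory record into its predecessor's extra field and fixes the counts, `hide_leading_entries` advances the central directory offset, and `unreferenced_local_headers` walks the raw file for local headers that no central directory record points at. One deliberate deviation from the bare description: the absorbed record is framed as a proper extra-field record (header ID plus length) under `CARRIER_ID`, a hypothetical ID chosen here, because readers that walk the extra field record by record, as current versions of Python's zipfile do, reject a length that runs past the end of the field. The script handles single-disk, non-Zip64 archives only.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
LOCAL_FMT, CENTRAL_FMT, EOCD_FMT = "<4s5H3L2H", "<4s6H3L5H2L", "<4s4H2LH"  # 30 / 46 / 22 bytes
CARRIER_ID = 0x4343  # hypothetical extra-field header ID, assumed unassigned (not from the article)

def build_sample_zip():
    """Constructed three-file archive (not from the article) to experiment on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("front.txt", b"first entry, stays visible\n")
        zf.writestr("secret.txt", b"this entry vanishes from listings\n")
        zf.writestr("back.txt", b"last entry, stays visible\n")
    return buf.getvalue()

def _eocd(data):
    """(offset, mutable field list) of the End of Central Directory record."""
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("no EOCD record")
    return pos, list(struct.unpack(EOCD_FMT, data[pos:pos + 22]))

def central_entries(data):
    """(offset, length, name, local header offset) of each central record, in order."""
    _, e = _eocd(data)
    pos, out = e[6], []                       # e[6]: offset of the central directory
    for _ in range(e[4]):                     # e[4]: total number of entries
        f = struct.unpack(CENTRAL_FMT, data[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        size = 46 + f[10] + f[11] + f[12]     # + name, extra and comment lengths
        out.append((pos, size, data[pos + 46:pos + 46 + f[10]].decode(), f[16]))
        pos += size
    return out

def _splice(data, cd_offset, new_cd, hidden):
    """Install a new central directory and fix the EOCD counts, size and offset."""
    eocd_pos, e = _eocd(data)
    e[3] -= hidden                            # entries on this disk (ThisDiskItemEntries)
    e[4] -= hidden                            # entries in total     (DiskItemEntries)
    e[5], e[6] = len(new_cd), cd_offset       # size and offset of the central directory
    return data[:cd_offset] + new_cd + struct.pack(EOCD_FMT, *e) + data[eocd_pos + 22:]

def hide_in_extra_field(data, name):
    """Technique 1: move the central record of `name` into the extra field of the
    entry listed just before it, framed as a well-formed (id, length, payload) record."""
    entries = central_entries(data)
    j = next(k for k, ent in enumerate(entries) if ent[2] == name)
    if j == 0:
        raise ValueError("the hidden entry needs a preceding host entry")
    (pos_i, size_i, _, _), (pos_j, size_j, _, _) = entries[j - 1], entries[j]
    host, victim = data[pos_i:pos_i + size_i], data[pos_j:pos_j + size_j]
    fn_len, extra_len = struct.unpack("<HH", host[28:32])
    extra = host[46 + fn_len:46 + fn_len + extra_len] + struct.pack("<HH", CARRIER_ID, size_j) + victim
    if len(extra) > 0xFFFF:
        raise ValueError("the extra field length is a 16-bit field")
    host = host[:30] + struct.pack("<H", len(extra)) + host[32:46 + fn_len] + extra + host[46 + fn_len + extra_len:]
    _, e = _eocd(data)
    new_cd = data[e[6]:pos_i] + host + data[pos_j + size_j:e[6] + e[5]]
    return _splice(data, e[6], new_cd, hidden=1)

def hide_leading_entries(data, count):
    """Technique 3: point the EOCD at the `count`-th central record; the skipped
    records stay on disk as an orphan blob just before the new directory start."""
    skipped = sum(ent[1] for ent in central_entries(data)[:count])
    _, e = _eocd(data)
    return _splice(data, e[6] + skipped, data[e[6] + skipped:e[6] + e[5]], hidden=count)

def visible_names(data):
    """What an ordinary reader (Python's zipfile) lists for the archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def unreferenced_local_headers(data):
    """Forensic check that catches both tricks: local headers no central record
    points at, with their content read back through the local header and CRC-checked."""
    referenced = {ent[3] for ent in central_entries(data)}
    hidden, pos = {}, data.find(LOCAL_SIG)
    while 0 <= pos <= len(data) - 30:
        f = struct.unpack(LOCAL_FMT, data[pos:pos + 30])
        start = pos + 30 + f[9] + f[10]       # skip name and extra field
        raw = data[start:start + f[7]]        # f[7]: compressed size
        try:
            body = zlib.decompress(raw, -15) if f[3] == 8 else raw
        except zlib.error:
            body = b""
        # a stray signature inside file data fails the CRC check and is skipped
        if pos not in referenced and zlib.crc32(body) == f[6]:
            hidden[data[pos + 30:pos + 30 + f[9]].decode("utf-8", "replace")] = body
        pos = data.find(LOCAL_SIG, pos + 4)
    return hidden

if __name__ == "__main__":
    stego = hide_in_extra_field(build_sample_zip(), "secret.txt")
    print(visible_names(stego), unreferenced_local_headers(stego))
```

Two points worth noting from running this. Python's zipfile ignores the entry counts entirely and reads the central directory by its recorded size, while other parsers iterate by count, so `_splice` keeps both consistent; an archive that satisfies one but not the other is exactly the kind of corruption listed among the challenges above. The detection routine treats a CRC match as proof that a signature hit is a real local header; a stored (uncompressed) nested ZIP would yield legitimate-looking unreferenced headers too, so flagged entries deserve a manual look rather than an automatic verdict.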
A few tools that work on a similar principle are:
Let me know what you think about some other possibilities for hiding data in ZIP files, like using the ZIP file's comment section to smuggle data, or changing the FileNameStringLength (in the central directory) to zero.