Gif-It-Up Signature Information

*NOTE* You can view each image separately and in full size by right clicking on it and selecting view image or by saving to your hard drive.

There are literally hundreds of various steganography applications posted on the Internet. Some are stronger than others in the methods they utilize to hide information. Some of them also leave behind signatures in the carrier file that make it very simple to detect the existence of hidden information. Gif-It-Up is one of those applications.

To view this signature, please utilize a normal hex editor. The application you choose may use a different numbering system per line (e.g. ASCII, hex, decimal). But you should still be able to follow along, regardless.

o Automatically converts Gif89 into Gif87 images (removes transparency)
o Inserts a series of periods (00 in hex) starting at 00000180/14 and continuing on until 00000310/02.
o This also occurs with encrypted payload

With encrypted payloads (sig-giu-4.gif):

o Gif-It-Up data 'appears' to start with a string, after the string of periods (00). It begins at 00000310/03 and goes through 00000320/12.
o There are only sporadic matching values across all blocks.
o Is there a point where other GIU signatures appear?
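
The two traits from the first list above (GIF87 output and the block of 00 bytes) can be checked programmatically. The following is an added example, not part of the original page or of Gif-It-Up. It assumes the "row/column" offsets are hex-editor rows of 16 bytes, and because column numbering differs between editors it only requires the rows that lie fully inside the described range to be 00. The function names and sample bytes are constructed for illustration.

```python
"""Check a GIF for the Gif-It-Up carrier traits listed above (added example)."""
import sys

# Assumption: "00000180/14" is hex-editor row 0x180 plus a column number.
# Column numbering differs between editors, so only the rows that lie fully
# inside the described range (0x190 up to, not including, 0x310) must be 00.
CORE_START, CORE_END = 0x190, 0x310


def zero_run_around(data: bytes, pos: int) -> tuple[int, int]:
    """Return (first, last) offsets of the run of 00 bytes containing pos."""
    first = last = pos
    while first > 0 and data[first - 1] == 0:
        first -= 1
    while last + 1 < len(data) and data[last + 1] == 0:
        last += 1
    return first, last


def check_giu_signature(data: bytes) -> dict:
    """Report the GIF version and whether the 00 block matches the description."""
    result = {"version": data[:6].decode("ascii", "replace"),
              "zero_block": None, "match": False}
    if len(data) < CORE_END:
        return result
    core = data[CORE_START:CORE_END]
    if core.count(0) == len(core):
        result["zero_block"] = zero_run_around(data, CORE_START)
    # Both traits from the list must hold: GIF87a output and the 00 block.
    result["match"] = data[:6] == b"GIF87a" and result["zero_block"] is not None
    return result


def constructed_sample(header: bytes = b"GIF87a", zeros: bool = True) -> bytes:
    """Constructed test bytes, not a real Gif-It-Up output file."""
    buf = bytearray(b"\x55" * 0x400)
    buf[:6] = header
    if zeros:
        buf[0x18E:0x313] = bytes(0x313 - 0x18E)  # 00 from 0x18E through 0x312
    return bytes(buf)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, check_giu_signature(fh.read()))
```

The `zero_block` offsets in the result give the exact first and last 00 byte, so they can be compared against what your own hex editor shows for the start and end of the block.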

Examples

Original File
Non-Encrypted Payload (large)

2nd Original File
Encrypted Payload (large)

Encrypted Payload (tiny)


Signatures have their ups and downs where steganography is concerned. For instance, if we use signatures to detect hidden information we can more likely detect a payload even when the amount of information is VERY small. In contrast, if we use anomaly-based detection, small amounts of hidden information will not be enough to trigger a detection. Unfortunately, that leaves us in the uncomfortable position of maintaining a signature database for steganography; much like we do currently with virus detection. The key for detection appears to be a combination of signature and anomaly-based detection.