This article was published more than a year ago, there may have been developments.
Please take this into account.

Literally the term “Steganography” from etymological dictionary means “the art of writing in figures, because the script is still secret and unknown to those who do not have the key”. Typically quansiasi type of encrypted message may be referred steganographic. The oldest steganographic technique dates back a few thousand years ago (the term itself is derived from the ancient greek), was to use common lemon juice instead of ink. Those who received the letter secret was to bring the paper to a source of heat or an open flame. The parties spent with the lemon juice would not be blackened, while the paper is.

In the digital world with steganography could mean any message encrypted with a shared key, but more specifically it refers to text messages hidden within an image. In practice (greatly simplifying the procedure) each pixel which composes the image is composed of a different color, and changing a single bit per pixel content will not be obvious to the human eye changes, while a software encryption, if you set the right key, will be able to extract the message. The most widely used method is the algorithm LSB (Least Significant Bit), that needs to be given in text format to hide and a password to encrypt the message.

The most often used tool to insert or extract the data in an image is Steghide, while the charge extraction via bruteforce attack is Step Break. If we just want to know if it was a hidden message in an image we will use Steg Detect, which however is not able to decrypt the message. In this short tutorial we will show how it is possible “inject” a txt file inside a jpg image, leaving in fact the image visually unchanged.

First you need to have installed “Steghide“, present in the repositories of major distributions, but also easily fillable “a mano”.

For our test we use an image whose color spaces are not too uniform (Type sky, parete bianca o simili). Thank you Tara, the model of exception that lent itself to the experiment.

The text insert is instead taken from the Divine Comedy: “Inferno, Singing 1, Verses 1 – 136”; 136 lines containing any character in the Italian (including accented vowels, apostrophes and quotation marks), that in a txt file can weigh almost 5kb. I called the file “divina.txt”, you can download it below.


Here comes the fun. We include the file within the image with steghide. The command for this is to include the text:

Steghide embed-cf tara_bn.JPG-ef divina.txt

Steghide will ask you to enter a password (I used “ciaociao”). The field can also be left blank, but in this case it will be easier to find out the hidden message. And the result is invisible to the eye:

To extract the data we still use steghide, the reverse is equally simple:

steghide extract-sf tara_bn.JPG-xf estratto.txt

This will create a file named “estratto.txt” that contains the contents of the original file.

Try it yourself to extract the data from the last photo… Also there is a hash bit out of place.

An important function of the command is steghide “info”.

The info command returns one of the most important things that interest us: the maximum amount of data to be hidden in the host file. In our case we can hide 16,2 KB, also entering the password encryption we note that the hosted file weighs 4.9 KB, which was called “divina.txt”, that has been encrypted and compressed.


I keep this blog as a hobby by 2009. I am passionate about graphic, technology, software Open Source. Among my articles will be easy to find music, and some personal thoughts, but I prefer the direct line of the blog mainly to technology. For more information contact me.


Gabriele Merlonghi · 12 March 2013 at 7:30 PM

I arrived on your blog for other purposes related to the reporting of the tutorial than 30 days to learn HTML5 and CSS, But reading this post I was very intrigued.
Personally, I have dealt with iOS encryption and the embedded world and was not familiar with this technique “obscuration” information in a photo.
One thing a lot to 007. The brute force always ensures the penetration and thus the decoding of the text even without knowing the password ?

    TheJoe · 13 March 2013 at 8:15 AM

    Not always… I would say that the bruteforce never guarantees the result and if the password is complex bruteforcing is useless. The password is not removable, but it is a real key to encrypt the message.
    Often before a judge, however, is not so important message, As evidence that was sent. In this case stegdetect is a real boon. Does not decode the message, it alerts you if there is or not.

Guadalupe · 29 November 2012 at 2:14 AM

Thank you for article, dear cognomino , nonche8 codivinsore of my own passion for steganography. And’ really well done and designed with full knowledge of causa.Un saluto.Nicola Amato

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.