2

I have a 10GB .iso file with sensitive information.

How can I fake its format to be a format of my choice (say .mp4)?

Is this method valid for any format?

$ cat picture.png myiso.iso.gpg > picture2.png

where picture.png is a random picture, myiso.iso.gpg is a gpg-encrypted file with sensitive information, and picture2.png is the hidden file with the fake format.

muru
  • 3
    Why not encrypt the file? –  Nov 26 '16 at 17:00
  • 3
    why is the encryption not good enough?! – Rinzwind Nov 26 '16 at 17:09
  • 5
    Even if you could fake the file format, it is an extremely bad way of protecting sensitive information. Consider strong encryption instead for your own sake. – edwinksl Nov 26 '16 at 17:18
  • 5
    @bc2946088: ".png" is not a MIME Type. You are getting confused between MIME Types, file extensions and what is really important here, which is the magic number at the start of most files. – Lightness Races in Orbit Nov 26 '16 at 21:52
  • You're right, my comment is flawed. I simply meant to say when prepending the graphic file to the start of the image file, the magic number will then be reported back with file as the graphic, not the image. So in my example, PNG image data. I am not confused but I can see how my comment would make it seem that way. @LightnessRacesinOrbit –  Nov 26 '16 at 22:42
  • One of the first things a forensic examiner is going to do is to run file (or an equivalent) against all files, and compare the actual file type to the file extension. They'll stand out like you spray-painted SUSPICIOUS on them in bright red. – SomeoneSomewhereSupportsMonica Nov 27 '16 at 08:17
  • @SomeoneSomewhere: I imagine that's why the OP suggests prepending an actual PNG file. – Lightness Races in Orbit Nov 27 '16 at 11:21
  • @LightnessRacesinOrbit Hmm, didn't read that properly. Nonetheless, file may sometimes check parts other than the start of the file, and it makes it somewhat more difficult to read the file without (smoking gun) extra software/scripts – SomeoneSomewhereSupportsMonica Nov 28 '16 at 08:35

3 Answers

8

Linux does not care about file extension. Changing the file name does NOT let the file command show it is a picture. It will still show it is an ISO.

How do you expect to retrieve the ISO after doing this:

cat picture.png myiso.iso.gpg > picture2.png

Why do you not encrypt the file?

gpg -c {file}

would be enough. It will ask for a password twice. Make it a good one, and don't forget it.

If you do not want anyone to see the file start the name of it with a "." and put it into a directory, remove all permissions except for the user and lock it down with chattr -i {file} from a root session.

Rinzwind
  • 1
    Displaying it as being encrypted shows that it has precious content and is therefore more subject to be cracked by expensive ad hoc hardware. – user202459 Nov 26 '16 at 17:10
  • 13
    A 10gb png might clue someone into taking a look at it. @user202459 –  Nov 26 '16 at 17:11
  • 5
    @user202459 and a 10Gb png would not? :D :D Really?! – Rinzwind Nov 26 '16 at 17:11
    @Rinzwind I also thought about faking its size: [https://unix.stackexchange.com/questions/326210/how-to-fake-the-size-of-a-file] – user202459 Nov 26 '16 at 17:21
  • 1
    I think faking the size of a file will be about as effective as renaming the ISO to PNG. @user202459 – TheWanderer Nov 26 '16 at 17:34
  • 6
    @user202459 You lack an understanding of security. If you are really worried about specialized hardware attacks, obfuscating the type is useless. It's much easier to bypass than real encryption. Specialized hardware is still thousands of dollars. If it's worth enough for an attacker to use it, it'll be worth it for them to overcome very weak obfuscation techniques. – jpmc26 Nov 26 '16 at 22:35
  • 1
    @jpmc26, if you're trying to bypass GPG, specialized hardware isn't thousands of dollars, it's $5. The encryption used by GPG is strong enough that the only practical attack is to beat the password out of the user. – Mark Nov 27 '16 at 03:55
  • @Mark Yes, true. I intentionally neglected that aspect to highlight the complete misconception that this obfuscation technique somehow improves the situation at all. Even assuming that breaking GPG using specialized hardware becomes feasible at some point in the future, the obfuscation the OP asked about still doesn't make sense. – jpmc26 Nov 27 '16 at 07:12
6

This sounds very very much like an A/B problem to me. You want to protect data in such a way people won't suspect that it's sensitive data.

The easiest way to hide data is to just encrypt it using gpg, TrueCrypt, LUKS, or similar encryption utility.

Now, you could use steganography, but that isn't exactly the best idea because the concept of "security by obscurity" still comes into play. Any determined enough attacker will still be able to extract the file or at least find it ("why does this person have a 10GB image or a corrupt MP4? It might be hiding data!"). You're relying on security by obscurity, which is always a bad idea.

Instead, if you want to save something and keep plausible deniability, you just need to make sure that the data looks random and has no headers. LUKS/cryptsetup has an option (--header) that allows you to store the LUKS headers separately from the data (say, on a USB drive you always carry on you), so any attacker using file will only see it as random data. And, if you suspect someone's closing in, just conveniently "lose" the drive.

If you're really paranoid, you can always use hidden volumes in LUKS, which will allow you to have a fake outer volume as well as a more secret inner volume. Why would this be useful? Case in point:

Comic borrowed from XKCD

Even if you're subject to rubber-hose cryptanalysis, you can just give away the outer (non-secret) volume password with only trash data. And, if you've already destroyed the header drive (or didn't take it from its safe place), it's impossible to decrypt and is effectively just a collection of random data.

TL;DR: Don't try steganography. Instead, just remove the encryption header to make it look like random data. If you're really paranoid, make an additional "hidden" volume just to be safe. Your encrypted file won't be cracked because that'll take literally millions of years with specialized equipment. If you get caught/tortured for the password, you can just give a "fake" password to non-important data. Either way, you get 2FA, plausible deniability, and the ability to destroy one of the factors quickly and efficiently.


Or, you can just ignore all of that and just have a normal encrypted file. To counter your comment:

Displaying it as being encrypted shows that it has precious content and is therefore more subject to be cracked by expensive ad hoc hardware.

Encryption is really common nowadays. Almost every smartphone out there has encryption on it. Does every smartphone have precious/sensitive content? Good encryption would take millions of years and hundreds of thousands of dollars to crack with very specialized equipment, it's infeasible to try to crack data just "on a suspicion." True, you might get national secrets, but you might just as easily get some cat pictures (and the latter is far more likely). As the title text for the above XKCD says:

Actual actual reality: nobody cares about his secrets.

Kaz Wolfe
  • If you're trying to hide the fact that you've got encrypted data, TrueCrypt is probably the second-worst idea out there: the "hidden volume" functionality has been the main selling point for so long that any attacker who encounters TrueCrypt won't stop beating you until you've provided two passwords. Removing the header from a LUKS volume isn't much better, since in the real world, people don't carry large quantities of headerless data around -- any large random-looking file without a header is probably encrypted. – Mark Nov 27 '16 at 04:01
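The answer above says a LUKS volume with a detached header shows up under file as plain "data", and Mark's comment replies that a large headerless blob of random-looking bytes is itself a tell. The script below is an added example (not from the answer or from any real forensic tool) of the triage pass an examiner would actually run: a signature check first, then byte entropy. The signature list, the 7.5 bits/byte cut-off and the seeded-PRNG stand-in for ciphertext are all assumptions made for the example; the one-byte 0x8c OpenPGP check in particular is only a hint, as the comment in the code says.

```python
import math
import random
from collections import Counter

# Magic numbers a `file`-style scan would recognise.  The LUKS and OpenPGP
# entries are the ones that matter here: a LUKS volume whose header is
# detached loses the "LUKS" magic, while `gpg -c` output keeps its packet tag.
MAGICS = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x1f\x8b", "gzip compressed data"),
    (b"%PDF", "PDF document"),
    (b"\x7fELF", "ELF executable"),
    (b"LUKS\xba\xbe", "LUKS encrypted volume header"),
    # Old-format OpenPGP packet header with tag 3 (symmetric-key encrypted
    # session key), the leading byte of typical `gpg -c` output.  A one-byte
    # signature is only a hint; treat this entry as an assumption, not proof.
    (b"\x8c", "OpenPGP symmetrically encrypted data (hint)"),
]

VERDICT_KNOWN = "known signature"
VERDICT_BLOB = "headerless high-entropy blob (ciphertext or compressed data)"
VERDICT_LOW = "low-entropy data without a known signature"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def identify_magic(data: bytes):
    """Return the description of the first matching signature, or None."""
    for sig, name in MAGICS:
        if data.startswith(sig):
            return name
    return None


def classify(data: bytes, threshold: float = 7.5) -> dict:
    """Triage one file: signature first, then entropy of the first 64 KiB.
    `threshold` is an assumed cut-off; encrypted and compressed data sit near
    8.0, text and most structured formats well below."""
    magic = identify_magic(data)
    entropy = shannon_entropy(data[:65536])
    if magic:
        verdict = VERDICT_KNOWN
    elif entropy >= threshold:
        verdict = VERDICT_BLOB
    else:
        verdict = VERDICT_LOW
    return {"magic": magic, "entropy": round(entropy, 3), "verdict": verdict}


def build_samples() -> dict:
    """Constructed inputs, not real files: a seeded PRNG stands in for ciphertext."""
    rng = random.Random(2016)
    ciphertext = bytes(rng.getrandbits(8) for _ in range(65536))
    return {
        "headerless ciphertext (detached-header LUKS style)": ciphertext,
        "gpg -c style output": b"\x8c" + ciphertext,
        "PNG signature glued onto ciphertext": b"\x89PNG\r\n\x1a\n" + ciphertext,
        "plain text": b"Why not encrypt the file? " * 2500,
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:52s} {classify(blob)}")
```

Running it shows the point of the comment: the headerless sample has no signature and an entropy close to 8.0, so it is flagged as a blob rather than ignored, while the same bytes with a PNG signature in front pass the signature check. Entropy alone cannot separate that second case from a genuine (compressed) image, which is why a format-aware check of the PNG chunk structure is the next step an examiner takes.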
0

Since none of the answers currently presented answer the question of how to fake a format of a file:

There are two ways of hiding the ISO's data inside a PNG or MP4 file.

  1. Steganography, the practice of concealing a file, message, image, or video within another file, message, image, or video. The resultant file will be perfectly viewable, like an innocent picture or film. However, this might take a lot of effort to do.
  2. The second way is to simply insert the header of your chosen file format, such as PNG's 8-byte header, at the start of your file to trick any programs opening your file into thinking it's that format. You should also change the file extension, just in case. However, the resultant file would most probably appear corrupted when viewed, which might draw suspicion.

Of course, this also means that you might need to break the ISO into portions to make for a more convincing disguise. A 10-GB PNG file is pretty suspicious.

  • 1
    A folder containing 10,000 corrupted PNGs is also pretty suspicious. – Mark Nov 27 '16 at 04:02
  • True. Something like an MP4 might be more worth a try, or a RAW video file. – Ignis Incendio Nov 27 '16 at 07:06
  • @IgnisIncendio MP4 H264 uses Inter-frame compression, with a key frame being fully compressed and then it is encoded partial information about the changes of color between the frames, to save space. How would you fit this into that format? – Ismael Miguel Nov 27 '16 at 07:56
    Truth be told: I have no idea. Steganography at this scale would probably be impossible. A RAW video file, maybe? – Ignis Incendio Nov 27 '16 at 09:52
  • No idea why everyone sticks to .png where .mkv or many other extensions can do the job! that .png in the question was just an example guys! :D – Ali Hashemi Nov 27 '16 at 11:23
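Two points in this thread are easiest to settle with code: the first answer asks how the ISO would ever be retrieved from `cat picture.png myiso.iso.gpg > picture2.png`, and the last answer proposes gluing just the 8-byte PNG signature onto the data, which the comments above note a format-aware `file` run would catch. The script below is an added example, not code from any of the answers: it builds a real (tiny) PNG, applies both tricks to a constructed stand-in for the .gpg payload, walks the PNG chunk stream the way a checker that looks past the magic number does, and carves the payload back out from after the IEND chunk. The payload bytes, the 1x1 image and the verdict strings are all constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_minimal_png() -> bytes:
    """A valid 1x1 RGB PNG, constructed here as the stand-in for picture.png."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                 # filter 0 + one red pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline))
            + _chunk(b"IEND", b""))


def wrap_by_concatenation(png: bytes, payload: bytes) -> bytes:
    """The question's `cat picture.png myiso.iso.gpg > picture2.png`."""
    return png + payload


def wrap_by_signature_only(payload: bytes) -> bytes:
    """The last answer's variant: only the 8-byte PNG signature in front."""
    return PNG_SIG + payload


def walk_png(data: bytes) -> dict:
    """Parse the chunk stream as a format-aware checker would.
    Returns the chunks seen, the offset just past IEND (None on failure)
    and an error string describing the first structural problem."""
    chunks, pos = [], len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            return {"chunks": chunks, "end": None,
                    "error": f"truncated chunk header at offset {pos}"}
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if not ctype.isalpha():  # chunk types are four ASCII letters
            return {"chunks": chunks, "end": None,
                    "error": f"invalid chunk type {ctype!r} at offset {pos}"}
        if pos + 12 + length > len(data):
            return {"chunks": chunks, "end": None,
                    "error": f"chunk {ctype.decode()} length {length} exceeds file"}
        body = data[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            return {"chunks": chunks, "end": None,
                    "error": f"bad CRC on chunk {ctype.decode()}"}
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length
        if ctype == b"IEND":
            return {"chunks": chunks, "end": pos, "error": None}


def analyze(data: bytes) -> str:
    """Verdict a checker that goes beyond the magic number would report."""
    if not data.startswith(PNG_SIG):
        return "no PNG signature"
    info = walk_png(data)
    if info["error"]:
        return f"PNG signature but malformed chunk stream: {info['error']}"
    trailer = len(data) - info["end"]
    if trailer:
        return f"valid PNG with {trailer} trailing bytes after IEND"
    return "valid PNG"


def extract_trailer(data: bytes) -> bytes:
    """Everything after IEND: the carving step that gets the .gpg file back
    out of picture2.png, and exactly what a forensic carver does as well."""
    info = walk_png(data)
    if info["error"]:
        raise ValueError(info["error"])
    return data[info["end"]:]


# Constructed stand-in for myiso.iso.gpg; real output would be OpenPGP packets.
PAYLOAD = b"OpenPGP ciphertext stand-in: " + bytes(range(256)) * 4

if __name__ == "__main__":
    png = make_minimal_png()
    cases = [("real PNG", png),
             ("cat picture.png payload", wrap_by_concatenation(png, PAYLOAD)),
             ("signature only", wrap_by_signature_only(PAYLOAD)),
             ("raw payload", PAYLOAD)]
    for label, blob in cases:
        print(f"{label:26s} -> {analyze(blob)}")
    recovered = extract_trailer(wrap_by_concatenation(png, PAYLOAD))
    print("payload recovered intact:", recovered == PAYLOAD)
```

The concatenated file is a valid PNG (it opens in a viewer) followed by a trailer, so recovering the ISO is just "copy everything after IEND", which also means the trailer is trivially visible to anyone who parses the image rather than trusting its first eight bytes. The signature-only variant fails at the very first chunk, since the payload bytes are read as a chunk length and type, which is the "corrupted on viewing" outcome the answer warns about.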