Skip to Content

Mystery Cache

Solving Puzzles V - Images & Steganography

A cache by Bob & Brenda - Reno Send Message to Owner Message this owner
Hidden : 5/26/2013
In Nevada, United States
Difficulty:
3.5 out of 5
Terrain:
2 out of 5

Size: Size: micro (micro)

Join now to view geocache location details. It's free!

Watch

How Geocaching Works

Please note Use of geocaching.com services is subject to the terms and conditions in our disclaimer.

Geocache Description:

Cache is not located at the posted coordinates.


Congratulations to VegasScotty for the FTF


This is the fifth in a series of caches that we hope will help cachers learn some of the tricks to solving puzzle caches. Although experienced puzzle solvers can jump in at any point in the series, each successive lesson is meant to build on concepts that were demonstrated in the previous caches. The first cache in the series contains some background information on puzzle caches as well as a link to the tools we use when solving puzzle caches.

This series is not meant to be an "end all" on how to solve every puzzle cache that exists. It is only a starting point on what to look for when you see a puzzle cache. If you go through this series, you should be able to solve most puzzle caches that have a difficult of 3 stars or less. If we gave away all our secrets, then we wouldn't have anything to do but put out lamp post caches.


This series of caches contains the following caches

Cache Techniques
GC4AFC5 Hidden Information
GC4AJ0W Lists
GC4ANJW Codes & Ciphers (Basic)
GC4ANKB Codes & Ciphers (Advanced)
GC4AZHP Images & Steganography
GC4AZHW Wordplay
GC4B2YM Mathematics
GC4B2YP Logic
GC4B2ZK Final Exam


Disclaimer:

Alert: There are downloadable files in our toolbox and printable copies (PDF) of the puzzles for the caches in this series. These files are not required to solve the puzzles, although they may be useful to you for both this cache series and other puzzle caches you solve. As the cache owner, I represent that these files are safe to download although they have not been checked by Groundspeak or by the reviewer for possible malicious content. Download these files at your own risk.


Introduction

Many puzzle caches on the geocaching.com web site have pictures on them. Do the pictures have anything to do with the puzzle or are they just eye candy? We'd be willing to bet that they probably have something to do with the puzzle; otherwise why put them there in the first place?

It's up to the puzzle solver to figure out how the pictures work in to the puzzle. Do the pictures create a list puzzle? Is there information stored in the metadata? Does the picture have embedded data-either through embedded files or stenographic means? This lesson in our puzzle solving series should help you figure that out.


Lists

If the number of pictures on the page is equal to the number of digits in a set of coordinates, then the images are probably list items (as discussed in our earlier lesson). You may recognize the images and be able to solve the puzzle with this information alone. But what happens when you don't recognize what the image is?

If one of the pictures was the one to the right, would you know who it is?

How would you search to find out?

Some reverse image search engines that are available and do a good job of finding these images are Google Image Search and Tin Eye.

Just copy the link to the picture or upload it from your computer and you'll get a list of possible matches.

Once you have information about the picture, it's up to you to work out the rest of the information about the picture.

Who Am I?

Metadata

Metadata is basically data about data. If you think of a music file as your data, metadata would include information such as the name of the song, the artist, the album it was released on, etc. Video and image files contain the same types of data.

The Exchangeable Image File (exif) format is a standard used for recording information about image and sound files created with a digital camera. There are many data fields that can be used to hide information. If you right click on a saved .jpg file and select properties, you will see a small subset of those fields similar to the one to the right. As you can see in the example, north coordinates have been placed in the comment field.

Metadata
Metadata If we open the same image using the ImageOps link in our toolbox, we can see not only the information shown in the file properties window, but over 120 other entries as well. Shown to the left is just a small portion of the metadata tags that can be examined.

Of course, not all these fields can be modified, but many of them can. As you can see in the example, there are nearly 12,000 bytes of data in the exif information. It shouldn't be too hard to find some place to hide a small amount of coordinate information or other clues or hints to the cache.


Animated GIF Files

Animation You are getting very sleepy.....you are going back in time to 1995 when animated .gif files were all the rage along with the infamous Netscape blink tag.

As with .jpg files, you can hide information in the comments section. You can also hide information on a single frame of the animation. As the kaleidescope spins around, do you see a slight change near the bottom of the picture? This animation is short (only 8 frames), but each frame is on the screen for only .02 seconds. Your eyes and brain may be able to sense that something is there, but its appearance is so short that you have no time to comprehend what it is.

Tools such as gifmagic.com or ImageOps can split an animated .gif file into its individual frames. If you use one of those tools with the image to the left, you could see that frame 5 (right) shows some hidden coordinates.

Since .gif files are not used as often as .jpg files anymore, any time you see a file with this extension in the source code, you should run it through one of the applications to see if anything is hidden there.

Hidden Info


Embedded Files

An embedded file is a file that is stored or hidden inside another file. Additional files are often hidden in .jpg, .gif and .png files because there is information in them that tell the program reading it how long the file is or when to stop. So, if you add more data after the end of the original file, most readers will ignore that information. For example, examining a .jpg file with a hex editor, you will see that the beginning of the file is marked with 0xFF 0xD8 and the end of the file is marked with 0xFF 0xD9. So, if we use the binary copy command on our computer to copy an Excel spreadsheet to the end of a .jpg file

copy /b original.jpg+sheet.xls result.jpg

we will have a picture (result.jpg) that contains both the original picture and the Excel spreadsheet. We can now post that picture on the web. It will look exactly like the original picture, but anyone can now right click the picture and save it to their computer and extract the spreadsheet and use it with Excel.

How do you tell if the picture you see on a web page has an embedded file? We'll use a .jpg file as an example.

  1. Save the picture to your hard drive
  2. Open the file in your favorite hex editor. If you don't have one, there are plenty of free ones available on the web.
  3. Look at the first two bytes of the file. They should be FF D8 which signifies that it's a .jpg file.
  4. Scroll to the end of the file. The last two bytes should be FF D9. If they aren't, then there's definitely something there for you to discover. However, just because the last two byte are FF D9, it doesn't mean there's nothing there, but the likelyhood is reduced.

Ooooh, ooooh, I think I found something! What next?

  1. Start from the beginning of the file and do a hex search for FF D9. We're only interested in the one near the end of the file for now. There may be more because:
    1. The .jpg format uses application markers to mark the beginning and end of other information such as EXIF data
    2. There is a thumbnail image of the original embedded in the picture
    3. There is a .jpg file embedded in the .jpg file
  2. Once you've found the last one, look at the next few characters. Here are a few common ones you may see:
    1. PK - it means there is an embedded .zip file (PK stands for Phil Katz the inventor of the .zip format)
    2. Rar! - A WinRar file has been embedded
    3. 7Z - Uses the 7Zip compression program
    4. Somewhat readable text - a text file is embedded
  3. If there's a WinZip, WinRar, and 7Zip file embedded, you can try opening the picture with that application. Sometimes it works, sometimes it doesn't.
  4. We prefer to extract the embedded file to its own file using the dd program found in our toolbox. Here's how that works using the picture to the right.
LVFD Bomb Squad Robot

1. Right click the file and save it to your desktop (should be robot2.jpg)

2. Open the file using your favorite hex editor and search for FFD9

3. There's only one occurance in the file and it's not at the end. We see that the next two characters after the .jpg EOF marker are PK which means there is an embedded .zip file there. We see that the new file begins at position 0xC96B which is equal to 5156310.

hex edit

4. Run the following at a command prompt:

dd bs=1 skip=51563 if=robot2.jpg of=robot2.zip

where:

dd - the name of the program we're running

bs=1 - our block size is 1 character

skip=51563 - since we know the embedded file starts at position 51563, we need to skip everything up to that position

if=robot2.jpg - the name of the input file

of=robot2.zip - the name of the output file (this can be anything you want)

As you can see, the program created a new file 2264 bytes in size

dd

5. Open the output file (robots2.zip) and you can see that it contains a text file that may contain information that will help solve the puzzle.

This was a simple example of hiding data using an embedded file in a .jpg image. We've seen some puzzles that have embedded file inside of embedded files. You will need to keep working your way though the repetitive steps until you can't find any more data.



Steganography

From Wikipedia:

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing". Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter. It is high security technique for long data transmission.

The advantage of steganography over cryptography alone is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.

Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.


As stated above, steganography can be used to hide information in just about any type of file. This lesson will only cover ways to conceal information inside of image files since that seems to be the most popular method used in geocaching, but be aware that other file types can be used as well. Many of the same techniques that we'll discuss about hiding information in an image file could be used with .mp3 and other file types as well. Dr. Neil Johnson maintains an extensive list of steganography software that can be used to both hide and reveal information hidden through steganographic means.

Information hidden with steganographic techniques will be the hardest to find. First, you have to know something is there-which is the point of steganography-it's supposed to be hidden. Even if you know something is there, you still need to know how to extract it. Hopefully the hider will give you some clues that will lead you in the right direction. It also helps to know what steganography program the hider used--not all programs are created equal. There is good news and bad news in this. The bad news is that most of the freely available detection tools really don't detect that well. The good news is that if you're dealing with .jpg files, jphide/jpseek are the tools most likely used.

One way it is done (technical)

Each pixel on your monitor consists of 24 bits of data to represent its color (8 each of red, green, and blue) which comes out to about 16.7 million different color combinations. The most recent study suggests that the human eye can only distinguish at most 10 million colors. So if we alter the least significant bit of the red, green, or blue color information, the eye probably won't be able to tell the difference.

Look at the three squares below. Can you see any difference in the colors?

square1  square2  square3

The square on the left is made up of the RGB combination of 86,123,30 while the square in the middle has a RGB sequence of 86,124,30. The square on the right has the text Lorem ipsum dolor sit amet, consectetur adipisicing elit stored in it using the jphide program. This small 50x50 pixel square can hold about 120 characters of information without degrading the image so it would be noticable to the casual viewer.

The picture below is one that I took while hiking in Red Rock Canyon looking for the cache On the way to...#2. It looks like a normal .jpg image.

On the way to GC1PXCZ

When we run it through a few steganography detection programs we get the following:

StegSpy

It knows there's a something hidden there, but it believes it was hidden using the Hiderman program (not correct).

StegSecret

Does not detect anything. However, this program is all in Spanish, so I'm not really sure how well it does at detecting this type of steganography. It does detect that there is data after the EOF marker in the robots2.jpg image discussed in the previous section.

StegDetect

Supposedly can anyalyze a .jpg file to see if there was something hidden using jphide (which this was), but every file that I've run with it gives me the message "Corrupt JPEG data", so I'm not sure how well this actually works.

So, we'll assume that the steganography program used was jphide (since this is the most popular free program). As stated above, somewhere the cache hider should have provided you with clues as to what program he/she used and what the passphrase was that you'll need to decrypt it. So, if this were our "real" cache listing, I might have given you a clue such as "hide and seek". I would have also provided you a clue that led you to Ferengi Rule of Acquisition #208 for the passphrase.

After saving the image to our local disk, we would run the jpseek program against it:

jpseek gc1pxcz.jpg output.jpg

The program would ask for our passphrase and create our output file. The image below is output.jpg. It contains the information (blacked out of course) that you would need to complete the virtual cache The Presidential Suite.

This image was totally hidden inside the image above. We could also hide text or just about any other types of information inside another file.

Presidential Palace

Caches hidden by using this technique are somewhat rare. We only know of one existing cache here in the Las Vegas valley (although there is a second one that is suspect--we just haven't worked it that hard yet) that uses this. We'll leave determining what two caches we're talking about as an excercise for the reader.



This Cache

On December 30, 2012, Brenda and I started a cross country trip to Pennsylvania. She was going there for a business trip and I thought it would be fun to tag along and get lots of geocaches on the way. Our original goal was to try to pick up a cache in every county that we drove through and have our travel bug TB540BX visit as many travel bug hotels as we could find. We did pretty well considering that many were after dark and required some trudging through the snow (lots to be said about year round caching in Las Vegas). We made it all the way to Ohio before we came to the conclusion that we wouldn't get to our destination on time if we kept up the pace we were working. Our highest number of counties hit in one day was 18, travelling across Kansas and Missouri. Subtract 149 from a number associated with our travel bug to help you solve this cache.

On our way we got to find lots of clever hides and saw how difficulty ratings varied from location to location. We haven't done a lot of earth caches here in Nevada, but did quite a few on our trip across I-70. Here's a picture at the Kansas Toadstools Earthcache.

Kansas Toadstools

Additional Hints (Decrypt)

Pnpur: Tebhaq yriry; erqqvfu oebja

Decryption Key

A|B|C|D|E|F|G|H|I|J|K|L|M
-------------------------
N|O|P|Q|R|S|T|U|V|W|X|Y|Z

(letter above equals below, and vice versa)



 

Find...

27 Logged Visits

Found it 9     Didn't find it 3     Write note 7     Temporarily Disable Listing 2     Enable Listing 2     Publish Listing 1     Owner Maintenance 3     

View Logbook

**Warning! Spoilers may be included in the descriptions or links.

Current Time:
Last Updated: on 2/3/2017 12:43:06 PM (UTC-08:00) Pacific Time (US & Canada) (8:43 PM GMT)
Rendered From:Unknown
Coordinates are in the WGS84 datum

Return to the Top of the Page