Hello and welcome to the Friday, May 2, 2025 edition of the Sands and at Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

And we have another steganography diary from DDIH, further figuring out, well, how to analyze some messages or in this case binaries that are embedded in

images. PNGdump.Py, DDA's tool that he used in last weekend's diary, is able to take a compressed

PNGG image and basically expand it and display the uncompressed

pixel values for the particular image. PNG is compressed. It's lossless compression and

actually lossy compression wouldn't work with steganography, because they exactly sort of do these one-bit changes that are often lost when it comes to compression that loses some of the detail of the image.

So once you have the actual byte values, the one thing that PNGD dump doesn't do,

it actually doesn't sort of help you extract individual bits.

But, well, of course, DDIH has a tool just for that.

It's called format bytes.

So what Didiya did in today's diary was look at two images.

One is with message, one without message.

It uses that least significant bit methodology,

which basically results in identical, at least visually, images.

And then using format bytes,

Didier extracted the executable from the bitstream that you get from PNG dump?

Format bytes is a string tool. If you look at the example, it sort of allows you very flexibly to define the actual format being used,

how many bits, little Indian, big engine, all of these details,

and then extract respective data, which is really useful here.

And Didy also promises, well, a little challenge for Saturday.

And Olivia Brown with Sock, the company that specializes in software security,

...