OK, well let's go through what has been tried then. First of all, assumptions; beware.. assumption is the mother of all fuck-ups
No information has been given on which OS the alterations to the files were done.
Admin previously did mention as a hint 'dir /r' which would imply checking on Windows
and thus imply that the work should be able to be done on a Windows system.
I am also assuming that what was done to the files was done using standard tools on the
OS and not using any specialised 3rd party software.
So I am thinking of simple commands entered in ms-dos and the like, with the possible exception of
hints being provided in metadata (so checking with exiftool).
Considering getting the info difference is reportedly done within a minute or so, a lot of the below
is over the top checking, but if you don't know what to look for, you have to look at a lot!

IMAGE COMPARISON
So based on taking the 1st .jpg file as basis and first comparing it with the .png (left image)
and then with the 2nd .jpg (right image);

"copy /b" hiding technique
My first thought was to check to see whether any compressed archive was 'hidden' in the image by using the 'copy /b' approach.
So basically this means you compress/zip information, and then copy this as binary information to an image file as follows ;
copy /b my_image.jpg + hidden.zip my_image.jpg
This image file will then still look and act like an image file, however you can extract information from the file by
simply treating it as an archive file (for instance right click in explorer and choose extract with your installed archive tool)
So I checked this by simply verifying whether or not I could treat any of the file as a zip/archive file and extract anything.
You can also do the same, hiding a simple text file;
copy /b my_image.jpg + my_text.txt new_image.jpg
On opening the new_image.jpg with a text editor, you should see the text of your hidden file at the very end.

Checking for hints in metadata of the files
Doing this by checking the information in a GUI version of exiftool;

Challenge 1
In the .jpg version of the file there is a reference to Ducky and to Adobe.

Challenge 2
This image is 7.5kB whereas the first .jpg image was 7.1kB, indicating possibly hidden info,
most likely text, depending on whether the 1st image was just what it appeared to be.
image quality 77% with 8355 unique colours used on the first jpg image
image quality 80% with 9291 unique colours used on the 2nd jpg image.

ADS / Alternate Data Streams
Considering Admin mentioned checking out dir /r, I did of course and it would then seem that ADS is part of the deal.
But you will find ADS references on nearly all items you DL from the net, and the stream references on the lightbulbs
just appear to be the general type you get when you download files from internet.
The way streams work is that you can 'hide' data in a stream of a different file.
For instance I created a text file called 'ads-test.txt' and put an image called test.JPG in the same directory.
Now to add the test image (a 4MB jpeg image) to the 6-byte text file, you would follow;
type test.JPG > ads-test.txt:test.JPG
Now when doing a dir check, you will see that the ads-test.txt has not even changed size, it remains identical.
However when doing a dir /r you will see the ADS reference clearly indicating the presence of the test.JPG file.
So the actual size is not showing the real size although it is over 4.25MB difference !
OK you say, so what happens when we delete the initially used test.JPG file and check again?
it is still there.. ;
To 'extract' the data hidden in the ADS, you need to know what program can actually do what you want.
In this case as it is a JPEG file that is hidden, you can think of mspaint.
(if you would have seen a .txt file you would have started the command with notepad, etc.)
Will open that baby right up in Paint.
Now if I upload that file to a filesharing site and download again, what do I get ?
Soo... this simple test shows that if there was a file hidden with ADS, it is possible that it would
not be retrieved after having uploaded / downloaded it.

STEGANOGRAPHY
As steganography in the sense of using tools to hide data in images requires 3rd party tools, I
don't believe that is what is being done here.
But for sake of good order did do a quick test with stegdetect ;
Those have been my tests and my findings with a little information on how the methods to hide info work.
What were your tests and what were your results ?
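
A scripted version of the "copy /b" check described in the post, as an added example that is not part of the original post: it walks the JPEG marker structure to find the real end of the image and reports whatever bytes follow it. It covers JPEG only; the function names are hypothetical and the sample bytes are constructed for the demonstration.

```python
import io, zipfile

def jpeg_end(data):
    """Offset just past EOI, found by walking segments, not by searching for FFD9."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    i = 2
    while i + 1 < len(data):
        if data[i] != 0xFF:
            raise ValueError("lost marker sync")
        marker = data[i + 1]
        if marker == 0xFF:                    # fill byte before a marker
            i += 1
            continue
        i += 2
        if marker == 0xD9:                    # EOI: the image ends here
            return i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                          # markers without a length field
        i += int.from_bytes(data[i:i + 2], "big")   # skip the whole segment
        if marker == 0xDA:                    # SOS: skip entropy-coded scan data
            while i + 1 < len(data) and not (data[i] == 0xFF and data[i + 1] != 0
                                             and not 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    raise ValueError("no EOI marker found")

def classify(data):
    """Return (verdict, tail), where tail is whatever follows the end of the image."""
    tail = data[jpeg_end(data):]
    if not tail:
        return "clean", tail
    kind = "zip appended" if tail.startswith(b"PK\x03\x04") else "data appended"
    return kind, tail

# Constructed marker skeleton (not a viewable picture): an APP1 segment holding
# a stray FFD9, then a scan with FF00 stuffing and a restart marker, then EOI.
SAMPLE_JPEG = (b"\xff\xd8" + b"\xff\xe1\x00\x08th\xff\xd9mb" + b"\xff\xda\x00\x08"
               + bytes(6) + b"\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")

def make_zip():
    """Constructed stand-in for the hidden.zip of the copy /b command."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("hidden.txt", "constructed payload")
    return buf.getvalue()

if __name__ == "__main__":
    for blob in (SAMPLE_JPEG, SAMPLE_JPEG + b"my text", SAMPLE_JPEG + make_zip()):
        print(classify(blob)[0], len(classify(blob)[1]), "trailing bytes")
```

Walking the segments matters because FFD9 can legitimately occur inside a metadata segment (an embedded thumbnail, for instance) or inside the appended data itself, so searching for the first or last FFD9 can give the wrong boundary.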