TAILS of Outguess
online at the same time as your contact, nor do you even need to know one another. Niels Provos’ excellent command line utility Outguess is the chosen stego tool for this tutorial. This is firstly because it is available to install from Ubuntu/Debian repositories and also because it’s very simple to use.
Although the tool hasn’t been updated for a while, it is futureproofed by allowing you to hide two messages inside a container file with separate passwords. This works in a similar way to the plausible deniability feature in encryption programs such as VeraCrypt. If ever a way is found to detect the use of stego in your files, you can use the decoy password to reveal some pre-prepared fake information.
One way that your use of stego can be detected is by analysing your hard drive for the presence of Outguess or checking your internet history to see if you’ve downloaded it. For this reason we recommend using the TAILS operating system for this project.
TAILS loads entirely into RAM, so all traces of activity are lost a few minutes after you shut down the machine, including the files you used and the Outguess program itself.
Another advantage of TAILS is that it routes all connections through the Tor network. This makes it virtually impossible for anyone monitoring your connection to tell that you’ve downloaded TAILS or where you have uploaded your container file with the hidden message.
Begin your bogus journey
For the purposes of this project, imagine that you have been able to purchase the coveted Bill and Ted’s Most Excellent Collection on DVD, which comes complete with both films and the extras disc with the instruction video on how to play air guitar professionally.
You are rightly concerned about this prized possession being stolen, so you decide to bury the DVD box set so that you can dig it up and sell it 20 years from now.
After hiding the box set, you decide you want to share the location with a trusted relative in case you’re unable to retrieve it. You meet with them privately to agree on a password to use and that you’ll hide the location inside the image of an antique Chippendale cabinet.
As you both live in a police state [Oceania?–Ed] where the government has a hankering for ‘90s classics, you also agree on a decoy password that either of you can enter under duress to reveal a false location.
You both also agree to use a Live DVD to install Outguess and encode/decode files to make sure there’s no trace of the tool on your respective machines.
You decide to use a QR code to store the GPS coordinates of both the real location of the DVD box set and a fake location, as these are easy to scan into a phone and open in apps such as Google Maps.
Once the stego file has been prepared, your friend can retrieve it at any time to work out where the Bill and Ted film offering is hidden.
Stego the dump
Although using Outguess from a bootable version of Linux such as TAILS will remove all traces of tools and any files you worked on, it won’t delete the original secret and container files. Ideally you should create these while in the “Live” system, but if not, use the shred command on all relevant data once you’re finished.
One important point: whether you use an image, sound file or video, remember to record it yourself. If a copy of the original “un-stegged” file is available online it can be compared to yours and the use of steganography can be detected. If you decide to upload a series of photos of the same item such as an antique cabinet, remember that these should all be roughly the same size.
When agreeing the password with your contacts, work out a system whereby they’ll know where to find the container files. For instance, you might agree to post a classified advert at a set time each week or you might list a certain phone number alongside each image containing hidden files.
Many sites compress or otherwise alter media files after upload. Try to find one that allows you to upload files unaltered or post a link where the original can be downloaded.
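The two checks described above, as an added shell example that is not part of the original article: confirm that the copy a hosting site serves back is byte-identical to the file you uploaded, then shred the working files. The function names and file names are hypothetical, and the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example. Function and file names are hypothetical placeholders.

# Return 0 if the copy fetched back from the site is byte-identical to the
# file that was uploaded, 1 if the site altered it, 2 if a file is missing.
unaltered() {
    local original="$1" downloaded="$2"
    [ -f "$original" ] && [ -f "$downloaded" ] || return 2
    local h1 h2
    h1=$(sha256sum < "$original" | cut -d' ' -f1)
    h2=$(sha256sum < "$downloaded" | cut -d' ' -f1)
    [ "$h1" = "$h2" ]
}

# Overwrite and unlink each working file; return 1 if any file survives.
# shred relies on in-place overwrites, which journaling or copy-on-write
# filesystems and SSD wear levelling do not guarantee.
wipe_workfiles() {
    local f rc=0
    for f in "$@"; do
        [ -e "$f" ] || continue            # already gone, nothing to do
        shred -u -n 3 -z -- "$f" || rc=1   # 3 random passes, zero pass, unlink
        [ ! -e "$f" ] || rc=1
    done
    return "$rc"
}

# Demo on constructed files: one faithful copy, one truncated copy that
# stands in for a file the site recompressed.
demo() {
    local dir
    dir=$(mktemp -d)
    head -c 4096 /dev/urandom > "$dir/container.jpg"
    cp "$dir/container.jpg" "$dir/fetched_ok.jpg"
    head -c 4000 "$dir/container.jpg" > "$dir/fetched_altered.jpg"
    for f in fetched_ok.jpg fetched_altered.jpg; do
        if unaltered "$dir/container.jpg" "$dir/$f"; then
            echo "$f: identical to the upload"
        else
            echo "$f: altered by the site, do not rely on it"
        fi
    done
    wipe_workfiles "$dir"/*.jpg && rmdir "$dir"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run the comparison on a copy downloaded the same way your contact would fetch it, not on the file still sitting in your upload folder.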
If you live in a jurisdiction with compulsory key disclosure laws such as the UK, then technically you must surrender all keys in your possession when ordered. This includes both the bogus password and the real one. Take time to check the legality of using stego and withholding the real password where you live.