Anonymous ID: df65cb Jan. 20, 2019, 3:40 p.m. No.3276   >>3277 >>3278 >>3297 >>3380

I'd like to help out if I can but I'm very much a novice at this sort of thing. On the other hand I can find my way around a hex editor and would be willing to work at prying apart image files. At a minimum I could try to help gather up best practices and tools from what people post.

Anonymous ID: df65cb Jan. 20, 2019, 7:55 p.m. No.3305   >>3306

>>3278

I don't think you have to compress it before opening it. I opened it in a hex editor (plenty online for free) and could search the data for the word 'zip' in there. It only shows up once as far as I can tell. If it is some kind of bookmark or flag for zip data then you'd need to figure out the extents of it. Where does it stop and start?

 

I'm going to do a little bit of learning on zip file structure to see if I can get some other clues. Sadly I never had much training in forensics. That isn't to say I don't find the stuff rather interesting.

Anonymous ID: df65cb Jan. 20, 2019, 8:15 p.m. No.3306   >>3307 >>3380

>>3305

I tend to be a skeptic in that I will take something like this and think, well you know the 'zip' showing up in all that junk could just be stupid random happenstance. What if it isn't even intentional? (But we know there are no coincidences).

 

So I had noticed, upon looking at a zipped txt file with just one word in it, that the zip file had the letters PK showing up in it (beginning and end), and I thought that was interesting.

 

If you read up on zip file structure (thanks wikipedia):

 

Most of the signatures end with the short integer 0x4b50, which is stored in little-endian ordering. Viewed as an ASCII string this reads "PK", the initials of the inventor Phil Katz. Thus, when a ZIP file is viewed in a text editor the first two bytes of the file are usually "PK". (DOS, OS/2 and Windows self-extracting ZIPs have an EXE before the ZIP so start with "MZ"; self-extracting ZIPs for other operating systems may similarly be preceded by executable code for extracting the archive's content on that platform.)

 

So applying that to the original image from 3277

 

>>3277

 

If you open it in a hex editor you can absolutely find PKs in there. If that encourages anyone at all… I think that it is further evidence that there is a zip file hidden in the image. I will pry at this some more and see if I can tease it out, but this is my first time trying anything like this.

Anonymous ID: df65cb Jan. 20, 2019, 10:13 p.m. No.3310   >>3311

>>3307

If there is actually a zip file in there, I don't think it was cobbled together with this method. I tried opening it in 7-zip earlier and it didn't find an archive. There are a few tutorials like this online and it is a clever way to combine images with files but I don't think it applies here.

Anonymous ID: df65cb Jan. 20, 2019, 10:35 p.m. No.3312

>>3311

I've been studying the file in a hex editor, and while I did initially find PK in there and the text string 'zip' easily enough, there is no Central directory file header signature = 0x02014b50.

 

The central directory is a crucial part of the zip file. If there is none, then there can't be a zip file archive.

 

Since there is no obvious central directory file header signature, I went back to looking at the PNG file format to see if there were any other clues in there.

 

I was not discounting it just because I couldn't open it in 7zip. I was discounting the method because the author said that using that method it ought to be openable in 7zip (which makes sense based on a number of things). I also discounted it because of the other observations I had made.

 

Note: there is only one instance of 'zip' and one instance of 'PK' (all caps and case is important) in the file.

 

You can make these observations on your own with a hex editor just by doing searches for the relevant strings.

Anonymous ID: df65cb Jan. 20, 2019, 10:52 p.m. No.3313   >>3314

I also did go back and look at

>>4837427

 

What he did is NOT steganography. It looks to me like he was looking at hex code and trying to imagine words out of it. He was including the standard PNG tags like IHDR and IDAT in his supposed coded message. This is not legit. I have not studied forensics, but I have programmed computers professionally, and I am sure, based on things that I do have experience with, that this was not a sensible way to analyze a hex file.

 

And before someone else pounces on me for it, I did not find the header for a pkzip central directory file header in there either… this would be 504b0102.

 

The test file I created to verify my methods did include a pkzip header in it and I was able to find it effectively with my method.
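The checks described in No.3306, No.3312 and No.3313 (search for "PK", then insist on a real central directory signature 50 4B 01 02 before calling it a zip, and walk the PNG chunks IHDR/IDAT/IEND rather than reading words into them) can be scripted so that the result does not depend on eyeballing a hex dump. The following Python is an added example written for this thread, not code posted by any participant. The two sample files it scans are constructed in memory: a tiny PNG whose tEXt chunk merely contains the strings "PK" and "zip" (the false-positive case the thread discusses), and the same PNG with a genuine zip archive appended after IEND. The function and variable names are the example's own.

```python
import io
import struct
import zipfile
import zlib

# ZIP signatures as they appear on disk (little-endian 0x4b50 reads as "PK").
ZIP_SIGNATURES = {
    b"PK\x03\x04": "local file header",
    b"PK\x01\x02": "central directory file header",   # 50 4B 01 02 from the thread
    b"PK\x05\x06": "end of central directory record",
}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def find_zip_signatures(data: bytes) -> dict:
    """Return {signature name: [offsets]} for every ZIP signature found anywhere in data."""
    hits = {name: [] for name in ZIP_SIGNATURES.values()}
    for sig, name in ZIP_SIGNATURES.items():
        start = 0
        while (i := data.find(sig, start)) >= 0:
            hits[name].append(i)
            start = i + 1
    return hits


def has_embedded_zip(data: bytes) -> bool:
    """A loose "PK" proves nothing; require an EOCD record whose central directory
    size leads back to a real central directory header."""
    for eocd in find_zip_signatures(data)["end of central directory record"]:
        if eocd + 22 > len(data):
            continue
        # EOCD layout after the signature: disk, cd_disk, n_this, n_total, cd_size, cd_offset, comment_len
        _, _, _, _, cd_size, _cd_offset, _ = struct.unpack("<HHHHIIH", data[eocd + 4:eocd + 22])
        # cd_offset is relative to the archive start, which is unknown when the archive is
        # appended to another file, so walk back from the EOCD by cd_size instead.
        cd_start = eocd - cd_size
        if cd_start >= 0 and data[cd_start:cd_start + 4] == b"PK\x01\x02":
            return True
    return False


def parse_png(data: bytes):
    """Walk PNG chunks up to IEND. Returns ([(type, length, crc_ok)], offset just past IEND)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_MAGIC)
    while pos + 12 <= len(data):
        length, = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):
            chunks.append((ctype.decode("ascii", "replace"), length, False))  # truncated chunk
            return chunks, len(data)
        body = data[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        chunks.append((ctype.decode("ascii", "replace"), length, zlib.crc32(ctype + body) == crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, pos


def png_trailing_bytes(data: bytes) -> int:
    """Bytes after IEND: a clean PNG has 0; an appended archive shows up here."""
    return len(data) - parse_png(data)[1]


# --- constructed sample inputs (not files from the thread) ---
def make_png(extra_text: bytes = b"") -> bytes:
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")                 # filter byte + one red pixel
    out = PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat)
    if extra_text:
        out += chunk(b"tEXt", b"Comment\x00" + extra_text)
    return out + chunk(b"IEND", b"")


def make_zip(name: str, content: str) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


DECOY_PNG = make_png(b"PK zip")                                # strings present, no archive
POLYGLOT = make_png() + make_zip("secret.txt", "one word")     # real archive appended after IEND

if __name__ == "__main__":
    for label, sample in (("decoy", DECOY_PNG), ("polyglot", POLYGLOT)):
        print(label, find_zip_signatures(sample), has_embedded_zip(sample),
              parse_png(sample)[0], "trailing:", png_trailing_bytes(sample))
```

Running it shows the decoy contains "PK" and "zip" as text yet has no central directory and no bytes after IEND, which is exactly the situation the thread concludes for the original image, while the polyglot reports one of each ZIP signature and a non-zero trailing length. Checking the CRC of every chunk also catches a PNG whose chunk bodies have been tampered with, which a word search cannot.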