Detecting the hidden volume is not trivial.
Actually, it is.
There are only four ways to detect the presence of the hidden volume, all of which are unlikely to be checked even by a knowledgeable person. The easiest way to tell about the manipulation would be bitrate monitoring: If a player tells you that the stream has a bitrate of 1 Mbps, but by analyzing the file size, you can compute that it must have at least 5 Mbps, you can tell something is amiss. But who looks at bitrates this detailed? The only other ways would be (1) a sophisticated packet-by-packet analysis of the mdat data that would find out that from offset 65,536 on, there’s not only random-looking compressed data, but random-looking garbage; (2) checking for a repetition of the first 64k of mdat somewhere later in the file and (3) seeing that there’s much unused space in the mdat that isn’t referenced by any chunk offset table. I can imagine, in theory, that there might be tools to do the latter, but until someone shows me such a tool, I boldly declare my method as safe
First of all: the tool works very well.
Second: it is one of the best solutions i’ve seen.
Third: unfortunately, as many others steganographic solutions it is simple to detect
.
The bitrate isn’t a problem (not so serious, at least). The stream size is the very problem. Look at this test for the difference. First one is a real MP4 video. The Second is the same video with a Truecrypt volume (6 mb) inside.
Infos from mp4 file:
File size : 68.1 MiB
Video Stream size : 58.7 MiB (86%)
Audio Stream size : 9.23 MiB (14%)
Total Stream : 67.93 MiB (100% – more or less, the rest is header)
Infos from TC hybrid file:
File size : 74.6 MiB
Video Stream size : 58.7 MiB (79%)
Audio Stream size : 9.23 MiB (12%)
Total Stream: 67.93 MiB (91% – the rest, of course, is TC volume)
Every file with a stream size lower than 100% is a suspicious file.
Many tools are capable to calculate stream size, MediaInfo (
http://mediainfo.sourceforge.net) can do it, for example.
I used MediaInfo.dll and AutoIt (
http://www.autoitscript.com/) for doing a (very rough) CLI utility for quickly hybrid files detection. It is here:
https://rapidshare.com/files/63434631/TCHFind.zip (MD5: zip file: 774DA43D5706B1B8E5ABA9847420EE87 exe file: A1D68BDAD3FE1CCA8D5717BB0443B330 – tested on Win 7) Read the “ReadMe” file for usage.
However, you did a good job.
This is really no better than
cat SomeVideo.mp4 SecretData.tc.zip > InnocentLookingVideo.mp4 (Zipping the TC file allows it to be easily extracted by just opening the resulting MP4 file as a ZIP file). The resulting file requires no special tools either to create or open, and it's no more likely to be detected than more complicated methods (the MP4 file still works, and is still identified as an MP4 file by all standard file type signature tools, so nobody's going to check it too closely and if they do, they would have found the secret data anyway).
