Anonymous and Steganography - Blindly Distributing Terrorist Messages?

As previously warned multiple times by Th3J35t3r and myself - Anonymous may be unwitting pawns in a much larger chess game.

While their public support of terrorist organizations is being dismissed with "anyone can claim to be Anonymous" their blind distribution of encrypted files containing information from outside entities may not even be known to the inner-most circles of the organization.

What encrypted files? One of the most common means of distributing Anonymous related information is through social media - especially through the distribution of image files.  Little known to many outside the security field is that images can be used to hide information through a process called Steganography.  For those not familiar with the topic here is an excellent whitepaper on how Steganography works as well as how to detect it.  I have started using the StegDetect program from Outguess.org and have found some interesting results.

I recently started analyzing several images being re-posted by the Twitter handle @YourAnonNews.  Out of 51 images analyzed I found two images which returned "positive" as having embedded data, as well as two additional images which generated errors during analysis (possibly obfuscated?).

The first picture with a positive hit was an internet meme of the TV show "Game of Thrones".



The picture was re-posted by @YourAnonNews here: https://twitter.com/i/#!/YourAnonNews/media/slideshow?url=http%3A%2F%2Ftwitpic.com%2Fbqiggl

However the image originated from @57UN here: http://twitpic.com/bqiggl

Below is the image re-posted by @YourAnonNews

Picture re-posted by @YourAnonNews
And here is a similar meme picture which is "almost" the exact same size as found on http://whosin.com/pg/whois/24118207/Maine+Memes

Similar Meme Picture
Running StegDetect against the "Gym" picture above produces a hit for embedded data using "jphide" while running against the "Sandy" picture does not.

Similarities between the two pictures:
Both are of the same content - with only a slight variation (text at the bottom)
Both are 72 dpi resolution
Both are 24-bit color depth

There are also some interesting differences between the two pictures.

The "Gym" picture is 600x461 pixels while the "Sandy" picture is 600x460 (Gym is one pixel taller)
The "Gym" picture is 69,919 bytes while the "Sandy" picture is 51,416 bytes (26% difference)

Error Level Analysis (ELA) using FotoForensics produces some interesting results.

ELA - @YourAnonNews Reposted Image
ELA - "Sandy" image
Areas in white indicate the image has possibly been altered from its original (see FotoForensics Tutorial).  As you can see above there has been significant altering of the first image while the second remains fairly uniform.  You would expect that the images would display the same ELA pattern - the fact that they are drastically different indicates something has definitely been altered.

So the question remains - is there something embedded inside this image?  I believe so.  Unfortunately all of my attempts to crack the password failed.  Whatever secret this image holds we may never know.  But I believe it definitely holds a secret.

UPDATE 1:
It was suggested in the comments below that this is simply a result of resizing or cropping the image.  As such I cropped both images as suggested...and this provided some rather interesting results.

Suspect steganography image "Gym" cropped
ELA of cropped "Gym" image
As you can see above the ELA for the cropped "Gym" image suspected of containing steganography doesn't change much.

More interesting is that StegDetect now throws an error instead of a negative/positive hit for steganography. "error: Quantization table 0x01 was not defined"

Image "Sandy" cropped

ELA of Image "Sandy" cropped
The baseline "Sandy" image ELA does change slightly - but still not as profound as the suspected ELA image above.  This image also produces the same message when performing StegDetect: "error: Quantization table 0x01 was not defined"

Therefore I believe it is safe to conclude that the positive detection for steganography is not a result of resizing or cropping the image.
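
The StegDetect error quoted above has the same wording as the libjpeg decoder message "Quantization table 0x%02x was not defined", which is raised when a frame component references a quantization table that no DQT segment in the file defines. As an added example (not code from the original post or from StegDetect), the following Python walks a JPEG's header segments and reports the pixel dimensions plus which quantization tables are defined versus referenced; the function names and the header-only sample files are constructed for illustration and are not the images discussed here.

```python
import struct

SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # frame headers only

def jpeg_quant_summary(data: bytes) -> dict:
    """Walk segments up to start-of-scan; report size and quantization table use."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    defined, referenced, size = set(), [], None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte preceding a marker
            pos += 1
            continue
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop here
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        body = data[pos + 4:pos + 2 + length]
        if length < 2 or len(body) != length - 2:
            raise ValueError("truncated segment")
        if marker == 0xDB:  # DQT: one segment may carry several tables
            i = 0
            while i < len(body):
                precision, table_id = body[i] >> 4, body[i] & 0x0F
                defined.add(table_id)
                i += 1 + 64 * (2 if precision else 1)
        elif marker in SOF_MARKERS:  # frame header: size and per-component table id
            _, height, width, ncomp = struct.unpack(">BHHB", body[:6])
            size = (width, height)
            referenced = [body[6 + 3 * c + 2] for c in range(ncomp)]
        pos += 2 + length
    missing = sorted(set(referenced) - defined)  # ids libjpeg would report as undefined
    return {"size": size, "defined": sorted(defined), "referenced": referenced, "missing": missing}

def seg(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

def build_sample(height: int, table_ids: list) -> bytes:
    # Constructed header-only JPEG, 600 px wide: Y uses table 0, Cb/Cr use table 1
    dqt = b"".join(bytes([t]) + bytes([16]) * 64 for t in table_ids)
    sof = struct.pack(">BHHB", 8, height, 600, 3) + bytes([1, 0x22, 0, 2, 0x11, 1, 3, 0x11, 1])
    return b"\xff\xd8" + seg(0xDB, dqt) + seg(0xC0, sof) + seg(0xDA, b"") + b"\xff\xd9"

if __name__ == "__main__":
    print(jpeg_quant_summary(build_sample(461, [0, 1])))  # both tables present
    print(jpeg_quant_summary(build_sample(460, [0])))     # table 1 referenced, never defined
```

A non-empty `missing` list means the file cannot be decoded at all, so the error is a statement about the file's structure after re-saving, separate from any positive or negative steganography result.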
 

Related Reading:
Al-Qaeda uses steganography - documents hidden in porn videos found on memory stick - http://www.infosecurity-magazine.com/view/25524/alqaeda-uses-steganography-documents-hidden-in-porn-videos-found-on-memory-stick/