Steganography And Terror

A College Project Got Me Tracking Terrorists on Image Boards

November 2018

While conducting research, I decided to give analysis a go to see how prevalent the found news articles were regarding terrorist organizations using steganography. Checking the popular image board 4chan, I came across this photo posted by an anonymous user on the Random section, also known as the B Board, of the overall website. The picture was found and stored in a thread asking for advice about family issues. While looking through the comments, I came across this post, which I had to redact as it contained “Not Safe for Work Imagery” in the form of a nude photograph. For the thread, this photo and comment were very out of context.

This was saved as a .png file, which also indicates that there may be possible hidden steganography, as a .jpg, from my research, is unable to be saved with stored data inside. The second indicator was the comment on the post with the image, which seemed very out of place on the thread for the conversations that were happening at the time.
Downloading the image in a sandbox and running it through a tool I downloaded from GitHub and hosted locally, and after following a guide on Reddit to install a language pack to work with it, I was able to pull some Arabic text and a mega.nz link from the photo.
Researching this tool more, since it is an open source tool it would not be usable in court, as I was unable to find any use cases that may have set a precedent for the tool to be used in forensic evidence collection.

Copying the text into Google Translate, I got this translation with the mega link. It is possible that Google Translate got words wrong, as it has been known to, but the information that was received from the Arabic translation seems readable and may be related to the information found on the page.
I went to the mega link via the Tor network with a Whonix gateway configured in a sandbox tool like Sandboxie, to prevent any files being downloaded to my own system while still being able to view the file and do an analysis of these files in a sandbox if needed. Going to the link, I was immediately shown a video player on the mega.nz website.
The video that was displayed, nearly 1 hour long, seemed to be a long propaganda video from ISIS, meaning there is a possibility that the shared link is being used as a recruitment tool or by a possible “lone wolf” for motivation. It is also highly possible, without further investigation, that the link may have been posted by a possible internet troll with the intent to “troll” users or people looking for this kind of information on the website. Without more in-depth research or time spent searching up linked sources, it is currently inconclusive, even though possible evidence was found.

Unfortunately, due to time limitations and legal limitations on what would give more information, such as IP addresses and possible accurate location data, I was unable to do any more, other than submit my findings to the appropriate authorities for further investigation by them.
