Welcome to the Anti-Forensics Toolkit

A focused toolkit to embed messages into images, detect hidden content using steganalysis and cleanse files to remove covert payloads. Built for demonstrations, coursework and lightweight investigations.

🧩 Embed LSB / RGB

Hide a short text inside an image (PNG/JPG). Output is a PNG with the payload embedded.

🕵️‍♂️ Detect Decoder + Chi-Square / RS

Recover messages embedded by this app and flag suspicious LSB patterns from other tools.

🧼 Cleanse Sanitizer

Rewrite pixel LSBs and export a sanitized PNG. Skips cleansing when no hidden data is found.

🔧 Methods & What Each Tool Does Overview

🧩 Embed

  • Technique: LSB substitution across RGB channels (order: R → G → B), 1 bit/channel/pixel.
  • Payload framing: UTF-8 text with end-marker ##### (sentinel) to indicate stop.
  • Capacity check: Fails early if bits needed > 3 × pixel count.
  • Output: PNG (lossless) to preserve LSBs.

🕵️‍♂️ Detect

  • Decoding: Reconstructs bits in R→G→B order; stops at sentinel #####.
  • Compatibility: Also tries blue-only streams + multiple bit alignments.
  • Steganalysis: Chi-square on LSB distributions and a lightweight RS-style heuristic.
  • Outcomes: “Recovered message” or “Likely stego present” (when encrypted/foreign) or “Clean”.

🧼 Cleanse

  • Gate: Runs detection first; if no hidden data, cleansing is skipped.
  • Sanitization: Rewrites/normalizes LSBs and exports a fresh PNG.
  • Goal: Strip covert payloads while preserving visual appearance.
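
An added illustration of the framing, decoding, chi-square check and cleansing listed above; it is not the toolkit's own code. It works on plain lists of (R, G, B) tuples instead of Pillow images, and the MSB-first bit order, the pairs-of-values form of the chi-square statistic, zeroing LSBs as the sanitization, the function names and the flat sample image are all assumptions.

```python
from collections import Counter

SENTINEL = b"#####"  # end-marker from the page's payload framing

def embed(pixels, text):
    """Write UTF-8 text + sentinel into LSBs, R -> G -> B, 1 bit per channel."""
    data = text.encode("utf-8") + SENTINEL
    bits = [(byte >> s) & 1 for byte in data for s in range(7, -1, -1)]  # MSB first (assumed)
    if len(bits) > 3 * len(pixels):  # capacity check: fail before touching pixels
        raise ValueError("payload needs more than 3 x pixel count bits")
    flat = [c for px in pixels for c in px]
    flat[:len(bits)] = [(c & ~1) | b for c, b in zip(flat, bits)]
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def decode(pixels):
    """Rebuild bytes from LSBs; return the text before the sentinel, else None."""
    out, acc = bytearray(), 0
    for n, c in enumerate((c for px in pixels for c in px), 1):
        acc = (acc << 1) | (c & 1)
        if n % 8 == 0:
            out.append(acc)
            acc = 0
            if out.endswith(SENTINEL):
                try:
                    return out[:-len(SENTINEL)].decode("utf-8")
                except UnicodeDecodeError:
                    return None  # sentinel bytes by chance, not framed text
    return None

def chi_square_pov(pixels):
    """Pairs-of-values statistic: near 0 when values 2k and 2k+1 are equally
    frequent, which is what overwriting LSBs with payload bits tends to cause."""
    hist = Counter(c for px in pixels for c in px)
    stat = 0.0
    for k in range(0, 256, 2):
        expected = (hist[k] + hist[k + 1]) / 2
        if expected:
            stat += (hist[k] - expected) ** 2 / expected
    return stat

def cleanse(pixels):
    """Normalize every LSB to 0 so no bit stream survives (assumed method)."""
    return [tuple(c & ~1 for c in px) for px in pixels]

# Constructed sample: a flat 64-pixel "image" whose channel values are all even.
COVER = [(100, 150, 200)] * 64
STEGO = embed(COVER, "meet at noon")
```

The flat sample exaggerates the effect: the cover scores 96.0, and every embedded 1 bit pulls the score toward 0.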

🔒 Safety & Validation

  • Image checks: Pillow limits (MAX_IMAGE_PIXELS) + verify() to block bombs/corruption.
  • Uploads: Size limited (16 MB) and extension-checked; PCAP handled separately.
  • Privacy: Decoded text is truncated in logs; downloads served only from outputs.

🧭 Typical Workflow Quick Guide

Demo Path

  1. Choose an image (PNG/JPG) and a short message.
  2. Use Embed → download the embedded PNG.
  3. Upload the embedded PNG to Detect → message should appear.
  4. Upload the same PNG to Cleanse → sanitized output (no hidden data).

Notes & Limits

  • Encrypted/format-specific tools (e.g., OpenStego with password) may be flagged but not decoded.
  • Very small/over-compressed images reduce capacity and reliability.
  • For best results use reasonable-size, lossless or lightly compressed images.

❓ FAQs & Troubleshooting Helpful

Why does detection say “likely stego present” but show no message?

This usually means the payload is encrypted or uses a different framing. The LSB statistics look non-natural, but there’s no readable sentinel-framed text to extract.

What images work best?

Medium-to-large PNG/JPG with modest compression. Avoid tiny or already-compressed thumbnails.

Can I decode OpenStego?

If it’s password-protected or uses a different format, the app will flag suspicion but won’t decode without the key.

Tip: If a decoded message is sensitive, cleanse the image and store the output — logs only keep a short preview.