03 Technical picture hiding places

Besides the purely optical variants, a lot of nastiness can be done with digital images in a technical way. In geocaching mysteries, I find computerised steganography the worst. As nice as it is to be able to hide almost any imaginable thing in pictures invisibly and almost uncrackable with programs available free of charge, it is rather tedious for the mystery solver, because you have to use exactly the same software to decrypt the picture that was used to encrypt it. If you know which software it is, you may only have to find a password and you are one round further. If you don’t know the software, it’s a frustratingly boring trial and error of the usual suspects.

Image properties

But there are much nicer and easier ways to hide and retrieve information in images. For example, simply the image size, height and width in pixels, could be the missing north and east coordinates (or at least their last three digits). Alternatively, the location of a relevant pixel could also show the coordinate.

If the image is a JPEG (the extension of the image .jpg), it may contain EXIF additional information. This is intended for author notes, comments or data on cameras and photo settings. Newer cameras often already contain a GPS receiver and save the coordinates where the picture was taken. Smartphones can also do this.

And many a mystery thus gives away its final coordinates by careless geocachers who unwittingly upload photos with such interesting additional information in their logs.

To make this additional information (EXIF, IPTC, comments) visible, you can use image viewers (the aforementioned IrfanView or xnview) or go to the internet (Jeffreys Exif viewer). Image editing programmes also show this. My favourite here is the freeware Gimp, which is in no way inferior to its big brother Photoshop, at least in my semi-professional fields of application.

For those who use Firefox, there are also some appropriate add-ons that may eliminate the need to download the image. In my tests, however, these tended to work only moderately well.

Additional image data

If you don’t find anything useful in the image properties, you should take a look at the image in a hex editor. In IrfanView you can do this with View -> Show hex view or by pressing the F3 key. In IrfanView, the hexadecimal data is then displayed in an extra window on the left, and the “plain text” on the right, which is of course largely not human-readable in an image.

A normal hex editor (such as HxD) does the same, of course. In the hex view, you may discover information or manipulations that you cannot see in the image itself. The format jpg is basically bound to fixed rules, but you can bend them quite a bit and the image will still be displayed without errors. For example, text can be hidden in some places (in the upper area and at the bottom), which the reader can only read in the hex view. A popular option for geocaching is to attach a zip, i.e. a packed file, to the jpeg image. If you open this jpg in a zip programme (e.g. Winrar), the archive opens and you can unpack the contents. Sometimes the owner of the mystery has included a password, which can hopefully be found in the listing (perhaps cache title, GC code or owner name?).

If something has been appended to a Jpeg image, it is easy to check via the hex view. According to the JPEG specifications, a JPEG image must start with the hexadecimal value FF D8 and end with FF D9. If it ends differently, it has been manipulated. Something like the zipped has been appended, or possibly simply text inserted at the end. To get to the bottom of this mystery, one must – if the information is not already directly readable – use a hex editor to cut off everything after the actual end of the JPEG image, i.e. the hex FF D9 , and pack it into a new file (the FF D9 may, intentionally or not, occur more than once! In that case, you may have to try all possible “cutting variants”).

Now save this new document under a suitable name and open it with sensible programmes.

  • It could also be an image, in which case an image viewer would be appropriate.
  • Perhaps also a text editor.
  • A video or music player perhaps?
  • Maybe a PDF reader to display content?

Data can also be attached to PNG files. In HEX terms, a PNG starts with the HEX numbers 89 50 4E 47 and ends with 49 45 4E 44 AE 42 60 82 . If there is more hex code after the ending, I would cut it off with the HEX editor, save it and see what it could be. If it starts with 89 50 4E 47 again, it is a new PNG. Alternatively, you can try to open unknown files with the typical programmes (image viewer, audio analyser, notepad, etc.). Or try the internet and give the first HEX characters to a search engine. The vast majority of file formats have special start-up sequences.

For a deeper analysis of PNG files I can recommend the tool tweakpng.

Colour/contrast/saturation and gamma controls

Another way to demystify nasty image puzzles is to use the colour/contrast/saturation and gamma controls of a tilted image viewing or editing software. Simply move the existing sliders (in IrfanView under Image / Color correction, in Gimp there are different windows under the menu item Colours) back and forth. Especially move the gamma slider completely to both ends, sometimes something appears in the picture that was definitely invisible before. Well… actually not completely invisible, depending on the type of image and colour filling, you would have found out about this trick if you used the editing function (e.g. in IrfanView Edit, Paint Dialogue) and tipped colour over various optically monochrome areas with this fancy bucket symbol (set the tolerance threshold to as small as possible). However, this counter magic only helps with images that have little detail and large areas of solid colour. Alternatively, using the “magic wand” of the image editing software and a sensitivity of “0” or “1”, you can try to highlight all areas of exactly the same colour and get those that may differ only marginally and visually invisible.

Colours and colour values

If you have an image that consists of only two colours or has particularly striking areas of the image, the colour values could be the key. With Gimp and the eyedropper in the tool window you can “pick up” the colour value and with a double click on the square, which has now taken on the colour in the tool window, you can find out details about it. For example, the RGB colour values, where red, yellow and blue are each represented by a number (R 52/G 12/B 33) or the hexadecimal value of the colour, like #4fad91. Oh how nice, decimal is 5221777, a north coordinate! 😉 . What you can do with colours in geocaches, I tried to explain here.

Animated images – GIF

If you have a GIF file (ending with .gif), it can consist of several parts that run after a predetermined time like a flip book. This can be so fast that it looks like one, or so slow that you probably won’t look at all when the image finally changes. That’s why you should always take GIFs apart.

When opened in the Gimp, you can see the different layers in the layer window, in xnview you can jump back and forth between the individual ones under View -> Frame and see their number and your own position in the bottom left of the status bar. Jeffrey’s Exif viewer also shows all the individual images online.

GIFs and PNGs may contain information that you can’t see against a white background (which is common to both geocaching.com and the usual image viewers). Against a different coloured one, you may recognise what was not visible before.

If the picture is a familiar one, or if it appears twice in the listing, it is worth looking for differences. If these are not visually obvious, you can superimpose these two images in an image editing programme that can handle layers (gimp, for example, once again representing the freeware faction, or of course the almost-all-rounder Photoshop). Then make the image on top translucent (transparent), maybe play a little with the contrast and transparency controls or set the mode to subtract and see if the magic works.

If you can’t make out anything in the picture except a jumbled “wallpaper graphic” of a designer on LSD, it could be a stereogram. With enough training, a bit of squinting and the right eyes, many people can see things in here after a while that I unfortunately cannot. If I don’t have a suitable “squinting eye” nearby, I use software that shows me the hidden information in the stereogram. There is now a flood of such software, so I’d rather not make a recommendation. If you are good with image editing software, this might be enough: copy the image into a new layer, set it to difference mode (in Gimp in the layer window, Mode, Subtract). Now you have a black image and can move the new layer back and forth until you can see what you wanted to hide. The shift can be as much as 50 pixels.

My last image tip for now, which I use almost daily: tineye and (usually even more productive) the
Google image search! If you want specific information about a particular image, don’t know who or what is pictured here, these two services do a great job! Tineye is available as a Firefox plugin, my absolute favourite. For this, the google image search can find more, tineye only finds what has exactly the same section as the image you are looking for. The easiest way for me to use the google image search is to put the complete URL of the image into the search window and click on “Find matching images with image search” in the following window at the top.