Uncovering Cicada Wiki

Why OutGuess? What is it?

Final

In 2012, Cicada 3301 posted their first image on 4chan. This was the first time they made contact with the world, and the first time they used the steganography program OutGuess. They were very literal when they said: “There is a message hidden in this image”. This line was the first hint 3301 gave to solvers, telling them that they were using steganography to hide information. That led to finding this image (right).

Decoy

You can read about how they got to these images in the What Happened (2012) article.

“WOOPS Just decoys this way. Looks like you can’t guess how to get the message out” was their way of hinting at the steganography program OutGuess. Without this hint, the solvers may not have found or used the program. OutGuess is one of many steganography applications.

Developed in Germany in 1999, OutGuess is available under a BSD software license and is completely free for all users. While there are official executables for Windows operating systems, OutGuess Rebirth doesn’t work with 3301’s JPEGs. If you are not Linux savvy and still want to play around with OutGuess, you can use a VM or you can boot most Linux distros from a LiveUSB or LiveCD.

Fedora or Ubuntu might be the easiest to use with either of those options if you have no experience with Linux operating systems. Under certain circumstances, OutGuess is considered undetectable [1]. However, with 3301’s signature JPEGs with white text on a black background, you can find the artifacts it produces very easily with visual inspection alone.

[1] StegDetect is useless. It detects only OutGuess up to version 0.13.

How does OutGuess Work?

"For JPEG images, OutGuess preserves statistics based on frequency counts. As a result, statistical tests based on frequency counts are unable to detect the presence of steganographic content. Before embedding data into an image, OutGuess can determine the maximum message size that can be hidden while still being able to maintain statistics based on frequency counts."

OutGuess creates a new JPEG statistically equivalent to the one given as input. When creating the new JPEG, the default compression is 75 and can be set using -p to a value between 75 and 100. Consequently, the compression level of an image may give a clue about the presence of OutGuess, but this is not enough to draw any conclusion.
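One way to check the compression-level clue described above, as an added example that is not part of the original page or of OutGuess itself: it reads a JPEG's quantisation tables and finds the closest libjpeg (IJG) quality setting. The function names are hypothetical, the sample file is constructed, and the code assumes the image was written by a libjpeg-style encoder with table 0 as the luminance table.

```python
import struct

# Standard IJG luminance quantisation table (natural row-major order).
BASE_LUMA = [
    16, 11, 10, 16, 24, 40, 51, 61, 12, 12, 14, 19, 26, 58, 60, 55,
    14, 13, 16, 24, 40, 57, 69, 56, 14, 17, 22, 29, 51, 87, 80, 62,
    18, 22, 37, 56, 68, 109, 103, 77, 24, 35, 55, 64, 81, 104, 113, 92,
    49, 64, 78, 87, 103, 121, 120, 101, 72, 92, 95, 98, 112, 100, 103, 99,
]
# DQT segments store coefficients in zigzag order; derive that order here.
ZIGZAG = sorted(range(64), key=lambda i: (
    i // 8 + i % 8, i // 8 if (i // 8 + i % 8) % 2 else i % 8))

def ijg_table(quality):
    """Luminance table libjpeg produces for a quality setting, zigzag order."""
    scale = 5000 // quality if quality < 50 else 200 - 2 * quality
    return [min(255, max(1, (BASE_LUMA[i] * scale + 50) // 100)) for i in ZIGZAG]

def read_dqt(jpeg):
    """Return {table_id: [64 values]} from the DQT segments before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    tables, pos = {}, 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, length = jpeg[pos + 1], struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # start of scan: header segments are over
            break
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xDB:  # one segment may carry several tables
            off = 0
            while off < len(body):
                wide, tid = body[off] >> 4, body[off] & 0x0F
                size = 128 if wide else 64
                raw = body[off + 1:off + 1 + size]  # struct.error if truncated
                tables[tid] = list(struct.unpack(">64H" if wide else "64B", raw))
                off += 1 + size
        pos += 2 + length
    return tables

def estimate_quality(jpeg):
    """Closest IJG quality for table 0 and its distance (0 = exact match)."""
    luma = read_dqt(jpeg)[0]
    scores = {q: sum(abs(a - b) for a, b in zip(luma, ijg_table(q)))
              for q in range(1, 101)}
    best = min(scores, key=scores.get)
    return best, scores[best]

def build_sample(quality):
    # Constructed input: SOI + one DQT segment + EOI, no image data.
    return (b"\xff\xd8\xff\xdb" + struct.pack(">HB", 67, 0)
            + bytes(ijg_table(quality)) + b"\xff\xd9")
```

On a real file, call `estimate_quality(open("imagename.jpg", "rb").read())`. As the paragraph above says, a result in the 75 to 100 range is only a hint, not proof that OutGuess was used.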

How do I install OutGuess?

To run OutGuess, you need a Linux operating system. While there are official executables for Windows operating systems, OutGuess Rebirth doesn’t work with 3301’s JPEGs. If you are not Linux savvy and still want to play around with OutGuess, you can use a VM or you can boot most Linux distros from a LiveUSB or LiveCD. Fedora or Ubuntu might be the easiest to use with either of those options if you have no experience with the Linux operating system. You can also use JOutguess, a convenient web-based tool.

You can download the source code here. Installation directions are in the README file.

To save you some time, unpack the file and cd into it. Run:

./configure && make

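Because of a bug in GCC, you might have to build with optimization turned off. -O0 is a compiler flag, not a make option, so pass it through CFLAGS:

CFLAGS="-O0" ./configure && make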


Great! Now how do I use it?

To retrieve information from any of Cicada's images, open a terminal and type:

outguess -r imagename.jpg messageoutput.txt