DEADROP Forensics 2 - Safehouse

A PNG with a flag hidden in the least significant bits of pixel data. This is classic LSB steganography; stegsolve or zsteg extracts it directly.

Forensics 2: Safehouse

Overview

A PNG surveillance photo of a parking garage with a "NOTHING SUSPICIOUS HERE" sign edited in. The flag is hidden in the least significant bit of the blue channel, reading pixels left-to-right, top-to-bottom.

Solution

Option A: zsteg (fastest)

gem install zsteg
zsteg safehouse_photo.png

zsteg tries all common LSB configurations automatically. Look for the line containing DEADROP{.

Option B: stegsolve (GUI)

Open the image in stegsolve, cycle through the bit planes, and select "Blue plane 0" (the LSB). The flag text is readable directly.

Option C: Python script

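from PIL import Image

# Force RGB so the unpack below also works for RGBA or palette PNGs
img = Image.open('safehouse_photo.png').convert('RGB')
pixels = img.load()
w, h = img.size

# Collect the blue-channel LSB of every pixel, left-to-right, top-to-bottom
bits = []
for row in range(h):
    for col in range(w):
        r, g, b = pixels[col, row]
        bits.append(b & 1)

# Pack bits into bytes MSB-first; stop at the null terminator
chars = []
for i in range(0, len(bits) - 7, 8):  # ignore a trailing partial byte
    byte = 0
    for j in range(8):
        byte = (byte << 1) | bits[i + j]
    if byte == 0:
        break
    chars.append(chr(byte))

print(''.join(chars))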

The script reads LSBs of the blue channel, packs them into bytes MSB-first, and stops at a null terminator.

Flag: DEADROP{lsb_steg_the_classic_move}

Key Takeaway

LSB steganography embeds data in the least significant bit of color channel values. The change per pixel is ±1, imperceptible to the human eye. Detection requires statistical analysis (chi-square test) or tools like zsteg/stegsolve.
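
The chi-square detection mentioned above, as an added example that is not part of the original writeup: a pairs-of-values test on one channel, using only the standard library. The function names, the Wilson-Hilferty tail approximation and the sample data (constructed in the code, not taken from safehouse_photo.png) are assumptions of this example.

```python
import math
import random
from collections import Counter

def chi_square_lsb(values, min_pair_total=5):
    """Pairs-of-values chi-square test on one channel.

    Returns (statistic, degrees_of_freedom, p_value). A p-value that is
    not small means the LSBs look like random data (possible embedding).
    """
    hist = Counter(values)
    stat, df = 0.0, 0
    for even in range(0, 256, 2):
        n_even, n_odd = hist[even], hist[even + 1]
        total = n_even + n_odd
        if total < min_pair_total:      # too few samples to say anything
            continue
        # Under random LSBs each pair splits 50/50: one degree of freedom.
        stat += (n_even - n_odd) ** 2 / total
        df += 1
    if df == 0:
        return 0.0, 0, 1.0
    # Wilson-Hilferty normal approximation to the chi-square upper tail.
    spread = 2.0 / (9.0 * df)
    z = ((stat / df) ** (1.0 / 3.0) - (1.0 - spread)) / math.sqrt(spread)
    return stat, df, 0.5 * math.erfc(z / math.sqrt(2.0))

def constructed_samples(n=40000, seed=1):
    """Constructed blue values with a smooth histogram, and an LSB-replaced copy."""
    rng = random.Random(seed)
    cover = [max(0, min(255, round(rng.gauss(128, 6)))) for _ in range(n)]
    # LSB replacement with random payload bits (hypothetical embedder)
    stego = [(v & ~1) | rng.getrandbits(1) for v in cover]
    return cover, stego

if __name__ == "__main__":
    cover, stego = constructed_samples()
    for name, sample in (("cover", cover), ("stego", stego)):
        stat, df, p = chi_square_lsb(sample)
        print(f"{name}: chi2={stat:.1f} df={df} p={p:.3g}")
```

A payload as short as this flag only fills the first few hundred pixels, so in practice run the test over a growing prefix of the pixel stream rather than the whole image.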
