INVESTIGATION HELP NEEDED Hidden photos on an image hosting site
As someone posted a few days ago on 4c 8c & here the search terms that give the cp results in the images come from the site img src at first look nothing really suspicious is to be seen on the site no really explicit photos of kids can be found other than upskirt, swimsuit, etc. except for when you look at the people a) commenting on the photos trading photos via mail (?) b) photos of flowers, cars, etc. commented by pedophiles talking about stuff other than in the photo

Can anyone please investigate this and see if there is more to this.


screenshot of the tractor photo with comments

the tractor photo

screenshot of flower photos notice comments and SAME photo posted 10x in the album

BANNED URL SO CAN'T POST: /pharnisluvsyung/30034761.html?id=30034761

Attached: tractor comments.png (2492x968, 1.03M)

Other urls found in this thread:

I have been banned on voat for asking help on this.
I know for sure there are also misinformists there because only irrelevant topics get upvoted others get downvoted or just deleted like mine did.

they just shut it down and make it even harder to find
this does not SOLVE anything

please help someone?

Attached: imgsrc.ru_55122461LzA.rar.jpg (550x344 740.33 KB, 45.66K)


I've long since lost my steganography tools and not really wanting to dig, to be honest. Some quick thoughts:
>copy the full-size image (not the file) to any other image utility I like irfanview and save it as the same type with good quality settings

They could be just fucking around, but their whole ethos disgusts me and I can't bring myself to look at it too long. The hidden thing is probably not another entire image, more likely a URL. You could maybe find this unencrypted in the file depending on how they operate.

Some of them might just be generated comments to make the website seem more active than it is.

I'm a shitty phone poster so I can't try right now, but can you open the original picture with winRAR? Old /b/ used this to share cp.

Look at the file name in
You might be right. I'm not checking.

I hadn't even noticed that yet. The pictures posted there are too small though, so they most likely won't contain cp. The originals on the Russian website may though.

I tried opening it in rar or zip didn't work
stegdetect didn't open anything
I just can't find any other explanation

Save a few different copies of the flower one and see if they have different hashes.

Attached: imgsrc.ru_30034761uwc.png (550x344, 45.66K)

idk if it means anything but the photos with hidden content end with C8 or C6

Correct me if I'm wrong, but even if they have different file types, the same image should have the same hash correct?

what do you mean originals this is from the site

If hashes differ but the img res and overall appearances are identical (no filters, resize, blurring, etc), then steg is in use.

Files are just bytes of data, so they should have the same hash regardless of file type. But if the file was compressed or saved using another program, it could have lost some of the original bytes from the original site.

User has password protected albums classified under "kids"

Attached: imgsrc.ru_57803695kVe.jpg (2440x1086 4.32 MB, 376.1K)

This shit makes me sick. Can someone try using wget to detect metadata in the photos? I am learning how to right now but won't have time to finish before I start work.

Pic related is in album "Fund with Dad."

Attached: Fun_With_Dad.jpg (1024x536, 52.26K)

My best guess for attack would be to do a simple dictionary attack with steghide and other steg tools.

His password is: 12345

I just don't get how these pedophiles could be this intelligent and have this super intricate way of hiding photos and communicating.

From one of his password-protected albums.

Attached: Love_Her_Buds.png (1878x878, 260.46K)

So pic related from an old ass thread here is steg?

Attached: e.gif (498x384 876.83 KB, 1.76M)

You'd be surprised what the threat of prison on a sex offense will motivate you to do.

I don't know of gif steg apps. Very bad example from you.

I really never expected that and the cp sites always look like they were made in 1999 with html they often also use their real name in the username….

Don't mind the honeypots!

Attached: FBIBro.png (1024x1024, 87.65K)

good find
so buds is code for ….

Nipples, duh!

Well that's creepy. They are in fact steg. I just opened them as zip files and they contain .opus audio files.

I cannot stand this stuff.

Attached: ClipboardImage.png (373x113, 21.41K)

This to be honest, I would be amazed if these files weren't packed with canaries.

Attached: hairless.jpg (1318x612, 163.63K)

I'm sure the real deal guys use a preconfigured pair of VMs, one containing Tor, I2P, IPFS, and other darknet onramps, while the second VM is the 'view' VM, and skip the 'website' shit. Pro points if it's two physical machines, one behind the other, with the gateway's uplink further clamped.

Attached: MmmmGrayons.jpg (720x736, 32.41K)

i tried changing the file format and it didn't work for me

After some brief digging in the site, I would recommend anyone who wants to dig further use an amnesic OS.

Related: Is Tails still a good tool?

they have been doing this shit for a while
like the old mods arnt lookin post sinks meme
these fgts need the rope
god speed with your diggin lads

Attached: FlowerExiftool.png (4608x2592 49.7 KB, 4.32M)

Here's some nickels pedokidz, buy yourselves some real steg solutions (like steghide)!

Attached: LeXDFace.jpg (600x563 413.47 KB, 61.2K)

Not just amnesiac, but sandboxed/isolated behind a fascist darknet gateway.

It has to be zip. The file name should be "". Not sure it matters, but I'm using 7zip to open it. The file won't open in vlc so I'm assuming you need to unzip all 5 to get the complete video.

An amnesiac OS doesn't help with canaries, they give away your IP. You need to be using Tor or another VPN, both in fact to be safe.

Ummm no, the VPN suggestion proves this isn't your living.
Best way to avoid FreedomHosting like decloak is isolation behind a darknet gateway, no clearnet access.

Thanks for the info. So would this stop a canary from getting your IP? If you just used a VPN would the canary be able to resolve your real IP, since it would be sending the notification from your actual computer?

So doesn't Tails solve this, as all of it's network activity is routed through Tor?

Use a hex editor that can do a diff of 2 files. A large number of differences will probably mean the images were compressed differently, while a smaller number may point to deliberate changes to the data. (Could just be the metadata though.)

weird that nobody checked a very obvious steg
related to the piz case

Attached: 8789b212-5f8e-435a-839f-f6272418ef3b.jpg (200x200, 11.51K)

Pic related?

Attached: e4c7b25c3bc4713820c45c14358a22aeebbc94f7febcf62f5e92445a1bdee6aa.jpg (480x360, 23.21K)

Have you tried DDT extensions? Those are specifically made for imageboards.

Attached: 98710382.jpg (403x400 62.98 KB, 79.8K)

Hard to trust a vpn you do not control, they all "claim" to be anonymous…

As long as Tails has no outside connection or dns leaks, or any other unknown exploits. I have never used it but I hear its secure?…I use "Whonix", a ltitle less mainstream

I could be wrong, but last time I looked into TAILS it did in fact have a dns leak, this was a while ago however and the issue could have been remedied.

it's so obvious he's not refering to mrp in the photo but something else

Attached: mrpp.JPG (405x396, 23.35K)

Personally I dont trust Tails simply because how "mainstream" it is, and how it is pushed as the defacto tor os. Hopefully I'm just overly paranoid.

TAILs will stop application layer exploits. TAILs cannot save you if any clearnet-facing software is exploited, such as Tor router itself, the kernel, the network manager, etc. SELinux should mitigate this though, except for kernel exploits or in misconfiguration cases.
Even VM isolation isn't perfect, Spectre+Meltdown crossed those lines and I'm sure that infoleak exploit is one of the tamer ones in the toolbag.

Yes, assuming VPN routing isn't strict. If it is strict and it routes over VPN, you're dumb to think the VPN won't sing on you.

do you mean a tampermonkey script

I don't know what to think. Wikileaks promotes it, which could be viewed as a reason to use it. Snowden also recommends it, which makes me question its viability, considering he might glow with the lights off.

yeah i have no idea what i am doing but this thread has peaked my interest very much

Attached: steggonbad.jpg (480x360, 506.3K)

Welcome to the world of what the fuck is the truth anymore :) Trust yourself, do your own research.


No, they won't have the same hash if they're different file types.

Use it and Whonix as references and homebrew your own with a pair of extra systems.

This guy guessed correctly, it's steghide. The problem is though you need to get the password, hence they always have email or kik contacts. However, just the fact that there is an encrypted file within their pictures should be enough proof.

I was saying if they were the same file and you changed the file ext. Data is data. Obviously the file headers and such will change if they were totally different file types.

Also, "isolating wifi" with a godlike password means nothing if the flare sweeps the channels spewing a covert distress code + identifiers, if it detects no clearnet + yes wifi card + no open wifi with clearnet, assuming kernel exploit to permit this, and assuming urban area cell towers also double as civilian wifi SIGINT collection stations.

I have no idea how to help or else I would. I hope you good guys find these fuckers.

Not code for anything.
Breast buds are the primordial lumps which sprout on a pubescent girl's chest. Not yet breasts but still not flat like a boy's.
Girls will start to bud as soon as puberty begins, so anywhere from 8 to 10 years old these days.
Conspicuous absence of buds, for example on the chests of a 16-year-old that it's being claimed is just a "late bloomer" are a fairly solid sign that she's actually a boy, because buds form so early.

Attached: no_buds_male.jpg (1268x2128, 217.23K)

I can. I prefer it. I don't want them to obfuscate. I don't want them to be smart enough to hide their statements. Now we know about tractors; we didn't know about tractors before. I prefer they be retarded. I prefer they be out in the open.
We have to kill them all.
We can't very well do that if we don't know who they are, right?

P.I. user here.
All you need to do is to establish probable cause, if we can prove that a crime has occurred or is likely to occur by following the STEG trail, the Feds will be able to secure the warrants and subpoenas needed to put these individuals away.
I know little to nothing about steganography however. Any help this way is much appreciated.

Simply having encrypted/hidden data is not enough to get a warrant, the comments might make or break individual 'cases', but they can't get a blanket warrant for everything that's a violation of due process.
It may be possible to brute force the password, crypto I'm a bit better at so maybe I can be of help, I'll look into the algorithms steghide uses

Along those lines, depending on how far the black project surveillance goes, DPA with smart power meters should pick up coded comms if the flare can make hardware with known power draw characteristics modulate power use. In physical penetration scenarios, mics getting coil whine could be used in a 1-2 punch on a totally isolated (no any-net) system.

Bah, I am digressing!

A steganographic file system, for example, is a partition of your hard drive hidden within the normal file system. Hidden not like a "hidden file" in the OS, but rather the bits which make up the partition itself are spread all around the hard drive rather than being a big lump of gigabytes all together. This hides the existence of the partition from data dump systems and makes all of the information look like junk data if you're just reading files straight off the drive.

exactly I am against just shutting down the sites like the retards have done on seriously they are dumb asf
I posted this there and a retard commented on the pop-ups he got from some game
??? like wtf
trying to derail asf
and they just shutdown sites (((Gaetanne Antat))) as if that solves anything

Can you go into any detail why this over Tails? I don't know that much about this stuff and anything that is less well known will have less attackers. Curious why you like this one user.

Forgetting the password would net them less jail, but if only one is arrested so there's no Nash squeezing possible.

ya, if you need the base script go here:

Doesn't this require a map of all written files to prevent collision on write?

But there's nothing hidden in those files.
What another user suggested is probably the case, posts by bots smart enough to inject context into their comments.
Files are too small, data is not compressed.
At best there's URLs hidden somewhere in the pictures, which point to the real cp and it's those off-site pictures that perverted comments refer to.
But I still think bots is more likely.

I'm the same user, but these threads are always useful to try to learn things from other anons who know about these things. I think we should all strive to know a bit about this type of stuff given the age we live in, but some of us might be "to old" to learn such a thing in depth.

One VM is the router, with one side facing the net and the other a virtual LAN (etherstub), hosting Tor with SOCKS port on the virtual LAN side, and a second 'view' VM with ONLY the virtual LAN for connection.

Could it be something as simple as the images being different for users who are logged in?

If the host is involved, then yes.

Thank you user.

It was just the first one I used, but I like how they have two vms, one handles all connects to tor, and the other runs your apps. Basically just isolates anything you run from the networking and routing.

I like the sound of that, I really need to get into knowing my system better than I do. Everyday it grows much more important nowadays.

I hope all the anons who know how to do this type of thing can do it and hopefully bring them down.

I wish steghide embed WAV → Red Book audio CD → ripped WAV → steghide extract WAV worked.

I know steghide embed WAV → FLAC → WAV → steghide extract WAV works fine, I tried it myself.

Good middle security solution, like Qubes or OpenSolaris 10 + Solaris Trusted Extensions (superior IMO, but dead now pic related).

Attached: SadCatMunchingSadPizza.jpg (370x699, 34.06K)

If we can get a foothold into their little social media platform, we can skiptrace at least a few of them, everyone leaves a trail. Patience and persistence user.

Interesting theory.
Sounds to me undercover is going to net the best results, the problem with that is it opens up the investigator to charges.

Has to operate with sterile gloves. Can't be me now as I expressed capability here without a net-condom on.

If this was the case wouldn't there be telltale signs in the scripting of the webpage that could be viewed in something like firebug or some other source viewing software or is it a setting on the server to specifically serve particular users other images?

If done right, ie on the backend: no.

If the site is hosting injected code then maybe. Probably just sloppy on the webmaster's part himself than an injection.

Think of a CMS as a program which takes database content and creates the page on the fly upon request.

I really don't think it's bots because those users have their own albums with explicit photos of children.

I wouldn't recommend anyone do it unless they were prepared to accept the possibility of being caught up in their own net.

Attached: comb_desert.jpg (625x292, 23.79K)


Ok, I was thinking something like this (pic related) might be going on.

Attached: tractor_with_cp_link.jpg (550x344, 140.38K)

It's nothing until it's something.

A jury would still need to convict. If I sat on that jury: no way would I convict.


Ain't clickin' it!

Attached: DoNotWant.jpg (601x665, 97.91K)