Secure way of masking out sensitive information in screenshots? [duplicate]

Question

As a guy working in security/pentest, I regularly take screenshots of exposed passwords/sensitive information. Whenever I report these, I mask parts or complete info as in the sample given below

I often wonder, is it possible for someone to 'reverse engineer' these pics and recover the original information? If so, what should be the correct way of masking such kind of info?

I am using shutter for taking screenshots and using accompanied edit tool to add the black stroke.

EDIT:

As pointed out by some of you, my question is different from this since:

• I am not asking about MS paint/black strokes. The image is just an example to better explain the question
• I have clearly asked for the correct/most secure way of producing photographic evidence.

Answer 1

Yes, it can be recovered.

As long as shutter does not use layer (it almost certainly does not) and as long as the black is really all black (it must not be transparent), it is enough.

The picture that you provided uses some amount of transparency, see here:

All I had to do is use the Fill tool in MS Paint. If I used some algorithm that would take the jpg compression into account, I could probably get better results.

Solution:

Use an editor that does not make the block transparent. Make sure layers are not used. Make sure change history is not stored (to allow undo) in the file. I believe MS paint + bitmap format satisfy all the requirements. Most editors combined with bitmap (BMP) format without compression should satisfy these requirements, but I can not confirm this.

Remove the data. You can do so in many editors by selecting it and pressing delete or Ctrl + X. Then apply redaction graphics, whether black box, or anything else.

DO NOT use JPEG (jpg) or other lossy formats anywhere from capture until redaction. JPEG may leave artifacts that may convey information about the deleted pixels. This may also apply to other lossy formats, use lossless formats if possible. Using any format after the image is redacted is fine.

As lossless formats may also retain some information, if they are not completely re-encoded after the edit, it is recommended to either only use pure bitmap format with no compression before redacting, or to change the format after redacting.

Double check:

You can double check no compression is used in BMP format by checking the file size. The size should be larger than color_depth / 8 * width * height (resolution in pixels, color depth usually 24). Note that this check will not reveal transparency and artifacts caused by lossy compression, so make extra sure you did not use lossy format at any point.

It may also be useful to post a specific question about your proposed setup here, so you can see additional opinions and recommendations. It is hard to give definitive answer, that would work in general for all platforms, formats and editors as they all have their specific caveats.

Answer 2

You don't even need to use an image editor in this case to recover the "redacted" text. Simply zooming in on the image is enough to read it.

So I would say that yes, it most certainly is possible to recover the original text.

Answer 3

In this case the image can be recovered very well

As others already pointed out the dark patch is not completely black. It has a transparent effect and only darkens the original image. The original image can be recovered almost completely:

In this case the recovery was pretty straightforward. I needed to check the range of grey levels of the patch and re-adjust the range to the original values. I used Gimp for that. The unmodified text uses only 7 visibly distinctive levels of grey. The darkened part has retained about 6 levels (when ignoring the anti-aliased border and JPEG artifacts) so we can get almost exactly the original image.

The level and curve adjustment in Gimp and similar image editors can be used to check almost invisible information in the image.

To summarize the recommendations:

• Use an image editor which covers the area completely (non-transparently).
• If compression artifacts (JPEG, dithered GIF etc.) surrounding the area could reveal some information, hide them too.

Answer 4

Yes, the text can be unmasked, either by simply zooming in or using any of the techniques - but not restricted to - pointed by pabouk and Peter answers.

---

I have clearly asked for the correct/most secure way of producing photographic evidence.

Completely remove any sensitive data from print-screens.

---

Steps

1. Press the PRT SCR button on your keyboard (lossless capture, no artifacts);

2. Open gimp/photoshop/paint and select new file, the default image size should be the same as your print-screen, hit CTRL+V to paste the ps into the newly created file and export it immediately as your original;

3. Select the sensitive data using the appropriate tool on your software and hit CTRL+X to cut it;

4. Cover the hole with a black rectangle, as you normally do (purely visual, nothing under);

5. Export your dummy_copy as a new file (jpeg, gif, png);

6. Keep the original untouched and share the dummy_copy.

---

Note

Even if any of the safe masking techniques presented on this page work at the moment, you've absolutely no guarantee that your "secret" data will remain like that tomorrow. The only way to be 100% sure is to cut/remove/destroy/erase/nuke the sensitive data from the original file and export it as new file.

---

Bottom Line:

Answer 5

Examples

As shown above, your example was breakable,the blacks of the redaction had variation showing the text.

Real life example

New York Times Suffers Redaction Failure, Exposes Name Of NSA Agent And Targeted Network In Uploaded PDF

This was an example of a PDF that appeared redacted, but the data could be recovered.

Ways data can leak

• Document titles
  • Quite a simple one, but can be dangerous
• Colour variations like the one you had
• Blurring
  • If the data is not varied enough it can be attacked source
• Unedited thumbnail
  • You may redact the details in the image itself, but not in the thumbnail -Metadata
  • A surprising amount of data can be stored in some image format's metadata

Defences against the above attacks

• Titles
  • Check the filename doesn't contain anything sensitive
• Colour variations
  • Make sure the blocked out area is all one consistent character, so that it can't be read
• Blurring
  • Always block out, rather than blurring
• Thumbnail and metadata
  • Re-export the image in a format that has less metadata, or use a tool to strip the metadata. Make sure the thumbnail is remade.

Answer 6

I think you may be misusing what's meant to be a highlight tool (I'm not at any of my Ubuntu machines ATM and don't have shutter installed anyway to test). I can't quite believe that a tool meant for redacting would have such an obvious flaw as working with transparency takes more effort than not).

In the GIMP you can select an area and fill that area with solid colour (the "fill whole selection" option). Then save in a format that doesn't support layers (perhaps flattening manually first).

Here's a sample image:

and here's an indication of the tools in the GIMP (red freehand shows rectangle select, bucket fill, and fill whole selection):

You can equally do this in MS paint but the GIMP is FOSS and cross-platform. Note that you should export rather than saving in GIMP's own .xcf file format, as that supports a few features that could reveal this (like layers, which actually aren't created in this approach) and is also not widely supported.

Note that I didn't save the image at any point in any format until after masking the password. This doesn't mean it's not saved locally in an undo buffer but I assume your machine is sufficiently secure for the purpose, at least as far as this question goes.

Answer 7

Don't provide screnshots. Provide descriptions OR sample screenshots taken at times when sensitive data is not on the screen, with description that "X appeared here".

"It's no evidence!" you may say. BUT - a screenshot that had been redacted is also not an evidence. It's just a product of your artistic skills. Your testimony of the situation usually carries more weight.

Many answers here focus on making sure that the masking rectangle is actually uniform. But that's not all. The masked text can be recovered with statistical analysis of the size of the masked area. Especially when there is unmasked text before and after, its layout says quite a lot about what was redacted. Proportional fonts are particularly prone to this technique, as characters have more or less unique width. Monospace fonts disclose less information, but the length is known with 100% accuracy.

Answer 8

Most consumer and professional products just put a layer over the top. Most application recover the image under the redaction is a good thing.

Wipe out the image under is often referred to as burning the redaction.

If the image had been OCRs and you are producing text then need to OCR again after burning.

You come across this in litigation where on parties produce. Also search on dDiscovery.
Guidance on Redacting Personal Data Identifiers in Electronically Filed Documents.

As far a shutter not sure but unless it specifically give you an option to burn it is probably just a layer.