LSB Extractor
Extract hidden LSB steganography from PNG/BMP images. Auto-detects LSBSTEG format. Ranked heuristic scan (10 CTF patterns). Bit plane viewer. Flag detector.
Drop image file or click to browse
PNG, BMP, WebP, TIFF, JPEG — max 50 MB (10 MB on mobile)
100% Client-Side Processing
Your image is decoded using the Canvas API entirely in your browser. Nothing is uploaded. Output is always lossless PNG.
How to Extract LSB Hidden Data from an Image (4 steps)
- Upload the PNG or BMP image that may contain hidden LSB data. The tool immediately reads the LSBSTEG header (if present) — a green card confirms auto-detected settings.
- Quick mode auto-extracts with detected settings. Standard mode lets you run a ranked 10-config heuristic scan for images encoded without the LSBSTEG header. Enter a passphrase if the payload was encrypted.
- Forensic mode opens the bit plane viewer — inspect all 24 bit planes (R/G/B × bits 0–7) for structured patterns. Low-entropy planes (entropy < 0.5) are highlighted in red as anomalous.
- Download the extracted payload — text is shown inline, files as a download button. Forensic JSON report is available for any extraction, successful or not.
LSB Extractor — Detection & Extraction Methods
| Method | Technique | Speed | Best For |
|---|---|---|---|
| Auto (LSTG header) | Reads 20-byte LSBSTEG header from first 54 pixels — exact settings recovered in milliseconds | < 1 second | Images encoded with this tool — guaranteed accurate |
| Ranked Scan (10 configs) | Tries 10 most common CTF patterns (stylesuxx, B-only, RGBA, reversed, LSB-first…) — scores each by entropy drop + ASCII ratio + file magic | ~2 seconds | Unknown source images, CTF challenges, stegsolve/zsteg outputs |
| Manual | User specifies exact variant, bit depth, and channels — use when you know the encoding parameters | < 1 second | When you know the tool that encoded the image |
| Bit Plane Viewer | Renders all 24 bit planes (R/G/B × 8 bits), computes Shannon entropy per plane, flags anomalous planes | ~1–3 seconds | Forensic analysis — detect which channel and depth contains hidden data |
Frequently Asked Questions
What is the LSBSTEG header and how does the extractor use it?
Images encoded with this tool contain a 20-byte header in pixels 0–53 using 1-bit sequential RGB. The header stores magic bytes ('LSTG'), version, variant, bit depth, channels, encryption flag, payload length, and CRC-32. If the CRC matches, the extractor uses the exact recorded settings — no guessing needed.
My image has no LSTG header — what happens?
The extractor runs a ranked heuristic scan across 10 common CTF configurations (stylesuxx, zsteg defaults, B-only, R-only, RGBA, reversed…). Each result is scored by entropy drop, ASCII ratio, and file magic detection. The top 3 candidates are shown — select the one that looks correct.
How do I use the bit plane viewer?
In Forensic mode, open the 'Bit Plane Analysis' accordion. It renders all 24 planes (R/G/B × bits 0–7). Each plane shows its Shannon entropy: natural images have near-random LSB planes (entropy ≈ 1.0). Entropy < 0.5 is flagged in red — structured patterns indicate embedded data. Click any plane to expand it.
What does 'entropy_no_password' error mean?
The LSTG header was found and is valid, but the encFlag is set (AES-256-GCM encrypted). Enter the passphrase used during encoding in the password field and re-run extraction.
The decoded output looks like noise — what went wrong?
Most likely causes: (1) Wrong passphrase — try again carefully. (2) Wrong bit depth — try Manual mode with different settings. (3) Image was re-compressed by a platform (Instagram, WhatsApp) — hidden data is destroyed. (4) The image was not encoded with LSB steganography at all.
Can this tool decode outputs from zsteg, Stegsolve, or OpenStego?
Often yes — the ranked scan includes the most common configurations those tools use (1-bit sequential RGB, B-channel only, LSB-first byte order). If none of the 10 heuristic configs match, try Manual mode with the exact settings you know were used.
What CTF flag patterns does the detector look for?
The flag detector scans decoded text for: flag{…}, CTF{…}, HTB{…}, THM{…}, picoCTF{…}, DUCTF{…}, and standalone hex strings ≥ 32 characters (common MD5/SHA hashes used as flags). Matches are shown in a green banner with a copy button.
Is my image uploaded to any server during analysis?
Never. Extraction runs entirely in a WebWorker in your browser. The image never leaves your device — you can disconnect from the internet after the page loads and the tool still works.