Digital Forensics Tools
When to Use
Load this skill when:
- •Analyzing suspicious files or unknown file formats
- •Extracting hidden data or carved files
- •Detecting steganography in images/audio
- •Analyzing network PCAP files
- •Scanning for high-entropy (encrypted/compressed) data
- •Working with file signatures and magic bytes
File Analysis and Carving
Binwalk - Extract Embedded Files
bash
# Scan for embedded files binwalk suspicious.bin # Extract all found files binwalk -e suspicious.bin # Extract with signature scan binwalk --dd='.*' suspicious.bin # Scan for specific file types binwalk --signature image.png
Common File Signatures (Magic Bytes)
| File Type | Signature (Hex) | Signature (ASCII) |
|---|---|---|
| PNG | 89 50 4E 47 0D 0A 1A 0A | .PNG.... |
| JPEG | FF D8 FF E0/E1 | ÿØÿà |
| GIF | 47 49 46 38 37/39 61 | GIF87a/GIF89a |
| ZIP | 50 4B 03 04 | PK.. |
25 50 44 46 | %PDF | |
| ELF | 7F 45 4C 46 | .ELF |
| RAR | 52 61 72 21 1A 07 | Rar!.. |
Manual File Carving with dd
bash
# Extract bytes from offset to end dd if=input.bin of=output.bin skip=1024 bs=1 # Extract specific byte range dd if=input.bin of=output.bin skip=1024 count=2048 bs=1 # Find PNG signature and extract grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin
Strings Analysis
bash
# Extract ASCII strings strings suspicious.bin # Extract with minimum length strings -n 10 suspicious.bin # Search for specific patterns strings suspicious.bin | grep -i "flag\|password\|key" # Unicode strings (16-bit little-endian) strings -el suspicious.bin # With file offsets strings -t x suspicious.bin
Steganography Detection
Image Steganography
python
#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np
def check_lsb(image_path):
"""Check LSB (Least Significant Bit) steganography"""
img = Image.open(image_path)
pixels = np.array(img)
# Extract LSBs
lsb = pixels & 1
# Visualize LSBs (amplify for visibility)
lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
lsb_img.save('lsb_analysis.png')
print("[+] LSB analysis saved to lsb_analysis.png")
def extract_lsb_data(image_path):
"""Extract data from LSBs"""
img = Image.open(image_path)
pixels = np.array(img).flatten()
# Extract LSBs as bits
bits = ''.join([str(p & 1) for p in pixels])
# Convert to bytes
data = bytearray()
for i in range(0, len(bits), 8):
byte = bits[i:i+8]
if len(byte) == 8:
data.append(int(byte, 2))
return bytes(data)
# Usage
check_lsb('suspicious.png')
data = extract_lsb_data('suspicious.png')
print(data[:100]) # First 100 bytes
Common Steganography Tools
bash
# Steghide (JPEG, BMP, WAV, AU) steghide info suspicious.jpg steghide extract -sf suspicious.jpg # StegSolve (GUI tool for image analysis) java -jar stegsolve.jar # Zsteg (PNG, BMP) zsteg suspicious.png zsteg -a suspicious.png # All checks # Exiftool (metadata analysis) exiftool suspicious.jpg exiftool -all suspicious.jpg # Foremost (file carving) foremost -i suspicious.bin -o output/
Audio Steganography
bash
# Spectogram analysis with Sox sox audio.wav -n spectrogram -o spectro.png # Or with Python python3 helpers/spectrogram.py audio.wav # Audacity (GUI) # File -> Open -> Analyze -> Plot Spectrum
Network Forensics
PCAP Analysis with tshark
bash
# Basic statistics tshark -r capture.pcap -q -z io,phs # Extract HTTP objects tshark -r capture.pcap --export-objects http,output/ # Filter by protocol tshark -r capture.pcap -Y "http" tshark -r capture.pcap -Y "dns" tshark -r capture.pcap -Y "tcp.port == 80" # Extract HTTP requests tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri # Extract HTTP POST data tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data # Follow TCP stream tshark -r capture.pcap -z follow,tcp,ascii,0 # Extract files tshark -r capture.pcap --export-objects http,extracted/ tshark -r capture.pcap --export-objects smb,extracted/
Extract HTTP Traffic
python
#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import *
def extract_http(pcap_file):
"""Extract HTTP requests and responses"""
packets = rdpcap(pcap_file)
for pkt in packets:
if pkt.haslayer(TCP) and pkt.haslayer(Raw):
payload = pkt[Raw].load
# Check for HTTP
if payload.startswith(b'GET') or payload.startswith(b'POST'):
print("[HTTP Request]")
print(payload.decode('latin-1', errors='ignore'))
print("-" * 60)
elif payload.startswith(b'HTTP/'):
print("[HTTP Response]")
print(payload.decode('latin-1', errors='ignore')[:200])
print("-" * 60)
extract_http('capture.pcap')
Reconstruct Files from PCAP
bash
# NetworkMiner (Windows/Linux with Mono) mono NetworkMiner.exe --nogui -r capture.pcap -o output/ # tcpflow - Reconstruct TCP sessions tcpflow -r capture.pcap -o output/ # Wireshark export # File -> Export Objects -> HTTP/SMB/TFTP
Entropy Analysis
Detect Encrypted/Compressed Data
python
#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter
def calculate_entropy(data):
"""Calculate Shannon entropy"""
if not data:
return 0
entropy = 0
counter = Counter(data)
length = len(data)
for count in counter.values():
probability = count / length
entropy -= probability * math.log2(probability)
return entropy
def scan_entropy(filename, block_size=256):
"""Scan file for high-entropy blocks"""
with open(filename, 'rb') as f:
data = f.read()
print(f"Scanning {filename} for high-entropy regions...")
print(f"Block size: {block_size} bytes")
print("-" * 60)
for i in range(0, len(data), block_size):
block = data[i:i+block_size]
if len(block) < block_size // 2:
continue
entropy = calculate_entropy(block)
# High entropy (> 7.5) indicates encryption/compression
if entropy > 7.5:
print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")
# Usage
scan_entropy('suspicious.bin', block_size=512)
Memory Forensics
Volatility (if applicable in CTF)
bash
# Identify profile volatility -f memory.dmp imageinfo # List processes volatility -f memory.dmp --profile=Win7SP1x64 pslist # Dump process memory volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/ # Extract files volatility -f memory.dmp --profile=Win7SP1x64 filescan volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/
Quick Reference
| Task | Tool | Command |
|---|---|---|
| File carving | binwalk | binwalk -e file.bin |
| Strings | strings | strings -n 10 file.bin |
| Image LSB | zsteg | zsteg -a image.png |
| JPEG steg | steghide | steghide extract -sf image.jpg |
| Metadata | exiftool | exiftool image.jpg |
| PCAP HTTP | tshark | tshark -r file.pcap --export-objects http,out/ |
| TCP stream | tshark | tshark -r file.pcap -z follow,tcp,ascii,0 |
| Spectrogram | sox | sox audio.wav -n spectrogram -o spec.png |
| Entropy | custom | python3 helpers/entropy_scan.py file.bin |
Bundled Resources
File Analysis
- •
file_analysis/binwalk_extract.sh- Wrapper for binwalk extraction
Steganography
- •
steganography/steg_quickcheck.py- Automated steg detection- •LSB analysis
- •Metadata extraction
- •Entropy visualization
Network Forensics
- •
network_forensics/pcap_extract_http.py- Extract HTTP from PCAP - •
network_forensics/pcap_extract_files.py- Reconstruct files from PCAP
Helpers
- •
helpers/entropy_scan.py- Scan files for high-entropy regions - •
helpers/file_signature_check.py- Verify file signatures - •
helpers/strings_smart.py- Enhanced string extraction
External Tools
bash
# Install common forensics tools sudo apt install binwalk foremost steghide exiftool # Python tools pip install pillow numpy scapy # Specialized tools # - StegSolve: https://github.com/zardus/ctf-tools (Java-based) # - Audacity: https://www.audacityteam.org/ (audio analysis) # - Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)
Keywords
forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data