Digital Forensics Tools
When to Use
Load this skill when:
-
Analyzing suspicious files or unknown file formats
-
Extracting hidden data or carved files
-
Detecting steganography in images/audio
-
Analyzing network PCAP files
-
Scanning for high-entropy (encrypted/compressed) data
-
Working with file signatures and magic bytes
File Analysis and Carving
Binwalk - Extract Embedded Files
Scan for embedded files
binwalk suspicious.bin
Extract all found files
binwalk -e suspicious.bin
Extract with signature scan
binwalk --dd='.*' suspicious.bin
Scan for specific file types
binwalk --signature image.png
Common File Signatures (Magic Bytes)
File Type Signature (Hex) Signature (ASCII)
PNG 89 50 4E 47 0D 0A 1A 0A
.PNG....
JPEG FF D8 FF E0/E1
ÿØÿà
GIF 47 49 46 38 37/39 61
GIF87a/GIF89a
ZIP 50 4B 03 04
PK..
PDF 25 50 44 46
ELF 7F 45 4C 46
.ELF
RAR 52 61 72 21 1A 07
Rar!..
Manual File Carving with dd
Extract bytes from offset to end
dd if=input.bin of=output.bin skip=1024 bs=1
Extract specific byte range
dd if=input.bin of=output.bin skip=1024 count=2048 bs=1
Find PNG signature and extract
grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin
Strings Analysis
Extract ASCII strings
strings suspicious.bin
Extract with minimum length
strings -n 10 suspicious.bin
Search for specific patterns
strings suspicious.bin | grep -i "flag|password|key"
Unicode strings (16-bit little-endian)
strings -el suspicious.bin
With file offsets
strings -t x suspicious.bin
Steganography Detection
Image Steganography
#!/usr/bin/env python3 """Quick steganography checks""" from PIL import Image import numpy as np
def check_lsb(image_path): """Check LSB (Least Significant Bit) steganography""" img = Image.open(image_path) pixels = np.array(img)
# Extract LSBs
lsb = pixels & 1
# Visualize LSBs (amplify for visibility)
lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
lsb_img.save('lsb_analysis.png')
print("[+] LSB analysis saved to lsb_analysis.png")
def extract_lsb_data(image_path): """Extract data from LSBs""" img = Image.open(image_path) pixels = np.array(img).flatten()
# Extract LSBs as bits
bits = ''.join([str(p & 1) for p in pixels])
# Convert to bytes
data = bytearray()
for i in range(0, len(bits), 8):
byte = bits[i:i+8]
if len(byte) == 8:
data.append(int(byte, 2))
return bytes(data)
Usage
check_lsb('suspicious.png') data = extract_lsb_data('suspicious.png') print(data[:100]) # First 100 bytes
Common Steganography Tools
Steghide (JPEG, BMP, WAV, AU)
steghide info suspicious.jpg steghide extract -sf suspicious.jpg
StegSolve (GUI tool for image analysis)
java -jar stegsolve.jar
Zsteg (PNG, BMP)
zsteg suspicious.png zsteg -a suspicious.png # All checks
Exiftool (metadata analysis)
exiftool suspicious.jpg exiftool -all suspicious.jpg
Foremost (file carving)
foremost -i suspicious.bin -o output/
Audio Steganography
Spectogram analysis with Sox
sox audio.wav -n spectrogram -o spectro.png
Or with Python
python3 helpers/spectrogram.py audio.wav
Audacity (GUI)
File -> Open -> Analyze -> Plot Spectrum
Network Forensics
PCAP Analysis with tshark
Basic statistics
tshark -r capture.pcap -q -z io,phs
Extract HTTP objects
tshark -r capture.pcap --export-objects http,output/
Filter by protocol
tshark -r capture.pcap -Y "http" tshark -r capture.pcap -Y "dns" tshark -r capture.pcap -Y "tcp.port == 80"
Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri
Extract HTTP POST data
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0
Extract files
tshark -r capture.pcap --export-objects http,extracted/ tshark -r capture.pcap --export-objects smb,extracted/
Extract HTTP Traffic
#!/usr/bin/env python3 """Extract HTTP traffic from PCAP""" from scapy.all import *
def extract_http(pcap_file): """Extract HTTP requests and responses""" packets = rdpcap(pcap_file)
for pkt in packets:
if pkt.haslayer(TCP) and pkt.haslayer(Raw):
payload = pkt[Raw].load
# Check for HTTP
if payload.startswith(b'GET') or payload.startswith(b'POST'):
print("[HTTP Request]")
print(payload.decode('latin-1', errors='ignore'))
print("-" * 60)
elif payload.startswith(b'HTTP/'):
print("[HTTP Response]")
print(payload.decode('latin-1', errors='ignore')[:200])
print("-" * 60)
extract_http('capture.pcap')
Reconstruct Files from PCAP
NetworkMiner (Windows/Linux with Mono)
mono NetworkMiner.exe --nogui -r capture.pcap -o output/
tcpflow - Reconstruct TCP sessions
tcpflow -r capture.pcap -o output/
Wireshark export
File -> Export Objects -> HTTP/SMB/TFTP
Entropy Analysis
Detect Encrypted/Compressed Data
#!/usr/bin/env python3 """Scan file for high-entropy regions""" import math from collections import Counter
def calculate_entropy(data): """Calculate Shannon entropy""" if not data: return 0
entropy = 0
counter = Counter(data)
length = len(data)
for count in counter.values():
probability = count / length
entropy -= probability * math.log2(probability)
return entropy
def scan_entropy(filename, block_size=256): """Scan file for high-entropy blocks""" with open(filename, 'rb') as f: data = f.read()
print(f"Scanning {filename} for high-entropy regions...")
print(f"Block size: {block_size} bytes")
print("-" * 60)
for i in range(0, len(data), block_size):
block = data[i:i+block_size]
if len(block) < block_size // 2:
continue
entropy = calculate_entropy(block)
# High entropy (> 7.5) indicates encryption/compression
if entropy > 7.5:
print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")
Usage
scan_entropy('suspicious.bin', block_size=512)
Memory Forensics
Volatility (if applicable in CTF)
Identify profile
volatility -f memory.dmp imageinfo
List processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
Dump process memory
volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/
Extract files
volatility -f memory.dmp --profile=Win7SP1x64 filescan volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/
Quick Reference
Task Tool Command
File carving binwalk binwalk -e file.bin
Strings strings strings -n 10 file.bin
Image LSB zsteg zsteg -a image.png
JPEG steg steghide steghide extract -sf image.jpg
Metadata exiftool exiftool image.jpg
PCAP HTTP tshark tshark -r file.pcap --export-objects http,out/
TCP stream tshark tshark -r file.pcap -z follow,tcp,ascii,0
Spectrogram sox sox audio.wav -n spectrogram -o spec.png
Entropy custom python3 helpers/entropy_scan.py file.bin
Bundled Resources
File Analysis
- file_analysis/binwalk_extract.sh
- Wrapper for binwalk extraction
Steganography
-
steganography/steg_quickcheck.py
-
Automated steg detection
-
LSB analysis
-
Metadata extraction
-
Entropy visualization
Network Forensics
-
network_forensics/pcap_extract_http.py
-
Extract HTTP from PCAP
-
network_forensics/pcap_extract_files.py
-
Reconstruct files from PCAP
Helpers
-
helpers/entropy_scan.py
-
Scan files for high-entropy regions
-
helpers/file_signature_check.py
-
Verify file signatures
-
helpers/strings_smart.py
-
Enhanced string extraction
External Tools
Install common forensics tools
sudo apt install binwalk foremost steghide exiftool
Python tools
pip install pillow numpy scapy
Specialized tools
- StegSolve: https://github.com/zardus/ctf-tools (Java-based)
- Audacity: https://www.audacityteam.org/ (audio analysis)
- Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)
Keywords
forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data