CTF Learning

Digital Forensics

Analysis of digital evidence and traces.

Essential Tools

Wireshark, Volatility, Autopsy, binwalk, exiftool, steghide, zsteg, foremost

File Analysis - First Steps

Easy

The first step in forensics: identify and analyze the file.

File Reconnaissance Workflow

```bash
# STEP 1: Identify file type (magic bytes)
file mystery_file
file -i mystery_file                 # MIME type
xxd mystery_file | head              # Manual magic byte check

# STEP 2: Search for readable strings
strings mystery_file
strings -n 8 mystery_file            # Min 8 chars
strings mystery_file | grep -i flag
strings mystery_file | grep -i ctf
strings mystery_file | grep -iE "(password|secret|key)"

# STEP 3: Search with pattern
grep -a "FLAG" mystery_file
grep -abo "CTF{" mystery_file        # With byte offset
grep -oP "CTF{[^}]+}" mystery_file   # Extract full flag

# STEP 4: Check for embedded files
binwalk mystery_file
binwalk -e mystery_file              # Extract embedded files
binwalk --dd='.*' mystery_file       # Extract everything

# STEP 5: Metadata analysis
exiftool mystery_file
exiftool -a -u -g1 mystery_file      # Verbose

# STEP 6: Hex analysis
xxd mystery_file | less
hexdump -C mystery_file | less
```
Common File Signatures (Magic Bytes)

```text
Image:
PNG:  89 50 4E 47 0D 0A 1A 0A  (.PNG....)
JPEG: FF D8 FF E0/E1           (ÿØÿà/á)
GIF:  47 49 46 38 37/39 61     (GIF87a/89a)
BMP:  42 4D                    (BM)

Archive:
ZIP:  50 4B 03 04              (PK..)   - also DOCX/XLSX/PPTX, JAR, APK
RAR:  52 61 72 21 1A 07        (Rar!..)
7z:   37 7A BC AF 27 1C
GZIP: 1F 8B 08
TAR:  75 73 74 61 72           (ustar)  - at offset 257, not at the start of the file

Document:
PDF:  25 50 44 46              (%PDF)
DOC:  D0 CF 11 E0              (legacy OLE2 Office; DOCX is a ZIP, see above)

Executable:
ELF:  7F 45 4C 46              (.ELF)
EXE:  4D 5A                    (MZ)
Java class: CA FE BA BE

Other:
SQLite: 53 51 4C 69 74 65      (SQLite format)
XML:    3C 3F 78 6D 6C         (<?xml)
```
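The table above as a small identifier in Python, added here as an example (it is not part of the original notes). It checks each signature at the offset where it belongs, which matters for TAR, and also scans a blob for signatures that appear later in the file, which is the idea behind the binwalk step. The sample byte strings are constructed, not taken from real files.

```python
from typing import Optional

# (signature bytes, offset where it must appear, label) - mirrors the table above
SIGNATURES = [
    (bytes.fromhex("89504E470D0A1A0A"), 0, "PNG"),
    (bytes.fromhex("FFD8FF"), 0, "JPEG"),           # FF D8 FF E0 / E1 / ...
    (b"GIF87a", 0, "GIF"),
    (b"GIF89a", 0, "GIF"),
    (b"BM", 0, "BMP"),
    (bytes.fromhex("504B0304"), 0, "ZIP"),          # also DOCX/XLSX/PPTX, JAR, APK
    (bytes.fromhex("526172211A07"), 0, "RAR"),
    (bytes.fromhex("377ABCAF271C"), 0, "7z"),
    (bytes.fromhex("1F8B08"), 0, "GZIP"),
    (b"ustar", 257, "TAR"),                          # TAR magic is NOT at offset 0
    (b"%PDF", 0, "PDF"),
    (bytes.fromhex("D0CF11E0"), 0, "DOC (OLE2)"),
    (bytes.fromhex("7F454C46"), 0, "ELF"),
    (b"MZ", 0, "EXE"),
    (bytes.fromhex("CAFEBABE"), 0, "Java class"),
    (b"SQLite format", 0, "SQLite"),
    (b"<?xml", 0, "XML"),
]


def identify(data: bytes) -> Optional[str]:
    """Return the first signature that matches at its expected offset, else None."""
    for sig, offset, label in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    return None


def find_embedded(data: bytes):
    """List (byte_offset, label) for every offset-0 signature found anywhere in
    the blob: a crude version of what binwalk does when it reports embedded files."""
    hits = []
    for sig, offset, label in SIGNATURES:
        if offset != 0:
            continue  # positional signatures (TAR) are meaningless mid-file
        start = data.find(sig)
        while start != -1:
            hits.append((start, label))
            start = data.find(sig, start + 1)
    return sorted(hits)


# Constructed sample inputs (not real files)
PNG_HEAD = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 8
TAR_HEAD = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 10
PNG_WITH_ZIP = PNG_HEAD + b"A" * 20 + bytes.fromhex("504B0304") + b"B" * 4

if __name__ == "__main__":
    print(identify(PNG_HEAD), identify(TAR_HEAD), find_embedded(PNG_WITH_ZIP))
```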

Network Traffic Analysis (PCAP)

Medium

Packet analysis using Wireshark or tshark.

Wireshark Mastery

Essential Wireshark Filters

```text
# Protocol filters
http
tcp
udp
dns
ftp
ftp-data
smtp
telnet
ssh

# IP filtering
ip.addr == 192.168.1.1
ip.src == 10.0.0.1
ip.dst == 10.0.0.2
!(ip.addr == 192.168.1.1)

# Port filtering
tcp.port == 80
tcp.port == 443
tcp.dstport == 22
udp.port == 53

# HTTP specific
http.request
http.response
http.request.method == "POST"
http.request.method == "GET"
http.request.uri contains "flag"
http.request.uri contains "admin"
http.host contains "target.com"
http.response.code == 200
http.content_type contains "image"

# Content search
frame contains "password"
frame contains "FLAG"
tcp contains "secret"
http contains "flag"

# Follow stream shortcut
Right-click packet → Follow → TCP/UDP/HTTP Stream
```
tshark CLI (Faster for Large Files)

```bash
# Basic read
tshark -r capture.pcap

# Apply filter
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "http.request.method==POST"

# Extract specific fields
tshark -r capture.pcap -Y "http" -T fields -e http.request.uri -e http.host
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri

# Extract ALL HTTP objects (files)
tshark -r capture.pcap --export-objects "http,./extracted_files"

# Extract FTP data
tshark -r capture.pcap -Y "ftp-data" -T fields -e ftp-data.command

# DNS queries
tshark -r capture.pcap -Y "dns.qry.name" -T fields -e dns.qry.name

# Credentials search
tshark -r capture.pcap -Y "http.request.method==POST" -T fields -e http.file_data
tshark -r capture.pcap -Y "ftp.request.command==PASS" -T fields -e ftp.request.arg

# Statistics (-q suppresses the per-packet output so only the table is printed)
tshark -r capture.pcap -q -z conv,tcp
tshark -r capture.pcap -q -z endpoints,ip
tshark -r capture.pcap -q -z http,tree
```
Common PCAP Analysis Tasks

```bash
# Extract files from HTTP traffic
# 1. Wireshark: File → Export Objects → HTTP
# 2. NetworkMiner (GUI tool)
# 3. foremost/binwalk on the pcap

# Reconstruct TCP streams
tcpflow -r capture.pcap

# Find credentials
# Look for: POST requests, FTP PASS, Telnet, Basic Auth
# Base64 in Authorization header: Basic dXNlcjpwYXNz

# DNS exfiltration check
# Unusually long subdomain queries might contain data
# Example: ZmxhZ3t0aGlzaXNzZWNyZXR9.evil.com (base64 encoded)

# Covert channels
# Check ICMP data section (ping exfil)
# Check DNS TXT records
```
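The DNS exfiltration check above, turned into a small detector as an added example (not part of the original notes): it takes query names as tshark's `-e dns.qry.name` would print them, flags leftmost labels that are long, base64-alphabet-only and high-entropy, and tries to decode them. The query list is constructed; the first entry is the example from the notes.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample query names (not a real capture)
QUERIES = [
    "ZmxhZ3t0aGlzaXNzZWNyZXR9.evil.com",
    "www.google.com",
    "mail.example.org",
    "ZmxhZ3t0aGlzaXNzZWNyZXR9.evil.com",
    "cdn.static.example.net",
]

# Standard and URL-safe base64 alphabet, padding included
B64_LABEL = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; encoded data scores high."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def try_base64(label: str):
    """Decode a label as base64 (URL-safe tolerated); None if it is not valid."""
    fixed = label.replace("-", "+").replace("_", "/")
    fixed += "=" * (-len(fixed) % 4)  # restore padding stripped for DNS
    try:
        raw = base64.b64decode(fixed, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    return raw.decode("utf-8", errors="replace")


def suspicious_queries(names, min_len=16, min_entropy=3.5):
    """Return (name, label, decoded) for queries whose leftmost label looks
    like encoded data. Thresholds are heuristics; tune them on real traffic."""
    findings = []
    for name in names:
        label = name.split(".")[0]
        if len(label) >= min_len and B64_LABEL.match(label) and entropy(label) >= min_entropy:
            findings.append((name, label, try_base64(label)))
    return findings


if __name__ == "__main__":
    for name, label, decoded in suspicious_queries(QUERIES):
        print(f"{name}: {decoded!r}")
```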

Steganography - Complete Guide

Medium

Techniques for hiding messages in media (images, audio, video).

Systematic Stego Approach

Stego Analysis Checklist
  1. Strings and metadata (exiftool)
  2. File signature check (file, xxd)
  3. Binwalk for embedded files
  4. Steghide extract (JPEG)
  5. zsteg comprehensive scan (PNG)
  6. Stegsolve bit planes (PNG, BMP)
  7. Check image dimensions vs file size
Image Steganography Tools

```bash
# ===== Basic Checks =====
file image.png
strings image.png | grep -i flag
exiftool image.png
xxd image.png | head -50

# ===== Steghide (JPEG, BMP, WAV, AU) =====
steghide info image.jpg
steghide extract -sf image.jpg               # Try blank password
steghide extract -sf image.jpg -p password   # With password
# Bruteforce: stegcracker image.jpg wordlist.txt

# ===== zsteg (PNG, BMP) - VERY POWERFUL =====
zsteg image.png                      # Quick scan
zsteg -a image.png                   # All methods (comprehensive)
zsteg -E "b1,rgb,lsb" image.png      # Extract a specific channel/bit combination

# ===== Binwalk =====
binwalk image.png
binwalk -e image.png                 # Auto extract
binwalk --dd='.*' image.png

# ===== Stegsolve (GUI - Bit planes) =====
java -jar stegsolve.jar
# Try: Analyse → Data Extract
# Check each color channel's bit planes

# ===== Other tools =====
foremost image.png                   # Carve embedded files
pngcheck image.png                   # PNG integrity
identify -verbose image.png          # ImageMagick info
openstego extract -sf image.png      # OpenStego format
```

Python LSB extraction (manual version of what zsteg does for one channel):

```python
from PIL import Image

# convert('RGB') so palette/grayscale PNGs also yield (r, g, b) tuples
img = Image.open('image.png').convert('RGB')
px = img.load()
bits = ''
for y in range(img.height):
    for x in range(img.width):
        r, g, b = px[x, y]
        bits += str(r & 1)  # LSB of the red channel (repeat for g and b)

# Convert the bit string to text, 8 bits per character
text = ''.join(chr(int(bits[i:i + 8], 2)) for i in range(0, len(bits) - 7, 8))
print(text[:200])  # hidden data usually sits at the start of the stream
```
Audio Steganography

```bash
# ===== Spectrogram Analysis =====
# Sonic Visualiser (best tool):
# Layer → Add Spectrogram
# Look for visual messages

# Audacity:
# View → Switch to Spectrogram
# Or: Effect → Amplify (for hidden audio)

# sox
sox audio.wav -n spectrogram -o spec.png

# ===== Tool-based stego =====
# DeepSound (Windows, GUI)
# AudioStego

# ===== Check metadata =====
exiftool audio.wav
mediainfo audio.mp3
ffprobe audio.wav

# ===== Strings in audio =====
strings audio.wav | grep -i flag
```
Image Manipulation Detection

```bash
# Differences between two images
compare image1.png image2.png diff.png
convert image1.png image2.png -compose difference -composite diff.png

# Extract specific color channel
convert image.png -channel R -separate red.png
convert image.png -channel G -separate green.png
convert image.png -channel B -separate blue.png

# Invert colors (reveal hidden content)
convert image.png -negate inverted.png

# Adjust brightness/contrast
convert image.png -brightness-contrast 50x50 adjusted.png

# Check EXIF GPS coordinates for flag location
exiftool -GPSLatitude -GPSLongitude image.jpg
# Convert to decimal and check on maps
```

Memory Forensics - Volatility

Hard

Analysis of memory dumps to find artifacts and sensitive data.

Volatility Framework

Volatility 2 Commands

```bash
# Step 1: Identify profile
volatility -f memory.dmp imageinfo
# Look for "Suggested Profile(s)"

# Step 2: Set profile and analyze
PROFILE="Win7SP1x64"

# Process listing
volatility -f memory.dmp --profile=$PROFILE pslist
volatility -f memory.dmp --profile=$PROFILE pstree
volatility -f memory.dmp --profile=$PROFILE psscan    # Incl. hidden/terminated

# Command line arguments
volatility -f memory.dmp --profile=$PROFILE cmdline
volatility -f memory.dmp --profile=$PROFILE consoles

# Network connections
volatility -f memory.dmp --profile=$PROFILE netscan
volatility -f memory.dmp --profile=$PROFILE connscan

# File handles (grep -E is needed for the | alternation)
volatility -f memory.dmp --profile=$PROFILE filescan
volatility -f memory.dmp --profile=$PROFILE filescan | grep -iE "flag|secret"

# Dump specific file (physical offset from the filescan output)
volatility -f memory.dmp --profile=$PROFILE dumpfiles -Q 0xaddress -D ./output/

# Registry
volatility -f memory.dmp --profile=$PROFILE hivelist
volatility -f memory.dmp --profile=$PROFILE printkey -K "SAM\Domains\Account\Users"

# Credentials
volatility -f memory.dmp --profile=$PROFILE hashdump
volatility -f memory.dmp --profile=$PROFILE lsadump

# Clipboard
volatility -f memory.dmp --profile=$PROFILE clipboard

# Screenshots
volatility -f memory.dmp --profile=$PROFILE screenshot -D ./screenshots/
```
Volatility 3 Commands (Simpler)

```bash
# Vol3 auto-detects the profile (symbol tables)

# Process
vol3 -f memory.dmp windows.pslist
vol3 -f memory.dmp windows.pstree
vol3 -f memory.dmp windows.cmdline

# Files
vol3 -f memory.dmp windows.filescan
vol3 -f memory.dmp windows.dumpfiles --physaddr 0xADDRESS

# Network
vol3 -f memory.dmp windows.netscan

# Registry
vol3 -f memory.dmp windows.registry.printkey
vol3 -f memory.dmp windows.hashdump

# Malware detection
vol3 -f memory.dmp windows.malfind

# Strings in memory (-el = UTF-16LE, what most Windows strings are stored as;
# run plain strings as well for ASCII; grep -E is needed for the | alternation)
strings -el memory.dmp | grep -iE "flag|password|secret"
strings memory.dmp | grep -iE "flag|password|secret"
```

Disk Forensics

Medium

Analysis of disk images and file systems.

Disk Image Analysis

Disk Analysis Commands

```bash
# ===== Mount disk image =====
# Linux (read-only so the evidence is not modified)
sudo mount -o loop,ro disk.img /mnt/evidence

# With offset (if multiple partitions)
fdisk -l disk.img                    # Find the start sector, multiply by sector size
sudo mount -o loop,ro,offset=1048576 disk.img /mnt/evidence   # sector 2048 * 512

# ===== File system info (Sleuth Kit) =====
fsstat disk.img
fls disk.img                         # List files
fls -o 2048 disk.img                 # Same, for a partition starting at sector 2048
icat disk.img <inode>                # Extract file by inode

# ===== Deleted files recovery =====
# List deleted files (recursive)
fls -rd disk.img

# PhotoRec (file recovery)
photorec disk.img

# Foremost (file carving)
foremost -i disk.img -o recovered/

# ===== Autopsy (GUI) =====
# Great for comprehensive disk analysis
# Timeline, deleted files, artifacts

# ===== Search in disk =====
strings disk.img | grep -i "flag"
grep -abo "FLAG{" disk.img
```

Log Analysis

Easy

Analyzing log files to find traces of activity.

Log Analysis Commands

```bash
# ===== Common Log Locations =====
# Linux
/var/log/auth.log        # Authentication
/var/log/syslog          # System events
/var/log/apache2/        # Apache
/var/log/nginx/          # Nginx
~/.bash_history          # User commands

# Windows
C:\Windows\System32\winevt\Logs\
# Security.evtx, System.evtx, Application.evtx

# ===== Basic Analysis =====
# Search for patterns
grep -i "flag" access.log
grep -i "password" auth.log
grep "POST" access.log

# Filter by IP
grep "192.168.1.100" access.log

# Count by IP (find attackers)
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head

# Timeline analysis
grep "2024-01-01" syslog

# ===== Apache/Nginx Log Format =====
# IP - - [Date] "METHOD /path HTTP/1.1" status size "referer" "user-agent"
#
# Useful awk fields:
# $1 = IP
# $4 = Date/Time
# $6 = Method
# $7 = Path
# $9 = Status code

# Find all URLs accessed
awk '{print $7}' access.log | sort | uniq -c | sort -rn

# Find 404 errors (directory enumeration)
grep '" 404 ' access.log

# ===== URL/Base64 Decode =====
python3 -c "import urllib.parse; print(urllib.parse.unquote('encoded%20string'))"
echo "base64string" | base64 -d
```
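The awk one-liners above break on paths or user agents that contain spaces; this added example (not from the original notes) parses the combined log format described above with a regex instead, skips malformed lines, and reports hits per IP, clients with a burst of 404s (the directory-enumeration footprint) and POST requests. The log lines are constructed.

```python
import re
from collections import Counter

# Apache/Nginx combined format: IP - - [Date] "METHOD /path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from a real server)
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /backup HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "-" "gobuster/3.1"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /flag.txt HTTP/1.1" 200 42 "-" "curl/8.0"
this line is garbage and must not crash the parser
"""


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.groupdict()


def summarize(text, enum_threshold=3):
    entries = list(parse(text.splitlines()))
    hits_per_ip = Counter(e["ip"] for e in entries)
    # many 404s from one client is the usual footprint of directory enumeration
    not_found_per_ip = Counter(e["ip"] for e in entries if e["status"] == "404")
    return {
        "parsed": len(entries),
        "top_ips": hits_per_ip.most_common(),
        "enumerators": [ip for ip, n in not_found_per_ip.items() if n >= enum_threshold],
        "posts": [(e["ip"], e["path"]) for e in entries if e["method"] == "POST"],
        "paths": sorted({e["path"] for e in entries}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```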
Windows Event Log Analysis

```bash
# Tools for EVTX
evtx_dump Security.evtx | grep -i "flag"
# python-evtx (pip install python-evtx) ships evtx_dump.py for the same job

# Chainsaw (fast triage with Sigma rules)
chainsaw hunt evtx_logs/ -s sigma/ --mapping mappings/

# Important Event IDs:
# 4624 - Successful logon
# 4625 - Failed logon
# 4648 - Logon with explicit credentials
# 4720 - User account created
# 4732 - User added to a local group
# 7045 - Service installed
```

File Carving & Recovery

Medium

Extracting files from raw data or a disk without a file system.

File Carving Tools

```bash
# Foremost - signature-based carving
foremost -i disk.img -o output/
foremost -t jpg,png,pdf -i disk.img -o output/

# Scalpel - configurable carving
scalpel disk.img -o output/

# PhotoRec - interactive recovery
photorec disk.img

# Bulk Extractor - extract emails, URLs, etc.
bulk_extractor -o output/ disk.img

# Binwalk - embedded files
binwalk -e mysterious_file

# dd - manual extraction
# If you know the byte offset and size (bs=1 so skip/count are in bytes):
dd if=disk.img of=extracted.jpg bs=1 skip=1024 count=50000
```