Digital Forensics Tools

When to Use

Load this skill when:

• Analyzing suspicious files or unknown file formats
• Extracting hidden data or carved files
• Detecting steganography in images/audio
• Analyzing network PCAP files
• Scanning for high-entropy (encrypted/compressed) data
• Working with file signatures and magic bytes

File Analysis and Carving

Binwalk - Extract Embedded Files

bash
1# Scan for embedded files
2binwalk suspicious.bin
3
4# Extract all found files
5binwalk -e suspicious.bin
6
7# Extract with signature scan
8binwalk --dd='.*' suspicious.bin
9
10# Scan for specific file types
11binwalk --signature image.png

Common File Signatures (Magic Bytes)

Manual File Carving with dd

bash
1# Extract bytes from offset to end
2dd if=input.bin of=output.bin skip=1024 bs=1
3
4# Extract specific byte range
5dd if=input.bin of=output.bin skip=1024 count=2048 bs=1
6
7# Find PNG signature and extract
8grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin

Strings Analysis

bash
1# Extract ASCII strings
2strings suspicious.bin
3
4# Extract with minimum length
5strings -n 10 suspicious.bin
6
7# Search for specific patterns
8strings suspicious.bin | grep -i "flag\|password\|key"
9
10# Unicode strings (16-bit little-endian)
11strings -el suspicious.bin
12
13# With file offsets
14strings -t x suspicious.bin

Steganography Detection

Image Steganography

python
1#!/usr/bin/env python3
2"""Quick steganography checks"""
3from PIL import Image
4import numpy as np
5
6def check_lsb(image_path):
7    """Check LSB (Least Significant Bit) steganography"""
8    img = Image.open(image_path)
9    pixels = np.array(img)
10    
11    # Extract LSBs
12    lsb = pixels & 1
13    
14    # Visualize LSBs (amplify for visibility)
15    lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
16    lsb_img.save('lsb_analysis.png')
17    print("[+] LSB analysis saved to lsb_analysis.png")
18
19def extract_lsb_data(image_path):
20    """Extract data from LSBs"""
21    img = Image.open(image_path)
22    pixels = np.array(img).flatten()
23    
24    # Extract LSBs as bits
25    bits = ''.join([str(p & 1) for p in pixels])
26    
27    # Convert to bytes
28    data = bytearray()
29    for i in range(0, len(bits), 8):
30        byte = bits[i:i+8]
31        if len(byte) == 8:
32            data.append(int(byte, 2))
33    
34    return bytes(data)
35
36# Usage
37check_lsb('suspicious.png')
38data = extract_lsb_data('suspicious.png')
39print(data[:100])  # First 100 bytes

Common Steganography Tools

bash
1# Steghide (JPEG, BMP, WAV, AU)
2steghide info suspicious.jpg
3steghide extract -sf suspicious.jpg
4
5# StegSolve (GUI tool for image analysis)
6java -jar stegsolve.jar
7
8# Zsteg (PNG, BMP)
9zsteg suspicious.png
10zsteg -a suspicious.png  # All checks
11
12# Exiftool (metadata analysis)
13exiftool suspicious.jpg
14exiftool -all suspicious.jpg
15
16# Foremost (file carving)
17foremost -i suspicious.bin -o output/

Audio Steganography

bash
1# Spectogram analysis with Sox
2sox audio.wav -n spectrogram -o spectro.png
3
4# Or with Python
5python3 helpers/spectrogram.py audio.wav
6
7# Audacity (GUI)
8# File -> Open -> Analyze -> Plot Spectrum

Network Forensics

PCAP Analysis with tshark

bash
1# Basic statistics
2tshark -r capture.pcap -q -z io,phs
3
4# Extract HTTP objects
5tshark -r capture.pcap --export-objects http,output/
6
7# Filter by protocol
8tshark -r capture.pcap -Y "http"
9tshark -r capture.pcap -Y "dns"
10tshark -r capture.pcap -Y "tcp.port == 80"
11
12# Extract HTTP requests
13tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri
14
15# Extract HTTP POST data
16tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
17
18# Follow TCP stream
19tshark -r capture.pcap -z follow,tcp,ascii,0
20
21# Extract files
22tshark -r capture.pcap --export-objects http,extracted/
23tshark -r capture.pcap --export-objects smb,extracted/

Extract HTTP Traffic

python
1#!/usr/bin/env python3
2"""Extract HTTP traffic from PCAP"""
3from scapy.all import *
4
5def extract_http(pcap_file):
6    """Extract HTTP requests and responses"""
7    packets = rdpcap(pcap_file)
8    
9    for pkt in packets:
10        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
11            payload = pkt[Raw].load
12            
13            # Check for HTTP
14            if payload.startswith(b'GET') or payload.startswith(b'POST'):
15                print("[HTTP Request]")
16                print(payload.decode('latin-1', errors='ignore'))
17                print("-" * 60)
18            
19            elif payload.startswith(b'HTTP/'):
20                print("[HTTP Response]")
21                print(payload.decode('latin-1', errors='ignore')[:200])
22                print("-" * 60)
23
24extract_http('capture.pcap')

Reconstruct Files from PCAP

bash
1# NetworkMiner (Windows/Linux with Mono)
2mono NetworkMiner.exe --nogui -r capture.pcap -o output/
3
4# tcpflow - Reconstruct TCP sessions
5tcpflow -r capture.pcap -o output/
6
7# Wireshark export
8# File -> Export Objects -> HTTP/SMB/TFTP

Entropy Analysis

Detect Encrypted/Compressed Data

python
1#!/usr/bin/env python3
2"""Scan file for high-entropy regions"""
3import math
4from collections import Counter
5
6def calculate_entropy(data):
7    """Calculate Shannon entropy"""
8    if not data:
9        return 0
10    
11    entropy = 0
12    counter = Counter(data)
13    length = len(data)
14    
15    for count in counter.values():
16        probability = count / length
17        entropy -= probability * math.log2(probability)
18    
19    return entropy
20
21def scan_entropy(filename, block_size=256):
22    """Scan file for high-entropy blocks"""
23    with open(filename, 'rb') as f:
24        data = f.read()
25    
26    print(f"Scanning {filename} for high-entropy regions...")
27    print(f"Block size: {block_size} bytes")
28    print("-" * 60)
29    
30    for i in range(0, len(data), block_size):
31        block = data[i:i+block_size]
32        if len(block) < block_size // 2:
33            continue
34        
35        entropy = calculate_entropy(block)
36        
37        # High entropy (> 7.5) indicates encryption/compression
38        if entropy > 7.5:
39            print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")
40
41# Usage
42scan_entropy('suspicious.bin', block_size=512)

Memory Forensics

Volatility (if applicable in CTF)

bash
1# Identify profile
2volatility -f memory.dmp imageinfo
3
4# List processes
5volatility -f memory.dmp --profile=Win7SP1x64 pslist
6
7# Dump process memory
8volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/
9
10# Extract files
11volatility -f memory.dmp --profile=Win7SP1x64 filescan
12volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/

Quick Reference

Bundled Resources

File Analysis

• file_analysis/binwalk_extract.sh - Wrapper for binwalk extraction

Steganography

• steganography/steg_quickcheck.py - Automated steg detection
  • LSB analysis
  • Metadata extraction
  • Entropy visualization

Network Forensics

• network_forensics/pcap_extract_http.py - Extract HTTP from PCAP
• network_forensics/pcap_extract_files.py - Reconstruct files from PCAP

Helpers

• helpers/entropy_scan.py - Scan files for high-entropy regions
• helpers/file_signature_check.py - Verify file signatures
• helpers/strings_smart.py - Enhanced string extraction

External Tools

bash
1# Install common forensics tools
2sudo apt install binwalk foremost steghide exiftool
3
4# Python tools
5pip install pillow numpy scapy
6
7# Specialized tools
8# - StegSolve: https://github.com/zardus/ctf-tools (Java-based)
9# - Audacity: https://www.audacityteam.org/ (audio analysis)
10# - Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)

Keywords

forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data