Forensics (and Steganography)

Methodology
- Read the description and hints; try to determine the topic
  - `file`
  - `exiftool` (metadata)
  - `strings -t x -w`
- Carving
- Scripts

Tools
- SANS SIFT Workstation
- TSK (The Sleuth Kit)
- Volatility 2/3
- Autopsy
- FTK Imager
- HxD / Okteta (hex editors)
- `| base64 -D` (macOS; GNU coreutils uses `-d`)
- `| md5sum`

Practice

Links

Topics

TSK

Volatility
- Rekall
- Redline

FS
- DiskEditor
- Testdisk
- `e2fsck`, `mke2fs`, `debugfs`

Mounting
- `mount [file] -t [type] -o loop,ro,noexec /mnt/[name]` (read-only loop mount, so the image is not altered and nothing on it can execute)

NTFS

Windows
- Eric Zimmerman's Tools
- RegRipper

Linux Logs
- `aureport` / `ausearch`

Carving
- `binwalk`
- Update the configuration files of scalpel and foremost for tailored results
- `scalpel`, `foremost`
- PhotoRec

PCAPs
- Wireshark
- CapLoader
- NetworkMiner
- USB HID keyboard scan codes

General Steg
- Online 1
- Online 2
- Online 3
- Online 2 (old)
- DIIT (old)
- Stego Toolkit
- Stegsolve and Steganabara
- StegoVeritas
- ZSteg
- BitCrypt
- Steghide
- `stegdetect` / `stegbreak`
- `xortool`

Steg methods to check
- LSB/MSB/other bit-hiding techniques
- Morse code
- Phone keypad tones

Images
- ImageMagick
- GIMP
- PIL
- LSBSteg
- QuickStego
- For data hidden in pixels, check both row-major and column-major orders
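An added example of the row-major versus column-major point (my code, not from the page or any tool listed above): the same LSB bits read in the wrong traversal order come out as garbage, so an extractor should try both. The 4x4 image and the payload are constructed inline; no image library is needed because pixels are plain `(r, g, b)` tuples.

```python
def coords(width, height, order):
    """Yield (y, x, channel) triples in the requested traversal order."""
    if order == "row":        # left to right, then the next row
        for y in range(height):
            for x in range(width):
                for c in range(3):
                    yield y, x, c
    elif order == "column":   # top to bottom, then the next column
        for x in range(width):
            for y in range(height):
                for c in range(3):
                    yield y, x, c
    else:
        raise ValueError("order must be 'row' or 'column'")


def embed_lsb(pixels, payload: bytes, order: str):
    """Copy of pixels (list of rows of (r, g, b)) with payload bits in the LSBs, MSB first."""
    height, width = len(pixels), len(pixels[0])
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    if len(bits) > width * height * 3:
        raise ValueError("payload does not fit in the image")
    out = [[list(p) for p in row] for row in pixels]
    for (y, x, c), bit in zip(coords(width, height, order), bits):
        out[y][x][c] = (out[y][x][c] & ~1) | bit
    return [[tuple(p) for p in row] for row in out]


def extract_lsb(pixels, order: str, nbytes: int) -> bytes:
    """Read the LSB of every channel in the given order and pack them into bytes."""
    height, width = len(pixels), len(pixels[0])
    bits = [pixels[y][x][c] & 1 for y, x, c in coords(width, height, order)]
    bits = bits[:nbytes * 8]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(map(str, bits[i:i + 8])), 2))
    return bytes(out)


def try_both_orders(pixels, nbytes: int) -> dict:
    """What a CTF extractor should do: return both candidate readings."""
    return {order: extract_lsb(pixels, order, nbytes) for order in ("row", "column")}


def sample_image(width=4, height=4):
    """Constructed 4x4 RGB image with even channel values, so every LSB starts at 0."""
    return [[(20 * y + 2 * x, 100 + 2 * x, 200 - 2 * y) for x in range(width)]
            for y in range(height)]


if __name__ == "__main__":
    stego = embed_lsb(sample_image(), b"hi", "column")
    for order, data in try_both_orders(stego, 2).items():
        print(f"{order:>6}-major: {data!r}")
```

Running it shows `column-major: b'hi'` while the row-major reading gives unrelated bytes; the same applies in reverse when the hider used row-major order.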
PNG
- Extract chunks
- `pngcheck` / `pnginfo`
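An added example of chunk extraction (my code, not part of the page and not `pngcheck` itself): a small PNG walker in Python that lists every chunk with its offset, verifies each CRC, decodes IHDR and reports any bytes appended after IEND, which is a common place for a hidden payload. The 1x1 sample image and the trailing payload are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, 4-byte type, body, CRC32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(trailing: bytes = b"", text: bytes = b"Comment\x00constructed sample") -> bytes:
    """Constructed 1x1 RGB PNG (not a real capture) with a tEXt chunk and
    optional bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8 bits/sample, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte 0 + one red pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", text)
            + make_chunk(b"IDAT", idat)
            + make_chunk(b"IEND", b"")
            + trailing)


def parse_png(data: bytes):
    """Walk the chunk list and return (chunks, trailing).

    chunks: list of dicts with type, offset, length, crc_ok (IHDR also gets
    width/height/bit_depth/color_type/interlace); trailing: bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad 8-byte signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 12 <= len(data):                 # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body = data[body_start:body_start + length]
        crc_field = data[body_start + length:body_start + length + 4]
        if len(body) != length or len(crc_field) != 4:
            chunks.append({"type": ctype.decode("latin-1"), "offset": pos,
                           "length": length, "crc_ok": False, "truncated": True})
            return chunks, b""
        stored = struct.unpack(">I", crc_field)[0]
        info = {"type": ctype.decode("latin-1"), "offset": pos, "length": length,
                "crc_ok": (zlib.crc32(ctype + body) & 0xFFFFFFFF) == stored,
                "truncated": False}
        if ctype == b"IHDR" and length == 13:
            w, h, depth, color, _, _, interlace = struct.unpack(">IIBBBBB", body)
            info.update(width=w, height=h, bit_depth=depth, color_type=color, interlace=interlace)
        chunks.append(info)
        pos = body_start + length + 4
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


if __name__ == "__main__":
    png = build_sample_png(trailing=b"FLAG{constructed}")
    chunks, trailing = parse_png(png)
    for c in chunks:
        print(f"{c['offset']:6d}  {c['type']}  len={c['length']}  crc_ok={c['crc_ok']}")
    if trailing:
        print(f"{len(trailing)} byte(s) after IEND: {trailing[:32]!r}")
```

A bad CRC on a chunk is worth a closer look: either the file was hand-edited (a changed IHDR height to hide rows is a classic) or the chunk body was swapped without recomputing the checksum.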
JPG

BMP

GIF

Video
- Example
- opencv-python
- Data can be hidden in frames, streams, etc.

Audio
- AudioStego
- DeepSound

WAV
- Audacity
  - Spectrogram view: dropdown to the left of the "Audio" track label
  - That's exactly what spyware would say (jk)
- Sonic Visualiser
- WavSteg
- Check the number of audio channels to see whether data is hidden in one channel or spread across several
- Python `wave` library
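An added example for the channel check using the standard `wave` module (my code, not from the page or any listed tool): it reads the header, splits the interleaved 16-bit PCM frames into one sample list per channel, and reads the LSBs of each channel so a "silent" channel that still carries bits stands out. The stereo file is constructed in memory, with a message placed in the right channel's LSBs, so nothing is read from disk.

```python
import io
import struct
import wave


def build_stereo_wav(message: bytes, nframes: int = 64, framerate: int = 8000) -> bytes:
    """Constructed 16-bit stereo WAV (sample data, not a capture): left carries an
    audible sawtooth with even sample values, right is silent apart from message bits
    in its sample LSBs, most significant bit first."""
    left = [500 * ((i % 16) - 8) for i in range(nframes)]
    right = [0] * nframes
    bits = [(b >> (7 - k)) & 1 for b in message for k in range(8)]
    if len(bits) > nframes:
        raise ValueError("message does not fit in one channel")
    for i, bit in enumerate(bits):
        right[i] = (right[i] & ~1) | bit
    frames = b"".join(struct.pack("<hh", l, r) for l, r in zip(left, right))
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(2)
        w.setsampwidth(2)
        w.setframerate(framerate)
        w.writeframes(frames)
    return buf.getvalue()


def wav_info(data: bytes) -> dict:
    """Header facts to check first: channel count, sample width, rate, frame count."""
    with wave.open(io.BytesIO(data), "rb") as w:
        return {"channels": w.getnchannels(), "sample_width": w.getsampwidth(),
                "framerate": w.getframerate(), "nframes": w.getnframes()}


def split_channels(data: bytes):
    """De-interleave the PCM frames into one list of ints per channel (16-bit only here)."""
    with wave.open(io.BytesIO(data), "rb") as w:
        nch, width, n = w.getnchannels(), w.getsampwidth(), w.getnframes()
        raw = w.readframes(n)
    if width != 2:
        raise ValueError("this example handles 16-bit PCM only")
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    return [list(samples[c::nch]) for c in range(nch)]


def lsb_bytes(samples, nbytes: int) -> bytes:
    """Pack the LSB of the first nbytes*8 samples into bytes."""
    bits = [s & 1 for s in samples[:nbytes * 8]]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))


def lsb_fraction(samples) -> float:
    """Fraction of samples with the LSB set; a nominally silent channel should give 0."""
    return sum(s & 1 for s in samples) / len(samples)


if __name__ == "__main__":
    wav = build_stereo_wav(b"flag")
    print(wav_info(wav))
    for idx, ch in enumerate(split_channels(wav)):
        print(f"channel {idx}: lsb fraction={lsb_fraction(ch):.2f} first bytes={lsb_bytes(ch, 4)!r}")
```

The per-channel split is the point: a tool that mixes down to mono before analysis would average the carrier and the silent channel together and the LSB pattern would vanish.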
MP3
- Stream-oriented MP3 frame decoder
- MP3Stego

PDF
- PDFMiner
- pdf-parser.py
- pdftotext

ZIP
- `zip -F [zipfile] --out output.zip` (fix zipfile); `zip -FF` (really fix)
- `zipdetails` / `zipinfo`
- Password cracking (links 1, 2, 3, 4)

    run\zip2john.exe [zipfilename] > hash
    run\john.exe --pot=pot --wordlist=[dictionary] hash
    // password in pot
    unzip -P [password] [zipfilename]

Microsoft Office

Password Cracking
- `john` / `hashcat`
- John rules
- rockyou

HAR
- browser files
- Google Tool

This post is licensed under CC BY 4.0 by the author.