forensics-tools
SKILL.md
Digital Forensics Tools
When to Use
Load this skill when:
- Analyzing suspicious files or unknown file formats
- Extracting hidden data or carved files
- Detecting steganography in images/audio
- Analyzing network PCAP files
- Scanning for high-entropy (encrypted/compressed) data
- Working with file signatures and magic bytes
File Analysis and Carving
Binwalk - Extract Embedded Files
# Scan for embedded files
binwalk suspicious.bin
# Extract all found files
binwalk -e suspicious.bin
# Extract with signature scan
binwalk --dd='.*' suspicious.bin
# Scan for specific file types
binwalk --signature image.png
Common File Signatures (Magic Bytes)
| File Type | Signature (Hex) | Signature (ASCII) |
|---|---|---|
| PNG | 89 50 4E 47 0D 0A 1A 0A |
.PNG.... |
| JPEG | FF D8 FF E0/E1 |
ÿØÿà |
| GIF | 47 49 46 38 37/39 61 |
GIF87a/GIF89a |
| ZIP | 50 4B 03 04 |
PK.. |
25 50 44 46 |
%PDF |
|
| ELF | 7F 45 4C 46 |
.ELF |
| RAR | 52 61 72 21 1A 07 |
Rar!.. |
Manual File Carving with dd
# Extract bytes from offset to end
dd if=input.bin of=output.bin skip=1024 bs=1
# Extract specific byte range
dd if=input.bin of=output.bin skip=1024 count=2048 bs=1
# Find PNG signature and extract
grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin
Strings Analysis
# Extract ASCII strings
strings suspicious.bin
# Extract with minimum length
strings -n 10 suspicious.bin
# Search for specific patterns
strings suspicious.bin | grep -i "flag\|password\|key"
# Unicode strings (16-bit little-endian)
strings -el suspicious.bin
# With file offsets
strings -t x suspicious.bin
Steganography Detection
Image Steganography
#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np
def check_lsb(image_path):
"""Check LSB (Least Significant Bit) steganography"""
img = Image.open(image_path)
pixels = np.array(img)
# Extract LSBs
lsb = pixels & 1
# Visualize LSBs (amplify for visibility)
lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
lsb_img.save('lsb_analysis.png')
print("[+] LSB analysis saved to lsb_analysis.png")
def extract_lsb_data(image_path):
"""Extract data from LSBs"""
img = Image.open(image_path)
pixels = np.array(img).flatten()
# Extract LSBs as bits
bits = ''.join([str(p & 1) for p in pixels])
# Convert to bytes
data = bytearray()
for i in range(0, len(bits), 8):
byte = bits[i:i+8]
if len(byte) == 8:
data.append(int(byte, 2))
return bytes(data)
# Usage
check_lsb('suspicious.png')
data = extract_lsb_data('suspicious.png')
print(data[:100]) # First 100 bytes
Common Steganography Tools
# Steghide (JPEG, BMP, WAV, AU)
steghide info suspicious.jpg
steghide extract -sf suspicious.jpg
# StegSolve (GUI tool for image analysis)
java -jar stegsolve.jar
# Zsteg (PNG, BMP)
zsteg suspicious.png
zsteg -a suspicious.png # All checks
# Exiftool (metadata analysis)
exiftool suspicious.jpg
exiftool -all suspicious.jpg
# Foremost (file carving)
foremost -i suspicious.bin -o output/
Audio Steganography
# Spectogram analysis with Sox
sox audio.wav -n spectrogram -o spectro.png
# Or with Python
python3 helpers/spectrogram.py audio.wav
# Audacity (GUI)
# File -> Open -> Analyze -> Plot Spectrum
Network Forensics
PCAP Analysis with tshark
# Basic statistics
tshark -r capture.pcap -q -z io,phs
# Extract HTTP objects
tshark -r capture.pcap --export-objects http,output/
# Filter by protocol
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "dns"
tshark -r capture.pcap -Y "tcp.port == 80"
# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri
# Extract HTTP POST data
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data
# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0
# Extract files
tshark -r capture.pcap --export-objects http,extracted/
tshark -r capture.pcap --export-objects smb,extracted/
Extract HTTP Traffic
#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import *
def extract_http(pcap_file):
"""Extract HTTP requests and responses"""
packets = rdpcap(pcap_file)
for pkt in packets:
if pkt.haslayer(TCP) and pkt.haslayer(Raw):
payload = pkt[Raw].load
# Check for HTTP
if payload.startswith(b'GET') or payload.startswith(b'POST'):
print("[HTTP Request]")
print(payload.decode('latin-1', errors='ignore'))
print("-" * 60)
elif payload.startswith(b'HTTP/'):
print("[HTTP Response]")
print(payload.decode('latin-1', errors='ignore')[:200])
print("-" * 60)
extract_http('capture.pcap')
Reconstruct Files from PCAP
# NetworkMiner (Windows/Linux with Mono)
mono NetworkMiner.exe --nogui -r capture.pcap -o output/
# tcpflow - Reconstruct TCP sessions
tcpflow -r capture.pcap -o output/
# Wireshark export
# File -> Export Objects -> HTTP/SMB/TFTP
Entropy Analysis
Detect Encrypted/Compressed Data
#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter
def calculate_entropy(data):
"""Calculate Shannon entropy"""
if not data:
return 0
entropy = 0
counter = Counter(data)
length = len(data)
for count in counter.values():
probability = count / length
entropy -= probability * math.log2(probability)
return entropy
def scan_entropy(filename, block_size=256):
"""Scan file for high-entropy blocks"""
with open(filename, 'rb') as f:
data = f.read()
print(f"Scanning {filename} for high-entropy regions...")
print(f"Block size: {block_size} bytes")
print("-" * 60)
for i in range(0, len(data), block_size):
block = data[i:i+block_size]
if len(block) < block_size // 2:
continue
entropy = calculate_entropy(block)
# High entropy (> 7.5) indicates encryption/compression
if entropy > 7.5:
print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")
# Usage
scan_entropy('suspicious.bin', block_size=512)
Memory Forensics
Volatility (if applicable in CTF)
# Identify profile
volatility -f memory.dmp imageinfo
# List processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
# Dump process memory
volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/
# Extract files
volatility -f memory.dmp --profile=Win7SP1x64 filescan
volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/
Quick Reference
| Task | Tool | Command |
|---|---|---|
| File carving | binwalk | binwalk -e file.bin |
| Strings | strings | strings -n 10 file.bin |
| Image LSB | zsteg | zsteg -a image.png |
| JPEG steg | steghide | steghide extract -sf image.jpg |
| Metadata | exiftool | exiftool image.jpg |
| PCAP HTTP | tshark | tshark -r file.pcap --export-objects http,out/ |
| TCP stream | tshark | tshark -r file.pcap -z follow,tcp,ascii,0 |
| Spectrogram | sox | sox audio.wav -n spectrogram -o spec.png |
| Entropy | custom | python3 helpers/entropy_scan.py file.bin |
Bundled Resources
File Analysis
file_analysis/binwalk_extract.sh- Wrapper for binwalk extraction
Steganography
steganography/steg_quickcheck.py- Automated steg detection- LSB analysis
- Metadata extraction
- Entropy visualization
Network Forensics
network_forensics/pcap_extract_http.py- Extract HTTP from PCAPnetwork_forensics/pcap_extract_files.py- Reconstruct files from PCAP
Helpers
helpers/entropy_scan.py- Scan files for high-entropy regionshelpers/file_signature_check.py- Verify file signatureshelpers/strings_smart.py- Enhanced string extraction
External Tools
# Install common forensics tools
sudo apt install binwalk foremost steghide exiftool
# Python tools
pip install pillow numpy scapy
# Specialized tools
# - StegSolve: https://github.com/zardus/ctf-tools (Java-based)
# - Audacity: https://www.audacityteam.org/ (audio analysis)
# - Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)
Keywords
forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data
Weekly Installs
11
Repository
g36maid/ctf-arsenalGitHub Stars
4
First Seen
Feb 9, 2026
Security Audits
Installed on
gemini-cli10
github-copilot10
codex10
kimi-cli10
amp10
opencode10