Forensics Analysis Skill

Quick Workflow

Progress:
- [ ] Identify file type (file, xxd)
- [ ] Check metadata (exiftool)
- [ ] Search strings for flag
- [ ] Check for embedded data (binwalk)
- [ ] Try steganography tools
- [ ] Extract hidden content

Step 1: Quick Analysis

file suspicious_file
exiftool suspicious_file
strings suspicious_file | grep -iE "flag|ctf|secret|key"
binwalk suspicious_file

Step 2: Identify Challenge Type

File Type	Approach	Reference
Image (PNG/JPG)	Steganography	reference/steganography.md
Memory dump	Volatility	reference/memory.md
Unknown/corrupted	File analysis	reference/file-analysis.md
PCAP	Network skill	Use `networking` skill

Image Stego - Quick Start

# Try AperiSolve first (online)
# https://www.aperisolve.com/

# PNG
zsteg image.png
zsteg -a image.png

# JPEG
steghide extract -sf image.jpg
stegseek image.jpg rockyou.txt  # Brute force

Full techniques: reference/steganography.md

Memory Dump - Quick Start

# Volatility 3
vol -f memory.dmp windows.info
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.filescan | grep -i flag

Full techniques: reference/memory.md

File Carving - Quick Start

binwalk -e suspicious_file      # Extract embedded files
foremost -i file -o output/     # Carve files

# Fix corrupted header
xxd file | head -10             # Check magic bytes

Full techniques: reference/file-analysis.md

Online Tools

Tool	URL	Purpose
AperiSolve	aperisolve.com	All-in-one stego
StegOnline	stegonline.georgeom.net	Image analysis
CyberChef	gchq.github.io/CyberChef	Data transform

Reference Files

Steganography: Image/audio stego, LSB, AperiSolve
Memory: Volatility 2/3, process analysis
File Analysis: Magic bytes, binwalk, password cracking

forensics

Forensics Analysis Skill

Quick Workflow

Step 1: Quick Analysis

Step 2: Identify Challenge Type

Image Stego - Quick Start

Memory Dump - Quick Start

File Carving - Quick Start

Online Tools

Reference Files