Forensics
General Forensics Tools
- HexEd.it — Online hex editor
- Autopsy Forensic Browser — Digital forensics platform
- pspy — Low privilege process snooper.
- Audacity — Analyze sound files.
Unzip, Extract Files
- 7-Zip — File archiver with a high compression ratio (and opens just about anything)
unzip file.zipto extract the archive file residing in the current directory and extract its contents also to the current directory.unzip file.zip -d dest_folderto extract the zip file to another folder.unzip filename.docx -d dest_folderto unzip .docx files to see what’s inside.gzip -d file.gz(orgzip -dk file.gzto keep compressed file) — UnzipgzFilegunzip file.gz— Unzipgzfile (this command is essentially an alias togzip -d.tar -xf archive.tar.gzto extract atar.gzfile.unrar—
General Forensics Command Line Analysis Tools
file— Determine the type of a file.file -i— View mime type of file.file -z— Try to look inside compressed files.
- Exif Tool — Read, write, edit file metadata.
- Exif — Shows EXIF information in JPEG files.
xxd— Dump file in hex format.- Binwalk — Search a binary image for embedded files, executable code.
- Foremost — May catch something Binwalk misses.
- Pngcheck — Verifies PNG integrity, dump chunk-level info in human-readable form.
- scalpel — fast file carver that reads database of header and footer definitions and extracts matching files from a set of image files or raw device files.
- identify — Image format and characteristics
- Supported file formats include JPEG, PNG, GIF, TIFF, PDF.
- Extundelete — Recover lost data from mountable images.
- PDF Streams Inflater — Find, extract zlib files compressed in PDF files.
Steganography
Note that many other steganography tools are detailed on the Steganography page
- FotoForensics
- Supported formats: JPEG, PNG, WebP, HEIC, and AVIF.
- The “Hidden Pixels” analysis option is particularly useful.
- Binwalk — Search a binary image for embedded files, executable code (described below).
- Foremost — May catch something Binwalk misses.
- steghide — Hides and extracts data from files.
- zsteg — Find steganography in PNG and BMP files.
zsteg -aruns every detection method on the given file.zsteg -Eextracts data with the given payload.
- stegsolve — Can be used to find hidden information in files.
fft(Fast Fourier Transform)- stegoveritas — Carve and extract; similar to zsteg.
- stegdetect — Statistically determine if steganograhpic content is present and how.
- Snow — Whitespace steganography tool
- StegCracker — Brute-force utility to uncover hidden data inside files.
Generate hash from command line
sha256sum <datafile>sha256sum /path/to/datafile > checksumto generate the hash for a file in a directory. Usecatcommand to display the contents.
File Extensions (and what to try)
.docx
.tar.gz
.zip
.bin
The .bin extension is most commonly associated with compressed binary files. A BIN file is a generic data file that stores information entirely or partially in binary format. A BIN file may be an image or a video (think CD or DVD), or some other kind of executable.
Bin files are often used for distributing executable files for program installations; in this case, a .bin file is a self-extracting binary file for Linux and Unix-like operating systems. In this case, to extract and open a bin file:
- Make the file executable by using
chmodcommand:chmod +x filename.bin - Execute the file:
./filename.bin
If the BIN file isn’t executable, you can instead mount the file to a virtual drive. Instructions for Linux systems can be found in this article.
Alternatively, you can convert the BIN file into an ISO file, which allows you to use many more programs to burn or mount it. One popular program to do this is MagicISO.
Finally, if the above fail, you can extract the contents of the file using one of the following tools:
- bchunk
- acetoneiso
- ISO Furius
- Gmount-iso
- cdemu