Digital Forensics
Digital forensics tools used in the CyberTalents Incident Response scholarship
I wish you all the best of luck in the CTF <3
1. Steganography
stegsolve
linux
GUI tool (a Java jar, run with java -jar stegsolve.jar) for finding hidden data in images by applying filters to the pixel values, e.g. viewing a single bit plane of one colour channel
installation:
wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar
chmod +x stegsolve.jar
mkdir bin
mv stegsolve.jar bin/
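What stegsolve's bit-plane views and "Data Extract" do, as an added example that is not part of the original page and not stegsolve's own code: it runs in pure Python on a constructed RGB byte buffer (no image file or imaging library is needed), embeds a message in the least significant bit of each channel byte, then extracts a chosen bit plane the way stegsolve displays it and recovers the message. The cover dimensions, the message, and the 4-byte length prefix are assumptions of the example.

```python
# Added example: LSB bit-plane embedding/extraction over a constructed RGB buffer.
# Not stegsolve's code; the cover, the secret and the length-prefix layout are assumptions.

def embed_lsb(pixels, payload):
    """Write payload (with a 4-byte big-endian length prefix) into bit 0 of
    successive channel bytes. Raises if the cover is too small."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("payload does not fit in the cover")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)

def extract_plane(pixels, bit=0, channel=None):
    """Collect one bit (0 = LSB .. 7 = MSB) from every channel byte, or from a
    single channel (0=R, 1=G, 2=B) when given, and pack the bits MSB-first.
    This is the 'Red/Green/Blue plane N' view of stegsolve, dumped as bytes."""
    sel = pixels if channel is None else pixels[channel::3]
    bits = [(b >> bit) & 1 for b in sel]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | bits[i + j]
        out.append(byte)
    return bytes(out)

def extract_lsb_message(pixels):
    """Reverse embed_lsb: read the length prefix from the LSB plane and return
    that many bytes. Raises if the prefix points past the available data."""
    raw = extract_plane(pixels, 0)
    n = int.from_bytes(raw[:4], "big")
    if n > len(raw) - 4:
        raise ValueError("length prefix exceeds available data")
    return raw[4:4 + n]

def plane_density(pixels, bit):
    """Fraction of set bits in a plane. A smooth cover has an almost empty LSB
    plane; embedded data pushes it towards 0.5, which is the visual cue to look
    for when flipping through planes in stegsolve."""
    return sum((b >> bit) & 1 for b in pixels) / len(pixels)

# Constructed cover: a 64x64 RGB gradient (red = x, green = y, blue = 0x80),
# 12288 channel bytes. Every value is even, so the LSB plane starts out empty.
WIDTH, HEIGHT = 64, 64
COVER = bytes(c for y in range(HEIGHT) for x in range(WIDTH)
              for c in ((x * 4) & 0xFF, (y * 4) & 0xFF, 0x80))
SECRET = b"flag{lsb_plane_0}"          # assumed secret for the example
STEGO = embed_lsb(COVER, SECRET)

if __name__ == "__main__":
    print(extract_lsb_message(STEGO))
    print("LSB density cover=%.3f stego=%.3f" % (plane_density(COVER, 0), plane_density(STEGO, 0)))
```

On a real image you would feed the raw RGB bytes (for instance from Pillow's `Image.tobytes()`) into `extract_plane`; the length prefix is a convention of this example, so with a CTF image try the plane dump without it and look for a magic number or readable text at the start.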
steghide
linux
for hiding/extracting a file (any data, not only text) in/from JPEG, BMP, WAV or AU files, protected by a passphrase
installation:
sudo apt-get install steghide
stegcracker
linux
for brute-forcing a steghide passphrase with a wordlist such as rockyou.txt
installation:
sudo apt-get install stegcracker
for more check stego-toolkit
eog
linux
for viewing images and GIFs
installation:
sudo apt-get install eog
GIMP
linux
image editor similar to Photoshop; it can also open raw pixel data when the file format is unknown or the header is damaged
installation:
sudo apt-get install gimp
exiftool
linux
for extracting EXIF and other image metadata (author, camera, timestamps, GPS coordinates); exiftool also ships a Windows executable, and exifread is a Python alternative
installation:
sudo apt-get install exiftool
pic2map
online site for plotting the GPS coordinates stored in an image's EXIF data on a map
binwalk
linux
for detecting and extracting files embedded inside other files, or carving them out of raw data, by scanning for known file signatures
installation:
sudo apt-get install binwalk
foremost
linux
file carver, same purpose as binwalk (recovers files by header/footer signatures)
installation:
sudo apt-get install foremost
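What binwalk and foremost do under the hood, as an added example that is not part of the original page and not the code of either tool: a signature-based carver in pure Python that scans a blob for PNG and JPEG headers, finds each file's end (walking PNG chunks to IEND, and the EOI marker for JPEG), and returns the carved bytes. The "disk image" is constructed inline from a minimal generated PNG and a header-only JPEG; the signature table, the junk padding and the helper names are assumptions of the example.

```python
# Added example: signature-based file carving over a constructed blob.
# Not binwalk's or foremost's code; the sample image bytes and padding are constructed here.
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"

def png_end(blob, start):
    """Walk the chunk list after the 8-byte signature; return the offset just past
    the IEND chunk, or None if the file is truncated or malformed."""
    pos = start + len(PNG_MAGIC)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4          # header + data + CRC
        if pos > len(blob):
            return None                # chunk claims more data than exists
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end(blob, start):
    """First EOI marker (FF D9) after SOI. Caveat: a JPEG with an embedded EXIF
    thumbnail carries the thumbnail's own FF D9 first, so a production carver
    walks the APPn segments instead; the constructed sample has no thumbnail."""
    idx = blob.find(b"\xff\xd9", start + 2)
    return idx + 2 if idx != -1 else None

SIGNATURES = {"png": (PNG_MAGIC, png_end), "jpeg": (JPEG_MAGIC, jpeg_end)}

def carve(blob):
    """Return (type, start, end, data) for every carvable file, sorted by offset.
    Hits whose end cannot be located are dropped rather than guessed."""
    found = []
    for name, (magic, end_fn) in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            end = end_fn(blob, pos)
            if end is not None:
                found.append((name, pos, end, blob[pos:end]))
            pos = blob.find(magic, pos + 1)
    return sorted(found, key=lambda f: f[1])

# --- constructed sample input -------------------------------------------------
def _chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)

def make_png(width=2, height=2):
    """Minimal valid 8-bit RGB PNG of red pixels (constructed for the example)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00" * width for _ in range(height))
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b""))

# Header-only JPEG: SOI, a 16-byte APP0/JFIF segment, EOI. Enough for carving.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
PNG = make_png()
# Constructed "disk image": junk, the PNG, zero fill, the JPEG, trailing junk.
BLOB = b"junk header " + PNG + b"\x00" * 37 + JPEG + b"trailing garbage"

if __name__ == "__main__":
    for name, start, end, data in carve(BLOB):
        print("%-5s offset=%d size=%d" % (name, start, end - start))
        with open("%08d.%s" % (start, name), "wb") as fh:   # same naming idea as foremost's output
            fh.write(data)
```

Compare the offsets it prints with `binwalk BLOB` on the same bytes written to a file; binwalk's `-e` and foremost's output directory are the equivalent of the write loop at the end.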
audacity
windows
& linux
for analyzing audio files and reading data hidden in the spectrogram
linux installation:
sudo apt-get install audacity
and for windows there is an exe
sonic visualizer
windows
& linux
same purpose as audacity but with a better spectrogram view
download: here
deepsound
windows
GUI tool for hiding files inside sound files with or without password
2. Network fundamentals
wireshark
windows
& linux
for packet capturing, analyzing and exporting data as well.
network miner
windows
for quick analysis of network traffic (hosts, sessions, credentials, and files reassembled from the capture); it gives a better overview than wireshark.
It can also be installed on linux and run with mono.
installation:
sudo apt install mono-devel
wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip
sudo unzip /tmp/nm.zip -d /opt/
cd /opt/NetworkMiner*
sudo chmod +x NetworkMiner.exe
sudo chmod -R go+w AssembledFiles/
sudo chmod -R go+w Captures/
run:
mono /opt/NetworkMiner*/NetworkMiner.exe --noupdatecheck
scapy
python lib
Scapy is a powerful Python library: it lets you craft packets, send them over the network, and sniff and analyze packets on the wire or from a capture file. Sending and sniffing raw packets requires root.
installation:
pip install scapy || pip3 install scapy
sending an ICMP message example (ICMP must be instantiated with parentheses, otherwise scapy raises a TypeError):
from scapy.all import *
send(IP(src="192.168.1.2", dst="192.168.1.3")/ICMP()/"message content")
extracting ICMP payloads from a capture example:
from scapy.all import *
scapy_cap = rdpcap('test.pcap')
for packet in scapy_cap:
    if ICMP in packet and Raw in packet:
        load = packet[Raw].load          # bytes carried after the ICMP header
        print(load.decode(errors="replace"))   # payload is not always valid UTF-8
tcpdump
linux
command line tool for capturing and analyzing network traffic
installation:
sudo apt-get install tcpdump
capture ICMP
example:
sudo tcpdump icmp
more examples with filters here
tshark
wireshark
command line version of wireshark; bundled with the Wireshark installer on Windows, a separate package on Debian/Ubuntu
installation:
sudo apt-get install tshark
print data field example:
sudo tshark -r test.pcap -T fields -e data | xxd -r -p
xxd to decode the output from hex
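The scapy loop and the tshark pipeline above both pull ICMP payloads out of a capture; as an added example that is not part of the original page and not scapy's or tshark's code, this block does the same thing in pure Python (no scapy, no capture tools) so it runs offline: it builds a classic pcap in memory from constructed ICMP echo requests that carry chunks of a message out of order, plus an echo reply and a UDP packet that must be ignored, then parses the pcap, filters on Ethernet/IPv4/ICMP, and reassembles the payloads by sequence number, which is the usual layout of ICMP exfiltration in CTF traffic. The addresses, the message, the chunk size and the helper names are assumptions of the example.

```python
# Added example: parse a classic pcap and reassemble ICMP echo payloads.
# Not scapy's or tshark's code; the capture is constructed in memory below.
import struct

ETH_HDR = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst, src, IPv4

def inet(addr):
    return bytes(int(o) for o in addr.split("."))

def checksum(data):
    """RFC 1071 ones-complement checksum (used for both IPv4 and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    return (~total) & 0xFFFF

def ipv4_frame(src, dst, proto, payload):
    """Ethernet + IPv4 header (no options) + payload, with a valid IP checksum."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     inet(src), inet(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ETH_HDR + ip + payload

def icmp_echo(src, dst, payload, seq, icmp_type=8):
    """ICMP echo request (type 8) or reply (type 0) with identifier 0x1234."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_frame(src, dst, 1, icmp)

def build_pcap(frames, byteorder="<"):
    """Classic pcap: 24-byte global header (link type 1 = Ethernet), then records."""
    out = bytearray(struct.pack(byteorder + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, frame in enumerate(frames):
        out += struct.pack(byteorder + "IIII", 1_600_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)

def iter_packets(pcap):
    """Yield (timestamp, frame) from a classic pcap written in either byte order."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        bo = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        bo = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(bo + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    pos = 24
    while pos + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(bo + "IIII", pcap[pos:pos + 16])
        pos += 16
        yield ts_sec + ts_usec / 1e6, pcap[pos:pos + incl_len]
        pos += incl_len

def icmp_payloads(pcap, types=(8,)):
    """Return (seq, src, dst, payload) for ICMP messages of the given types
    (8 = echo request by default). Non-IPv4 and non-ICMP frames are skipped,
    and the IHL field is honoured so IP options do not shift the ICMP header."""
    out = []
    for _, frame in iter_packets(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue
        ihl = (frame[14] & 0x0F) * 4
        icmp = frame[14 + ihl:]
        if len(icmp) < 8:
            continue
        itype, _, _, _, seq = struct.unpack("!BBHHH", icmp[:8])
        if itype not in types:
            continue
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        out.append((seq, src, dst, icmp[8:]))
    return out

def reassemble(pcap, types=(8,)):
    """Join payloads in sequence-number order (capture order is not reliable)."""
    return b"".join(p for _, _, _, p in sorted(icmp_payloads(pcap, types)))

# --- constructed capture: 4 echo requests out of order, 1 reply, 1 UDP datagram ---
MESSAGE = b"flag{icmp_payload_reassembly}"           # assumed exfiltrated message
CHUNKS = [MESSAGE[i:i + 8] for i in range(0, len(MESSAGE), 8)]
FRAMES = [icmp_echo("192.168.1.2", "192.168.1.3", c, seq) for seq, c in enumerate(CHUNKS, 1)]
FRAMES.append(icmp_echo("192.168.1.3", "192.168.1.2", b"pong", 1, icmp_type=0))
FRAMES.append(ipv4_frame("192.168.1.2", "192.168.1.3", 17,
                         struct.pack("!HHHH", 5353, 53, 13, 0) + b"hello"))
ORDER = (1, 0, 3, 2, 4, 5)
PCAP = build_pcap([FRAMES[i] for i in ORDER])

if __name__ == "__main__":
    for seq, src, dst, payload in icmp_payloads(PCAP):
        print("seq=%d %s -> %s %r" % (seq, src, dst, payload))
    print(reassemble(PCAP))
```

Write `PCAP` to a file and `tshark -r` / `rdpcap` will read it like any other capture; the `tshark -e data | xxd -r -p` one-liner above gives the same bytes but in capture order, so when the output looks scrambled, sort on `icmp.seq` first.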
netcat
linux
command line tool for monitoring, testing, and sending data across network connections.
installation:
sudo apt-get install netcat
examples here
cryptcat
same as netcat but with encrypted connection
3. Memory forensics
dumpit
command line tool (windows) for dumping physical memory to an image file
FTK imager
GUI tool for dumping memory, taking disk image and viewing/examining images
download: here
volatility
command line tool for analyzing memory images
download & installation: here
Volatility 2 syntax: identify the profile first, then pass it to every plugin
volatility -f file.mem imageinfo
...
...
volatility -f file.mem --profile=<profile> <any plugin>
(Volatility 3 needs no profile; the equivalent first step is vol -f file.mem windows.info)
4. OS forensics
hashcalc
windows
tool for calculating hashes
download: here
MFTEcmd | MFTExplorer
parsing and viewing the NTFS $MFT on windows (Eric Zimmerman's tools)
download: here
mail viewer
windows
program: here
evtx explorer
windows
event log explorer
download: here
powershell example for querying the security log:
Get-WinEvent -FilterHashtable @{
    LogName = "Security"
    ID      = 4634   # 4634 = an account was logged off; use 4624 for successful logons
} | Measure-Object   # print only a count instead of every event
RegistryBrowser
windows
program for examining the Windows Registry.
download: here
autopsy
windows (the windows version is better than the linux one)
for disk analysis and recovering deleted or lost data
download: here
frame extractor
split GIF to frames, check it from here
cyberchef
you know what cyberchef can do (decoding, decompression, hashing, and much more), check it from here
fcrackzip
linux
command line tool for cracking zip passwords
installation:
sudo apt-get install fcrackzip
gparted
linux
GUI tool for managing disks and partitions
installation:
sudo apt-get install gparted
dc3dd
linux
forensic variant of dd for imaging disks: hashes the data while copying, logs errors, and can split the output image into pieces
installation:
sudo apt-get install dc3dd
guymager
graphical disk imager like dc3dd; writes EWF (E01) images, which are compressed, unlike raw dd output
avml
Microsoft's tool for acquiring linux memory, download from here
example:
./avml memory.ram
use
volatility
to analyze it
goaccess
linux
web server log analyzer (Apache/Nginx access logs) with terminal and HTML reports
installation: here