forensics-tools

# Digital Forensics Tools

## When to Use

Load this skill when:

- Analyzing suspicious files or unknown file formats
- Extracting hidden data or carved files
- Detecting steganography in images/audio
- Analyzing network PCAP files
- Scanning for high-entropy (encrypted/compressed) data
- Working with file signatures and magic bytes

## File Analysis and Carving

### Binwalk - Extract Embedded Files

```bash
# Scan for embedded files
binwalk suspicious.bin

# Extract all found files
binwalk -e suspicious.bin

# Extract every signature match (the dd rule '.*' matches all signature descriptions)
binwalk --dd='.*' suspicious.bin

# Scan for specific file types (signature scan)
binwalk --signature image.png
```

### Common File Signatures (Magic Bytes)

| File Type | Signature (Hex) | Signature (ASCII) |
|-----------|-----------------|-------------------|
| PNG | 89 50 4E 47 0D 0A 1A 0A | .PNG.... |
| JPEG | FF D8 FF E0/E1 | ÿØÿà |
| GIF | 47 49 46 38 37/39 61 | GIF87a/GIF89a |
| ZIP | 50 4B 03 04 | PK.. |
| PDF | 25 50 44 46 | %PDF |
| ELF | 7F 45 4C 46 | .ELF |
| RAR | 52 61 72 21 1A 07 | Rar!.. |

### Manual File Carving with dd

```bash
# Extract bytes from offset to end
dd if=input.bin of=output.bin skip=1024 bs=1

# Extract specific byte range
dd if=input.bin of=output.bin skip=1024 count=2048 bs=1

# Find PNG signature offsets, then extract from the reported offset
grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin
```
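The signature table and the dd/grep carving recipe above leave one question open: `grep --byte-offset` tells you where an embedded PNG starts, but not where it ends, and `dd count=` is a guess. The following script is an added example (not one of the skill's bundled helpers) that scans a buffer for every signature in the table, including the JPEG E0/E1 and GIF 87a/89a alternatives, and then carves a PNG by walking its chunk structure to the IEND chunk while verifying each chunk CRC. `SIGNATURES`, `scan_signatures`, `carve_png` and the constructed `build_sample_blob` input are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Signature scan and structure-aware PNG carving (added example).

Not part of the skill's bundled helpers. The magic-byte table is the one
from the section above; build_sample_blob() constructs the input so the
script runs offline, and carve_png() shows why walking the chunk structure
beats guessing a dd count=.
"""
import struct
import zlib

# Alternatives such as JPEG E0/E1 and GIF 87a/89a are tuples of accepted prefixes.
SIGNATURES = {
    "PNG":  (b"\x89PNG\r\n\x1a\n",),
    "JPEG": (b"\xff\xd8\xff\xe0", b"\xff\xd8\xff\xe1"),
    "GIF":  (b"GIF87a", b"GIF89a"),
    "ZIP":  (b"PK\x03\x04",),
    "PDF":  (b"%PDF",),
    "ELF":  (b"\x7fELF",),
    "RAR":  (b"Rar!\x1a\x07",),
}


def scan_signatures(data):
    """Return sorted [(offset, type)] for every signature found anywhere in data.
    Like `grep --byte-offset`, this only finds headers; it says nothing about
    where the embedded file ends."""
    hits = []
    for ftype, magics in SIGNATURES.items():
        for magic in magics:
            start = data.find(magic)
            while start != -1:
                hits.append((start, ftype))
                start = data.find(magic, start + 1)
    return sorted(hits)


def carve_png(data, offset):
    """Return the PNG starting at offset, ending with its IEND chunk, or None.

    Each chunk is: 4-byte big-endian length, 4-byte type, body, 4-byte CRC32
    over type+body. A length that runs past the buffer or a CRC mismatch
    means the structure is damaged (truncated or altered), so the caller
    should fall back to a manual offset range rather than trust the result."""
    sig = SIGNATURES["PNG"][0]
    if data[offset:offset + len(sig)] != sig:
        return None
    pos = offset + len(sig)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(data):
            return None
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(data[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None
        pos = end
        if ctype == b"IEND":
            return data[offset:pos]
    return None  # ran out of data before IEND


def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_blob():
    """Constructed test data: 1 KiB of zeros, a valid 1x1 grayscale PNG, 37 bytes
    of 0xFF, then a ZIP local-file header. Returns (blob, the embedded png)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, grayscale
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    png = (SIGNATURES["PNG"][0] + _png_chunk(b"IHDR", ihdr)
           + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))
    blob = b"\x00" * 1024 + png + b"\xff" * 37 + b"PK\x03\x04" + b"\x00" * 26
    return blob, png


if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for off, ftype in scan_signatures(blob):
        carved = carve_png(blob, off) if ftype == "PNG" else None
        size = f"{len(carved)} bytes (IEND found)" if carved else "length unknown"
        print(f"0x{off:08x}  {ftype:5s}  {size}")
```

On a real file, replace `build_sample_blob()` with `open(path, "rb").read()`; the offsets printed are the same numbers `grep --byte-offset` reports, and a `None` from `carve_png` is the cue to fall back to the manual `dd` range.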

### Strings Analysis

```bash
# Extract ASCII strings
strings suspicious.bin

# Extract with minimum length
strings -n 10 suspicious.bin

# Search for specific patterns (-E so that | is alternation, not a literal)
strings suspicious.bin | grep -iE "flag|password|key"

# Unicode strings (16-bit little-endian)
strings -el suspicious.bin

# With file offsets
strings -t x suspicious.bin
```

## Steganography Detection

### Image Steganography

```python
#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np


def check_lsb(image_path):
    """Check LSB (Least Significant Bit) steganography"""
    img = Image.open(image_path)
    pixels = np.array(img)

    # Extract LSBs
    lsb = pixels & 1

    # Visualize LSBs (amplify for visibility: 1 -> 255)
    lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
    lsb_img.save('lsb_analysis.png')
    print("[+] LSB analysis saved to lsb_analysis.png")


def extract_lsb_data(image_path):
    """Extract data from LSBs (all channels, pixel order, MSB-first packing)"""
    img = Image.open(image_path)
    pixels = np.array(img).flatten()

    # Extract LSBs as bits
    bits = ''.join(str(p & 1) for p in pixels)

    # Convert to bytes; a trailing partial byte is dropped
    data = bytearray()
    for i in range(0, len(bits), 8):
        byte = bits[i:i + 8]
        if len(byte) == 8:
            data.append(int(byte, 2))

    return bytes(data)


# Usage
if __name__ == "__main__":
    check_lsb('suspicious.png')
    data = extract_lsb_data('suspicious.png')
    print(data[:100])  # First 100 bytes
```
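The LSB visualisation above relies on the analyst's eye. A quantitative check that complements it is the pairs-of-values chi-square test: sequential LSB replacement makes the counts of each value pair (2k, 2k+1) in the histogram converge, so the chi-square statistic per pair falls towards 1, while an untouched image usually scores far higher. The script below is an added example, not the skill's `steg_quickcheck.py`; `pov_chi_square`, `lsb_ones_ratio`, `looks_lsb_embedded`, the threshold of 3.0 and the constructed cover in `make_samples` (a histogram limited to multiples of 4, as contrast-stretched images often are) are all assumptions of this example, and the threshold needs calibrating on real material.

```python
#!/usr/bin/env python3
"""Pairs-of-values (chi-square) LSB steganalysis on an 8-bit image plane.

Added example, not part of the skill's bundled scripts. Cover and stego
planes are constructed in make_samples(); on a real file use
np.array(Image.open(path).convert("L")) instead.
"""
import numpy as np


def pov_chi_square(plane):
    """Chi-square statistic per value pair (2k, 2k+1), averaged over the pairs
    that occur. LSB replacement equalises the two counts of every pair, so the
    result drops towards 1; unmodified images usually score much higher."""
    hist = np.bincount(np.asarray(plane, dtype=np.uint8).ravel(), minlength=256)
    even, odd = hist[0::2].astype(np.float64), hist[1::2].astype(np.float64)
    expected = (even + odd) / 2.0
    used = expected > 0  # pairs that never occur carry no evidence
    chi2 = np.sum((even[used] - expected[used]) ** 2 / expected[used]
                  + (odd[used] - expected[used]) ** 2 / expected[used])
    return float(chi2 / max(int(used.sum()), 1))


def lsb_ones_ratio(plane):
    """Fraction of pixels whose LSB is 1; ~0.5 is what a random payload leaves behind."""
    return float(np.mean(np.asarray(plane, dtype=np.uint8) & 1))


def looks_lsb_embedded(plane, threshold=3.0):
    """Heuristic verdict (threshold is an assumption): a statistic close to 1
    means the LSB plane looks as if it was replaced."""
    return pov_chi_square(plane) < threshold


def make_samples(size=128, seed=0):
    """Constructed test data: a noisy ramp whose histogram only contains
    multiples of 4 (combing, as after contrast stretching), and the same plane
    with every LSB replaced by a random bit."""
    rng = np.random.default_rng(seed)
    ramp = np.linspace(0, 255, size)[None, :] + rng.normal(0, 20, (size, size))
    cover = np.clip(ramp, 0, 255).astype(np.uint8) & 0xFC
    stego = (cover & 0xFE) | rng.integers(0, 2, cover.shape, dtype=np.uint8)
    return cover, stego


if __name__ == "__main__":
    cover, stego = make_samples()
    for name, plane in (("cover", cover), ("stego", stego)):
        print(f"{name}: chi2/pair={pov_chi_square(plane):.2f} "
              f"ones={lsb_ones_ratio(plane):.3f} flagged={looks_lsb_embedded(plane)}")
```

The statistic is strongest for sequential, full-capacity embedding; a payload that fills only part of the image, or one spread by a pseudo-random path, pushes the score back up, which is why the verdict is a prompt for further checks (zsteg, steghide info) rather than a conclusion.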

### Common Steganography Tools

```bash
# Steghide (JPEG, BMP, WAV, AU)
steghide info suspicious.jpg
steghide extract -sf suspicious.jpg

# StegSolve (GUI tool for image analysis)
java -jar stegsolve.jar

# Zsteg (PNG, BMP)
zsteg suspicious.png
zsteg -a suspicious.png  # All checks

# Exiftool (metadata analysis)
exiftool suspicious.jpg
exiftool -all suspicious.jpg

# Foremost (file carving)
foremost -i suspicious.bin -o output/
```

### Audio Steganography

```bash
# Spectrogram analysis with Sox
sox audio.wav -n spectrogram -o spectro.png

# Or with Python
python3 helpers/spectrogram.py audio.wav

# Audacity (GUI)
# File -> Open -> Analyze -> Plot Spectrum
```
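A spectrogram is a short-time Fourier transform rendered as an image, which is what the sox command produces. The script below is an added example of how such a helper works; it is not the skill's `helpers/spectrogram.py`. It reads 16-bit PCM WAV with the standard `wave` module, computes a Hann-windowed STFT with numpy, tracks the loudest frequency per frame (useful when a message is hidden as a tone sequence) and writes the spectrogram as an 8-bit PNG with Pillow. `read_wav`, `stft_db`, `peak_frequencies`, `save_spectrogram_png` and the constructed input from `make_tone_sequence` are all assumptions of this example.

```python
#!/usr/bin/env python3
"""Spectrogram via numpy STFT, plus peak-frequency tracking (added example).

Not the skill's helpers/spectrogram.py. Input is a mono float array;
read_wav() covers 16-bit PCM WAV, the same format the sox command consumes.
"""
import wave
import numpy as np


def read_wav(path):
    """Load a 16-bit PCM WAV as (sample_rate, float32 mono samples in [-1, 1])."""
    with wave.open(path, "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM is handled here")
        raw = w.readframes(w.getnframes())
        rate, channels = w.getframerate(), w.getnchannels()
    pcm = np.frombuffer(raw, dtype="<i2").astype(np.float32) / 32768.0
    if channels > 1:
        pcm = pcm.reshape(-1, channels).mean(axis=1)  # downmix to mono
    return rate, pcm


def stft_db(samples, frame=256, hop=128):
    """Hann-windowed STFT magnitude in dB, shape (n_frames, frame // 2 + 1)."""
    window = np.hanning(frame)
    n_frames = 1 + (len(samples) - frame) // hop
    idx = np.arange(frame)[None, :] + hop * np.arange(n_frames)[:, None]
    mag = np.abs(np.fft.rfft(samples[idx] * window, axis=1))
    return 20.0 * np.log10(mag + 1e-9)


def peak_frequencies(spec_db, sample_rate, frame=256):
    """Loudest bin per frame converted to Hz; resolution is sample_rate / frame."""
    return np.argmax(spec_db, axis=1) * sample_rate / frame


def save_spectrogram_png(spec_db, path):
    """Time on the x axis, frequency upward, loud = bright (needs Pillow)."""
    from PIL import Image
    lo, hi = np.percentile(spec_db, 5), spec_db.max()
    img = np.clip((spec_db - lo) / (hi - lo + 1e-9), 0, 1) * 255
    Image.fromarray(img.astype(np.uint8).T[::-1]).save(path)


def make_tone_sequence(sample_rate=8000, freqs=(440.0, 1000.0), seconds=0.5):
    """Constructed input: one pure tone after another, 0.5 s each."""
    t = np.arange(int(sample_rate * seconds)) / sample_rate
    return np.concatenate([np.sin(2 * np.pi * f * t) for f in freqs]).astype(np.float32)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        rate, samples = read_wav(sys.argv[1])
    else:
        rate, samples = 8000, make_tone_sequence()
    spec = stft_db(samples)
    peaks = peak_frequencies(spec, rate)
    print("peak Hz per frame:", np.round(peaks[::10]))
    save_spectrogram_png(spec, "spectro.png")
```

With the defaults (frame 256, hop 128) a 8 kHz file resolves 31.25 Hz per bin and 16 ms per frame; raise `frame` for finer frequency resolution when the hidden content is narrow-band text drawn into the spectrogram, and lower it when it is short pulses.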

## Network Forensics

### PCAP Analysis with tshark

```bash
# Basic statistics
tshark -r capture.pcap -q -z io,phs

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,output/

# Filter by protocol
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "dns"
tshark -r capture.pcap -Y "tcp.port == 80"

# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri

# Extract HTTP POST data
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

# Extract files
tshark -r capture.pcap --export-objects http,extracted/
tshark -r capture.pcap --export-objects smb,extracted/
```

### Extract HTTP Traffic

```python
#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import rdpcap, TCP, Raw


def extract_http(pcap_file):
    """Extract HTTP requests and responses (per packet, no TCP reassembly)"""
    packets = rdpcap(pcap_file)

    for pkt in packets:
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            payload = pkt[Raw].load

            # Check for HTTP
            if payload.startswith(b'GET') or payload.startswith(b'POST'):
                print("[HTTP Request]")
                print(payload.decode('latin-1', errors='ignore'))
                print("-" * 60)

            elif payload.startswith(b'HTTP/'):
                print("[HTTP Response]")
                print(payload.decode('latin-1', errors='ignore')[:200])
                print("-" * 60)


if __name__ == "__main__":
    extract_http('capture.pcap')
```

### Reconstruct Files from PCAP

```bash
# NetworkMiner (Windows/Linux with Mono)
mono NetworkMiner.exe --nogui -r capture.pcap -o output/

# tcpflow - Reconstruct TCP sessions
tcpflow -r capture.pcap -o output/

# Wireshark export
# File -> Export Objects -> HTTP/SMB/TFTP
```
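The scapy script in "Extract HTTP Traffic" inspects each packet on its own, so a request whose first bytes land in one segment and the rest in another is missed, and a retransmitted segment is printed twice; tcpflow exists precisely to reassemble the stream first. The script below is an added example of that reassembly, not the skill's `pcap_extract_http.py` or `pcap_extract_files.py`: a dependency-free reader for classic pcap (Ethernet/IPv4/TCP only, no pcapng), per-flow ordering by sequence number with duplicate and overlap removal, and request-line extraction over the reassembled bytes. `iter_pcap_frames`, `parse_tcp`, `reassemble_flows`, `http_request_lines` and the constructed capture from `build_sample_pcap` (addresses from the RFC 5737 documentation range) are assumptions of this example.

```python
#!/usr/bin/env python3
"""Pure-Python pcap reader with tcpflow-style TCP payload reassembly (added example).

Not the skill's pcap_extract_http.py / pcap_extract_files.py. Scope: classic
pcap (not pcapng), Ethernet/IPv4/TCP only; segments are ordered by sequence
number and retransmitted or overlapping bytes are dropped.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_TCP = 6


def iter_pcap_frames(blob):
    """Yield the link-layer bytes of each record in a classic pcap blob."""
    (magic,) = struct.unpack("<I", blob[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", blob[20:24])
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}, expected Ethernet")
    pos = 24
    while pos + 16 <= len(blob):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", blob[pos:pos + 16])
        pos += 16
        yield blob[pos:pos + incl_len]
        pos += incl_len


def parse_tcp(frame):
    """Return ((src, sport, dst, dport), seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ip[9] != IPPROTO_TCP or total_len > len(ip):
        return None
    ip = ip[:total_len]  # drop Ethernet padding
    tcp = ip[ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    doff = (tcp[12] >> 4) * 4
    key = (".".join(map(str, ip[12:16])), sport, ".".join(map(str, ip[16:20])), dport)
    return key, seq, tcp[doff:]


def reassemble_flows(blob):
    """Map each unidirectional flow to its ordered, de-duplicated payload bytes."""
    segments = defaultdict(list)
    for frame in iter_pcap_frames(blob):
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            key, seq, payload = parsed
            segments[key].append((seq, payload))
    flows = {}
    for key, chunks in segments.items():
        chunks.sort(key=lambda c: c[0])
        out, nxt = bytearray(), chunks[0][0]
        for seq, payload in chunks:
            if seq + len(payload) <= nxt:
                continue  # pure retransmission
            if seq < nxt:
                payload, seq = payload[nxt - seq:], nxt  # partial overlap
            out += payload  # a gap (seq > nxt) is simply skipped
            nxt = seq + len(payload)
        flows[key] = bytes(out)
    return flows


def http_request_lines(flows):
    """Request lines found in reassembled flows, e.g. 'GET /index.html HTTP/1.1'."""
    found = []
    for key, data in flows.items():
        for line in data.split(b"\r\n"):
            if line.startswith((b"GET ", b"POST ")) and b" HTTP/1." in line:
                found.append((key, line.decode("latin-1")))
    return found


def _frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0, src, dst) + tcp
    return bytes(12) + ETHERTYPE_IPV4 + ip  # zero MACs, no checksums (constructed)


def build_sample_pcap():
    """Constructed capture (192.0.2.0/24, RFC 5737): a GET split over two
    segments, the first segment retransmitted out of order, and the reply."""
    client, server = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80])
    req = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
    frames = [
        _frame(client, 40000, server, 80, 1000, req[:10]),
        _frame(server, 80, client, 40000, 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"),
        _frame(client, 40000, server, 80, 1000, req[:10]),  # retransmission
        _frame(client, 40000, server, 80, 1010, req[10:]),
    ]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return bytes(out)


if __name__ == "__main__":
    flows = reassemble_flows(build_sample_pcap())
    for key, data in flows.items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {len(data)} bytes")
    for key, line in http_request_lines(flows):
        print("request:", line)
```

Each value in `flows` is what tcpflow would write to one of its per-direction output files, so writing `flows[key]` to disk gives the same raw material for carving with binwalk or foremost as the `tcpflow -o output/` command above.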

## Entropy Analysis

### Detect Encrypted/Compressed Data

```python
#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter


def calculate_entropy(data):
    """Calculate Shannon entropy (bits per byte, 0..8)"""
    if not data:
        return 0

    entropy = 0
    counter = Counter(data)
    length = len(data)

    for count in counter.values():
        probability = count / length
        entropy -= probability * math.log2(probability)

    return entropy


def scan_entropy(filename, block_size=256):
    """Scan file for high-entropy blocks"""
    with open(filename, 'rb') as f:
        data = f.read()

    print(f"Scanning {filename} for high-entropy regions...")
    print(f"Block size: {block_size} bytes")
    print("-" * 60)

    for i in range(0, len(data), block_size):
        block = data[i:i+block_size]
        if len(block) < block_size // 2:
            continue  # skip a short trailing block

        entropy = calculate_entropy(block)

        # High entropy (> 7.5) indicates encryption/compression
        if entropy > 7.5:
            print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")


# Usage
if __name__ == "__main__":
    scan_entropy('suspicious.bin', block_size=512)
```
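The fixed 7.5-bit cut-off in the scanner above interacts with the block size: a block of 256 random bytes can show at most 256 distinct values and on average only about 160, so its entropy averages roughly 7.2 bits and uniformly random data would never be flagged at that block size. The script below is an added example (not the skill's `helpers/entropy_scan.py`) that calibrates the threshold against random blocks of the same size; `random_entropy_baseline`, `scan_entropy_relative`, the 0.95 fraction and the constructed `make_sample_file` input are assumptions of this example.

```python
#!/usr/bin/env python3
"""Block-size-aware entropy threshold (added example, not helpers/entropy_scan.py).

A fixed cut-off such as 7.5 bits misses genuinely random data when the block
is small, because a short block cannot exhibit all 256 byte values. Measuring
what random blocks of the same size score gives a threshold that tracks the
block size.
"""
import math
import random
from collections import Counter


def calculate_entropy(data):
    """Shannon entropy in bits per byte (same definition as the scanner above)."""
    if not data:
        return 0.0
    length = len(data)
    return -sum((c / length) * math.log2(c / length) for c in Counter(data).values())


def random_entropy_baseline(block_size, trials=200, seed=0):
    """Mean entropy of `trials` uniformly random blocks of block_size bytes."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        block = bytes(rng.getrandbits(8) for _ in range(block_size))
        total += calculate_entropy(block)
    return total / trials


def scan_entropy_relative(data, block_size=256, fraction=0.95):
    """Offsets of blocks whose entropy is at least `fraction` of what random
    data of this block size scores (fraction is a tunable assumption)."""
    cutoff = fraction * random_entropy_baseline(block_size)
    hits = []
    for i in range(0, len(data), block_size):
        block = data[i:i + block_size]
        if len(block) < block_size // 2:
            continue  # skip a short trailing block, as the scanner above does
        if calculate_entropy(block) >= cutoff:
            hits.append(i)
    return hits


def make_sample_file(seed=1):
    """Constructed blob: 1 KiB of zeros, 2 KiB of random bytes, 1 KiB of text."""
    rng = random.Random(seed)
    randomness = bytes(rng.getrandbits(8) for _ in range(2048))
    text = (b"The quick brown fox jumps over the lazy dog. " * 40)[:1024]
    return b"\x00" * 1024 + randomness + text


if __name__ == "__main__":
    for size in (64, 256, 1024, 4096):
        print(f"block {size:5d}: random-data entropy ~ {random_entropy_baseline(size):.3f}")
    blob = make_sample_file()
    print("flagged offsets:", [hex(o) for o in scan_entropy_relative(blob)])
```

Compressed and encrypted regions both score near the baseline, so a hit only says "not plaintext, not structured"; telling the two apart is a job for the signature scan (a zlib or gzip header in front of the region) rather than for entropy.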

## Memory Forensics

### Volatility (if applicable in CTF)

```bash
# Identify profile
volatility -f memory.dmp imageinfo

# List processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist

# Dump process memory
volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/

# Extract files
volatility -f memory.dmp --profile=Win7SP1x64 filescan
volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/
```

## Quick Reference

| Task | Tool | Command |
|------|------|---------|
| File carving | binwalk | `binwalk -e file.bin` |
| Strings | strings | `strings -n 10 file.bin` |
| Image LSB | zsteg | `zsteg -a image.png` |
| JPEG steg | steghide | `steghide extract -sf image.jpg` |
| Metadata | exiftool | `exiftool image.jpg` |
| PCAP HTTP | tshark | `tshark -r file.pcap --export-objects http,out/` |
| TCP stream | tshark | `tshark -r file.pcap -z follow,tcp,ascii,0` |
| Spectrogram | sox | `sox audio.wav -n spectrogram -o spec.png` |
| Entropy | custom | `python3 helpers/entropy_scan.py file.bin` |

## Bundled Resources

### File Analysis

- file_analysis/binwalk_extract.sh - Wrapper for binwalk extraction

### Steganography

- steganography/steg_quickcheck.py - Automated steg detection
  - LSB analysis
  - Metadata extraction
  - Entropy visualization

### Network Forensics

- network_forensics/pcap_extract_http.py - Extract HTTP from PCAP
- network_forensics/pcap_extract_files.py - Reconstruct files from PCAP

### Helpers

- helpers/entropy_scan.py - Scan files for high-entropy regions
- helpers/file_signature_check.py - Verify file signatures
- helpers/strings_smart.py - Enhanced string extraction

## External Tools

```bash
# Install common forensics tools
sudo apt install binwalk foremost steghide exiftool

# Python tools
pip install pillow numpy scapy

# Specialized tools
# - StegSolve: https://github.com/zardus/ctf-tools (Java-based)
# - Audacity: https://www.audacityteam.org/ (audio analysis)
# - Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)
```

## Keywords

forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data