# Scan for embedded files
binwalk suspicious.bin

# Extract all found files
binwalk -e suspicious.bin

# Extract with signature scan
binwalk --dd='.*' suspicious.bin

# Scan for specific file types
binwalk --signature image.png

# Extract bytes from offset to end
dd if=input.bin of=output.bin skip=1024 bs=1

# Extract specific byte range
dd if=input.bin of=output.bin skip=1024 count=2048 bs=1

# Find PNG signature and extract
grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin

# Extract ASCII strings
strings suspicious.bin

# Extract with minimum length
strings -n 10 suspicious.bin

# Search for specific patterns
strings suspicious.bin | grep -i "flag\|password\|key"

# Unicode strings (16-bit little-endian)
strings -el suspicious.bin

# With file offsets
strings -t x suspicious.bin

#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np

def check_lsb(image_path):
    """Check LSB (Least Significant Bit) steganography"""
    img = Image.open(image_path)
    pixels = np.array(img)
    
    # Extract LSBs
    lsb = pixels & 1
    
    # Visualize LSBs (amplify for visibility)
    lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
    lsb_img.save('lsb_analysis.png')
    print("[+] LSB analysis saved to lsb_analysis.png")

def extract_lsb_data(image_path):
    """Extract data from LSBs"""
    img = Image.open(image_path)
    pixels = np.array(img).flatten()
    
    # Extract LSBs as bits
    bits = ''.join([str(p & 1) for p in pixels])
    
    # Convert to bytes
    data = bytearray()
    for i in range(0, len(bits), 8):
        byte = bits[i:i+8]
        if len(byte) == 8:
            data.append(int(byte, 2))
    
    return bytes(data)

# Usage
check_lsb('suspicious.png')
data = extract_lsb_data('suspicious.png')
print(data[:100])  # First 100 bytes

# Steghide (JPEG, BMP, WAV, AU)
steghide info suspicious.jpg
steghide extract -sf suspicious.jpg

# StegSolve (GUI tool for image analysis)
java -jar stegsolve.jar

# Zsteg (PNG, BMP)
zsteg suspicious.png
zsteg -a suspicious.png  # All checks

# Exiftool (metadata analysis)
exiftool suspicious.jpg
exiftool -all suspicious.jpg

# Foremost (file carving)
foremost -i suspicious.bin -o output/

# Spectogram analysis with Sox
sox audio.wav -n spectrogram -o spectro.png

# Or with Python
python3 helpers/spectrogram.py audio.wav

# Audacity (GUI)
# File -> Open -> Analyze -> Plot Spectrum

# Basic statistics
tshark -r capture.pcap -q -z io,phs

# Extract HTTP objects
tshark -r capture.pcap --export-objects http,output/

# Filter by protocol
tshark -r capture.pcap -Y "http"
tshark -r capture.pcap -Y "dns"
tshark -r capture.pcap -Y "tcp.port == 80"

# Extract HTTP requests
tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri

# Extract HTTP POST data
tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data

# Follow TCP stream
tshark -r capture.pcap -z follow,tcp,ascii,0

# Extract files
tshark -r capture.pcap --export-objects http,extracted/
tshark -r capture.pcap --export-objects smb,extracted/

#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import *

def extract_http(pcap_file):
    """Extract HTTP requests and responses"""
    packets = rdpcap(pcap_file)
    
    for pkt in packets:
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            payload = pkt[Raw].load
            
            # Check for HTTP
            if payload.startswith(b'GET') or payload.startswith(b'POST'):
                print("[HTTP Request]")
                print(payload.decode('latin-1', errors='ignore'))
                print("-" * 60)
            
            elif payload.startswith(b'HTTP/'):
                print("[HTTP Response]")
                print(payload.decode('latin-1', errors='ignore')[:200])
                print("-" * 60)

extract_http('capture.pcap')

# NetworkMiner (Windows/Linux with Mono)
mono NetworkMiner.exe --nogui -r capture.pcap -o output/

# tcpflow - Reconstruct TCP sessions
tcpflow -r capture.pcap -o output/

# Wireshark export
# File -> Export Objects -> HTTP/SMB/TFTP

#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter

def calculate_entropy(data):
    """Calculate Shannon entropy"""
    if not data:
        return 0
    
    entropy = 0
    counter = Counter(data)
    length = len(data)
    
    for count in counter.values():
        probability = count / length
        entropy -= probability * math.log2(probability)
    
    return entropy

def scan_entropy(filename, block_size=256):
    """Scan file for high-entropy blocks"""
    with open(filename, 'rb') as f:
        data = f.read()
    
    print(f"Scanning {filename} for high-entropy regions...")
    print(f"Block size: {block_size} bytes")
    print("-" * 60)
    
    for i in range(0, len(data), block_size):
        block = data[i:i+block_size]
        if len(block) < block_size // 2:
            continue
        
        entropy = calculate_entropy(block)
        
        # High entropy (> 7.5) indicates encryption/compression
        if entropy > 7.5:
            print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")

# Usage
scan_entropy('suspicious.bin', block_size=512)

# Identify profile
volatility -f memory.dmp imageinfo

# List processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist

# Dump process memory
volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/

# Extract files
volatility -f memory.dmp --profile=Win7SP1x64 filescan
volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/

# Install common forensics tools
sudo apt install binwalk foremost steghide exiftool

# Python tools
pip install pillow numpy scapy

# Specialized tools
# - StegSolve: https://github.com/zardus/ctf-tools (Java-based)
# - Audacity: https://www.audacityteam.org/ (audio analysis)
# - Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)