Skip to content

Forensics & Steganography

Both of these are pretty similar atleast in CTF. Forensics is a really good field but can be very frustrating sometimes. These are the things I have learned till now about this field.

Everything that I've learned in the field of Forensics is from @UnblvR His knowledge in this field is God level and mostly I solve this category of challenges with him.

Initiation

These are the some tools/command you should always start with or atleast test for forensics challenge

Checking the strings in that image

>>> strings <file_name>

strings is a Linux command that gives you all the string present in the image. Most of the time you'll find the flag here in normal or base64 format. To make your work easy you can use it with grep

    >>> strings <file_name> | grep -i <string_to_be_searched>
The `-i` flag is for `ignoring the case(lower/upper)`

Check the Metadata

Always check the metadata of the file you are given(unless the file is of unknown type). Exiftool is basically the best tool for this job. Metadata can give you lots of things like maybe there's an author note or comment or base64 strings. Sometimes images/files can have location headers in metadata, so say you are asked to find the location of some bogus HQ, start with metadata and see if there are any longitude or latitude header in there if yes then that might be the location which you are looking for.

Things might not be that easy always but it's really helpful to check the metadata.

Extraction

Most of the time forensics challenges involve extracting files from an image or random data files. So here are the tricks/tools you can use to do so

Binwalk or foremost

Both of these tools are almost the same and they are used to extract hidden files(if any) in the image or any other file.

>>> binwalk -e <filename>
>>> foremost -i <filename>

You can use any of those commands and you'll get all the files that could be extracted.

If you are using binwalk then you'll notice that binwalk almost every time gives you some .zlib file which actually isn't useful most of the time but you still wanna grep that file with flag format

grep -i flag *

You can run that command in the recovered files directory just to be sure.

Steghide

I don't use this tool very often but sometimes the challenge is purely focused on this tool so I use it for simple extraction of a file. Sometimes using binwalk/foremost won't extract any file even if it's there because those files aren't hidden in a normal way. Steghide takes passphrase to extract the file, so if any challenge mention something about the passphrase or it hint's you in a way that steghide is involved then you'll need the passphrase.

 steghide extract -sf fixed.bmp

With the command mentioned above, you can extract files hidden inside.

Where to find the PassPhrase?

Well this can vary from the difficulty of the challenge like if it's an easy challenge then there will be some hint provided in the problem statement itself, say the you are given an image of guys sitting with laptops and the hint says what are they? then you can guess with words like geeks, hackers and stuff.

Other than that the passphrase could be present in the metadata of that file. For that, you might wanna use exiftool and check for something different maybe author's note or comment or maybe a base64 string present.

Also if the challenge is difficult then surely there would be other hints/statement provide. Sometimes there are challenges that have to be brute forced in that case you can use scripts like steg_brute or stegcracker or simple code like

for passphrase in $(cat $2); do
  response=$(steghide extract -sf $1 -p "$passphrase" 2>&1);
  if [[ ! $response == *"could not extract"* ]]; then
    printf "%s\n\n" "$response";
    exit
  fi
done

NOTE There is rarely any challenge that will ask you to brute force steghide, so instead of direct brute-forcing, it tries to figure out the password from whatever you are given.

StegoVeritas

I recently came to know about this tool(thanks to UnblvR) and started using this, mostly for LSB extraction and some time for normal file extraction. There can be a challenge which might be hiding stuff in LSB so you can simply use this script like

python stegoVeritas <filename>

This will generate a lot of images with all the different pixels in different shades and stuff. Also, it makes a folder name result which sometimes contains any kind of hidden file.

Zsteg

I don't use this tool anymore but this tool is worth a try. The problem with this tool is that it doesn't support jpeg and different type of extensions(only supports PNG). I used this tool for a while but now for LSB and stuff you can use StegoVeritas.

Audio analysis

This is a category of forensics challenges are the weird ones or at least that's how I feel ๐Ÿ˜„

For most of the audio file, you can use audacity or Sonic Visualiser.

Now there isn't anything fixed but most of the time challenge creator puts the flag in the spectrogram and for that, I have found Sonic visualizer more helpful then audacity, but that's just a personal preference you can get that in both(audacity or sonic). Just get the Spectogram and try to change the color or width of the spectrogram.

In many audio files, there would be some high pitch, in that case, you can try the audio morse decoder. Just upload the file and try to change the speed(only if you are sure that it's a morse code).

Data/Broken files

Now, this is the most difficult category of challenges. They are difficult because they are totally vague.

What kind of challenges are involved in this?

Well a file will be provided and if you try to check the type using file command you'll nothing like

file <filename>
>>> file: data

As you can see the file command doesn't show anything. Also, you won't be able to open the file in anything like when you double click the file system will ask you with which application you'll like to open the file.

How to tackle them?

Well, this is not as easy as using binwalk or string. I am also currently in the process of learning but I'll share what I know.

1) It could be as easy as using binwalk on it ๐Ÿ˜„

Sometime someone might have just hidden the stuff and that "stuff" could be extracted using binwalk or foremost or any other extraction tool. In that case, it would totally depend on what you get after extraction.

2) When the headers are messed up

As I said in the starting that even the file command may also fail, that's because file command looks for specific headers in the starting of the file and if those are recognized it reports the file type.

NOTE file command doesn't only looks for the header it also finds some other magic number at specific positions. You can read more: https://en.wikipedia.org/wiki/File_(command)

Now, this type can vary from very easy to difficult.

The easy ones could be checking the header with xxd or hexyl to find the header

>>> xxd -l8 <filename>

or

>>> hexyl -n8 <filename>

In both of the command, the number 8 gives the first 8 octets bytes of the file(the headers). If the headers are messed up you can look for similar kind of headers of wikipedia or filesignature.net and try fixing it.

Example:

Say we are given an image called hack.png using xxd

>>> xxd -l8 hack.png
45 65 4E 47 0D 0A 1A 0A

These aren't any valid headers but if you replace the 45 with 89 and replace the 65 with 50 i.e the headers become

89 50 4E 47 0D 0A 1A 0A

That would make it a valid PNG file and then you can see what's in it.

This same challenge could be made difficult by keeping the headers of a valid file and the other remaining content/data of different file type which can confuse you.

Example:

We are given a file which is of say .PNG extension. Using file command on it confirms that it's PNG but when we try to open the file in any viewer we can't see anything or the viewer gives an error like Cannot open the file etc That can be very confusing.

The real game could be that creator of the challenge took a ZIP file and replaced the header of that ZIP file with the headers of PNG so tools are reporting it as PNG. But the problem with these kinds of challenges is that they are totally based on how much experience you have with file and stuff. Because to solve these kinds of challenge you'll have to open the file in a hex editor(I use okteta on arch) and then try to recognize the file with the other bytes in the file. Then figure out which byte is messed up and fix that one.

Memory forensics

I just love these kinds of challenges, even though I am very bad at them but I really enjoy working on them.

What type of challenges are included in this category?

Basically you are provided with a memory dump of a hard drive and then you have to answer questions based on them.

I first came across this type of challenges in OtterCTF 2018 (read my writeups).

How to tackle them?

Volatility is your answer. It's a collection of a tool which basically helps you figure stuff out.

You can refer to the following resources for volatility usage:

1) PDF

2) SANS Cheatsheet

3) Command reference

4) aldeid examples

Most common type of questions that are asked :=

1) hostname and computer name of the user

For hostname - Read https://www.aldeid.com/wiki/Volatility/Retrieve-hostname For Password - Read https://www.aldeid.com/wiki/Volatility/Retrieve-password

You can also use mimkatz

volatility โ€Šโ€”โ€Šplugins=<path-to-mimkatz-file> โ€”โ€Šprofile=<profile-name> -f <memory dump> mimikatz

Sometime mimikatz doesn't give any output in that case you can just follow the first method.

2) Find the IP and port for computer:

Just run the netscan command and go through the output.

3) Find the content clipboard

Again use the simple `clipboard` command to get the content of the clipboard.

4) Finding out the malware

This is the real reason these kinds of challenges are made.
In real life scenario, people take memory dumps just to analyze for malware.

Finding malware could be confusing if you don't know what files stays in what place and what they do. For that kind of information, you can read:

1) https://www.sans.org/security-resources/posters/dfir-find-evil/35/download

2) https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download

Basically, you have to go through the pstree and see which process is the child to some weird parent process. Say there is a process named iexplorer.exe running but it has a child process named cmd.exe which is weird because if you think about it why would iexplorer run cmd for anything. So then you can start looking deeply into those process.

Also sometime you might have to extract out those files and try to run those malware(please do that in VM ๐Ÿ˜‰)


Another type memory forensics challenge I came across was in one CTF where we were given the memory dump along with a .dwarf & system.map file. If you see these files provided with the memory dump then it's the profile for that memory dump. Basically if you run volatility on that memory dump it won't be able to suggest the profile of that dump. That is where those other two files come in handy.

Step to use those files:

1) Zip .dwarf and system.map file together. 2) Put that zip file in a folder 3) Pass that folder to the --plugin argument in volatility.

Ex:

vol.py --plugins=/path/to/zip/containing/folder -f <memdump name> imageinfo

Note - It's important that you keep the zip file into a folder and pass that folder to the plugin argument

Nothing much can be said about this field because things are pretty fixed like you know the command are known and all it needs is patience to figure out stuff.

PCAP files

These ones are again some pretty vague and there isn't anything fixed here. Basically, you are provided with a PCAP file and that would have what you are looking for. Best way to analyze them is Wireshark. After opening you can see the protocols, if there are any HTTP or SMTP type then best is to export all the objects that could be exported and try looking into them. If it has some weird(not very common) protocol then it's just best to try analyzing the requests and find some pattern.

Sometime you'll have to trim all the PDUs with some specific size to actually get the correct PCAP sometime you'll have to see hidden stuff in the Stream.

Also you might be asked question like Ip of the attacker or Ip of the host or Which port was open etc for these kind of things you can use tshark like

โžœ tshark -r capture.pcap -z conv,tcp -q

This will give you a list of ports along with IP.

You can also use scapy to grab some data that might not be clear with wireshark or couldn't be extracted using wireshark. For example protocols like ICMP.

Another great tool for PCAP is ngrep

File System

These kind of challenges involve .img or similar files from which you are expected to extract content or deleted files and do the stuff. Most of these challenges are pretty straight forward(unless bytes of those files are messed up).

You can use testdisk or photorec. These tools extracts most of the files so you don't have to mount the image etc.But sometime(when size is large) you should mount the file and then analyse everything. Start looking from the /home and then follow the trail.

You can then focus on logs like auth.log that will tell you who has logged in and on what time. That can be then used to find files after that period of time.

โžœ find . -type f -newermt "Feb 17 00:06:04"

The above command find all the files that were changed on 17 Feb at 00:06:04

This is just the example, but point to keep in mind is that if the filesystem in big in size just mount it.

Sometime you might end up having an ecrypted file system which you have to decrypt first using a password. Now if some other info is given about the password use that but if you are expected to bruteforce that password then the best and maybe the only possible way is to dump the header of that file which will contain the hashes of the password and then use that dump with hashcat to crack it.

You can use dd command to dump the headers(you need offset for that).

Tools

Some other tools that can be used are:

1) https://29a.ch/photo-forensics/#forensic-magnifier

This can be used in the type of challenges in which an image is made of multiple layers and you have to look into that. Ex: [PicoCTF's Now you don't](https://github.com/mzfr/ctf-writeups/tree/master/picoCTF-2018/Forensics/now you don't )

2) SleuthKit

This is a very powerful tool but you must have some knowledge about file stuff like bytes etc.

3) crontab expression decoder

Basically there are some stars * and stuff in crontab file so that could be changed using this.