0-Forensics.md

File metadata and controls

177 lines (119 loc) · 3.21 KB

Forensics

File analysis

File format

# identify the format from its magic bytes, then look at the raw bytes
file <file_name>
xxd <file_name>
hd <file_name>
# interactive hex editors
hexedit <file_name>
hexeditor <file_name>

Tools:

Readable content

# printable ASCII runs (add -el for UTF-16LE strings, common in Windows binaries)
strings <file_name>
grep "something" <file_name>
# search for a hex byte pattern rather than text
bgrep "<hex_bytes>" <file_name>
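Added example (Python, not part of the original cheat sheet): a minimal equivalent of `strings`, `strings -el` and `grep` run over a constructed byte blob. It shows why a separate UTF-16LE pass matters: plain `strings` sees a Windows path stored as UTF-16 as isolated single printable bytes and drops it. The blob, offsets and strings are all constructed for the example.

```python
import re

# Constructed sample blob (not a real file): an ELF-looking header, an ASCII
# string, a UTF-16LE path as found in Windows binaries, and short noise that
# should not be reported with the default minimum length of 4.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"flag{hidden_in_plain_sight}" + b"\xff\x00\x10"
    + "C:\\Users\\victim\\secret.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 5 + b"abc"
)


def ascii_strings(data: bytes, min_len: int = 4):
    """Offsets and contents of printable-ASCII runs, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data: bytes, min_len: int = 4):
    """Offsets and contents of UTF-16LE runs, like `strings -el`.

    Each character is a printable ASCII byte followed by a NUL byte, so the
    ASCII pass above never sees a run longer than one character here.
    """
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def grep_strings(data: bytes, needle: str, min_len: int = 4):
    """`strings | grep` over both encodings, sorted by file offset."""
    hits = ascii_strings(data, min_len) + utf16le_strings(data, min_len)
    return sorted((off, s) for off, s in hits if needle in s)


if __name__ == "__main__":
    for off, s in grep_strings(SAMPLE, "secret"):
        print(f"0x{off:08x}: {s}")
```

Offsets are kept with every hit because the next step is usually `xxd -s <offset>` to see what surrounds the string.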

Image analysis

Metadata

exiftool <file_name>

Extract GIF frames (one PNG per frame into output/)

ffmpeg -i file.gif -vsync 0 output/file%d.png

Tools:

Steganography

# extract with a known (or empty) passphrase; JPEG, BMP, WAV, AU
steghide extract -sf <file_name>
# brute-force the steghide passphrase with a wordlist
stegcracker <file_name> /usr/share/wordlists/rockyou.txt
# PNG/BMP: LSB and other bit-plane payloads, plus data after the image end
zsteg <file_name>
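Added example (Python, not from the original page or from zsteg): a small PNG chunk walker that does three of the checks a steganography triage starts with: validate every chunk CRC (a wrong CRC is a strong hint of manual editing), pull out `tEXt` metadata, and report bytes appended after `IEND`, which viewers ignore. It also extracts the least significant bit of each pixel, the `b1,lsb` channel zsteg tries first. The PNG is constructed inline (16x1 greyscale, pixel LSBs spell "Hi"); real images need the other filter types and colour types handled before the LSB pass.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample() -> bytes:
    """Constructed 16x1 8-bit greyscale PNG (not a real file).

    Pixel LSBs spell "Hi", a tEXt chunk carries a comment, and bytes are
    appended after IEND.
    """
    secret_bits = [int(b) for b in "0100100001101001"]  # "H" = 0x48, "i" = 0x69
    pixels = bytes(0xA0 | bit for bit in secret_bits)   # light grey, LSB = secret
    ihdr = struct.pack(">IIBBBBB", 16, 1, 8, 0, 0, 0, 0)  # w, h, depth, colour type 0
    png = (PNG_SIG
           + _chunk(b"IHDR", ihdr)
           + _chunk(b"tEXt", b"Comment\x00flag{metadata}")
           + _chunk(b"IDAT", zlib.compress(b"\x00" + pixels))  # filter 0 + scanline
           + _chunk(b"IEND", b""))
    return png + b"PK\x03\x04 trailing bytes after IEND"


def walk_png(data: bytes) -> dict:
    """Chunks with CRC validity, tEXt pairs, concatenated IDAT, IHDR, trailing data."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos, chunks, text, idat, ihdr = 8, [], {}, b"", b""
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):  # truncated file or lying length field
            chunks.append((ctype.decode("ascii", "replace"), length, False))
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii", "replace"), length, ok))
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            text[key.decode("latin-1")] = value.decode("latin-1")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IHDR":
            ihdr = body
        pos = end
        if ctype == b"IEND":
            break
    return {"chunks": chunks, "text": text, "idat": idat, "ihdr": ihdr,
            "trailing": data[pos:]}


def lsb_extract(data: bytes) -> bytes:
    """Pack the LSB of every pixel byte into bytes (the b1,lsb channel).

    Only 8-bit greyscale with filter type 0 on each scanline is handled here.
    """
    info = walk_png(data)
    width, height, depth, colour = struct.unpack(">IIBB", info["ihdr"][:10])
    if depth != 8 or colour != 0:
        raise ValueError("example handles 8-bit greyscale only")
    raw = zlib.decompress(info["idat"])
    bits = []
    for row in range(height):
        line = raw[row * (width + 1):(row + 1) * (width + 1)]
        if line[0] != 0:
            raise ValueError("only filter type 0 handled")
        bits.extend(b & 1 for b in line[1:])
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        out.append(int("".join(str(b) for b in bits[i:i + 8]), 2))
    return bytes(out)


SAMPLE_PNG = build_sample()

if __name__ == "__main__":
    info = walk_png(SAMPLE_PNG)
    print(info["chunks"], info["text"], info["trailing"], lsb_extract(SAMPLE_PNG))
```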

Tools:

Network analysis

# overview: protocol hierarchy statistics (-q suppresses per-packet output)
tshark -q -z io,phs -r <file_name>
# export HTTP objects into the directory "object"; -2 runs a second pass so reassembled bodies are exported
tshark -r <file_name> --export-objects "http,object" -2
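Added example (Python, not from the original page and not tshark code): a classic-pcap reader that builds the same protocol hierarchy `tshark -z io,phs` prints and pulls HTTP request lines out of TCP payloads. The capture is constructed inline from RFC 5737 test addresses (IP checksums are left at zero, which a real dissector would flag); pcapng and non-Ethernet link types are rejected rather than guessed.

```python
import socket
import struct
from collections import Counter

# --- builders for the constructed capture (not real traffic) ---

def ether(payload: bytes, ethertype: int = 0x0800) -> bytes:
    return (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
            + struct.pack("!H", ethertype) + payload)


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload  # header checksum deliberately 0 in this sample


def tcp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload


def udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def pcap(frames) -> bytes:
    """Little-endian classic pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


SAMPLE_PCAP = pcap([
    ether(ipv4("192.0.2.10", "198.51.100.7", 6,
               tcp(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"))),
    ether(ipv4("198.51.100.7", "192.0.2.10", 6, tcp(80, 40000, b"HTTP/1.1 200 OK\r\n\r\nhello"))),
    ether(ipv4("192.0.2.10", "192.0.2.1", 17, udp(5353, 53, b"\x00" * 12))),
    ether(b"\x00\x01\x08\x00\x06\x04\x00\x01" + b"\x00" * 20, ethertype=0x0806),  # ARP
])

# --- reader side ---

def pcap_records(data: bytes):
    """Yield (ts_sec, frame) from a classic pcap, honouring the file's byte order."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond variants not handled)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type handled")
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield ts_sec, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def protocol_hierarchy(data: bytes):
    """Frames per protocol path (like io,phs) plus (src, dst, request line) for HTTP."""
    counts, requests = Counter(), []
    for _ts, frame in pcap_records(data):
        layers = ["eth"]
        (ethertype,) = struct.unpack("!H", frame[12:14])
        if ethertype == 0x0806:
            layers.append("arp")
        elif ethertype == 0x0800:
            layers.append("ip")
            ihl = (frame[14] & 0x0F) * 4
            proto = frame[14 + 9]
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
            l4 = frame[14 + ihl:]
            if proto == 6:
                layers.append("tcp")
                payload = l4[(l4[12] >> 4) * 4:]  # skip TCP header incl. options
                if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/"):
                    layers.append("http")
                if payload.startswith(HTTP_METHODS):
                    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
                    requests.append((src, dst, line))
            elif proto == 17:
                layers.append("udp")
        for depth in range(1, len(layers) + 1):  # count every prefix of the path
            counts[":".join(layers[:depth])] += 1
    return counts, requests
```

The HTTP classification here is a payload-prefix heuristic, not port based, so a service on a non-standard port still shows up; tshark applies the same idea through its heuristic dissectors.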

Tools:

Office file

Extract VBA macros (olevba also flags suspicious keywords and IOCs)

olevba <file_name>

Extract PDF images

pdfimages -all <file_name> img

Audio file

Tools:

File System analysis

Binary image analysis

# list embedded file signatures with their offsets
binwalk <file_name>
# carve them out into _<file_name>.extracted/
binwalk -e <file_name>
# carve e-mail addresses, URLs, archives and other artefacts into <output_dir>
bulk_extractor -o <output_dir> <file_name>
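Added example (Python, not from the original page or from binwalk): the two halves of what `binwalk` and `binwalk -e` do, signature scanning at every offset and then bounding and carving the hit. The "firmware" blob is constructed inline (an ELF-like header, a gzip member, padding, a zip archive). The interesting part is how each carve finds its end: the gzip member is bounded by the deflate stream itself (`unused_data` after the trailer), the zip by its end-of-central-directory record, and formats without a cheap length (ELF, PNG, PDF) are reported but not carved.

```python
import gzip
import io
import struct
import zipfile
import zlib

# Magic bytes checked at every offset (a small subset of binwalk's database).
# Two-byte magics such as "MZ" are left out on purpose: they match far too
# often in random data.
SIGNATURES = [
    (b"\x7fELF", "elf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b\x08", "gzip"),
    (b"PK\x03\x04", "zip"),
]


def _build_parts():
    """Constructed parts of the sample blob (not a real firmware image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", b"flag{carved_from_firmware}")
    gz = gzip.compress(b"config: admin:password123\n", mtime=0)
    return b"\x7fELF" + b"\x00" * 60, gz, buf.getvalue()


HEADER, GZ_BLOB, ZIP_BLOB = _build_parts()
SAMPLE_BLOB = HEADER + GZ_BLOB + b"\xff" * 32 + ZIP_BLOB


def scan(data: bytes):
    """Every (offset, kind) where a known magic occurs, like `binwalk <file>`."""
    hits = []
    for magic, kind in SIGNATURES:
        start = 0
        while (off := data.find(magic, start)) != -1:
            hits.append((off, kind))
            start = off + 1
    return sorted(hits)


def carve(data: bytes, off: int, kind: str):
    """(raw bytes of the embedded file, parsed content), or None if unbounded."""
    if kind == "gzip":
        d = zlib.decompressobj(wbits=31)  # 31: gzip wrapper, header + CRC/ISIZE trailer
        body = d.decompress(data[off:])
        if not d.eof:  # truncated member: the trailer was never reached
            return None
        end = len(data) - len(d.unused_data)  # bytes after the member are "unused"
        return data[off:end], body
    if kind == "zip":
        eocd = data.find(b"PK\x05\x06", off)  # end-of-central-directory record
        if eocd == -1:
            return None
        (comment_len,) = struct.unpack("<H", data[eocd + 20:eocd + 22])
        blob = data[off:eocd + 22 + comment_len]
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return blob, {name: zf.read(name) for name in zf.namelist()}
    return None  # elf/png/pdf: length needs format-specific parsing, report only


def carve_all(data: bytes):
    """Scan then carve: [(offset, kind, carved length or None)]."""
    results = []
    for off, kind in scan(data):
        carved = carve(data, off, kind)
        results.append((off, kind, None if carved is None else len(carved[0])))
    return results


if __name__ == "__main__":
    for off, kind, size in carve_all(SAMPLE_BLOB):
        print(f"0x{off:06x} {kind:5} {size}")
```

Bounding by parsing, rather than "until the next signature", is what keeps a carve from swallowing the padding and the archive that follow the gzip member here.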

Tools:

Windows event analysis

Tools:

Memory dump analysis

# identify the OS and suggested profile of the image (Volatility 2 syntax)
volatility -f <file_name> imageinfo
# process list from the kernel's linked list
volatility -f <file_name> --profile=PROFILE pslist
# ShellBags: folders the user browsed in Explorer
volatility -f <file_name> --profile=PROFILE shellbags
# network connections and listening sockets (Vista and later; use connscan/sockets on XP)
volatility -f <file_name> --profile=PROFILE netscan
# cross-reference process listings to spot hidden (unlinked) processes
volatility -f <file_name> --profile=PROFILE psxview
# compare the PEB module lists with the VAD to find unlinked or injected DLLs
volatility -f <file_name> --profile=PROFILE ldrmodules
# detect inline and IAT/EAT hooks in process and kernel memory
volatility -f <file_name> --profile=PROFILE apihooks
# environment variables of one process (PID 584 used as an example)
volatility -f <file_name> --profile=PROFILE envars --pid=584
# find injected or hidden code (private executable memory regions)
volatility -f <file_name> --profile=PROFILE malfind
# dump the addressable memory of a process to the current folder
volatility -f <file_name> --profile=PROFILE memdump --pid=584 -D .
# list the DLLs loaded by each process
volatility -f <file_name> --profile=PROFILE dlllist
# dump the DLLs of a process to the current folder
volatility -f <file_name> --profile=PROFILE dlldump --pid=584 -D .

PE Headers analysis

# browse headers, sections and imports interactively
pe-tree <file_name>
# identify capabilities (e.g. anti-debugging, networking) from code patterns
capa <file_name>

Tools: