File format
file <file_name>
xxd <file_name>
hd <file_name>
hexedit <file_name>
hexeditor <file_name>

Readable content
strings <file_name>
grep "something" <file_name>
# search for a raw byte sequence given as hex
bgrep <hex_bytes> <file_name>

Metadata
exiftool <file_name>

Extract gif
# split an animated gif into one png per frame
ffmpeg -i file.gif -vsync 0 output/file%d.png

Steganography
# extract data embedded with steghide (prompts for the passphrase)
steghide extract -sf <file_name>
# brute-force the steghide passphrase with a wordlist
stegcracker <file_name> /usr/share/wordlists/rockyou.txt
# detect LSB steganography and other hidden data in png/bmp
zsteg <file_name>

Network capture
# protocol hierarchy statistics (overview of the capture)
tshark -z io,phs -r <file_name>
# export objects transferred over http into a folder (two-pass analysis)
tshark -r <file_name> --export-objects "http,<out_dir>" -2

Extract VBA macro
olevba <file_name>

Extract PDF images
pdfimages -all <file_name> img

Binary image analysis
# identify embedded files by their signatures
binwalk <file_name>
# extract the embedded files that were found
binwalk -e <file_name>
# carve files and artifacts (emails, urls, ...) into an output directory
bulk_extractor -o <output_dir> <file_name>
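An added example, not part of this cheat sheet: a small Python signature scanner that shows what `file` and `binwalk -e` do under the hood. It runs on a constructed sample (a fake JPEG with a real zip and a real gzip member appended after the image trailer), reports every embedded header with its offset, and carves the gzip member back out.

```python
import gzip
import io
import zipfile

# Magic numbers of common container formats, matched at any offset. Two-byte
# magics such as the PE "MZ" stub are left out on purpose: they match plain text.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"PK\x03\x04": "zip",
    b"\x1f\x8b\x08": "gzip",
    b"%PDF-": "pdf",
    b"\x7fELF": "elf",
}


def scan_signatures(data: bytes) -> list:
    """Return sorted (offset, type) pairs for every known magic number in data,
    the same signature walk `binwalk <file>` performs."""
    hits = []
    for magic, name in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Slice from offset to the end of the buffer, as `binwalk -e` does when it
    has no length field; the caller validates the slice with a real parser."""
    return data[offset:]


def extract_gzip(data: bytes, offset: int) -> bytes:
    """Carve the gzip member starting at offset and return its decompressed payload."""
    return gzip.decompress(carve(data, offset))


def build_sample() -> bytes:
    """Constructed sample: a fake JPEG (38 bytes) followed by a real zip and a
    real gzip member, the classic CTF 'archive hidden after a picture'."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "flag{constructed}")
    return jpeg + buf.getvalue() + gzip.compress(b"hidden", mtime=0)


if __name__ == "__main__":
    sample = build_sample()
    for offset, kind in scan_signatures(sample):
        print(f"0x{offset:06x}  {kind}")
    gz_offset = [o for o, k in scan_signatures(sample) if k == "gzip"][0]
    print(extract_gzip(sample, gz_offset))
```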
Memory forensics (Volatility 2 syntax)
# identify the OS profile of the image
volatility -f <file_name> imageinfo
# list processes
volatility -f <file_name> --profile=PROFILE pslist
# shellbags: directories last browsed in explorer
volatility -f <file_name> --profile=PROFILE shellbags
# network connections and listening sockets
volatility -f <file_name> --profile=PROFILE netscan
# cross-reference process listings to find hidden processes
volatility -f <file_name> --profile=PROFILE psxview
# find unlinked or injected DLLs by comparing the loader lists
volatility -f <file_name> --profile=PROFILE ldrmodules
# detect API hooks and unexpected patches in DLLs
volatility -f <file_name> --profile=PROFILE apihooks
# environment variables of one process (584 is an example pid)
volatility -f <file_name> --profile=PROFILE envars --pid=584
# find injected code and hidden DLLs
volatility -f <file_name> --profile=PROFILE malfind
# dump the addressable memory of a process to the current folder
volatility -f <file_name> --profile=PROFILE memdump --pid=584 -D .
# list the DLLs loaded by each process
volatility -f <file_name> --profile=PROFILE dlllist
# dump the DLLs of a process to the current folder
volatility -f <file_name> --profile=PROFILE dlldump --pid=584 -D .

Malware analysis
# browse the PE structure
pe-tree <file_name>
# identify the capabilities of an executable
capa <file_name>