Forensics Analysis Skill
Quick Workflow
Progress:
- Identify file type (file, xxd)
- Check metadata (exiftool)
- Search strings for flag
- Check for embedded data (binwalk)
- Try steganography tools
- Extract hidden content
Step 1: Quick Analysis
```bash
file suspicious_file
exiftool suspicious_file
strings suspicious_file | grep -iE "flag|ctf|secret|key"
binwalk suspicious_file
```
Step 2: Identify Challenge Type
| File Type | Approach | Reference |
|---|---|---|
| Image (PNG/JPG) | Steganography | reference/steganography.md |
| Memory dump | Volatility | reference/memory.md |
| Unknown/corrupted | File analysis | reference/file-analysis.md |
| PCAP | Network analysis | Use the networking skill |
Image Stego - Quick Start
Try AperiSolve first (online)
https://www.aperisolve.com/
PNG
```bash
zsteg image.png      # default LSB/bit-plane checks
zsteg -a image.png   # try all known methods
```
JPEG
```bash
steghide extract -sf image.jpg      # prompts for a passphrase; try an empty one first
stegseek image.jpg rockyou.txt      # brute-force the steghide passphrase with a wordlist
```
Full techniques: reference/steganography.md
Memory Dump - Quick Start
Volatility 3
```bash
vol -f memory.dmp windows.info                      # confirm OS/profile detection
vol -f memory.dmp windows.pslist                    # running processes
vol -f memory.dmp windows.filescan | grep -i flag   # note the virtual offset; windows.dumpfiles --virtaddr <offset> extracts the file
```
Full techniques: reference/memory.md
File Carving - Quick Start
```bash
binwalk -e suspicious_file                 # Extract embedded files
foremost -i suspicious_file -o output/     # Carve files by header/footer signatures
```
Fix corrupted header
```bash
xxd suspicious_file | head -10   # Check magic bytes against the expected signature
```
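The quick-analysis pass (Step 1) and the carving/header-repair steps above are all byte-level checks, so they can be scripted without the external tools. The following is an added example written for this page, not code from the skill or from file/strings/binwalk: it identifies a file from its magic bytes, greps printable strings for flag-like text, scans for signatures embedded at non-zero offsets, walks PNG chunks and verifies their CRCs, and rewrites a damaged PNG signature when the IHDR chunk that must follow it is present. The signature table and the sample file are constructed for the example; stdlib only.

```python
"""Offline triage helpers: magic-byte identification, flag-string search,
embedded-signature scan, PNG chunk walk and PNG header repair.
Example code added to this page; stdlib only."""
import re
import struct
import zlib

# Common CTF file signatures (magic bytes -> type name). Constructed list.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"%PDF-", "pdf"),
    (b"\x7fELF", "elf"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
]
PNG_SIG = b"\x89PNG\r\n\x1a\n"
FLAG_RE = re.compile(rb"flag|ctf|secret|key", re.IGNORECASE)


def identify(data: bytes) -> str:
    """Type whose signature sits at offset 0 (what `file` reports), or 'unknown'."""
    for sig, name in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def find_flags(data: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings file | grep -iE 'flag|ctf|secret|key'`."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs if FLAG_RE.search(r)]


def scan_embedded(data: bytes) -> list:
    """(offset, type) for every known signature anywhere in the file:
    a minimal binwalk-style signature scan, without extraction."""
    hits = []
    for sig, name in MAGIC:
        start = 0
        while (pos := data.find(sig, start)) != -1:
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def png_chunks(data: bytes) -> list:
    """Walk PNG chunks from offset 8; return (type, length, crc_ok) per chunk so a
    tampered chunk or a length that overruns the file stands out."""
    chunks, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        crc_ok = (len(body) == length and len(crc_bytes) == 4
                  and struct.unpack(">I", crc_bytes)[0] == zlib.crc32(ctype + body))
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        if ctype == b"IEND" or len(crc_bytes) < 4:
            break
        pos += 12 + length
    return chunks


def repair_png_header(data: bytes) -> bytes:
    """If an IHDR chunk sits at offset 12 (where every PNG must have it) but the
    8-byte signature is damaged, write the correct signature back; otherwise
    return the data unchanged. This is the fix for what `xxd | head` reveals."""
    if data[12:16] == b"IHDR" and data[:8] != PNG_SIG:
        return PNG_SIG + data[8:]
    return data


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


# Constructed sample: a valid 1x1 grayscale PNG followed by trailing data that a
# scan should surface (a zip signature and a flag string). Not a real challenge file.
SAMPLE_PNG = (PNG_SIG
              + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + _chunk(b"IEND", b""))
SAMPLE_FILE = SAMPLE_PNG + b"PK\x03\x04" + b"junk flag{constructed_example} junk"
# Same file with the first two signature bytes zeroed: the broken-header case.
CORRUPT_FILE = b"\x00\x00" + SAMPLE_FILE[2:]

if __name__ == "__main__":
    print("type before repair:", identify(CORRUPT_FILE))
    fixed = repair_png_header(CORRUPT_FILE)
    print("type after repair: ", identify(fixed))
    print("chunks:", png_chunks(fixed))
    print("embedded signatures:", scan_embedded(fixed))
    print("flag-like strings:", find_flags(fixed))
```

The repair deliberately keys on the IHDR chunk rather than guessing from the file extension: a challenge file with a wrong extension but an intact chunk layout is still repaired, while a non-PNG is left alone. Run it against a real file by replacing `CORRUPT_FILE` with `open(path, "rb").read()`.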
Full techniques: reference/file-analysis.md
Online Tools
| Tool | URL | Purpose |
|---|---|---|
| AperiSolve | aperisolve.com | All-in-one stego |
| StegOnline | stegonline.georgeom.net | Image analysis |
| CyberChef | gchq.github.io/CyberChef | Data transform |
Reference Files
- Steganography (reference/steganography.md): Image/audio stego, LSB, AperiSolve
- Memory (reference/memory.md): Volatility 2/3, process analysis
- File Analysis (reference/file-analysis.md): Magic bytes, binwalk, password cracking