File investigation

Any file you find, whether during digital forensics or during red team activities, may contain:

  • 🐟 Hidden content in a file
    • A file inside another file
    • A text inside an image
  • 👀 Username/Name of the one that created the file
  • 🍫 Information generated by the application that created the file
  • ...

This is why you should investigate any file you get your hands on.

➑️ For instance, if you notice a "big" image (usually >1 MB), you may want to check if this is really an image.


Metadata

introdigitalforensics

Any file has metadata, which is data that provides information on the file, such as the author, the creation date...

See also: Get-FileMetaData.ps1 on Windows (👻).


PDF metadata

You can use online tools, your PDF reader "details" menu, or pdfinfo.

$ sudo apt install poppler-utils
$ pdfinfo xxx.pdf
Author:         XXX
Creator:        Microsoft Word
CreationDate:   Sun Aug 28 22:12:17 2022 EDT
ModDate:        Sun Aug 28 22:12:17 2022 EDT
[...]
PDF version:    1.7

Image metadata

adventofcyber2 agentsudoctf ctfcollectionvol1 exif_metadata

You can use exiftool, jimpl, IMV, exif.regex...

$ sudo apt install libimage-exiftool-perl
$ exiftool xxx.png
[...]
File Modification Date/Time     : 2022:10:22 18:01:32-04:00
[...]
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
[...]
Software                        : www.inkscape.org
[...]

Also try to perform a reverse image search 🧡.


Steganography

Steganography is a technique in which data is hidden inside the pixels of an image, so that it can be transferred without being noticed.

Extract Data From An Image

agentsudoctf c4ptur3th3fl4g chillhack ctfcollectionvol1 lianyu easypeasyctf brooklynninenine blog kitty_spy

If the hidden content is not protected by a password, you can extract it using the steghide command (JPEG, BMP, WAV, AU) or zsteg/stegoveritas for PNGs:

$ steghide info file.jpg        # check
$ steghide extract -sf file.jpg # extract
$ export PATH=$(ruby -e 'print Gem.user_dir')/bin:$PATH
$ gem install zsteg --user-install
$ zsteg file.png                # refer to the help
$ pipx install git+https://github.com/bannsec/stegoVeritas
$ stegoveritas_install_deps
$ stegoveritas file.png

⚠️ If prompted for a password, try a blank password.

Otherwise, you may try to brute force the password using tools such as stegseek (0.9k ⭐) or StegCracker (0.5k ⭐, 2020 🪦).

$ stegseek file wordlist
$ stegcracker file wordlist

💎 The strings command may also reveal interesting parts of the hidden content.

Extract Files Nested In Other Files

agentsudoctf ctfcollectionvol1 exif_thumbnail kitty_spy

Using binwalk (10.1k ⭐) you can investigate nested files:

$ binwalk file.png              # list the signatures found and their offsets
# from xxx to yyy: PNG
# from zzz to ttt: ZIP
$ binwalk -e file.png           # extract the known file types
$ binwalk --dd='.*' file.png    # extract every detected signature

You can alternatively use dd:

# extract the file by skipping the zzz first bytes
$ dd bs=zzz skip=1 if=file.png of=file.zip
<output is file.zip>

If the image has an embedded EXIF thumbnail, you can extract it with:

$ exiftool -b -ThumbnailImage file.jpg > extracted.jpg
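As an added example (not part of the original notes), the script below does by hand for a PNG what the binwalk and dd steps above do: it walks the chunk list to the IEND chunk, measures any bytes appended after it (the "big image" check from the introduction), and matches those bytes against a short table of file signatures. The sample image and the signature table are constructed for this example.

```python
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Constructed signature table for this example; extend it as needed.
SIGNATURES = {b"PK\x03\x04": "ZIP", b"%PDF-": "PDF", b"\x1f\x8b\x08": "GZIP",
              b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7Z",
              PNG_MAGIC: "PNG", b"\xff\xd8\xff": "JPEG"}

def png_end_offset(data):
    """Walk the PNG chunk list; return the offset just past IEND (ValueError if malformed)."""
    if not data.startswith(PNG_MAGIC):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # length + type + data + crc
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk")

def find_signatures(data, start=0):
    """Return sorted [(offset, type)] for every known magic found at or after start."""
    hits = []
    for magic, name in SIGNATURES.items():
        idx = data.find(magic, start)
        while idx != -1:
            hits.append((idx, name))
            idx = data.find(magic, idx + 1)
    return sorted(hits)

def inspect_png(data):
    """Report the bytes after IEND (what `dd bs=<png_end> skip=1` would carve) and their signatures."""
    end = png_end_offset(data)
    return {"png_end": end, "trailing_bytes": len(data) - end,
            "embedded": find_signatures(data, end), "trailer": data[end:]}

def _chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

# Constructed sample: a 1x1 PNG with a fake ZIP local-file header appended.
PNG_PART = (PNG_MAGIC + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
            + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b""))
TRAILER = b"PK\x03\x04\x14\x00" + b"\x00" * 24 + b"secret.txt"
SAMPLE = PNG_PART + TRAILER
```

A clean PNG reports zero trailing bytes; any non-zero count is worth a closer look even when no signature matches, since the appended data may be encrypted or compressed.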

Additional Steganography Tools

ctfcollectionvol1


Audio files

c4ptur3th3fl4g wav_spectral_analysis

Audacity

You can use Audacity to analyze audio files.

$ sudo apt install audacity
$ audacity file.wav

Click on the filename and select "Spectrogram". If the text is not readable, you will have to zoom, using either or both of the following:

  • Reduce the frequency interval, by clicking on the filename again, selecting "spectrogram settings", and setting the min/max frequency (the current scale is shown at the start of the track window)

  • Increase the height of the track window

sonic-visualiser

You can also use sonic-visualiser (0.4k ⭐):

$ sudo apt install sonic-visualiser
$ sonic-visualiser file.wav

Right-click on the track and in "Layers," select "Spectrogram." Use your mouse to zoom in.

Others


Additional Notes

APNG - PNG GIF

apng_just_a_png

An APNG is an animated PNG: like a GIF, it contains a sequence of images and the delay between each frame, and displays the next image once the delay has elapsed.

$ sudo apt-get install apngdis
$ apngdis image.apng
$ cat *.txt | cut -d '=' -f2 | cut -d '/' -f1 | xargs | tr ' ' ','   # list each frame's delay numerator, comma-separated

Piet Graphical language

nax

A niche esoteric language: the program is stored as an image.

$ DEST="$HOME/tools/repiet"    
$ git clone -b "master" https://github.com/boothby/repiet $DEST
$ cd $DEST && wget "https://raw.githubusercontent.com/QuentinRa/blog.quentinra.dev/master/cybersecurity/purple-team/files/_files/repiet.patch" && git apply repiet.patch && cd -
$ pipx install $DEST
$ repiet image --codel_size <identified_by_zsteg> # and execute the code

👻 To-do 👻

Stuff that I found, but never read/used yet.

  • Stegosploit
  • reverse search
  • zcat xxx | cpio -idmv (or gunzip -c xxx | cpio -idmv)
  • pngcheck img.png
  • peepdf