File investigation

Any file you find, whether during digital forensics or during red team activities, may contain:

  • 🐟 Hidden content in a file
    • A file inside another file
    • A text inside an image
  • 👤 Username/name of whoever created the file
  • 🍫 Information generated by the application that created the file
  • ...

This is why you should investigate any file you get your hands on.

➡️ For instance, if you notice a "big" image (usually >1 MB), you may want to check if this is really an image.


Metadata

introdigitalforensics

Any file has metadata, which is data that provides information on the file, such as the author, the creation date...

PDF metadata

You can use online tools, your PDF reader "details" menu, or pdfinfo.

$ sudo apt install poppler-utils
$ pdfinfo xxx.pdf
Author:         XXX
Creator:        Microsoft Word
CreationDate:   Sun Aug 28 22:12:17 2022 EDT
ModDate:        Sun Aug 28 22:12:17 2022 EDT
[...]
PDF version:    1.7

Image metadata

agentsudoctf exif_metadata

You can use exiftool, jimpl, IMV... Also, do a reverse image search 🧡.

$ sudo apt install libimage-exiftool-perl
$ exiftool xxx.png
[...]
File Modification Date/Time     : 2022:10:22 18:01:32-04:00
[...]
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
[...]
Software                        : www.inkscape.org
[...]

Steganography

agentsudoctf c4ptur3th3fl4g chillhack

Steganography is a technique for hiding data inside another medium, typically inside the pixels of an image, so that it can be transferred without drawing attention.

If the hidden content is not protected by a password, you can extract it using the steghide command or zsteg/stegoveritas for PNGs:

$ steghide info file        # check
$ steghide extract -sf file # extract
$ zsteg file                # refer to the help
$ stegoveritas file         # refer to the help

⚠️ If prompted for a password, try a blank password.

💎 It's possible that when using the strings command we see some interesting parts of the hidden content.

Otherwise, you may try to brute-force the password using tools such as stegseek (0.8k ⭐) or StegCracker (0.5k ⭐, 2020 🪦).

# https://github.com/RickdeJager/stegseek
$ stegseek file wordlist
$ stegcracker file wordlist

Additional tools 👻


File steganography

agentsudoctf exif_thumbnail

File steganography is a subcategory of steganography in which a file is hidden inside another file. You can investigate a file with binwalk (10.0k ⭐):

$ binwalk file.png
# from xxx to yyy: PNG
# from zzz to ttt: ZIP

And you can extract files using -e

$ binwalk -e file.png

If the image is a thumbnail, you could also use:

$ exiftool -b -ThumbnailImage file.jpg > extracted.jpg

You can alternatively use dd to extract a file:

# skip the first 34562 bytes (the size of the PNG part) and write the rest to file.zip
$ dd bs=34562 skip=1 if=file.png of=file.zip
$ ls
file.png file.zip

👉 If there was a ZIP inside the PNG, and you can't unzip it, try with 7z x xxx.zip or use dd to extract the file.
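As an added example (not part of these notes and not binwalk's own code), the carving that binwalk's listing and the dd command above perform, done by hand in Python: locate known magic bytes, find where the PNG ends (its IEND chunk), and cut out the ZIP appended after it. The sample PNG and ZIP are constructed in the script.

```python
import io
import struct
import zipfile
import zlib
from typing import List, Optional, Tuple

# Magic bytes of the two formats discussed above.
SIGNATURES = {b"\x89PNG\r\n\x1a\n": "PNG", b"PK\x03\x04": "ZIP"}
# IEND chunk type followed by its fixed CRC: the last 8 bytes of any valid PNG.
PNG_END = b"IEND\xae\x42\x60\x82"

def scan_signatures(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, type) for every known signature found, like binwalk's listing."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)

def png_end_offset(data: bytes, start: int) -> int:
    """Offset just past the IEND chunk, i.e. where any appended data begins."""
    end = data.find(PNG_END, start)
    return end + len(PNG_END) if end != -1 else len(data)

def carve_appended_zip(data: bytes) -> Optional[bytes]:
    """Equivalent of `dd bs=<png size> skip=1`: bytes after the PNG, if they start a ZIP."""
    hits = scan_signatures(data)
    if not hits or hits[0] != (0, "PNG"):
        return None
    tail = data[png_end_offset(data, 0):]
    return tail if tail.startswith(b"PK\x03\x04") else None

def carved_zip_names(data: bytes) -> List[str]:
    """File names inside the carved ZIP, or [] when nothing could be carved."""
    carved = carve_appended_zip(data)
    return [] if carved is None else zipfile.ZipFile(io.BytesIO(carved)).namelist()

def build_sample() -> bytes:
    """Constructed sample: a minimal 1x1 grayscale PNG with a ZIP appended after IEND."""
    def chunk(kind: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", zlib.crc32(kind + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit, colour type 0
    png = b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flag.txt", "constructed sample payload\n")
    return png + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample()
    for off, kind in scan_signatures(sample):
        print(f"offset {off}: {kind}")  # same information as binwalk's "from xxx: PNG / ZIP"
    print(carved_zip_names(sample))
```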


Audio files

c4ptur3th3fl4g wav_spectral_analysis

Audacity

You can use Audacity to analyze audio files.

$ sudo apt install audacity
$ audacity file.wav

Click on the filename and select "spectrogram." If the text is not readable, you will have to zoom. You can do either or both of the following:

  • Reduce the frequency interval, by clicking on the filename again, selecting "spectrogram settings", and setting the min/max frequency (the current scale is shown at the start of the track window)

  • Increase the height of the track window

sonic-visualiser

You can also use sonic-visualiser (0.4k ⭐):

$ sudo apt install sonic-visualiser
$ sonic-visualiser file.wav

Right-click on the track and in "Layers," select "Spectrogram." Use your mouse to zoom in.

Others


Additional Notes

APNG - PNG GIF

apng_just_a_png

An animated PNG: similar to a GIF, it contains a sequence of frames and a delay between each. The next frame is displayed after the delay.

$ sudo apt-get install apngdis
$ apngdis image.apng
# apngdis writes one .txt per frame containing "delay=num/den"; collect the numerators as a comma-separated list
$ cat *.txt | cut -d '=' -f2 | cut -d '/' -f1 | xargs | tr ' ' ','

👻 To-do 👻

Stuff that I found but have never read/used yet.

  • Stegosploit
  • reverse search