File investigation

Any file you find, be it during Digital forensics or during the red team activities, may have:

  • 🐟 Hidden content in a file
    • A file inside another file
    • A text inside an image
  • πŸ‘€ Username/Name of the one that created the file
  • 🍫 Information generated by the application that created the file
  • ...

This is why you should investigate any file you get your hands on.

➑️ For instance, if you notice a "big" image (usually >1 MB), you may want to check if this is really an image.



Any file has metadata, which is data that provides information on the file, such as the author, the creation date...

PDF metadata

You can use online tools, your PDF reader "details" menu, or pdfinfo.

$ sudo apt install poppler-utils
$ pdfinfo xxx.pdf
Author:         XXX
Creator:        Microsoft Word
CreationDate:   Sun Aug 28 22:12:17 2022 EDT
ModDate:        Sun Aug 28 22:12:17 2022 EDT
PDF version:    1.7

Image metadata

agentsudoctf exif_metadata

You can use exiftool, jimpl, IMV... Also, do a reverse image search 🧡.

$ sudo apt install libimage-exiftool-perl
$ exiftool xxx.png
File Modification Date/Time     : 2022:10:22 18:01:32-04:00
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Software                        :


agentsudoctf c4ptur3th3fl4g chillhack

Steganography is a technique in which a person hides data inside the pixels of an image. It's used to secretly transfer data.

If the hidden content is not protected by a password, you can extract it using the steghide command or zsteg/stegoveritas for PNGs:

$ steghide info file        # check
$ steghide extract -sf file # extract
$ zsteg file                # refer to the help
$ stegoveritas file         # refer to the help

⚠️ If prompted for a password, try a blank password.

πŸ’Ž It's possible that when using the strings command we see some interesting parts of the hidden content.

Otherwise, you may try to brute force the password using tools such as stegseek (0.8k ⭐) or StegCracker (0.5k ⭐, 2020 πŸͺ¦).

$ stegseek file wordlist
$ stegcracker file wordlist

Additional tools πŸ‘»

File steganography

agentsudoctf exif_thumbnail

File steganography is a subcategory of steganography in which a file is hidden in another file. Using binwalk (10.0k ⭐) you can investigate:

$ binwalk file.png
# from xxx to yyy: PNG
# from zzz to ttt: ZIP

And you can extract files using -e

$ binwalk -e file.png

If the image is a thumbnail, you could also use:

$ exiftool -b -ThumbnailImage file.jpg > extracted.jpg

You can alternatively use dd to extract a file:

# extract the size by skipping the 34562 bytes
$ dd bs=34562 skip=1 if=file.png
$ ls

πŸ‘‰ If there was a ZIP inside the PNG, and you can't unzip it, try with 7z x or use dd to extract the file.

Audio files

c4ptur3th3fl4g wav_spectral_analysis


You can use Audacity to analyze audio files.

$ sudo apt install audacity
$ audacity file.wav

Click on the filename, and select "spectrogram." If the text is not readable, you will have to zoom. You can either or both:

  • Reduce the frequency interval, by clicking on the filename again, selecting "spectrogram settings", and setting the min/max frequency (the current scale is shown at the start of the track window)

  • Increase the height of the track window


You can also use sonic-visualiser (0.4k ⭐):

$ sudo apt install sonic-visualiser
$ sonic-visualiser file.wav

Right-click on the track and in "Layers," select "Spectrogram." Use your mouse to zoom in.


Additional Notes



An image similar to a GIF that contains images and delays between each. It loads the next image after the delay.

$ sudo apt-get install apngdis
$ apngdis image.apng
$ cat *.txt | cut -d '=' -f2 | cut -d '/' -f1 | xargs | tr ' ' ','

πŸ‘» To-do πŸ‘»

Stuff that I found, but never read/used yet.

  • Stegosploit
  • reverse search