Forensics 101: Basic Approach to File Analysis

in technology •  7 years ago 

What is Forensics?

Forensics is the science encompassing the recovery and investigation of a data file. In the case of CTFs (WTF is CTF?), Forensics usually refers to the process of finding hidden pieces of information (called Flags) out of static data files. This may be done through file format identification, file analysis, memory dump analysis, and even network packet analysis.

File Format Identification

The first thing anyone should do before doing an in-depth analysis of the file is to determine what kind of file it is. Just because a file has a *.jpg extension does not necessarily mean you can open the file through any image viewer. The easiest way to do this is by using the Linux "file" command.


Normally when you see a file with a *.jpg extension, you would immediately assume the file is an image. However, as seen above, this is not the case. The file is simply a .txt file masquerading as an image file. In CTFs, this is usually done to prevent users from opening the file directly to get the flag. An easy fix for this is to simply change the extension to the correct one.

Files-within-a-file

The next thing anyone should do is to check for hidden files within the file. The best tools for this are Binwalk and Foremost, two of the most popular data carvers around. Data carving refers to the identification and extraction of file types using file signatures (the magic bytes at the start of each format).

Binwalk Example:

As seen above, aside from the "jpeg" file, which is what we see when we open the file, a hidden "png" file seems to be in it as well. Binwalk is mainly used to look for files embedded in a file. It also has the capability to extract all embedded files or only a specific file type.

Initial Analysis

Depending on your purpose this may vary, but most people usually start by skimming the entire file. What exactly does that mean?

Take this picture as an example, taken from one of the problems from CTFLearn.

At first glance, it looks just like an ordinary picture. But what exactly is in there that makes this picture a challenge? Since this is a CTF problem, let's try to find the flag. (You all probably know what a flag means by now.)

Assuming we already did the first two steps and didn't find anything strange, the next step is the analysis. What I usually do is skim the entire file to look for the flag. To do this we need Hacker's View, or simply Hiew. Hiew is a popular console hex editor for Windows with the ability to view files as text, hex and disassembly.

Since this is a relatively easy Forensics challenge, a little scrolling and paging down here and there will eventually lead you to the flag. The general idea of the initial analysis is to give an idea of what the file does. A simple search of all plain-text strings achieves this, and we don't need to squint our eyes just to spot readable text :) To do this we have at least two options.

Using the "strings" command:

Using Bintext:
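The three checks described above (the magic-byte lookup that `file` does, the signature scan that Binwalk does, and the printable-text dump that `strings` and BinText do) boiled down to a few lines of Python, as an added example that is not from the original post. The signature table is a small constructed subset, and both sample files are constructed here to mirror the post's screenshots: a "jpg" that is really text, and a JPEG with a PNG and a flag buried inside it.

```python
import re

# Magic-byte signatures keyed to the type they identify (constructed subset for this demo).
SIGNATURES = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
}

def identify(data: bytes) -> str:
    """What `file` does: trust the leading bytes, never the extension."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    # No known signature: call printable content text, as `file` would.
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "ascii text"
    return "data"

def carve(data: bytes) -> list[tuple[int, str]]:
    """What Binwalk's scan does: every signature hit with its byte offset."""
    hits = []
    for magic, kind in SIGNATURES.items():
        start = 0
        while (pos := data.find(magic, start)) != -1:
            hits.append((pos, kind))
            start = pos + 1
    return sorted(hits)

def strings(data: bytes, min_len: int = 4) -> list[str]:
    """What `strings` does: runs of printable ASCII at least min_len long."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed sample: a "photo.jpg" whose content is really plain text.
FAKE_JPG = b"flag{this_is_just_a_text_file}\n"

# Constructed sample: JPEG header, then a PNG signature and a flag hidden mid-file.
JPEG_WITH_PNG = (
    b"\xff\xd8\xff\xe0" + b"\x00" * 20
    + b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x01" * 13
    + b"ctf{hidden_in_plain_sight}" + b"\xff\xd9"
)

if __name__ == "__main__":
    print(identify(FAKE_JPG))       # ascii text
    print(identify(JPEG_WITH_PNG))  # jpeg
    print(carve(JPEG_WITH_PNG))     # [(0, 'jpeg'), (24, 'png')]
    print(strings(JPEG_WITH_PNG))   # ['IHDR', 'ctf{hidden_in_plain_sight}']
```

Real `file` and Binwalk carry far larger signature databases and parse headers to find each embedded file's length; this only shows where the signatures land.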


Thanks! Really good approach. I've seen many forensics tutorials that are EnCase or FTK tutorials and you actually don't learn what's happening behind the scenes.
Good work!

Thanks! :)

Good job. Thanks.
