forensics_steganography
-----------========= Linux ========----------
Display the printable strings of a file, e.g. a binary or an image
strings <filename>
strings stegano.jpg
strings /dev/sdb
strings winfile.exe | grep -i pass
Select the character encoding with -e: s = 7-bit single-byte, b = 16-bit big-endian, l = 16-bit little-endian (e.g. UTF-16 strings in Windows binaries)
strings -e b <filename>
strings -e s <filename>
strings -e l <filename>
Scan a file for embedded files and signatures
binwalk <filename>
Extract files hidden with steghide from a carrier file (prompts for the passphrase)
steghide extract -sf <filename>
steghide extract -sf stegano.jpg
Hex dump (xxd):
xxd <filename>
xxd /dev/sdb
Grep something from a binary file (e.g. a flag or a fragment of a deleted file on a device)
-> grep a flag (32 lowercase alphanumerics) from a deleted file on device /dev/sdb
grep -a '[a-z0-9]\{32\}' /dev/sdb
Add lines before and after the matching line with -B<n> and -A<n> (e.g. to recover more of a deleted file from a device)
grep -B2 -A2 -a '[a-z0-9]\{32\}' /dev/sdb
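Added example (not part of the original notes): the grep search above, run against a constructed fake image instead of /dev/sdb. Besides the -B/-A line-context form from the notes, it shows the byte-offset form (grep -b) followed by a dd carve, which is the more reliable way to pull a fixed region out of raw data, since binary data has no meaningful "lines". The sample image, token and offsets are all made up here; only grep, dd, head and cut are assumed.

```shell
#!/bin/sh
# Locate a 32-character token in a raw image and carve bytes around it.
# The image is constructed below; nothing is read from a real device.

# Constructed sample image: binary noise, the remains of a deleted text
# file holding a token, more noise.
make_sample_image() {
  {
    printf 'PK\003\004\000\000\377\376'          # 8 bytes of header-like noise
    printf 'BEGIN user record\n'                 # 18 bytes
    printf 'token=0123456789abcdef0123456789abcdef\n'
    printf 'END user record\n'
    printf '\000\000\000\377\377'
  } > "$1"
}

# Byte offset of the first 32-char [a-z0-9] run in FILE.
# -a: treat binary as text, -o: print only the match, -b: prefix byte offset.
token_offset() {
  grep -abo '[a-z0-9]\{32\}' "$1" | head -n 1 | cut -d: -f1
}

# Copy COUNT bytes starting at byte OFFSET out of FILE (usage: carve_bytes FILE OFFSET COUNT).
carve_bytes() {
  dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null
}

# Line-context variant, exactly as on the cheat sheet: two lines before and after the hit.
token_with_context() {
  grep -a -B2 -A2 '[a-z0-9]\{32\}' "$1"
}

# Stand-alone demo
img=$(mktemp)
make_sample_image "$img"
off=$(token_offset "$img")
echo "token found at byte offset $off"
carve_bytes "$img" "$off" 32; echo
token_with_context "$img"
rm -f "$img"
```

On a real device the same two steps apply: `grep -abo` gives the offset, `dd if=/dev/sdb bs=1 skip=<offset> count=<n>` carves exactly the bytes you want, and larger regions are faster with `bs=512` plus a sector-aligned skip.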
======= Archives and compressed files
Cracking the password of a zip file:
Get the password hash and store it in a file
zip2john BHWS_Backup.zip > bhws.encr
Use john to crack the stored hash
john --wordlist=/usr/share/wordlists/rockyou.txt bhws.encr
Extract the files, providing the cracked password when prompted
7z x BHWS_Backup.zip
======= File metadata
Inspect the metadata of a file
exiftool Presentation.pdf
======= disk images
Show mounted local file systems and their usage
df -lh
Create disk images with dd:
dd
enhanced forensic version of dd:
dcfldd
dcfldd if=/dev/sdb1 of=/media/disk/test_image.dd
Create a gzipped disk image on a remote machine and stream it via ssh to the local computer:
ssh <user>@<host> "sudo dcfldd if=/dev/sdb | gzip -1 -" | dcfldd of=dev_sdb_output.dd.gz
Decompress the image
gunzip -d dev_sdb_output.dd.gz
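Added example (not part of the original notes): the dd | gzip -1 pipeline from the ssh command above, run locally against a constructed sample file that stands in for /dev/sdb, with the integrity check a forensic image needs: SHA-256 of the source before imaging, SHA-256 of the decompressed image afterwards, and a failure if they differ. Assumes dd, gzip and sha256sum are available; the sample content is invented.

```shell
#!/bin/sh
# Image a "device" into a gzip-compressed file and prove the image is
# bit-identical to the source by comparing SHA-256 hashes.

# Constructed sample device: 2048 lines of deterministic content.
make_sample_device() {
  i=0
  while [ "$i" -lt 2048 ]; do
    printf 'sector %05d: sample data for the imaging demo\n' "$i"
    i=$((i + 1))
  done > "$1"
}

# SHA-256 hex digest of a file.
sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# Image DEV into OUT.gz (dd | gzip -1, like the ssh pipeline), decompress it
# to OUT, and print the image hash only if it equals the source hash.
image_and_verify() {
  dev=$1; out=$2
  src_hash=$(sha256_of "$dev")
  dd if="$dev" bs=4096 2>/dev/null | gzip -1 > "$out.gz"
  gzip -t "$out.gz"                           # compressed stream is intact
  gunzip -c "$out.gz" > "$out"
  img_hash=$(sha256_of "$out")
  if [ "$src_hash" != "$img_hash" ]; then
    echo "hash mismatch: source $src_hash, image $img_hash" >&2
    return 1
  fi
  echo "$img_hash"
}

# Stand-alone demo
dev=$(mktemp); img=$(mktemp)
make_sample_device "$dev"
echo "source sha256: $(sha256_of "$dev")"
echo "image  sha256: $(image_and_verify "$dev" "$img")"
rm -f "$dev" "$img" "$img.gz"
```

Record both hashes in the case notes; on a real acquisition, dcfldd can compute the hash during the copy with its hash=sha256 and hashlog=<file> options, and the hash of the decompressed .dd on the analysis machine must match it before any further inspection.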
Inspect the image
binwalk dev_sdb_output.dd
Use -Me to extract the files found in the image (-e extract, -M recurse into extracted files)
binwalk -Me dev_sdb_output.dd
Inspect the image and extract single files or groups of files or recover deleted files (testdisk); carve files by signature (photorec)
testdisk dev_sdb_output.dd
photorec dev_sdb_output.dd
======= Decrypt a LUKS encrypted image
Get the payload offset:
sudo cryptsetup luksDump backup.img
Dump the header to a file, where count is the payload offset value (in 512-byte sectors):
dd if=backup.img of=luks-header bs=512 count=4097
Use the header file to crack the password with hashcat:
hashcat -m 14600 luks-header /opt/wordlist/rockyou.txt
Open the container (asks for the passphrase)
sudo cryptsetup luksOpen backup.img decrypted
Mount the mapped device
ls /dev/mapper
sudo mount /dev/mapper/decrypted /mnt
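Added example (not part of the original notes): before relying on a header dumped with the dd command above, it pays to check that the file really is a LUKS1 header and that the dd count matches its payload offset. This reads the same fields luksDump prints straight from the on-disk layout (magic "LUKS" 0xba 0xbe at byte 0, big-endian version at byte 6, payload offset in 512-byte sectors at byte 104). The header is constructed from scratch here, so no real volume is touched; od, dd and a shell with hex arithmetic are assumed. The layout is LUKS1 only: if luksDump reports Version: 2, the header is laid out differently and these offsets do not apply.

```shell
#!/bin/sh
# Sanity-check a LUKS1 header file: magic, version, payload offset, and
# the number of bytes the header plus key-slot area occupies.

# N zero bytes on stdout.
zero_pad() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# Constructed sample LUKS1 header (592 bytes): aes-xts-plain64 / sha256,
# payload offset 4096 sectors. Digest, salt, UUID and key slots are zeroed.
make_sample_luks1_header() {
  {
    printf 'LUKS\272\276'                 # magic (6 bytes)
    printf '\000\001'                     # version = 1 (uint16, big endian)
    printf 'aes';          zero_pad 29    # cipher name (32 bytes)
    printf 'xts-plain64';  zero_pad 21    # cipher mode (32 bytes)
    printf 'sha256';       zero_pad 26    # hash spec (32 bytes)
    printf '\000\000\020\000'             # payload offset = 4096 sectors (uint32, big endian)
    printf '\000\000\000\100'             # master key bytes = 64 (uint32, big endian)
    zero_pad 480                          # remaining fields, zeroed in this sample
  } > "$1"
}

# N bytes of FILE at OFFSET as a hex string (usage: hex_at FILE OFFSET N).
hex_at() { od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'; }

luks1_magic_ok()       { [ "$(hex_at "$1" 0 6)" = "4c554b53babe" ]; }
luks1_version()        { echo $((0x$(hex_at "$1" 6 2))); }
luks1_payload_offset() { echo $((0x$(hex_at "$1" 104 4))); }
# Bytes before the encrypted payload: header plus key slots.
luks1_header_bytes()   { echo $(( $(luks1_payload_offset "$1") * 512 )); }

# Stand-alone demo
hdr=$(mktemp)
make_sample_luks1_header "$hdr"
if luks1_magic_ok "$hdr"; then
  echo "LUKS version:   $(luks1_version "$hdr")"
  echo "payload offset: $(luks1_payload_offset "$hdr") sectors"
  echo "header region:  $(luks1_header_bytes "$hdr") bytes"
else
  echo "not a LUKS1 header" >&2
fi
rm -f "$hdr"
```

The payload offset is the dd count that captures the whole header region with bs=512; a dump shorter than header bytes is incomplete, and a file that fails the magic check was taken from the wrong offset or is not LUKS1.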