General tools
- strings
- (!) Uses UTF‑8 per default to detect “printable” characters. When analyzing a system / file from a different language, you may also need to run strings with another encoding to detect strings in that language as well.
- ltrace ./bin.elf
- Maybe as well: strace ./bin.elf
- If you see that a binary is called without a path: Create a file with this name in the current directory…
- radare2 / r2 (See below)
- binwalk nineveh.png
- Extract parts from a file with binwalk -Me nineveh.png
- steghide
- Check if a file contains other info: steghide info file
- Extract files: steghide extract -sf file
- oledump
- Use oledump.py to extract macros. List the file contents with python oledump.py $file
- See the section below in this article.
- CyberChef
- Various transformations / analyses of data
- scDBG
- Assume you have a Windows binary payload and you don’t know the language. Try to store the binary payload into a file and let scDBG analyse it.
- shellcode2exe.py
- You can also try to create an EXE file out of a binary dump with shellcode2exe.py to disassemble it in IDA, Immunity, etc.
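The strings item above makes the point that a scan in one encoding misses text stored in another. As an added example (not part of the original post, and not the strings tool itself), this Python script scans a blob for printable runs in ASCII, UTF-8 and both UTF-16 byte orders, so that a Windows path stored as UTF-16LE or a Cyrillic phrase stored as UTF-8 shows up next to the plain ASCII hits. The sample bytes are constructed for the example.

```python
from typing import Dict, List

MIN_LEN = 4  # minimum run length, the same default the strings tool uses


def printable_runs(text: str, min_len: int = MIN_LEN) -> List[str]:
    """Return runs of at least min_len printable characters in decoded text.

    U+FFFD is what a decoder emits for bytes that are invalid in the chosen
    encoding; it is excluded so that undecodable bytes terminate a run.
    """
    runs, current = [], []
    for ch in text:
        if ch.isprintable() and ch != "\ufffd":
            current.append(ch)
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> Dict[str, List[str]]:
    """Scan data in several encodings; the result maps encoding name -> strings found."""
    found: Dict[str, List[str]] = {}
    # Plain 7-bit ASCII: what a default strings run reports.
    found["ascii"] = printable_runs(data.decode("ascii", errors="replace"), min_len)
    # UTF-8: keep only runs containing a non-ASCII character, i.e. what the ASCII
    # pass missed (Cyrillic, CJK, umlauts, ...).
    found["utf-8"] = [
        run for run in printable_runs(data.decode("utf-8", errors="replace"), min_len)
        if any(ord(c) > 0x7F for c in run)
    ]
    # UTF-16 (Windows binaries, registry hives, many documents): a 2-byte code unit
    # can start at an even or an odd offset, so decode at both alignments. Expect
    # false positives here: arbitrary byte pairs often decode to printable CJK
    # symbols, which is why a larger min_len is useful on big binaries.
    for enc in ("utf-16-le", "utf-16-be"):
        runs: List[str] = []
        for align in (0, 1):
            runs.extend(printable_runs(data[align:].decode(enc, errors="replace"), min_len))
        found[enc] = runs
    return found


# Constructed sample blob: a fake header, an ASCII API name, a UTF-8 Cyrillic phrase
# and a UTF-16LE Windows path, separated by NUL bytes as in a real binary.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"GetProcAddress" + b"\x00\x00"
    + "Пароль администратора".encode("utf-8") + b"\x00\x00"
    + "C:\\Users\\alice\\report.docx".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03\x04"
)

if __name__ == "__main__":
    for encoding, strings in extract_strings(SAMPLE).items():
        print(f"[{encoding}]")
        for s in strings:
            print("   ", s)
```

On the sample, the ASCII pass finds only the API name, the UTF-8 pass adds the Cyrillic phrase, and the UTF-16LE pass (odd alignment) recovers the full path that the ASCII pass sees only as single letters.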
Imaging tools
dd, of course.
Note that it makes sense to set the proper block size (sometimes 4k, but most hard drives use 512), so that, when an error occurs, the exact sector is shown, which can afterwards be skipped.
dd if=/dev/sda of=/external/file.md5 bs=512
ewfacquire
sudo ewfacquire /dev/sda
Advantages:
- Uses compression
- Stores only the used blocks, not the whole 1TB hard drive when only 4GB are in use
- Splits the image into chunks which are easier to handle
- Calculates checksums
- Enables a virtual file mount for direct (read-only) access in Linux
aff4 advanced forensic framework
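To make the block-size remark concrete, here is an added example (not from the original post, and not a replacement for dd or ewfacquire) in Python: a sector-by-sector copier that behaves like dd with bs=512 and conv=noerror,sync. A failed read is reported by sector number, zero-filled so that every later byte keeps its original offset, and the image is hashed while it is written so the hash can be compared with an independent hash later. The failing drive is a constructed stand-in; FileSource shows how the same loop reads a real device.

```python
import hashlib
import io
import os
from typing import BinaryIO, List, Protocol, Set, Tuple

SECTOR = 512  # most drives still report 512-byte logical sectors; 4096 for 4Kn drives


class SectorSource(Protocol):
    def sector_count(self) -> int: ...
    def read_sector(self, n: int) -> bytes: ...


class FileSource:
    """A real source: a file or block device opened read-only, e.g. /dev/sda (needs root)."""

    def __init__(self, path: str) -> None:
        self.fh = open(path, "rb", buffering=0)
        self.size = self.fh.seek(0, os.SEEK_END)

    def sector_count(self) -> int:
        return (self.size + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        self.fh.seek(n * SECTOR)
        return self.fh.read(SECTOR)  # raises OSError (EIO) on an unreadable sector


class UnreadableSectors:
    """Constructed stand-in for a failing drive: serves bytes from memory and raises
    the same OSError a bad sector would produce for the sector numbers in `bad`."""

    def __init__(self, data: bytes, bad: Set[int]) -> None:
        self.data, self.bad = data, bad

    def sector_count(self) -> int:
        return (len(self.data) + SECTOR - 1) // SECTOR

    def read_sector(self, n: int) -> bytes:
        if n in self.bad:
            raise OSError(5, "Input/output error")  # errno 5 == EIO
        return self.data[n * SECTOR:(n + 1) * SECTOR]


def image_device(src: SectorSource, out: BinaryIO) -> Tuple[str, List[int]]:
    """Copy src to out one sector at a time.

    Like dd with conv=noerror,sync: a sector that cannot be read is recorded by
    number, replaced by zeros (so later data keeps its offset) and the copy goes on.
    Returns the SHA-256 of the written image and the list of unreadable sectors.
    """
    digest = hashlib.sha256()
    bad_sectors: List[int] = []
    for n in range(src.sector_count()):
        try:
            chunk = src.read_sector(n)
        except OSError:
            bad_sectors.append(n)
            chunk = b""
        chunk = chunk.ljust(SECTOR, b"\x00")  # pad a short or failed read to a full sector
        out.write(chunk)
        digest.update(chunk)
    return digest.hexdigest(), bad_sectors


def sha256_of(data: bytes) -> str:
    """Independent hash of a finished image, to compare with the value recorded on imaging."""
    return hashlib.sha256(data).hexdigest()


# Constructed "disk": 8 sectors of deterministic bytes, with sector 3 unreadable.
SAMPLE_DISK = bytes(range(256)) * 16  # 4096 bytes == 8 sectors
BAD_SECTORS = {3}


def image_sample() -> Tuple[bytes, str, List[int]]:
    out = io.BytesIO()
    image_hash, bad = image_device(UnreadableSectors(SAMPLE_DISK, BAD_SECTORS), out)
    return out.getvalue(), image_hash, bad


if __name__ == "__main__":
    image, image_hash, bad = image_sample()
    print(f"image size {len(image)} bytes, sha256 {image_hash}")
    print("unreadable sectors (zero-filled):", bad)
```

Because the bad sector is reported by number, it can be retried in isolation later (the dd equivalent is skip= and seek= with conv=notrunc on the same offset) without re-reading the rest of the drive.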
Image analysis
If you have an image in one or multiple files: Check the content: mmls -B win*
Get meta information: ewfinfo win*
File system information: fsstat -o 2048 file.E01
Load the image: ewfacquire win*
Show all entries from the file system table: ils -o 2048 -em image.E01
Show all files from the file system table (without the r flag, it shows only the root directory, including the special NTFS files):
- Only root: fls -o 2048 -p image.E01
- Recursive from root: fls -o 2048 -pr image.E01
- Only a subdirectory (fls shows a number in the second column; here it is 60 for the Program Files directory): fls -o 2048 -pr image.E01 60
Explanation of an output: r/r 103399-128-4 ...
Here, 103399 is the entry in the file table, 4 is the data stream.
Show attributes of a file (file 103399 of the file table, see above): istat -o 2048 image.E01 103399
Show the content of a data stream:
- Show text on the console: icat -o 2048 image.E01 103399-128-9
- Write out a data stream into a file: icat -o 2048 image.E01 103399-128-4 | dd of=/tmp/file.doc
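The fls/istat/icat commands above all work with the entry-stream identifier that fls prints (103399-128-4). As an added example (not from the original post, and not part of the Sleuthkit), the following Python parses fls -p output into that identifier, filters by extension (the grep step used later in the article) and flags MFT entries that carry more than one $DATA stream, i.e. an alternate data stream. The listing is constructed; the meaning of 128 as the NTFS $DATA attribute type comes from the NTFS attribute numbering.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# fls prints one entry per line:
#   <dir type>/<meta type> [* ]<entry>[-<attr type>-<attr id>]:<TAB><name>
# '*' marks a deleted entry. For NTFS, 128 is the $DATA attribute type and the last
# number the attribute id; together they select one data stream of the MFT entry.
FLS_LINE = re.compile(
    r"^(?P<dtype>[a-z-])/(?P<mtype>[a-z-])\s+"
    r"(?P<deleted>\*\s+)?"
    r"(?P<inode>\d+)(?:-(?P<attr_type>\d+)-(?P<attr_id>\d+))?:\s+(?P<name>.*)$"
)


@dataclass
class FlsEntry:
    meta_type: str             # 'r' regular file, 'd' directory
    inode: int                 # entry number in the file (MFT) table, e.g. 103399
    attr_type: Optional[int]   # NTFS attribute type; 128 == $DATA
    attr_id: Optional[int]     # attribute id, selects the data stream
    name: str                  # path as shown by fls -p; an ADS appears as name:stream
    deleted: bool

    @property
    def stream_id(self) -> str:
        """The argument istat/icat expect, e.g. '103399-128-4'."""
        if self.attr_type is None:
            return str(self.inode)
        return f"{self.inode}-{self.attr_type}-{self.attr_id}"


def parse_fls(output: str) -> List[FlsEntry]:
    entries: List[FlsEntry] = []
    for line in output.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue  # blank line or stray text mixed into the listing
        entries.append(FlsEntry(
            meta_type=m["mtype"],
            inode=int(m["inode"]),
            attr_type=int(m["attr_type"]) if m["attr_type"] else None,
            attr_id=int(m["attr_id"]) if m["attr_id"] else None,
            name=m["name"],
            deleted=m["deleted"] is not None,
        ))
    return entries


def files_with_extension(entries: List[FlsEntry], ext: str) -> List[FlsEntry]:
    """Like piping the listing through grep -F .docx, but exact on the extension."""
    return [e for e in entries if e.meta_type == "r" and e.name.lower().endswith(ext.lower())]


def alternate_data_streams(entries: List[FlsEntry]) -> Dict[int, List[FlsEntry]]:
    """MFT entries that carry more than one $DATA stream, i.e. have an ADS."""
    by_inode: Dict[int, List[FlsEntry]] = {}
    for e in entries:
        if e.attr_type == 128:
            by_inode.setdefault(e.inode, []).append(e)
    return {inode: streams for inode, streams in by_inode.items() if len(streams) > 1}


# Constructed sample of `fls -o 2048 -pr image.E01` output (not a real listing).
SAMPLE_FLS = (
    "d/d 60-144-1:\tProgram Files\n"
    "d/d 5-144-5:\tUsers\n"
    "r/r 103399-128-4:\tUsers/alice/Documents/report.docx\n"
    "r/r 103399-128-9:\tUsers/alice/Documents/report.docx:Zone.Identifier\n"
    "r/r * 103401-128-1:\tUsers/alice/Documents/old_notes.txt\n"
)

if __name__ == "__main__":
    entries = parse_fls(SAMPLE_FLS)
    for e in files_with_extension(entries, ".docx"):
        print(f"icat -o 2048 image.E01 {e.stream_id}   # {e.name}")
    for inode, streams in alternate_data_streams(entries).items():
        print(f"MFT entry {inode} has {len(streams)} data streams: {[s.name for s in streams]}")
```

The stream_id property produces exactly the argument the istat and icat lines above take, so the parsed list can drive a batch export of every matching stream.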
Timestamps
- Modification
- Access
- Change
- Birth
Get real timestamps from alternative data streams:

Note to the previous image: The file dates from the alternative DOS file stream are normally never changed after the initial access! Therefore, if there are different dates in this entry, this is probably the “correct” original date. But be aware that there are some pitfalls; e.g. files can retain the modified date, but if they are moved, the created date could be later. Also, files which are extracted from an archive or a synchronization software could have “strange” timestamp combinations.
Search for specific files: ils -o 2048 -em win.E01 | grep -F .docx
Create a timeline of files:
- Create a list of timestamps:
- If you have an image: fls -o 2048 -rm '' win.E01 > /tmp/timestamps
- If you have only shell access (caution: this changes the access time, which is not good from a forensic standpoint, but acceptable if this is not important or there is no other way): find / -printf "|%p|%i|%M|%U|%G|%s|%A@|%T@|%C@|-1\n" > /tmp/timestamps
- Create a timeline: mactime -b /tmp/timestamps -d -h > /tmp/timeline.txt
Other notes:
- Scan large file listings for interesting files, e.g. .vbs files or mimikatz file names.
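Both timestamp lists above (from fls -m and from the find -printf command) are in the Sleuthkit body format that mactime reads. As an added example (not from the original post, and not mactime itself), the following Python parses body-format lines, expands every file into MACB events the way mactime does, sorts them into a timeline, and pulls out the file names the note above says are worth a second look in a large listing. The body lines are constructed; the field order comes from the body format (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple

# Body format, one line per file:
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# Timestamps are epoch seconds; -1 (or 0) means "not recorded" on this file system.


@dataclass
class BodyEntry:
    name: str
    inode: int
    mode: str
    uid: int
    gid: int
    size: int
    atime: int
    mtime: int
    ctime: int
    crtime: int


def _epoch(field: str) -> int:
    # find's %A@ prints fractions ("1741000000.5"); truncate like mactime does.
    return int(float(field))


def parse_body(text: str) -> List[BodyEntry]:
    entries: List[BodyEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError(f"not a body-format line: {line!r}")
        entries.append(BodyEntry(
            name=f[1], inode=int(f[2]), mode=f[3], uid=int(f[4]), gid=int(f[5]),
            size=int(f[6]), atime=_epoch(f[7]), mtime=_epoch(f[8]),
            ctime=_epoch(f[9]), crtime=_epoch(f[10]),
        ))
    return entries


Event = Tuple[int, str, str]  # (epoch seconds, MACB flags, name)


def build_timeline(entries: List[BodyEntry]) -> List[Event]:
    """Expand each file into one event per distinct timestamp, sorted by time.

    Flags follow mactime: m(odified) a(ccessed) c(hanged) b(irth), with '.' where that
    timestamp differs. A file whose four times are equal yields a single 'macb' event;
    a file read later yields e.g. 'm.cb' plus '.a..'.
    """
    events: List[Event] = []
    for e in entries:
        stamps = {}
        for letter, ts in (("m", e.mtime), ("a", e.atime), ("c", e.ctime), ("b", e.crtime)):
            if ts > 0:  # skip -1 / 0 = unknown
                stamps.setdefault(ts, set()).add(letter)
        for ts, letters in stamps.items():
            flags = "".join(ch if ch in letters else "." for ch in "macb")
            events.append((ts, flags, e.name))
    events.sort(key=lambda ev: (ev[0], ev[2]))
    return events


def render(events: List[Event], tz=timezone.utc) -> List[str]:
    """Human-readable lines like mactime -d output, in the given time zone."""
    return [f"{datetime.fromtimestamp(ts, tz):%Y-%m-%d %H:%M:%S} {flags} {name}"
            for ts, flags, name in events]


def suspicious_entries(events: List[Event], suffixes=(".vbs", ".ps1", ".hta"),
                       substrings=("mimikatz",)) -> List[Event]:
    """Pick the entries worth a second look out of a large listing."""
    hits = []
    for ev in events:
        name = ev[2].lower()
        if name.endswith(suffixes) or any(s in name for s in substrings):
            hits.append(ev)
    return hits


# Constructed body-format lines (not real evidence): a file touched twice, a document
# read after it was written, and a script whose four timestamps coincide.
SAMPLE_BODY = """\
0|/Users/alice/Documents/old_notes.txt|103401|r/rrwxrwxrwx|0|0|512|1740000000|1740000000|1740000500|-1
0|/Users/alice/Documents/report.docx|103399|r/rrwxrwxrwx|0|0|20480|1741000000.5|1740990000|1740990000|1740990000
0|/Users/alice/Downloads/invoice.vbs|103402|r/rrwxrwxrwx|0|0|1337|1741003600|1741003600|1741003600|1741003600
"""

if __name__ == "__main__":
    timeline = build_timeline(parse_body(SAMPLE_BODY))
    print("\n".join(render(timeline)))
    print("review:", [ev[2] for ev in suspicious_entries(timeline)])
```

A file whose timestamps are all identical (one 'macb' event) is typical of a file created in place and never touched again, which is exactly the pattern the alternate-data-stream note above tells you to compare against the $STANDARD_INFORMATION dates.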
File carving
If you are looking for a specific file type or you don’t know the file system type of an image, you can try to find files within an image. File carving tools use magic bytes, known patterns etc. to extract files from an image.
Tools:
- tsk_recover (Sleuthkit)
- foremost
- photorec/testdisk
- bulk_extractor
- scalpel
Radare2
Disassembler. Start it with radare2 or r2 and the binary as argument.
First, analyse the binary:
aaa
Show all functions:
afl
Go to visualization mode:
vvv
Go to an address:
g 0x...
vvv
General links
Tools for file formats
- DOC
- DOCs are zipped files. Rename the file to ZIP and extract it.
- ZIP
- zipdump.py can analyse ZIP content and also show hidden parts.
- Use also zipinfo and zipdetails.
- JPEG
- jpegdump can analyse the parts of JPEG files
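The DOC and ZIP items above (the document is a ZIP container; zipdump.py shows the hidden parts) can be illustrated with a small inspector. This is an added example, not the page's tool and not zipdump.py: it lists the members the central directory declares, reports whether a vbaProject.bin macro part is present, and measures data that sits before the first local header or after the end-of-central-directory record, which a normal unzip never shows. The sample document and its appended trailer are constructed; the container layout (EOCD record with a 2-byte comment length at offset 20, vbaProject.bin as the VBA part) follows the ZIP and Office Open XML specifications.

```python
import io
import struct
import zipfile
from typing import List, Tuple

LOCAL_SIG = b"PK\x03\x04"  # local file header
EOCD_SIG = b"PK\x05\x06"   # end of central directory record
EOCD_LEN = 22              # fixed part; a variable-length comment may follow


def list_members(data: bytes) -> List[Tuple[str, int, int]]:
    """(name, uncompressed size, compressed size) for every member in the central directory."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [(i.filename, i.file_size, i.compress_size) for i in z.infolist()]


def macro_parts(data: bytes) -> List[str]:
    """Office Open XML keeps VBA in a vbaProject.bin part; its presence is the macro indicator."""
    return [name for name, _, _ in list_members(data) if name.lower().endswith("vbaproject.bin")]


def leading_bytes(data: bytes) -> int:
    """Bytes before the first local header (a stub, or another file type in a polyglot)."""
    pos = data.find(LOCAL_SIG)
    if pos < 0:
        raise ValueError("no local file header: not a ZIP container")
    return pos


def trailing_bytes(data: bytes) -> int:
    """Bytes appended after the end-of-central-directory record.

    Readers stop at the EOCD, so anything after it is invisible to a normal unzip
    yet still travels with the file; zipdump-style tools report it.
    """
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP container")
    comment_len = struct.unpack_from("<H", data, pos + 20)[0]
    return len(data) - (pos + EOCD_LEN + comment_len)


TRAILER = b"constructed bytes hidden after the EOCD record"


def build_sample_docx() -> bytes:
    """Constructed minimal document: the parts a DOCX carries, a macro part, appended data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        # OLE2 magic followed by a dummy body; a real part is a full OLE compound file
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue() + TRAILER


def inspect(data: bytes) -> List[str]:
    """Summary lines for a report."""
    lines = [f"{name}  {size} bytes ({csize} compressed)" for name, size, csize in list_members(data)]
    lines.append(f"macro parts: {macro_parts(data) or 'none'}")
    lines.append(f"leading bytes: {leading_bytes(data)}, trailing bytes: {trailing_bytes(data)}")
    return lines


if __name__ == "__main__":
    print("\n".join(inspect(build_sample_docx())))
```

Trailing data is also the reason to compare the size of the central directory's last entry plus the EOCD with the file size before trusting a rename-to-ZIP extraction: the extracted members can be entirely benign while the interesting bytes never left the container.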
HPA Host Protected Area
(From the March 2025 Incident Response workshop.)
- A part of a hard disk / storage device which is only visible after a SATA command.
- This is used for rescue partitions.
- During normal operation, the data stored there is not accessible.
DCO Disc Configuration Overlay
(From the March 2025 Incident Response workshop.)
- A “wrapper” which disc manufacturers sometimes use to change the characteristics of a hard drive.
- For example, a manufacturer uses slightly different disc sizes internally, but the hard drive should have the same capacity. So the manufacturer can set the size via DCO. For every OS, this is the “physical” size. However, the drive could store some more data which can only be accessed if the DCO is changed.
Notes
- An attacker could mark a region of a disk as defective (e.g. in NTFS). Then he could write data into this area with low-level tools and hide data there without a user ever finding it.
- NTFS uses a file entry table which uses 980/1000 bytes for a file entry. Normally, a file is referenced from this file entry. But if the file is very small, the data of the file may be stored directly within the file entry.
- See MS Office documents for OLE analysis