{"id":1132,"date":"2020-04-04T21:47:38","date_gmt":"2020-04-04T19:47:38","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1132"},"modified":"2025-03-20T12:57:49","modified_gmt":"2025-03-20T11:57:49","slug":"file-forensic","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1132","title":{"rendered":"Analyzing data \/ forensic"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">General tools<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>strings\n<ul class=\"wp-block-list\">\n<li>(!) Uses <span class=\"caps\">UTF<\/span>\u20118 per default to detect \u201cprint\u00adable\u201d char\u00adac\u00adters When ana\u00adlyz\u00ading a sys\u00adtem \/ file from a dif\u00adfer\u00adent lan\u00adguage, you may also need to per\u00adform strings with anoth\u00ader encod\u00ading to detect also strings in anoth\u00ader language.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>l<\/strong>trace .\/bin.elf\n<ul class=\"wp-block-list\">\n<li>Maybe as well <code>strace .\/bin.elf<\/code><\/li>\n\n\n\n<li>If you see that a bina\u00adry is called with\u00adout path: Cre\u00adate a file with this name in the cur\u00adrent directory\u2026<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>radare2 \/ r2 (See&nbsp;below)<\/li>\n\n\n\n<li>bin\u00adwalk nineveh.png\n<ul class=\"wp-block-list\">\n<li>Extract parts from a file with <code>binwalk -Me nineveh.png<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>steghide\n<ul class=\"wp-block-list\">\n<li>Check if a file con\u00adtains oth\u00ader infos: <code>steghide info file<\/code><\/li>\n\n\n\n<li>Extract files: <code>steghide extract -sf file<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>ole\u00addump\n<ul class=\"wp-block-list\">\n<li>Use <a href=\"https:\/\/github.com\/DidierStevens\/DidierStevensSuite\/blob\/master\/oledump.py\">oledump.py<\/a> to extract macros. List the file con\u00adtents with <code>python oledump.py $file<\/code><\/li>\n\n\n\n<li>See the sec\u00adtion below in this article.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><a href=\"https:\/\/gchq.github.io\/CyberChef\/\">CyberChef<\/a>\n<ul class=\"wp-block-list\">\n<li>Var\u00adi\u00adous trans\u00adfor\u00adma\u00adtion \/ ana\u00adlyza\u00adtion of&nbsp;data<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>scD\u00adBG\n<ul class=\"wp-block-list\">\n<li>Assume you have a Win\u00addows bina\u00adry pay\u00adload and you don\u2019t know the lan\u00adguage. Try to store the bina\u00adry pay\u00adload into a file and let <a href=\"http:\/\/sandsprite.com\/blogs\/index.php?uid=7&amp;pid=152\">scD\u00adBG<\/a> analyse it.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>shellcode2exe.py\n<ul class=\"wp-block-list\">\n<li>You can also try to cre\u00adate an <span class=\"caps\">EXE<\/span> file out of a bina\u00adry dump with <a href=\"https:\/\/github.com\/MarioVilas\/shellcode_tools\/blob\/master\/shellcode2exe.py\">shellcode2exe.py<\/a> to dis\u00adsem\u00adble it in <span class=\"caps\">IDA<\/span>, Immuity, etc.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Imaging tools<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">dd, of course.<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Note that it makes sense to set the prop\u00ader block size (some\u00adtimes 4k, but most hard dri\u00adves are using 512), so that, when an error occued, the exact sec\u00adtor is shown which can after\u00adwards be skipped.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">dd if=\/dev\/sda of=\/external\/file.md5 bs=512<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">ewfacquire<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">sudo ewfac\u00adquire \/dev\/sda<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Advan\u00adtages:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Uses com\u00adpres\u00adsion<\/li>\n\n\n\n<li>Stored only used blocks \/ not the whole hard dri\u00adve of <span class=\"caps\">1TB<\/span>, when only <span class=\"caps\">4GB<\/span> are&nbsp;used<\/li>\n\n\n\n<li>Splits files in chunks which can be eas\u00adi\u00ader handled<\/li>\n\n\n\n<li>Cal\u00adcu\u00adlates checksums<\/li>\n\n\n\n<li>enabled vir\u00adtu\u00adal file mount for direct (read-only) access in&nbsp;Linux<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">aff4 advanced forensic framework<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Image analysis<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you have an image in one or mul\u00adti\u00adple files: Check the con\u00adtent<br><code>mmls -B win*<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Get meta infor\u00adma\u00adtion<br><code>ewfinfo win*<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">File sys\u00adtem infor\u00adma\u00adtion:<br><code>fsstat -o file.E01<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Load the image<br><code>ewfacquire win*<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Show all <em>entries <\/em>from the file sys\u00adtem table<br><code>ils -o 2048 -em image.E01<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Show all files from the file sys\u00adtem table (with\u00adout r flag, it shows the root direc\u00adto\u00adry, also with spe\u00adcial (<span class=\"caps\">NTFS-<\/span>) files.)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Only Root:<br><code>fls -o 2048 -p image.E01<\/code><\/li>\n\n\n\n<li>Recur\u00adsive from root:<br><code>fls -o 2048 -pr image.E01<\/code><\/li>\n\n\n\n<li>Only a sub\u00addi\u00adrec\u00adto\u00adry: (fls shows in the sec\u00adond col\u00adumn a num\u00adber \u2014 this is here the 60 for the pro\u00adgram files direc\u00adto\u00adry.)<br><code>fls -o 2048 -pr image.E01 60<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Expla\u00adna\u00adtion of an out\u00adput:<br><code>r\/r 103399-128-4 ...<\/code><br>Here, 103399 is the entry in the file table, 4 is the data stream.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Show attrib\u00adut\u00ades of a file (file 103399 of the file table, see above):<br><code>istat -s 2048 image.E01 103399<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Show the con\u00adtent of a data stream:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Show text on the con\u00adsole:<br><code>icat -o 2048 image.E01 103399-128-9<\/code><\/li>\n\n\n\n<li>Write out a data stream into a file:<br><code>icat -o 2048 image.E01 103399-128-4 | dd of=\/tmp\/file.doc<\/code><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Time\u00adstamps<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>M<\/strong>odi\u00adfi\u00adca\u00adtion<\/li>\n\n\n\n<li><strong>A<\/strong>ccess<\/li>\n\n\n\n<li><strong>C<\/strong>hange<\/li>\n\n\n\n<li><strong>B<\/strong>irth<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Get real time\u00adstamps from alter\u00adna\u00adtive data streams:<\/p>\n\n\n\n<figure class=\"wp-block-image size-medium\"><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"243\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2020\/04\/aaa-300x243.png\" alt class=\"wp-image-4619\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/04\/aaa-300x243.png 300w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/04\/aaa-768x621.png 768w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2020\/04\/aaa.png 831w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\"><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">Note to the pre\u00advi\u00adous image: The file dates from the alter\u00adna\u00adtive <span class=\"caps\">DOS<\/span> file stream are nor\u00admal\u00adly nev\u00ader changed after the ini\u00adtial access! There\u00adfore, if there are dif\u00adfer\u00adent dates in this entry, this is prob\u00ada\u00adbly the \u201ccor\u00adrect\u201d orig\u00adi\u00adnal date. But be aware that there are some pit\u00adfalls; e.g.files can retain the mod\u00adi\u00adfied data, but if there moved, then the cre\u00adat\u00aded at date could be lat\u00ader. Also, files which are extract\u00aded from an archive or a syn\u00adchro\u00adniza\u00adtion soft\u00adware could also have \u201cstrange\u201d time\u00adstamp combinations.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Search for spe\u00adcif\u00adic files:<br><code>ils -o 2048 -em win.E01 | grep -F .docx<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a time\u00adline of&nbsp;files:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate a list of timestamps:&nbsp;<ul class=\"wp-block-list\">\n<li>If you have an&nbsp;image:&nbsp;<ul class=\"wp-block-list\">\n<li><code>fls -o 2048 -rm '' win.E01 &gt; \/tmp\/timestamps<\/code><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>If you have only shell access (cau\u00adtion: this changes the access file \u2014 not so good from a foren\u00adsic stand\u00adpoint, but if this is not impor\u00adtant or there is no oth\u00ader&nbsp;way):&nbsp;<ul class=\"wp-block-list\">\n<li><code>find \/ -print \"|%p|%i|%M|%U|%G|%s|%A@|%C@|%T@|-1\\n\" &gt; \/tmp\/timestamps<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cre\u00adate a time\u00adline:<br><code>mactime -b \/tmp\/timestamps -d -h &gt; \/tmp\/timeline.txt<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Oth\u00ader&nbsp;notes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Scan large file list\u00adings for inter\u00adest\u00ading files, e.g. vbs files, mimikatz file&nbsp;names.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">File carving<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">If you are look\u00ading for a spe\u00adcif\u00adic file type or you don\u2019t know the file sys\u00adtem type of an image, you can try to find files with\u00adin an image. File carv\u00ading tools are using mag\u00adic bytes, known pat\u00adters etc. to extract files from an&nbsp;image.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Tools:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>tsk_recover (<a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=4601\" data-type=\"post\" data-id=\"4601\">Sleuth\u00adki<\/a>t)<\/li>\n\n\n\n<li>fore\u00admost<\/li>\n\n\n\n<li>photorec\/testdisk<\/li>\n\n\n\n<li>bulk_extractor<\/li>\n\n\n\n<li>scalpel<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><\/h2>\n\n\n\n<h2 class=\"wp-block-heading\">Radare2<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Dis\u00adas\u00adsem\u00adbler. Start it with <code>radare2<\/code> or <code>r2<\/code> and the bina\u00adry as argument.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">First, analyse the binary:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">aaa<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Show all functions:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">afl<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Go to visu\u00adal\u00adiza\u00adtion&nbsp;mode:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vvv<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Go to an address:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>g 0x...<br>vvv<\/code><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">General links<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/rinseandrepeatanalysis.blogspot.com\/2018\/12\/analyzing-windows-shellcode-triage.html\">Ana\u00adlyz\u00ading Win\u00addows malware<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Tools for file formats<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">DOC<\/span>\n<ul class=\"wp-block-list\">\n<li>DOCs are zipped files. Rename it into <span class=\"caps\">ZIP<\/span> and extract it.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">ZIP<\/span>\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/blog.didierstevens.com\/2020\/01\/06\/analysis-of-unusual-zip-files\/\">zipdump.py<\/a> can analyse <span class=\"caps\">ZIP<\/span> con\u00adtent and show also hid\u00adden&nbsp;parts.<\/li>\n\n\n\n<li>Use also zip\u00adin\u00adfo and zipdetails.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><span class=\"caps\">JPEG<\/span>\n<ul class=\"wp-block-list\">\n<li><a href=\"http:\/\/didierstevens.com\/files\/software\/jpegdump_V0_0_3.zip\">jpeg\u00addump<\/a> can analyse parts of <span class=\"caps\">JPEG<\/span>&nbsp;files<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">HPA<\/span> Host Protected Area<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">(From the March 2025 Inci\u00addent Response workshop.)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A part of a hard disk \/ stor\u00adage device, which is only vis\u00adi\u00adble after a <span class=\"caps\">SATA<\/span> command.<\/li>\n\n\n\n<li>This is used for res\u00adcue partitions.<\/li>\n\n\n\n<li>Dur\u00ading nor\u00admal oper\u00ada\u00adtions, the data stor\u00adaged there is not accessible.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">DCO<\/span> Disc Configuration Overlay<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">(From the March 2025 Inci\u00addent Response workshop.)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A \u201cwrap\u00adper\u201d which disc man\u00adu\u00adfac\u00adtors some\u00adtimes uses to change the char\u00adac\u00adter\u00adis\u00adtics of a hard&nbsp;drive.<\/li>\n\n\n\n<li>For exam\u00adple, a man\u00adu\u00adfac\u00adtor uses slight\u00adly dif\u00adfer\u00adent disc sizes inter\u00adnal\u00adly. But the hard dri\u00adve should have the same capac\u00adi\u00adty. So, the man\u00adu\u00adfac\u00adtor can set the size via <span class=\"caps\">DCO<\/span>. For all <span class=\"caps\">OS<\/span>, this is the \u201cphys\u00adi\u00adcal\u201d size. How\u00adev\u00ader, the dri\u00adve could store some more data which can only be accessed if the <span class=\"caps\">DCO<\/span> was changed.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An attack\u00ader could set a region of a disk as defect (eg. in <span class=\"caps\">NTFS<\/span>). Then, he could write data into this area with low-lev\u00adel tools. Then, he could hide data there with\u00adout a user would ever find&nbsp;it.<\/li>\n\n\n\n<li><span class=\"caps\">NTFS<\/span> uses a file entry table which uses 980\/1000 byte for an file entry. Nor\u00admal\u00adly, a file is ref\u00ader\u00adenced in this file entry. But if the file is very small, it could be that the data of a file is direct\u00adly stored with\u00adin the file&nbsp;entry.<\/li>\n\n\n\n<li>See <a href=\"https:\/\/andreas-klingler.de\/infosec\/?p=1263\" data-type=\"post\" data-id=\"1263\"><span class=\"caps\">MS<\/span> Office doc\u00adu\u00adments<\/a> for <span class=\"caps\">OLE<\/span> analysis<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Gen\u00ader\u00adal tools Imag\u00ading tools dd, of course. Note that it makes sense to set the prop\u00ader block size (some\u00adtimes 4k, but most hard dri\u00adves are using 512), so that, when an error occued, the exact sec\u00adtor is shown which can after\u00adwards be skipped. dd if=\/dev\/sda of=\/external\/file.md5 bs=512 ewfac\u00adquire sudo ewfac\u00adquire \/dev\/sda Advan\u00adtages: aff4 advanced forensic&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[512,355],"tags":[243,244,61,242,241,239,245,240,280],"class_list":["post-1132","post","type-post","status-publish","format-standard","hentry","category-incident-response","category-reverse-engineering","tag-doc","tag-docx","tag-forensic","tag-microsoft-office","tag-microsoft-word","tag-oledump","tag-scdbg","tag-word","tag-zip"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1132"}],"version-history":[{"count":45,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1132\/revisions"}],"predecessor-version":[{"id":4775,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1132\/revisions\/4775"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}