extension
Category: Content & Media; no API key required

forensics

Extract hidden data from files and analyze forensic artifacts. Use when working with images, memory dumps, disk images, steganography, file carving, or searching for hidden flags inside files.

Author: jakexiaohubgithub

Forensics Analysis Skill

Quick Workflow

Progress:
- [ ] Identify file type (file, xxd)
- [ ] Check metadata (exiftool)
- [ ] Search strings for flag
- [ ] Check for embedded data (binwalk)
- [ ] Try steganography tools
- [ ] Extract hidden content

Step 1: Quick Analysis

```bash
file suspicious_file
exiftool suspicious_file
strings suspicious_file | grep -iE "flag|ctf|secret|key"
binwalk suspicious_file
```

Step 2: Identify Challenge Type

| File Type | Approach | Reference |
|-----------|----------|-----------|
| Image (PNG/JPG) | Steganography | reference/steganography.md |
| Memory dump | Volatility | reference/memory.md |
| Unknown/corrupted | File analysis | reference/file-analysis.md |
| PCAP | Network skill | Use networking skill |

Image Stego - Quick Start

```bash
# Try AperiSolve first (online)
# https://www.aperisolve.com/

# PNG
zsteg image.png
zsteg -a image.png

# JPEG
steghide extract -sf image.jpg
stegseek image.jpg rockyou.txt  # Brute force
```

Full techniques: reference/steganography.md

Memory Dump - Quick Start

```bash
# Volatility 3
vol -f memory.dmp windows.info
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.filescan | grep -i flag
```

Full techniques: reference/memory.md

File Carving - Quick Start

```bash
binwalk -e suspicious_file      # Extract embedded files
foremost -i file -o output/     # Carve files

# Fix corrupted header
xxd file | head -10             # Check magic bytes
```

Full techniques: reference/file-analysis.md
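As an added example (not part of this skill or its reference files), the magic-byte identification, "fix corrupted header" and "check for embedded data" steps above done by hand in Python, so the mechanics behind `file`, `xxd` and `binwalk -e` are visible. The 1x1 PNG and the ZIP header appended after its IEND chunk are constructed inline, not taken from any real challenge.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Well-known leading bytes, the same check `file` performs against a larger database
MAGIC = {PNG_SIG: "PNG", b"\xff\xd8\xff": "JPEG", b"PK\x03\x04": "ZIP",
         b"%PDF": "PDF", b"\x1f\x8b": "GZIP"}

def identify(data: bytes) -> str:
    """Return the type implied by the file's magic bytes, or 'unknown'."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def repair_png_signature(data: bytes) -> bytes:
    """Restore the 8-byte PNG signature when it is damaged but a valid IHDR
    chunk type still sits at offset 12 (the usual 'corrupted header' case)."""
    if data[:8] != PNG_SIG and data[12:16] == b"IHDR":
        return PNG_SIG + data[8:]
    return data

def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list and return whatever follows IEND: a valid PNG ends
    there, so extra bytes are an appended payload (what binwalk -e pulls out)."""
    off = len(PNG_SIG)
    while off + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        off += 12 + length            # length, type, payload, CRC
        if ctype == b"IEND":
            return data[off:]
    return b""                        # no IEND: truncated or not a PNG

def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a real challenge file)."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")             # filter byte + 1 pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    # Constructed: a ZIP local-file header glued after the PNG's IEND chunk
    sample = make_sample_png() + b"PK\x03\x04" + b"flag.txt"
    print(identify(sample), identify(png_trailing_data(sample)))    # PNG ZIP
    broken = b"\x00" * 8 + sample[8:]
    print(identify(broken), identify(repair_png_signature(broken)))  # unknown PNG
```

Run it against a real file by reading the bytes instead of `make_sample_png()`; a non-empty result from `png_trailing_data` is the cue to run `binwalk -e` or carve by hand.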

Online Tools

| Tool | URL | Purpose |
|------|-----|---------|
| AperiSolve | aperisolve.com | All-in-one stego |
| StegOnline | stegonline.georgeom.net | Image analysis |
| CyberChef | gchq.github.io/CyberChef | Data transform |

Reference Files