File Forensics
Quick Reference
| Command | What It Does |
|---|---|
| file mysterious | Identify true file type |
| xxd mysterious \| head | View hex bytes |
| strings mysterious | Extract readable text |
| binwalk mysterious | Scan for embedded files |
| binwalk -e mysterious | Extract embedded files |
| foremost -i disk.img | Carve files from disk image |
Magic Bytes
| Hex | ASCII | File Type |
|---|---|---|
| 89 50 4E 47 | .PNG | PNG |
| FF D8 FF | (non-printable) | JPEG |
| 25 50 44 46 | %PDF | PDF |
| 50 4B 03 04 | PK.. | ZIP/DOCX/XLSX |
| 47 49 46 38 | GIF8 | GIF |
| 7F 45 4C 46 | .ELF | Linux executable |
| 4D 5A | MZ | Windows executable |
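The two tables above are what `file` and `binwalk` do under the hood: compare the leading bytes against known signatures, and search for those signatures at every offset. The script below is an added example, not part of the original cheat sheet; it uses only the signatures from the Magic Bytes table (the 4-byte PNG prefix, not the full 8-byte header) and a constructed sample buffer, so it runs offline without any of the tools installed.

```python
import os

# Leading-byte signatures from the Magic Bytes table above.
MAGIC = {
    b"\x89PNG": "PNG",
    b"\xff\xd8\xff": "JPEG",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP/DOCX/XLSX",
    b"GIF8": "GIF",
    b"\x7fELF": "Linux executable",
    b"MZ": "Windows executable",
}

# Type each extension claims; used to catch a file whose name lies about its content.
EXPECTED = {".png": "PNG", ".jpg": "JPEG", ".jpeg": "JPEG", ".pdf": "PDF",
            ".zip": "ZIP/DOCX/XLSX", ".docx": "ZIP/DOCX/XLSX", ".gif": "GIF",
            ".exe": "Windows executable"}


def identify(data: bytes) -> str:
    """What `file` reports: the type implied by the leading bytes, or 'unknown'."""
    # Longest signatures first so the 2-byte "MZ" cannot shadow a longer match.
    for sig in sorted(MAGIC, key=len, reverse=True):
        if data.startswith(sig):
            return MAGIC[sig]
    return "unknown"


def scan_embedded(data: bytes) -> list[tuple[int, str]]:
    """What `binwalk` reports: every offset at which a known signature begins."""
    hits = []
    for sig, name in MAGIC.items():
        pos = data.find(sig)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def extension_lies(filename: str, data: bytes) -> bool:
    """True when the extension claims one type but the magic bytes say another."""
    expected = EXPECTED.get(os.path.splitext(filename)[1].lower())
    return expected is not None and identify(data) != expected


# Constructed sample (not a real image): a PNG header, then a ZIP local-file
# header and a PDF signature buried in the trailing bytes.
SAMPLE = (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
          + b"PK\x03\x04" + b"hidden.txt" + b"\x00" * 16
          + b"%PDF-1.4")

if __name__ == "__main__":
    print(identify(SAMPLE))                          # PNG
    print(scan_embedded(SAMPLE))                     # [(0, 'PNG'), (40, 'ZIP/DOCX/XLSX'), (70, 'PDF')]
    print(extension_lies("mysterious.jpg", SAMPLE))  # True
```

A hit at offset 0 is the file's own type; any later hit is a candidate for `binwalk -e` or `foremost` to carve out, bearing in mind that short signatures such as `MZ` will also match by chance inside ordinary data.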
Volatility Cheat Sheet
```bash
volatility -f dump.mem imageinfo                    # ID the OS
volatility -f dump.mem --profile=X pslist           # List processes
volatility -f dump.mem --profile=X hashdump         # Password hashes
volatility -f dump.mem --profile=X netscan          # Network connections
volatility -f dump.mem --profile=X filescan         # Open files
```

These are Volatility 2 commands (`imageinfo` plus a `--profile`); Volatility 3 drops the profile and names plugins by OS, e.g. `windows.pslist`.