Digital Forensics Tools

数字取证工具

When to Use

适用场景

Load this skill when:

Analyzing suspicious files or unknown file formats
Extracting hidden data or carved files
Detecting steganography in images/audio
Analyzing network PCAP files
Scanning for high-entropy (encrypted/compressed) data
Working with file signatures and magic bytes

在以下场景中加载本技能：

分析可疑文件或未知文件格式
提取隐藏数据或雕刻文件
检测图像/音频中的隐写术
分析网络PCAP文件
扫描高熵（加密/压缩）数据
处理文件签名与魔术字节

File Analysis and Carving

文件分析与雕刻

Binwalk - Extract Embedded Files

Binwalk - 提取嵌入文件

bash

undefined

bash

undefined

Scan for embedded files

binwalk suspicious.bin

Extract all found files

binwalk -e suspicious.bin

Extract with signature scan

binwalk --dd='.*' suspicious.bin

Scan for specific file types

binwalk --signature image.png

undefined

binwalk --signature image.png

undefined

Common File Signatures (Magic Bytes)

常见文件签名（魔术字节）

File Type	Signature (Hex)	Signature (ASCII)
PNG	`89 50 4E 47 0D 0A 1A 0A`	`.PNG....`
JPEG	`FF D8 FF E0/E1`	`ÿØÿà`
GIF	`47 49 46 38 37/39 61`	`GIF87a/GIF89a`
ZIP	`50 4B 03 04`	`PK..`
PDF	`25 50 44 46`	`%PDF`
ELF	`7F 45 4C 46`	`.ELF`
RAR	`52 61 72 21 1A 07`	`Rar!..`

文件类型	十六进制签名	ASCII签名
PNG	`89 50 4E 47 0D 0A 1A 0A`	`.PNG....`
JPEG	`FF D8 FF E0/E1`	`ÿØÿà`
GIF	`47 49 46 38 37/39 61`	`GIF87a/GIF89a`
ZIP	`50 4B 03 04`	`PK..`
PDF	`25 50 44 46`	`%PDF`
ELF	`7F 45 4C 46`	`.ELF`
RAR	`52 61 72 21 1A 07`	`Rar!..`

Manual File Carving with dd

使用dd手动雕刻文件

bash

undefined

bash

undefined

Extract bytes from offset to end

dd if=input.bin of=output.bin skip=1024 bs=1

Extract specific byte range

dd if=input.bin of=output.bin skip=1024 count=2048 bs=1

Find PNG signature and extract

grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin

undefined

grep --only-matching --byte-offset --binary --text $'\x89PNG' file.bin

undefined

Strings Analysis

字符串分析

bash

undefined

bash

undefined

Extract ASCII strings

strings suspicious.bin

Extract with minimum length

strings -n 10 suspicious.bin

Search for specific patterns

strings suspicious.bin | grep -i "flag|password|key"

Unicode strings (16-bit little-endian)

strings -el suspicious.bin

With file offsets

strings -t x suspicious.bin

undefined

strings -t x suspicious.bin

undefined

Steganography Detection

隐写术检测

Image Steganography

图像隐写术

python

#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np

def check_lsb(image_path):
    """Check LSB (Least Significant Bit) steganography"""
    img = Image.open(image_path)
    pixels = np.array(img)
    
    # Extract LSBs
    lsb = pixels & 1
    
    # Visualize LSBs (amplify for visibility)
    lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
    lsb_img.save('lsb_analysis.png')
    print("[+] LSB analysis saved to lsb_analysis.png")

def extract_lsb_data(image_path):
    """Extract data from LSBs"""
    img = Image.open(image_path)
    pixels = np.array(img).flatten()
    
    # Extract LSBs as bits
    bits = ''.join([str(p & 1) for p in pixels])
    
    # Convert to bytes
    data = bytearray()
    for i in range(0, len(bits), 8):
        byte = bits[i:i+8]
        if len(byte) == 8:
            data.append(int(byte, 2))
    
    return bytes(data)

python

#!/usr/bin/env python3
"""Quick steganography checks"""
from PIL import Image
import numpy as np

def check_lsb(image_path):
    """Check LSB (Least Significant Bit) steganography"""
    img = Image.open(image_path)
    pixels = np.array(img)
    
    # Extract LSBs
    lsb = pixels & 1
    
    # Visualize LSBs (amplify for visibility)
    lsb_img = Image.fromarray((lsb * 255).astype('uint8'))
    lsb_img.save('lsb_analysis.png')
    print("[+] LSB analysis saved to lsb_analysis.png")

def extract_lsb_data(image_path):
    """Extract data from LSBs"""
    img = Image.open(image_path)
    pixels = np.array(img).flatten()
    
    # Extract LSBs as bits
    bits = ''.join([str(p & 1) for p in pixels])
    
    # Convert to bytes
    data = bytearray()
    for i in range(0, len(bits), 8):
        byte = bits[i:i+8]
        if len(byte) == 8:
            data.append(int(byte, 2))
    
    return bytes(data)

Usage

check_lsb('suspicious.png') data = extract_lsb_data('suspicious.png') print(data[:100]) # First 100 bytes

undefined

check_lsb('suspicious.png') data = extract_lsb_data('suspicious.png') print(data[:100]) # First 100 bytes

undefined

Common Steganography Tools

常用隐写术工具

bash

undefined

bash

undefined

Steghide (JPEG, BMP, WAV, AU)

steghide info suspicious.jpg steghide extract -sf suspicious.jpg

StegSolve (GUI tool for image analysis)

java -jar stegsolve.jar

Zsteg (PNG, BMP)

zsteg suspicious.png zsteg -a suspicious.png # All checks

Exiftool (metadata analysis)

exiftool suspicious.jpg exiftool -all suspicious.jpg

Foremost (file carving)

foremost -i suspicious.bin -o output/

undefined

foremost -i suspicious.bin -o output/

undefined

Audio Steganography

音频隐写术

bash

undefined

bash

undefined

Spectogram analysis with Sox

sox audio.wav -n spectrogram -o spectro.png

Or with Python

python3 helpers/spectrogram.py audio.wav

Audacity (GUI)

File -> Open -> Analyze -> Plot Spectrum

undefined

undefined

Network Forensics

网络取证

PCAP Analysis with tshark

使用tshark分析PCAP

bash

undefined

bash

undefined

Basic statistics

tshark -r capture.pcap -q -z io,phs

Extract HTTP objects

tshark -r capture.pcap --export-objects http,output/

Filter by protocol

tshark -r capture.pcap -Y "http" tshark -r capture.pcap -Y "dns" tshark -r capture.pcap -Y "tcp.port == 80"

Extract HTTP requests

tshark -r capture.pcap -Y "http.request" -T fields -e http.request.full_uri

Extract HTTP POST data

tshark -r capture.pcap -Y "http.request.method == POST" -T fields -e http.file_data

Follow TCP stream

tshark -r capture.pcap -z follow,tcp,ascii,0

Extract files

tshark -r capture.pcap --export-objects http,extracted/ tshark -r capture.pcap --export-objects smb,extracted/

undefined

tshark -r capture.pcap --export-objects http,extracted/ tshark -r capture.pcap --export-objects smb,extracted/

undefined

Extract HTTP Traffic

提取HTTP流量

python

#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import *

def extract_http(pcap_file):
    """Extract HTTP requests and responses"""
    packets = rdpcap(pcap_file)
    
    for pkt in packets:
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            payload = pkt[Raw].load
            
            # Check for HTTP
            if payload.startswith(b'GET') or payload.startswith(b'POST'):
                print("[HTTP Request]")
                print(payload.decode('latin-1', errors='ignore'))
                print("-" * 60)
            
            elif payload.startswith(b'HTTP/'):
                print("[HTTP Response]")
                print(payload.decode('latin-1', errors='ignore')[:200])
                print("-" * 60)

extract_http('capture.pcap')

python

#!/usr/bin/env python3
"""Extract HTTP traffic from PCAP"""
from scapy.all import *

def extract_http(pcap_file):
    """Extract HTTP requests and responses"""
    packets = rdpcap(pcap_file)
    
    for pkt in packets:
        if pkt.haslayer(TCP) and pkt.haslayer(Raw):
            payload = pkt[Raw].load
            
            # Check for HTTP
            if payload.startswith(b'GET') or payload.startswith(b'POST'):
                print("[HTTP Request]")
                print(payload.decode('latin-1', errors='ignore'))
                print("-" * 60)
            
            elif payload.startswith(b'HTTP/'):
                print("[HTTP Response]")
                print(payload.decode('latin-1', errors='ignore')[:200])
                print("-" * 60)

extract_http('capture.pcap')

Reconstruct Files from PCAP

从PCAP中重建文件

bash

undefined

bash

undefined

NetworkMiner (Windows/Linux with Mono)

mono NetworkMiner.exe --nogui -r capture.pcap -o output/

tcpflow - Reconstruct TCP sessions

tcpflow -r capture.pcap -o output/

Wireshark export

File -> Export Objects -> HTTP/SMB/TFTP

undefined

undefined

Entropy Analysis

熵分析

Detect Encrypted/Compressed Data

检测加密/压缩数据

python

#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter

def calculate_entropy(data):
    """Calculate Shannon entropy"""
    if not data:
        return 0
    
    entropy = 0
    counter = Counter(data)
    length = len(data)
    
    for count in counter.values():
        probability = count / length
        entropy -= probability * math.log2(probability)
    
    return entropy

def scan_entropy(filename, block_size=256):
    """Scan file for high-entropy blocks"""
    with open(filename, 'rb') as f:
        data = f.read()
    
    print(f"Scanning {filename} for high-entropy regions...")
    print(f"Block size: {block_size} bytes")
    print("-" * 60)
    
    for i in range(0, len(data), block_size):
        block = data[i:i+block_size]
        if len(block) < block_size // 2:
            continue
        
        entropy = calculate_entropy(block)
        
        # High entropy (> 7.5) indicates encryption/compression
        if entropy > 7.5:
            print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")

python

#!/usr/bin/env python3
"""Scan file for high-entropy regions"""
import math
from collections import Counter

def calculate_entropy(data):
    """Calculate Shannon entropy"""
    if not data:
        return 0
    
    entropy = 0
    counter = Counter(data)
    length = len(data)
    
    for count in counter.values():
        probability = count / length
        entropy -= probability * math.log2(probability)
    
    return entropy

def scan_entropy(filename, block_size=256):
    """Scan file for high-entropy blocks"""
    with open(filename, 'rb') as f:
        data = f.read()
    
    print(f"Scanning {filename} for high-entropy regions...")
    print(f"Block size: {block_size} bytes")
    print("-" * 60)
    
    for i in range(0, len(data), block_size):
        block = data[i:i+block_size]
        if len(block) < block_size // 2:
            continue
        
        entropy = calculate_entropy(block)
        
        # High entropy (> 7.5) indicates encryption/compression
        if entropy > 7.5:
            print(f"Offset 0x{i:08x}: Entropy = {entropy:.4f} [HIGH]")

Usage

scan_entropy('suspicious.bin', block_size=512)

undefined

scan_entropy('suspicious.bin', block_size=512)

undefined

Memory Forensics

内存取证

Volatility (if applicable in CTF)

Volatility（适用于CTF场景）

bash

undefined

bash

undefined

Identify profile

volatility -f memory.dmp imageinfo

List processes

volatility -f memory.dmp --profile=Win7SP1x64 pslist

Dump process memory

volatility -f memory.dmp --profile=Win7SP1x64 memdump -p 1234 -D output/

Extract files

volatility -f memory.dmp --profile=Win7SP1x64 filescan volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/

undefined

volatility -f memory.dmp --profile=Win7SP1x64 filescan volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0x000000003e8b6f20 -D output/

undefined

Quick Reference

快速参考

Task	Tool	Command
File carving	binwalk	`binwalk -e file.bin`
Strings	strings	`strings -n 10 file.bin`
Image LSB	zsteg	`zsteg -a image.png`
JPEG steg	steghide	`steghide extract -sf image.jpg`
Metadata	exiftool	`exiftool image.jpg`
PCAP HTTP	tshark	`tshark -r file.pcap --export-objects http,out/`
TCP stream	tshark	`tshark -r file.pcap -z follow,tcp,ascii,0`
Spectrogram	sox	`sox audio.wav -n spectrogram -o spec.png`
Entropy	custom	`python3 helpers/entropy_scan.py file.bin`

任务	工具	命令
文件雕刻	binwalk	`binwalk -e file.bin`
字符串提取	strings	`strings -n 10 file.bin`
图像LSB分析	zsteg	`zsteg -a image.png`
JPEG隐写提取	steghide	`steghide extract -sf image.jpg`
元数据分析	exiftool	`exiftool image.jpg`
PCAP HTTP提取	tshark	`tshark -r file.pcap --export-objects http,out/`
TCP流追踪	tshark	`tshark -r file.pcap -z follow,tcp,ascii,0`
频谱图分析	sox	`sox audio.wav -n spectrogram -o spec.png`
熵扫描	自定义脚本	`python3 helpers/entropy_scan.py file.bin`

Bundled Resources

配套资源

File Analysis

文件分析

```
file_analysis/binwalk_extract.sh
```
- Wrapper for binwalk extraction

```
file_analysis/binwalk_extract.sh
```
- binwalk提取的封装脚本

Steganography

隐写术

```
steganography/steg_quickcheck.py
```
- Automated steg detection
- LSB analysis
- Metadata extraction
- Entropy visualization

```
steganography/steg_quickcheck.py
```
- 自动化隐写检测脚本
- LSB分析
- 元数据提取
- 熵可视化

Network Forensics

网络取证

```
network_forensics/pcap_extract_http.py
```
- Extract HTTP from PCAP
```
network_forensics/pcap_extract_files.py
```
- Reconstruct files from PCAP

```
network_forensics/pcap_extract_http.py
```
- 从PCAP提取HTTP流量
```
network_forensics/pcap_extract_files.py
```
- 从PCAP重建文件

Helpers

辅助工具

```
helpers/entropy_scan.py
```
- Scan files for high-entropy regions
```
helpers/file_signature_check.py
```
- Verify file signatures
```
helpers/strings_smart.py
```
- Enhanced string extraction

```
helpers/entropy_scan.py
```
- 扫描文件高熵区域
```
helpers/file_signature_check.py
```
- 验证文件签名
```
helpers/strings_smart.py
```
- 增强型字符串提取

External Tools

外部工具

bash

undefined

bash

undefined

Install common forensics tools

安装常用取证工具

sudo apt install binwalk foremost steghide exiftool

Python tools

Python工具

pip install pillow numpy scapy

Specialized tools

专用工具

- StegSolve: https://github.com/zardus/ctf-tools (Java-based)

- Audacity: https://www.audacityteam.org/ (audio analysis)

- Audacity: https://www.audacityteam.org/ (音频分析)

- Wireshark: https://www.wireshark.org/ (PCAP GUI analysis)

- Wireshark: https://www.wireshark.org/ (PCAP图形化分析)

undefined

undefined

Keywords

关键词

forensics, digital forensics, file carving, binwalk, steganography, steg, LSB, least significant bit, PCAP, packet capture, network forensics, tshark, wireshark, entropy analysis, strings, metadata, exiftool, file signatures, magic bytes, audio steganography, spectrogram, image analysis, data extraction, hidden data

取证, 数字取证, 文件雕刻, binwalk, 隐写术, steg, LSB, 最低有效位, PCAP, 数据包捕获, 网络取证, tshark, wireshark, 熵分析, strings, 元数据, exiftool, 文件签名, 魔术字节, 音频隐写术, 频谱图, 图像分析, 数据提取, 隐藏数据

forensics-tools

Original

Translation

Digital Forensics Tools

数字取证工具

When to Use

适用场景

File Analysis and Carving

文件分析与雕刻

Binwalk - Extract Embedded Files

Binwalk - 提取嵌入文件

Scan for embedded files

Scan for embedded files

Extract all found files

Extract all found files

Extract with signature scan

Extract with signature scan

Scan for specific file types

Scan for specific file types

Common File Signatures (Magic Bytes)

常见文件签名（魔术字节）

Manual File Carving with dd

使用dd手动雕刻文件

Extract bytes from offset to end

Extract bytes from offset to end

Extract specific byte range

Extract specific byte range

Find PNG signature and extract

Find PNG signature and extract

Strings Analysis

字符串分析

Extract ASCII strings

Extract ASCII strings

Extract with minimum length

Extract with minimum length

Search for specific patterns

Search for specific patterns

Unicode strings (16-bit little-endian)

Unicode strings (16-bit little-endian)

With file offsets

With file offsets

Steganography Detection

隐写术检测

Image Steganography

图像隐写术

Usage

Usage

Common Steganography Tools

常用隐写术工具

Steghide (JPEG, BMP, WAV, AU)

Steghide (JPEG, BMP, WAV, AU)

StegSolve (GUI tool for image analysis)

StegSolve (GUI tool for image analysis)

Zsteg (PNG, BMP)

Zsteg (PNG, BMP)

Exiftool (metadata analysis)

Exiftool (metadata analysis)

Foremost (file carving)

Foremost (file carving)

Audio Steganography

音频隐写术

Spectogram analysis with Sox

Spectogram analysis with Sox

Or with Python

Or with Python

Audacity (GUI)

Audacity (GUI)

File -> Open -> Analyze -> Plot Spectrum

File -> Open -> Analyze -> Plot Spectrum

Network Forensics

网络取证

PCAP Analysis with tshark

使用tshark分析PCAP

Basic statistics

Basic statistics

Extract HTTP objects

Extract HTTP objects

Filter by protocol

Filter by protocol

Extract HTTP requests