• File Analysis
• Binary Analysis & Reverse Engineering
• Debugging Tools
• System Tracing & Monitoring
• Steganography
• Notable Mentions: File Carving & Digital Forensics

There are various tools that one can use to find hidden information in files (e.g. a text document hidden within an image file). These can be invaluable in Digital Forensics and Incident Response (DFIR) scenarios.

My experience (thus far) is that quite a few of these tools are not that difficult to use, so I'll be outlining some of them in this post.

I'm by no means an expert in these areas; so, perhaps I will update this post as time goes on!

Content

• File Analysis
• Binary Analysis & Reverse Engineering
• Debugging Tools
• System Tracing & Monitoring
• Steganography
• Notable Mentions: File Carving & Digital Forensics

File Analysis

Back to Content

file

The file command is used to determine the type of a file. This is particularly useful when you need to identify files with ambiguous or missing extensions.

strings

The strings command can be used to extract any printable strings in the binary file. This can be useful to see some text data, function names, or other strings embedded in the binary.

hexedit

hexedit is a hex editor that allows you to view and edit the raw binary data of files. It's useful for tasks like modifying file headers, performing manual patching, or inspecting binary content.

In the images below you can see that we've changed the hex code for this .png file and now the 'file' command thinks it's a PDF file!

Oletools

Oletools is a collection of Python tools for analysing Microsoft OLE2 files (e.g., Office files). It’s useful for detecting embedded objects, macros, or hidden content.

Binary Analysis & Reverse Engineering

Back to Content

binwalk

binwalk is a tool for analysing binary files to detect embedded files, firmware, and other data. It’s commonly used in reverse engineering to extract data from binary files.

readelf

The readelf command is a tool that displays information about ELF files. It can show you headers, sections, symbols, and more.

radare2

radare2 is a powerful open-source framework for reverse engineering and analysing binaries. It includes a wide range of tools for disassembling, debugging, and decompilation.

Ghidra

Ghidra is a powerful reverse engineering tool developed by the NSA. It disassembles and decompiles binary code, allowing users to analyse programs for hidden functionality, malware, or vulnerabilities.

PeStudio

PEstudio is used for inspecting PE (Portable Executable) files on Windows. It provides detailed information about potential risks, indicators of malware, and can help with reverse engineering and binary analysis.

Jadx-Gui

Jadx decompiles Android APK files to Java code to help with reverse engineering.

Debugging Tools

Back to Content

GDB (GNU Debugger)

GDB is a debugger for programs written in languages like C, C++, and more compiled binaries. Allows for real-time inspection (interactive) and control over program execution in order to find bugs and hidden behaviour.

System Tracing & Monitoring

Back to Content

lsof (List Open Files)

lsof lists information about files opened by processes. This can be useful for tracking which files a program is using or analysing potential malware that might be interacting with the file system.

ltrace

ltrace helps you track library function calls made by programs.

strace

strace helps you monitor system calls and signals received by programs.

Steganography

Back to Content

exiftool

exiftool is a powerful tool used to read, write, and manipulate metadata in a wide variety of file formats, including images, videos, audio files, and documents. It’s commonly used to view or edit EXIF data in images, which includes details like camera settings, timestamps, and GPS coordinates.

steghide

steghide is a steganography tool that allows you to embed (hide) and extract data within image or audio files. The tool supports various file formats and can also encrypt the embedded data. It’s often used in security and forensics to conceal or detect hidden information within multimedia files.

Notable Mentions: File Carving & Digital Forensics

Back to Content

Foremost

foremost is a console program to recover files based on their headers, footers, and internal data structures. It can be used for extracting hidden files from disk images or memory dumps, where the file system might be corrupted or missing.

Autopsy

Autopsy is a comprehensive digital forensics platform used to analyse hard drives, smartphones, and other data sources. It features file carving, metadata extraction, timeline analysis, keyword searching, and more. Investigators use it to recover deleted files, analyse disk images, and uncover hidden or obscured data.

EnCase

EnCase is a digital forensics tool primarily used for forensic investigation, data recovery, and analysis of digital devices and storage media.

Shellbags Explorer

Shellbags Explorer analyses user activity on Windows by tracking accessed files and folders logged in the Windows registry.

Remnux VM

Remnux is a Linux-based virtual machine tailored for reverse engineering and malware analysis. It includes tools for file analysis, binary inspection, and forensics.