There are various tools that one can use to find hidden information in files (e.g. a text document hidden within an image file). These can be invaluable in Digital Forensics and Incident Response (DFIR) scenarios.

My experience (thus far) is that quite a few of these tools are not that difficult to use, so I'll be outlining some of them in this post.

I'm by no means an expert in these areas; so, perhaps I will update this post as time goes on!

Content

File Analysis
Binary Analysis & Reverse Engineering
Debugging Tools
System Tracing & Monitoring
Steganography
Notable Mentions: File Carving & Digital Forensics

File Analysis

file

The file command determines the type of a file from its contents (its magic bytes and internal structure) rather than from its name. This is particularly useful when you need to identify files with ambiguous or missing extensions.

file command output

strings

The strings command extracts the printable character sequences from a binary file. This can be useful for spotting text data, function names, or other strings embedded in the binary.

strings command output

hexedit

hexedit is a hex editor that allows you to view and edit the raw binary data of files. It's useful for tasks like modifying file headers, performing manual patching, or inspecting binary content.

In the images below you can see that we've changed the header bytes (the magic number) of this .png file, and now the file command thinks it's a PDF file!

hexedit command output
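A check for the header/extension mismatch the hexedit screenshots demonstrate, as an added example that is not part of the original post: it reads the first 16 bytes of each file and compares the magic bytes against the extension, which is the same evidence file itself relies on. The signature table and the two sample files are constructed for the demonstration.

```python
# Added example (not from the original post): flag files whose extension does not
# match the magic bytes at offset 0, the mismatch produced by hand in the hexedit
# screenshots above. Signature table and sample files are constructed here.
import os
import tempfile
from typing import Optional

# (magic bytes at offset 0, extensions that legitimately carry them)
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", {".png"}),
    (b"%PDF-", {".pdf"}),
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", {".doc", ".xls", ".ppt"}),  # OLE2 compound file
]


def identify(header: bytes) -> Optional[bytes]:
    """Return the matching magic prefix for a file header, or None if unknown."""
    for magic, _ in SIGNATURES:
        if header.startswith(magic):
            return magic
    return None


def extension_mismatch(path: str) -> Optional[str]:
    """Describe a header/extension disagreement, or return None if they agree."""
    with open(path, "rb") as fh:
        header = fh.read(16)
    magic = identify(header)
    if magic is None:
        return None  # unknown type: nothing to compare against
    allowed = next(exts for m, exts in SIGNATURES if m == magic)
    ext = os.path.splitext(path)[1].lower()
    if ext in allowed:
        return None
    return f"{os.path.basename(path)}: extension {ext or '(none)'} but header {magic!r}"


def write_samples(directory: str) -> None:
    """Write two constructed files: an honest PNG and a .png that is really a PDF."""
    with open(os.path.join(directory, "real.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(directory, "fake.png"), "wb") as fh:
        fh.write(b"%PDF-1.7\n" + b"\x00" * 32)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        write_samples(tmp)
        for name in ("real.png", "fake.png"):
            print(name, "->", extension_mismatch(os.path.join(tmp, name)))
```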

Oletools

Oletools is a collection of Python tools for analysing Microsoft OLE2 files (e.g., Office files). It’s useful for detecting embedded objects, macros, or hidden content.

olevba (part of oletools)


Binary Analysis & Reverse Engineering

binwalk

binwalk is a tool for analysing binary files to detect embedded files, firmware, and other data. It’s commonly used in reverse engineering to extract data from binary files.

binwalk command output

readelf

The readelf command is a tool that displays information about ELF files. It can show you headers, sections, symbols, and more.

readelf command output
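To make the header fields that readelf -h reports concrete, here is an added example (not from the original post) that decodes an ELF header with nothing but the struct module, handling both ELF32 and ELF64 and both byte orders. The sample header is constructed, not taken from a real binary.

```python
# Added example (not from the original post): decode the fields that readelf -h
# prints from an ELF header using struct alone, so the header layout is explicit.
# The sample header below is constructed, not taken from a real binary.
import struct
from typing import Dict

E_TYPE = {1: "REL (Relocatable file)", 2: "EXEC (Executable file)",
          3: "DYN (Shared object file)", 4: "CORE (Core file)"}
E_MACHINE = {3: "Intel 80386", 40: "ARM", 62: "Advanced Micro Devices X86-64", 183: "AArch64"}


def parse_elf_header(data: bytes) -> Dict[str, object]:
    """Decode e_ident and the fixed fields of a 32- or 64-bit ELF header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file: bad magic")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # After the 16-byte e_ident come e_type, e_machine, e_version, then
    # e_entry/e_phoff/e_shoff (4 bytes each for ELF32, 8 for ELF64), e_flags
    # and the six 16-bit size/count fields.
    ptr = "I" if ei_class == 1 else "Q"
    fmt = endian + "HHI" + ptr * 3 + "IHHHHHH"
    names = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
             "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
             "e_shnum", "e_shstrndx")
    hdr = dict(zip(names, struct.unpack_from(fmt, data, 16)))
    hdr["class"] = "ELF32" if ei_class == 1 else "ELF64"
    hdr["data"] = "little endian" if ei_data == 1 else "big endian"
    hdr["type"] = E_TYPE.get(hdr["e_type"], f"unknown ({hdr['e_type']})")
    hdr["machine"] = E_MACHINE.get(hdr["e_machine"], f"unknown ({hdr['e_machine']})")
    return hdr


def sample_elf64_header() -> bytes:
    """Constructed 64-byte header: little-endian x86-64 ET_DYN (PIE) with entry 0x1040."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    body = struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0x1040, 64, 0x3E10, 0,
                       64, 56, 11, 64, 29, 28)
    return e_ident + body


if __name__ == "__main__":
    for key, value in parse_elf_header(sample_elf64_header()).items():
        print(f"{key:12} {value:#x}" if isinstance(value, int) else f"{key:12} {value}")
```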

radare2

radare2 is a powerful open-source framework for reverse engineering and analysing binaries. It includes a wide range of tools for disassembling, debugging, and decompilation.

radare2 command output

Ghidra

Ghidra is a powerful reverse engineering tool developed by the NSA. It disassembles and decompiles binary code, allowing users to analyse programs for hidden functionality, malware, or vulnerabilities.

ghidra command output

PeStudio

PEstudio is used for inspecting PE (Portable Executable) files on Windows. It provides detailed information about potential risks, indicators of malware, and can help with reverse engineering and binary analysis.

pestudio

Jadx-Gui

Jadx decompiles Android APK files to Java code to help with reverse engineering.

jadx


Debugging Tools

GDB (GNU Debugger)

GDB is a debugger for compiled binaries, typically programs written in C, C++ and similar languages. It allows interactive, real-time inspection of and control over program execution in order to find bugs and hidden behaviour.

gdb command output


System Tracing & Monitoring

lsof (List Open Files)

lsof lists information about files opened by processes. This can be useful for tracking which files a program is using or analysing potential malware that might be interacting with the file system.

lsof command output

ltrace

ltrace helps you track library function calls made by programs.

ltrace command output

strace

strace helps you monitor system calls and signals received by programs.

strace command output


Steganography

exiftool

exiftool is a powerful tool used to read, write, and manipulate metadata in a wide variety of file formats, including images, videos, audio files, and documents. It’s commonly used to view or edit EXIF data in images, which includes details like camera settings, timestamps, and GPS coordinates.

exiftool command output

steghide

steghide is a steganography tool that allows you to embed (hide) and extract data within image or audio files. The tool supports various file formats and can also encrypt the embedded data. It’s often used in security and forensics to conceal or detect hidden information within multimedia files.

steghide command output


Notable Mentions: File Carving & Digital Forensics

Foremost

foremost is a console program to recover files based on their headers, footers, and internal data structures. It can be used for extracting hidden files from disk images or memory dumps, where the file system might be corrupted or missing.

foremost
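A minimal header/footer carver of the kind binwalk (above) and foremost describe, as an added example that is not part of the original post: it scans a blob for known headers, cuts at the matching footer and resumes scanning, so several embedded files are recovered from one image. The signatures and the sample blob are constructed for the demonstration.

```python
# Added example (not from the original post): a minimal header/footer file carver,
# the technique binwalk and foremost apply to disk images and firmware blobs.
# The signatures and the sample blob are constructed for the demonstration.
from typing import List, Tuple

# (label, header, footer): the footer is included in the carved output. A PNG
# ends with an IEND chunk whose CRC is constant, which makes it a stable footer.
CARVE_SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(blob: bytes, max_size: int = 1 << 20) -> List[Tuple[str, int, bytes]]:
    """Return (label, offset, data) for each header/footer pair found in blob.

    Scanning resumes after each carved file, so several embedded files of the
    same type are all recovered; a header with no footer within max_size is skipped.
    """
    found = []
    for label, header, footer in CARVE_SIGNATURES:
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # no footer in range: look past this header
                continue
            end += len(footer)
            found.append((label, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda item: item[1])


def sample_blob() -> bytes:
    """Constructed image: junk, a tiny PNG skeleton, junk, a PDF skeleton, junk."""
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    pdf = b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n%%EOF"
    return b"\xaa" * 40 + png + b"\xbb" * 30 + pdf + b"\xcc" * 20


if __name__ == "__main__":
    for label, offset, data in carve(sample_blob()):
        print(f"{label} at offset {offset:#06x}, {len(data)} bytes")
```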

Autopsy

Autopsy is a comprehensive digital forensics platform used to analyse hard drives, smartphones, and other data sources. It features file carving, metadata extraction, timeline analysis, keyword searching, and more. Investigators use it to recover deleted files, analyse disk images, and uncover hidden or obscured data.

autopsy

EnCase

EnCase is a digital forensics tool primarily used for forensic investigation, data recovery, and analysis of digital devices and storage media.

encase

Shellbags Explorer

Shellbags Explorer analyses user activity on Windows by tracking accessed files and folders logged in the Windows registry.

shellbags explorer

Remnux VM

Remnux is a Linux-based virtual machine tailored for reverse engineering and malware analysis. It includes tools for file analysis, binary inspection, and forensics.

remnux VM