Forensics & Crypto

Online Decoder --> https://2cyr.com/decode/
Encoding errors --> https://ftfy.now.sh/
File Signatures List --> Click here
PCAP Analysis: --> https://www.packettotal.com/

Online Cipher Decryptors:

CyberChef  - Cipher Decoder  Crack Station-Hash Cracker Decrypt Any Kind of Hash

1) Cipher Statistics
2) Index of Coincidence Calculator - Online IC Cryptanalysis Tool
3) Tools List (Awesome and Fantastic Tools) Available on dCode
4) Solve an Aristocrat or Patristocrat
5) RSA attack tool (mainly for ctf) - retreive private key from weak public key and/or uncipher data
5-1) RSA - Find PQ using N
6) BertNase's Own Hide content in a Image made of blocks - npiet fun!
7) Vigenere Solver - www.guballa.de
8) Fernet (Decode)
9) Unicode Text Steganography Encoders/Decoders
10) All in ONE encoders and Decoders Tool
11) Cryptii - Decoder

Image Forensics:

1) Forensically, free online photo forensics tools - 29a.ch
2) StegSolve to decryt data in image files

Online Stegnographic tools

1) https://osric.com/chris/steganography/decode.html
2) http://stylesuxx.github.io/steganography/
3) https://futureboy.us/stegano/decinput.html
4) https://www.pdf-online.com/osa/extract.aspx --> For PDF


Audio Forensics:

1) Decrypt Old tapes with software for Atari 8-bit computers (Software - Download Required)

strings filename | awk 'length($0)>15' | sort -u
                                     /\
                      Setting the minimum length
                      for a string can help clean
                      out a lot of the garbage.
                      this will only print strings
                      with 15 or more chars.
# strings -a -n 15 filename

grep -rnw '/' -ie 'password' --color=always  

    --> Print files with line numbers where string is found

# Grep for words starting with "co"

egrep "^co" common.txt > /cp.txt

#Hex Decode a file 

cat key| xxd -r -p  > key.bin 

fcrackzip -D -p rockyou.txt -u   --> crack a zip file using        wordlist


Download John the Ripper Community Version (Lot of Plugins are Available)

zip2john filename.zip > filehash.txt    --> creates a hash

john filehash.txt -> cracks the password using default wordlist 

john -wordlist=/usr/share/wordlists/rockyou.txt.gz filehash.txt 

pdfcrack -f file.pdf -w ../stego/rockyou.txt  --> crack PDF Files using wordlist 

Analyzing Event logs for finding violations 

sudo usbrip events violations auth.json -f syslog  

python latex.py --files file.7z --wordlist rockyou.txt

Brute Force 7z Zip files -- 7z Zip Brute Force Github

String -a 'filename.png'  --> scans the whole file instead of the data section.

binwalk -e 'filename.png' --> Automatically extracts all files. For this specific file this did not do us any good.

steghide info filename.png  --> check the embedded data inside an image; you need a passkey to get the embedded data information

steghide extract -sf filename.png --> extract the embedded data;you need a passkey to get the embedded data extracted into a file

xxd filename    --> Hex viewer 

xxd -p -c 10000 FILENAME --> Dump all the data in a single lin

xxd -p -r hex.txt > meow --> reversing a file into binary; then file meow                --> know the file details 

python RsaCtfTool.py -n 2227212908056272288661402263220544270835000977233668976511 -e 3 --uncipher 56274920108122478990888092521371739605513959053

Decrypy the cipher text when n,e and c are given in RSA

cat file.csv | sed -e 's/,,/, ,/g' | column -s, -t | less -#5 -N -S  

Read CSV files in linux  Properly

echo "whateverthehellTheTextIsAddSpacesToYourText" | sed 's/\(.\{5\}\)/\1 /g'

Add a Space after every 5 Characters

#stegnography deccrypter    
gem install zsteg

Imaging and Recovery:


sudo dcfldd if=/dev/sdb of=/home/recovery.dd
             if=input location; of=output location


scp user@10.10.10.48:/home/recovery.dd /location/filename.dd
      similar to ssh; used to copy the file into our location

xxd filename 
               open with hex editor to view the contents.

Imaging for Forensics

dd if=\\.\d: of=c:\test.dd bs=1G --size --process

pngcheck -v filename.png --> PNGs can contain a variety of data ‘chunks’ that are optional (non-critical) as far as rendering is concerned.

exiftool filename.png --> meta data viewer; check if there are any hash values in it.

file filename.gif --> shows the actual file extension

strings ./filename  -- > find the interesting strings any file

ltrace ./filename   -->  Intercept the functions that are being called.

Unzipping a lopp of files

ZIPFILE=$1
RESULT=0
while [ $RESULT -eq 0 ]
do
PASSWORD=$( unzip -l $ZIPFILE | grep -E "^\s+[0-9]+" | grep -Eo "[0-9]+\.zip" | grep -Eo "[0-9]+" )
unzip -P "$PASSWORD" "$ZIPFILE"
RESULT=$?
echo "Unzipped $ZIPFILE using password $PASSWORD ($RESULT)"
ZIPFILE="$PASSWORD.zip"
done 

find / -size 33c -user bandit7 -group bandit6 2>/dev/null

Image Signature: 

JPG: Both images above show that a regular JPG begins with 0xFFD8 and ends with 0xFFD9
PNG: This shows that PNG images should begin with hex value 0x89504E47 and end with 0xAE426082
BMP: Bitmap images have an inconsistency in their end values from my study, but their beginning hex values are 0x424D36
GIF: Similar to bitmaps, end values for gif images vary, but they usually begin with 0x47494638

Data Recovery when you accidentally Delete a Partition

https://dmde.com/