
As promised,
I am back with another blog today.
I don’t wanna bore my audience with the same subdomain topics daily.
I want my readers to become
“JACK OF ALL TRADES” [Just like me 😉]

So, today’s topic is all about solving Forensics CTF Challenges like a Pro.
Let me tell you one thing: I am not a CTF girl.
But due to some competitions, I have to learn, without any choice.
What will be in Forensics Challenges?
Forensics in CTF means analyzing files, memory dumps, network traffic, or hidden data to uncover flags.
Common challenge types:
- File analysis (images, PDFs, ZIPs)
- Network traffic (PCAP files)
- Memory forensics
- Disk forensics
- Steganography
These are a few commands and tools which I noted in my notebook.
Identify File Type
$ file image
Helps detect:
- Fake extensions
- Real file format
Change File Extensions
$ mv a.pdf a.png
Sometimes files are disguised.
Changing extensions can reveal:
- Hidden images
- Corrupted files
Extract Metadata from Files
$ exiftool file.pdf
Use ExifTool to:
- Find hidden author names
- Detect timestamps
- Reveal embedded clues
Find Hidden Strings
One of my favorite commands, because it is easy.
$ strings image.png | grep "flag{"
One of the fastest ways to:
- Locate flags
- Detect readable hidden text
Extract Hidden Data from Images
$ steghide --extract -sf image.jpg
Using Steghide:
- Extract hidden files from images
- May require a password
Extract Embedded Files
Sometimes, files will be hidden or embedded within another file.
$ binwalk -e flag.png
With binwalk:
- Finds hidden files inside binaries/images
- Automatically extracts them
Analyze APK Files (Android Forensics)
This is just beginner-level .apk forensics.
$ unzip malicious.apk
Then:
- Search for sensitive files like flag.txt
- Explore assets, resources, and code
Magic Bytes (File Signatures)
Magic Bytes are specific, constant bytes at the beginning of a file used to identify its format and type, regardless of its extension.
Magic bytes help identify real file types:
| Type | Magic Bytes |
|------|-------------|
| JPEG | FF D8 FF E0 |
| PNG  | 89 50 4E 47 |
| PDF  | 25 50 44 46 |
| ZIP  | 50 4B       |
Use a hex editor to inspect:
$ hexeditor file
If the extension shows .jpeg but the first bytes do not match the standard magic bytes, use hexeditor to change the first 4 bytes.
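The header check from this section as a small script, added here as an example and not part of the original post: it compares a file's first bytes with the table above and also looks for signatures later in the file, which is the kind of signature scan binwalk performs. The function names, the extension map and the sample bytes are made up for this example, and the embedded scan uses the four-byte ZIP local file header 50 4B 03 04 instead of the two-byte entry from the table.

```python
import os

# Signatures from the table above (hex -> bytes).
MAGIC = {
    "jpeg": bytes.fromhex("FFD8FFE0"),
    "png": bytes.fromhex("89504E47"),
    "pdf": bytes.fromhex("25504446"),
    "zip": bytes.fromhex("504B"),
}
# Extension -> expected type (assumed mapping for this example; an APK is a ZIP).
EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
       ".zip": "zip", ".apk": "zip"}


def identify(data):
    """Return the type whose magic bytes start the data, or None."""
    # Longest signature first so a 2-byte match never shadows a 4-byte one.
    for name, sig in sorted(MAGIC.items(), key=lambda kv: -len(kv[1])):
        if data.startswith(sig):
            return name
    return None


def check_extension(filename, data):
    """Compare what the extension claims with what the header says."""
    claimed = EXT.get(os.path.splitext(filename)[1].lower())
    actual = identify(data)
    return {"claimed": claimed, "actual": actual,
            "mismatch": claimed is not None and claimed != actual}


def find_embedded(data):
    """List (offset, type) for every signature found after offset 0."""
    # Two-byte 'PK' matches too much random data, so search for the
    # ZIP local file header 50 4B 03 04 instead.
    sigs = dict(MAGIC, zip=bytes.fromhex("504B0304"))
    hits = []
    for name, sig in sigs.items():
        pos = data.find(sig, 1)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


# Constructed sample: a PNG header, filler, then a ZIP appended at the end.
SAMPLE = bytes.fromhex("89504E470D0A1A0A") + b"\x00" * 24 + b"PK\x03\x04flag.txt"

if __name__ == "__main__":
    print(check_extension("a.pdf", SAMPLE))  # extension says PDF, header says PNG
    print(find_embedded(SAMPLE))             # appended ZIP at offset 32
```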
Advanced Steganography Analysis
$ zsteg -a red.png
Using zsteg:
- Detects hidden data in images
- Works on LSB (Least Significant Bit) encoding
MSB Steganography [Most Significant Bit]
For this:
- Use online tools like StegOnline
- Open StegOnline > Extract File > Set 7 for RGB and extract
Ha, guys, that’s it for today, and
I'm hoping to see you tomorrow 🙌
Feel free to connect - https://www.linkedin.com/in/chitra-karanam-417999237/
