Identifying the type of a file is usually done by looking at the file extension.
.zip: compressed archives in zip format.
.doc: Words files.

Sometimes the extension does not match, or the file does not have one.
The 'file' command examines the contents of the file, looking for well known headers.


Brute force an encrypted zip with a list of passwords

fcrackzip -u -v -D -p rockyou.txt

Check file format:

$ file backup.mdb
backup.mdb: Microsoft Access Database

If needed,install tools:

apt-get install mdbtools

List tables, then dump.

mdb-tables backup.mdb 
mdb-export backup.mdp  users passwd

Check file format:

$ file mails.pst
mails.pst: Microsoft Outlook email folder

If needed,install tools:

apt-get install pst-utils

Extract mailboxes, then read them.

readpst mails.pst 
cat mails.mbox

An Odt file is a text document created by OpenOffice and LibreOffice.
Odt files are similar to Word .docx files.

Check file format:

$ file doc.odt
doc.odt: OpenDocument Text

An Odt file is a Zip archive containing xml files.
Let unzip it, and read content.xml file.

unzip doc.odt    
cat content.xml

Or use odt2txt to extract text:

odt2txt doc.odt

Method 1:
Use the tool: Statistics/Conversations Select the IP tab Select the TCP tab, click on a TCP stream and then the 'follow stream' button

Method 2:
For experienced plux, hover over the packets, identify the TCP stream, and right click on a TCP packet, and 'Follow/TCP Stream'.

Uses tshark to identify TCP connections

tshark -nlr FILENAME -Y tcp.flags.syn==1 -T fields -e

tshark looks for TCP connections and gives them an ID: 0, 1,...

Dump the contents of each stream by replacing ID with the stream ID: 0, 1,...

tshark -nlr FILENAME -qz "follow,tcp,ascii,ID"

Hiding a file in an image

steghide embed -cf IMAGEFILE -ef FILETOHIDE 

Extract the file

steghide extract -sf IMAGEFILE -p PASSWORD


ROCKYOULIST=`cat /usr/share/wordlists/rockyou.txt`
for word in $ROCKYOULIST
    echo $word
    ret=`steghide extract -sf $1 -p $word`
    if [ $? -eq 0 ]
        echo Found 
        exit 0

Mounter filesystem on directory /tmp

mkdir /tmp/tmpmnt
sudo mount disk.img /tmp/tmpmnt
ls -al /tmp/tmpmnt

Umount filesystem

sudo umount /tmp/tmpmnt 
photorec ~/forensic/usb1.img    

Let's create a mount point on the disk.

mkdir /tmp/tmpmnt

Let's use Veracrypt in TrueCrypt compatibility mode (option -tc) and without acceleration (-m=nokernelcrypto) to mount the disk.

sudo veracrypt -tc -m=nokernelcrypto  --mount truecrypt_safe.img /tmp/tmpmnt
Enter password for truecrypt_safe.img:
Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:

Extracting the Hash

$ truecrypt_safe.img > hash

Breaking the Hash

$ john --format=tc_ripemd160 hash