Identifying the type of a file is usually done by looking at its extension:
.zip: compressed archive in zip format.
.doc: Word document.
Sometimes the extension does not match the content, or the file has no extension at all.
The 'file' command examines the contents of the file instead, looking for well-known headers (magic bytes at fixed offsets):
file secret.zip
Brute force an encrypted zip with a password list (-D dictionary mode, -p the wordlist; -u checks every candidate with unzip, otherwise fcrackzip reports many false positives):
fcrackzip -u -v -D -p rockyou.txt secret.zip
Check file format:
$ file backup.mdb
backup.mdb: Microsoft Access Database
If needed, install the tools:
apt-get install mdbtools
List the tables, then export the interesting ones (mdb-export takes one table per call and writes CSV to stdout):
mdb-tables backup.mdb
mdb-export backup.mdb users
mdb-export backup.mdb passwd
Check file format:
$ file mails.pst
mails.pst: Microsoft Outlook email folder
If needed, install the tools:
apt-get install pst-utils
Extract the mailboxes (readpst writes one mbox-format file per folder into the current directory, or into the directory given with -o), then read them:
readpst mails.pst
cat mails.mbox
An .odt file is a text document created by OpenOffice or LibreOffice.
.odt files play the same role as Word .docx files and, like .docx, are zip containers full of XML.
Check file format:
$ file doc.odt
doc.odt: OpenDocument Text
An .odt file is a zip archive containing XML files; the body text lives in content.xml (and meta.xml carries author names and timestamps, which are often worth a look too).
Let's unzip it and read content.xml:
unzip doc.odt
cat content.xml
Or use odt2txt to extract text:
odt2txt doc.odt
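The following added example (not from the original page, and not odt2txt's code) does in Python what the unzip/cat and odt2txt steps above do: it opens the zip, parses content.xml, flattens every text:p and text:h (honouring the ODF whitespace elements text:s, text:tab and text:line-break, which is why a raw cat of content.xml loses spacing), and pulls the author and generator fields out of meta.xml. The .odt it works on is constructed inside the script with only the three members needed; a real document also carries styles.xml, settings.xml and META-INF/manifest.xml.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# ODF namespaces used in content.xml and meta.xml
TEXT_NS = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
OFFICE_NS = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"
META_NS = "urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
DC_NS = "http://purl.org/dc/elements/1.1/"


def _local(tag: str) -> str:
    """'{namespace}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def _para_text(el) -> str:
    """Flatten one text:p / text:h, honouring the ODF whitespace elements."""
    parts = [el.text or ""]
    for child in el:
        name = _local(child.tag)
        if name == "s":                        # <text:s text:c="3"/> = 3 spaces
            parts.append(" " * int(child.get(f"{{{TEXT_NS}}}c", "1")))
        elif name == "tab":
            parts.append("\t")
        elif name == "line-break":
            parts.append("\n")
        else:                                  # span, a, bookmark ...: recurse
            parts.append(_para_text(child))
        parts.append(child.tail or "")
    return "".join(parts)


def odt_text(data: bytes) -> list[str]:
    """What odt2txt does: unzip, parse content.xml, one string per paragraph/heading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    wanted = {f"{{{TEXT_NS}}}p", f"{{{TEXT_NS}}}h"}
    return [_para_text(el) for el in root.iter() if el.tag in wanted]


def odt_metadata(data: bytes) -> dict:
    """meta.xml: every leaf element with text (creator, dates, generator ...)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "meta.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("meta.xml"))
    return {_local(el.tag): el.text.strip() for el in root.iter()
            if el.text and el.text.strip()}


def make_sample_odt() -> bytes:
    """Constructed minimal .odt: mimetype (stored, first), content.xml, meta.xml."""
    content = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{OFFICE_NS}" xmlns:text="{TEXT_NS}">
  <office:body><office:text>
    <text:h text:outline-level="1">Meeting notes</text:h>
    <text:p>The flag is <text:span text:style-name="T1">FLAG{{odt_is_a_zip}}</text:span>.</text:p>
    <text:p>Columns:<text:tab/>a<text:s text:c="3"/>b</text:p>
  </office:text></office:body>
</office:document-content>"""
    meta = f"""<?xml version="1.0" encoding="UTF-8"?>
<office:document-meta xmlns:office="{OFFICE_NS}" xmlns:meta="{META_NS}" xmlns:dc="{DC_NS}">
  <office:meta>
    <meta:initial-creator>alice</meta:initial-creator>
    <dc:creator>bob</dc:creator>
    <meta:generator>LibreOffice/7.6</meta:generator>
  </office:meta>
</office:document-meta>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content)
        zf.writestr("meta.xml", meta)
    return buf.getvalue()


if __name__ == "__main__":
    blob = make_sample_odt()
    print("members:", zipfile.ZipFile(io.BytesIO(blob)).namelist())
    for line in odt_text(blob):
        print(line)
    print(odt_metadata(blob))
```

A grep over content.xml finds a flag as well, but text split across text:span elements or separated by text:s runs will not match a simple pattern; flattening the paragraph first avoids that.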
Method 1:
Use the menu Statistics > Conversations.
Select the IPv4 tab to see which hosts talk to each other.
Select the TCP tab, click on a TCP conversation, then click the 'Follow Stream' button.
Method 2:
For experienced users: scroll through the packets, identify the TCP stream of interest, right-click one of its TCP packets and choose Follow > TCP Stream.
Use tshark to identify TCP connections:
tshark -nlr FILENAME -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e tcp.stream -e ip.src -e ip.dst -e tcp.dstport
tshark numbers every TCP conversation it sees (tcp.stream): 0, 1, ... Filtering on a SYN without ACK prints each connection once, from its first packet; a plain tcp.flags.syn==1 also matches the SYN-ACK reply and lists every ID twice.
Dump the contents of a stream by replacing ID with its number (0, 1, ...):
tshark -nlr FILENAME -qz "follow,tcp,ascii,ID"
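What tshark's tcp.stream numbering and follow output boil down to, as an added example (not from the original page, and not tshark's code): a small classic-pcap parser that groups TCP segments into conversations in order of first appearance, treats the sender of the first segment as the client, and concatenates each direction's payload. The capture it reads is constructed in the script (an HTTP and an FTP connection, interleaved); IP and TCP checksums in it are left at zero and are not verified, and unlike tshark there is no sequence-number reassembly, so retransmitted data would appear twice.

```python
import socket
import struct

ETHERTYPE_IPV4 = b"\x08\x00"
SYN, ACK, PSH = 0x02, 0x10, 0x08


def build_tcp_packet(src, sport, dst, dport, flags, payload=b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame (checksums zero, seq/ack zero)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + ETHERTYPE_IPV4
    ip_total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames) -> bytes:
    """Classic little-endian pcap (file starts d4 c3 b2 a1), LINKTYPE_ETHERNET."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000, i, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_streams(pcap: bytes) -> list:
    """Group TCP segments like tshark's tcp.stream: IDs in order of first
    appearance, first sender is the client, payload joined in capture order."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        e = "<"
    elif magic == 0xD4C3B2A1:
        e = ">"
    else:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled)")
    if struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET is handled")
    streams, index, pos = [], {}, 24
    while pos + 16 <= len(pcap):
        caplen = struct.unpack_from(e + "IIII", pcap, pos)[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 54 or frame[12:14] != ETHERTYPE_IPV4:
            continue
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        if proto != 6:
            continue
        src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        flags, payload = tcp[13], tcp[(tcp[12] >> 4) * 4:]
        key = tuple(sorted([(src, sport), (dst, dport)]))    # direction-independent
        if key not in index:
            index[key] = len(streams)
            streams.append({"id": len(streams), "client": (src, sport),
                            "server": (dst, dport),
                            "starts_with_syn": bool(flags & SYN) and not flags & ACK,
                            "c2s": b"", "s2c": b""})
        s = streams[index[key]]
        s["c2s" if (src, sport) == s["client"] else "s2c"] += payload
    return streams


def follow(pcap: bytes, stream_id: int) -> str:
    """Text rendering in the spirit of 'tshark -qz follow,tcp,ascii,ID'."""
    s = tcp_streams(pcap)[stream_id]
    return (f"Node 0: {s['client'][0]}:{s['client'][1]}\n"
            f"Node 1: {s['server'][0]}:{s['server'][1]}\n"
            f"--- client -> server ---\n{s['c2s'].decode('latin-1')}"
            f"--- server -> client ---\n{s['s2c'].decode('latin-1')}")


def make_sample_pcap() -> bytes:
    """Constructed capture: an HTTP and an FTP connection, interleaved."""
    C, S = "10.0.0.5", "10.0.0.9"
    frames = [
        build_tcp_packet(C, 40000, S, 80, SYN),
        build_tcp_packet(S, 80, C, 40000, SYN | ACK),
        build_tcp_packet(C, 40000, S, 80, ACK),
        build_tcp_packet(C, 40001, S, 21, SYN),                 # second connection opens
        build_tcp_packet(C, 40000, S, 80, PSH | ACK, b"GET / HTTP/1.0\r\n\r\n"),
        build_tcp_packet(S, 21, C, 40001, SYN | ACK),
        build_tcp_packet(S, 80, C, 40000, PSH | ACK, b"HTTP/1.0 200 OK\r\n\r\nhello\n"),
        build_tcp_packet(S, 21, C, 40001, PSH | ACK, b"220 ftp ready\r\n"),
        build_tcp_packet(C, 40001, S, 21, PSH | ACK, b"USER bob\r\n"),
        build_tcp_packet(C, 40001, S, 21, PSH | ACK, b"PASS hunter2\r\n"),
    ]
    return build_pcap(frames)


if __name__ == "__main__":
    pcap = make_sample_pcap()
    streams = tcp_streams(pcap)
    # Same list the tshark one-liner above produces: IDs of streams that open with a SYN
    print("streams:", [s["id"] for s in streams if s["starts_with_syn"]])
    for s in streams:
        print(follow(pcap, s["id"]))
```

The constructed FTP stream shows why following streams matters: the USER and PASS lines are split over separate segments and interleaved with the HTTP connection in the packet list, but read as one exchange once grouped by stream.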
Hide a file in an image (steghide prompts for a passphrase):
steghide embed -cf IMAGEFILE -ef FILETOHIDE
Extract the hidden file with the passphrase:
steghide extract -sf IMAGEFILE -p PASSWORD
Brute-force the passphrase with a wordlist. The list is read line by line rather than loaded into a shell variable (rockyou.txt is far too large for that), steghide's exit status tells a wrong passphrase from a right one, and -f overwrites a previous extraction so the loop never blocks on an overwrite prompt:
#!/bin/bash
# Usage: ./stegbrute.sh IMAGEFILE [WORDLIST]
STEGFILE="$1"
WORDLIST="${2:-/usr/share/wordlists/rockyou.txt}"
while IFS= read -r word
do
    if steghide extract -sf "$STEGFILE" -p "$word" -f >/dev/null 2>&1
    then
        echo "Found: $word"
        exit 0
    fi
done < "$WORDLIST"
echo "Passphrase not in wordlist"
exit 1
Mount the filesystem image read-only on a directory under /tmp (read-only so that nothing in the evidence is touched; loop because the source is a file, not a device):
mkdir /tmp/tmpmnt
sudo mount -o ro,loop disk.img /tmp/tmpmnt
ls -al /tmp/tmpmnt
If the image holds a whole disk with a partition table rather than a single filesystem, find the partition's start sector with 'fdisk -l disk.img' and add offset=$((START_SECTOR*512)) to the mount options.
Unmount the filesystem:
sudo umount /tmp/tmpmnt
Recover deleted files from a disk or USB image with photorec (interactive; it carves files by their headers, so it works even without an intact filesystem):
photorec ~/forensic/usb1.img
Let's create a mount point for the TrueCrypt container.
mkdir /tmp/tmpmnt
Let's use VeraCrypt in TrueCrypt compatibility mode (option -tc) and without kernel crypto acceleration (-m=nokernelcrypto) to mount the container; it prompts for the password, an optional keyfile, and whether to protect a hidden volume:
sudo veracrypt -tc -m=nokernelcrypto --mount truecrypt_safe.img /tmp/tmpmnt
Enter password for truecrypt_safe.img:
Enter keyfile [none]:
Protect hidden volume (if any)? (y=Yes/n=No) [No]:
Extracting the hash (truecrypt2john.py ships with John the Ripper jumbo):
$ truecrypt2john.py truecrypt_safe.img > hash
Breaking the hash. The volume header does not say which hash algorithm was used, so if RIPEMD-160 fails, retry with --format=tc_sha512 and --format=tc_whirlpool:
$ john --format=tc_ripemd160 --wordlist=/usr/share/wordlists/rockyou.txt hash