# Forensics

## File Categorization

### File Extension

Some challenges involve a file upload whose only check is a string or regex test on the filename (e.g. `substr()`, `strpos()` or `preg_match()` in PHP).

* If the validator only looks for `.pdf` somewhere in the name, use a double extension such as `reverse_shell.pdf.php`: the check passes, but the web server typically decides how to handle the file by its final extension and executes it as PHP.
* To find out which extensions are accepted, use Burp Suite's Intruder (Sniper mode) with a wordlist of extensions, e.g. `.php`, `.php2`, `.php3`, `.php4`, `.php5`, `.php6`, `.php7`, `.phtm`, `.phtml`, `.phps`, `.php-s`, `.pht`, `.phar`.
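As an added example (not code from the original page), the Python below contrasts the substring check described above with a hardened validator that strips any path, keeps only the final extension and compares it case-insensitively against an allowlist. The names `weak_check`, `strict_check`, `probe` and the `ALLOWED` set are assumptions for illustration.

```python
import os

# Assumed allowlist for an upload form that should only take documents and images.
ALLOWED = {"pdf", "png", "jpg", "jpeg"}


def weak_check(filename: str) -> bool:
    """The substring check the page describes: passes if '.pdf' appears anywhere."""
    return ".pdf" in filename


def strict_check(filename: str) -> bool:
    """Hardened check: path stripped, only the LAST extension counts, allowlisted."""
    # Normalise Windows separators so basename() also strips backslash paths.
    base = os.path.basename(filename.replace("\\", "/"))
    # Reject empty names, dot entries and embedded NUL bytes (classic "shell.php\0.pdf").
    if base in ("", ".", "..") or "\x00" in base:
        return False
    root, dot, ext = base.rpartition(".")
    # No extension at all, or a dotfile such as ".php", is rejected too.
    if not dot or not root:
        return False
    return ext.lower() in ALLOWED


def probe(filenames):
    """Sniper-style probe: for each candidate name, (weak accepts?, strict accepts?)."""
    return {name: (weak_check(name), strict_check(name)) for name in filenames}


if __name__ == "__main__":
    # Constructed candidate names, the kind an Intruder wordlist would generate.
    candidates = [
        "report.pdf",
        "report.PDF",
        "reverse_shell.pdf.php",
        "shell.phtml",
        "shell.php\x00.pdf",
        "../../var/www/html/shell.php",
        ".php",
    ]
    for name, (weak, strict) in probe(candidates).items():
        print(f"{name!r:40} weak={weak!s:5} strict={strict}")
```

The strict check is the minimum; in a real application the upload should also be stored under a server-generated name in a directory the web server does not execute, so that a bypass of the name check alone gains nothing.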

### Media Type

Some servers will trust the `Content-Type` header sent by the client instead of inspecting the file itself, e.g.:

```php
<?php
// Vulnerable: the decision rests entirely on a client-controlled header.
$mime = $_SERVER["CONTENT_TYPE"];
if (strcasecmp($mime, "image/png") == 0) {
    echo "photo";
} else {
    echo "not a photo";
}
```

```bash
$ curl 127.0.0.1:80/upload.php
not a photo
$ curl 127.0.0.1:80/upload.php -H "Content-Type: image/png"
photo
```

You can also edit the `Content-Type` header in Burp (Proxy or Repeater) before forwarding the request.

### Structure

![PNG Structure](/files/-MEy8M3YTwB4J3W-BveP)

If the server validates the structure of the file, consider polyglot files ([link](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)). Polyglots, in a security context, are files that are simultaneously valid as two or more file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF image and a JAR (Java archive). Other combinations exist, e.g. GIF + JS and PPT + JS. The best-known one for upload bypasses is PHAR-JPG ([link](https://github.com/kunte0/phar-jpg-polyglot)), a file that is both a valid JPEG and a valid PHAR archive.

### Magic Bytes

A file that starts with a specific byte sequence (its magic bytes, or signature) is usually treated as that type by utilities such as `file`, regardless of its extension.

A challenge file may have a damaged header. Dump the start of it with a hex editor or `xxd filename.png | head`; you can often guess the real type from the contents (e.g. the chunk names `IHDR` or `IDAT` mean PNG) and rewrite the leading bytes to match the signature to recover it.

{% embed url="<https://en.wikipedia.org/wiki/List_of_file_signatures>" %}
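Added example, in Python rather than the page's PHP, serving the Media Type, Structure and Magic Bytes sections above: it identifies a file by its signature instead of the client's `Content-Type`, walks a PNG's chunk list verifying each CRC (which is what a structural check amounts to), and repairs a PNG whose header has been wiped. The signature table is a constructed subset of the list linked above, the 1x1 sample image is generated inside the block, and the function names are my own, not the page's.

```python
import struct
import zlib

# Constructed subset of the file-signature list (assumption: only these types matter here).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
}
PNG_SIG = b"\x89PNG\r\n\x1a\n"


def sniff_type(data: bytes):
    """Identify a file by its leading bytes, ignoring its name and any declared Content-Type."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def png_chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, 4-byte type, payload, CRC-32 over type+payload."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def png_chunks(data: bytes):
    """Walk the chunk list after the 8-byte signature; yield (type, payload, crc_ok)."""
    off = 8
    while off + 12 <= len(data):  # smallest possible chunk is 12 bytes
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        end = off + 12 + length
        if end > len(data):
            break  # truncated chunk
        payload = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:end])
        crc_ok = crc == (zlib.crc32(ctype + payload) & 0xFFFFFFFF)
        yield ctype.decode("ascii", "replace"), payload, crc_ok
        off = end
        if ctype == b"IEND":
            break


def is_well_formed_png(data: bytes) -> bool:
    """Structural check: signature present, IHDR first, IEND last, every CRC valid."""
    if not data.startswith(PNG_SIG):
        return False
    types = []
    for ctype, _, crc_ok in png_chunks(data):
        if not crc_ok:
            return False
        types.append(ctype)
    return bool(types) and types[0] == "IHDR" and types[-1] == "IEND"


def repair_png_header(data: bytes) -> bytes:
    """Restore the signature when the body still looks like a PNG (IHDR/IDAT chunk names present)."""
    if data.startswith(PNG_SIG):
        return data
    if data[12:16] != b"IHDR" and b"IDAT" not in data:
        raise ValueError("body does not look like a PNG")
    return PNG_SIG + data[8:]


def make_sample_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (generated here, not from the page)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte + one red pixel
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


if __name__ == "__main__":
    good = make_sample_png()
    broken = b"\x00" * 8 + good[8:]  # header wiped, as a challenge file often arrives
    print("declared image/png, detected:", sniff_type(good), "/", sniff_type(broken))
    fixed = repair_png_header(broken)
    print("repaired well-formed:", is_well_formed_png(fixed), "identical:", fixed == good)
```

Note that a structural check like `is_well_formed_png` does not defeat polyglots: a file can pass every CRC and still be a valid archive in its trailing or ancillary-chunk bytes.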

### Known-plaintext attack ([link](https://en.wikipedia.org/wiki/Known-plaintext_attack))

Suppose you have a file encrypted with a simple XOR cipher and you know its type. XORing the first bytes of the ciphertext with the known magic bytes of that type yields the key bytes used at those positions; if the key is a short repeating key, that may be the whole key. Then XOR the ciphertext with the recovered key to decrypt it and recover the original file (e.g. an image).
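Added example (not from the original page) of the known-plaintext attack on repeating-key XOR. It goes slightly beyond the text: besides the 8-byte PNG signature it also uses the constant 12-byte IEND trailer as known plaintext, which recovers keys longer than the signature and rejects key lengths that the signature alone would accept by mistake. The sample "image" (not a decodable picture), the keys and the function names are all constructed for this example.

```python
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# The IEND chunk is constant (zero length, type, fixed CRC 0xAE426082): known plaintext at the tail.
PNG_TRAILER = b"\x00\x00\x00\x00IEND\xaeB`\x82"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def keystream_at(ciphertext: bytes, offset: int, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext = the key bytes that were used at that offset."""
    return bytes(c ^ p for c, p in zip(ciphertext[offset:], known_plaintext))


def recover_key(ciphertext: bytes, known, key_len: int):
    """Fill a key of length key_len from (offset, plaintext) pairs.

    Returns None if a key position is never covered or two known bytes disagree
    (which means key_len is wrong)."""
    key = [None] * key_len
    for offset, plaintext in known:
        for i, p in enumerate(plaintext):
            pos = offset + i
            if pos >= len(ciphertext):
                return None
            k = ciphertext[pos] ^ p
            slot = pos % key_len
            if key[slot] is None:
                key[slot] = k
            elif key[slot] != k:
                return None  # contradiction: this key length is wrong
    if any(k is None for k in key):
        return None  # known plaintext does not reach every key position
    return bytes(key)


def crack(ciphertext: bytes, known, max_len: int = 32):
    """Smallest key length consistent with all known plaintext, and the key."""
    for n in range(1, max_len + 1):
        key = recover_key(ciphertext, known, n)
        if key is not None:
            return n, key
    return None


def known_png_positions(ciphertext: bytes):
    """Known plaintext for an encrypted PNG: the signature at 0 and IEND at the end."""
    return [(0, PNG_MAGIC), (len(ciphertext) - len(PNG_TRAILER), PNG_TRAILER)]


# Constructed sample: PNG signature, an IHDR-looking chunk header, filler, IEND trailer.
SAMPLE_PLAINTEXT = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(13)) + b"\x00" * 20 + PNG_TRAILER


if __name__ == "__main__":
    for key in (b"k3y!5", b"0123456789"):  # constructed keys: shorter and longer than the signature
        ct = xor_bytes(SAMPLE_PLAINTEXT, key)
        print("first 8 key bytes:", keystream_at(ct, 0, PNG_MAGIC))
        print("signature only   :", crack(ct, [(0, PNG_MAGIC)]))
        print("signature+trailer:", crack(ct, known_png_positions(ct)))
        n, found = crack(ct, known_png_positions(ct))
        print("decrypts cleanly :", xor_bytes(ct, found) == SAMPLE_PLAINTEXT)
```

With the 10-byte key, the signature alone returns an 8-byte key that happens to be consistent with the first 8 ciphertext bytes; only the extra known bytes at the tail expose the contradiction. In general, any fixed structure (chunk names, trailers, padding) is usable known plaintext.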

## Binwalk

```bash
$ binwalk --dd='.*' <file to extract>   # carve every signature binwalk recognises
$ binwalk -e <file to extract>          # extract using the built-in extraction rules
```

## Field Guide

{% embed url="<https://trailofbits.github.io/ctf/forensics/>" %}

## Windows

{% embed url="<https://blog.cyberhacktics.com/memory-forensics-on-windows-10-with-volatility/>" %}

{% embed url="<https://blog.cyberhacktics.com/carving-files-from-memory-with-volatility/>" %}

{% embed url="<https://www.nirsoft.net/utils/win_prefetch_view.html>" %}
