# Forensics

## File Categorization

### File Extension

Some challenges involve a file upload whose validator checks the file extension with simple string matching or a regular expression (e.g. PHP's `substr()`, `strpos()` or `preg_match()`).

* If the validator only checks that the name contains `.pdf`, you can use a double extension such as `reverse_shell.pdf.php`.
* You can use Burp Suite's Intruder in Sniper mode with a wordlist of extensions to find out which ones are allowed, e.g. `.php`, `.php2`, `.php3`, `.php4`, `.php5`, `.php6`, `.php7`, `.phtm`, `.phtml`, `.phps`, `.php-s`, `.pht`, `.phar`.
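To make the difference concrete, here is an added example (not code from the wiki) that places the weak "does the name contain `.pdf`" check next to an allow-list check of the final extension only. It is written in Python rather than the PHP the section refers to; the function names, the allow-list and the sample filenames are assumptions.

```python
# Added example: naive substring extension check vs. allow-list check of the
# last extension. Names, allow-list and sample inputs are constructed here.
import os
import secrets
from typing import Optional

ALLOWED_EXTENSIONS = frozenset({"pdf", "png", "jpg", "jpeg", "gif"})


def naive_extension_ok(filename: str) -> bool:
    """The weak validator described above: any name containing '.pdf' passes,
    so a double extension such as reverse_shell.pdf.php is accepted."""
    return ".pdf" in filename.lower()


def strict_extension_ok(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Allow-list check of the *last* extension only.

    NUL bytes, traversal sequences and directory components are rejected before
    the extension is looked at, so 'shell.php\\x00.pdf' and '../evil.pdf' fail too.
    """
    if not filename or "\x00" in filename or ".." in filename:
        return False
    if os.path.basename(filename) != filename:      # has a directory part
        return False
    root, ext = os.path.splitext(filename)          # ext is the final ".xxx" only
    return bool(root) and ext[1:].lower() in allowed


def safe_stored_name(filename: str) -> Optional[str]:
    """Name to store the upload under: a random token plus the validated
    extension, so the user-supplied name never reaches the filesystem."""
    if not strict_extension_ok(filename):
        return None
    ext = os.path.splitext(filename)[1][1:].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    samples = ["report.pdf", "reverse_shell.pdf.php", "shell.php\x00.pdf",
               "../evil.pdf", "photo.phtml"]
    for name in samples:
        print(f"{name!r:28} naive={naive_extension_ok(name)!s:5} "
              f"strict={strict_extension_ok(name)}")
```

An extension allow-list on its own only decides how the web server will treat the stored file; it says nothing about the bytes inside, so a validator should pair it with a check of the content as well.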

### Media Type

Some servers will trust the `Content-Type` specified by the user, e.g.:

```php
<?php
// Trusts the Content-Type header sent by the client; the body is never inspected.
$mime = $_SERVER["CONTENT_TYPE"];
if (strcasecmp($mime, "image/png") == 0) {
    echo "photo";
} else {
    echo "not a photo";
}
```

```bash
$ curl 127.0.0.1:80/upload.php
not a photo%
$ curl 127.0.0.1:80/upload.php -H "Content-Type: image/png"
photo%
```

You can also change the `Content-Type` in Burp.

### Structure

![PNG Structure](/files/-MEy8M3YTwB4J3W-BveP)

If the server checks the structure of the file, consider polyglot files ([link](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)). Polyglots, in a security context, are files that are simultaneously valid as several different file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF and a RAR file. There are also files that are both GIF and JS, both PPT and JS, etc. The best-known one is PHAR-JPG ([link](https://github.com/kunte0/phar-jpg-polyglot)).

### Magic Bytes

A file that starts with a specific sequence of leading bytes (its magic bytes) will usually be treated as that file type by utilities such as `file`.

A file might be corrupted. Dump it with a hex viewer (`xxd filename.png | head`) and you may be able to guess the actual file type from the contents (e.g. an `IDAT` chunk means PNG), then overwrite the leading bytes with the correct signature to recover it.

{% embed url="https://en.wikipedia.org/wiki/List_of_file_signatures" %}

### Known-plaintext attack ([link](https://en.wikipedia.org/wiki/Known-plaintext_attack))

If you have a file of a known type that was encrypted by XOR with a repeating key, XOR the start of the encrypted file with the type's known magic bytes to recover (part of) the key. Then XOR the whole encrypted file with that key to decrypt it and recover the original, e.g. the image.
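The attack worked through in code, as an added example that is not part of the wiki: it uses the 16 bytes every PNG starts with (the 8-byte signature followed by the IHDR chunk header) as known plaintext, derives the key stream, finds its shortest period to get the repeating key, and decrypts. The sample file and the key `s3cr3t` are constructed here, not values from the page.

```python
# Added example: known-plaintext recovery of a repeating XOR key from a PNG
# header. The PNG-shaped sample and the key are constructed, not from the page.
from typing import Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Every PNG continues with the IHDR chunk header: length 13, then the type "IHDR".
KNOWN_PNG_PREFIX = PNG_SIGNATURE + b"\x00\x00\x00\x0dIHDR"   # 16 known bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes) -> Tuple[bytes, bool]:
    """XOR the ciphertext start with the known plaintext to expose the key
    stream, then take its shortest period as the key.

    Returns (key, complete). complete is False when no repetition was seen in
    the known span: the key is then at least as long as the prefix and only its
    first len(known_prefix) bytes have been recovered.
    """
    n = min(len(ciphertext), len(known_prefix))
    stream = bytes(c ^ p for c, p in zip(ciphertext[:n], known_prefix[:n]))
    for period in range(1, n):
        if all(stream[i] == stream[i - period] for i in range(period, n)):
            return stream[:period], True
    return stream, False


def decrypt_png(ciphertext: bytes) -> bytes:
    """Decrypt a repeating-key-XOR'd PNG using only its known header."""
    key, complete = recover_key(ciphertext, KNOWN_PNG_PREFIX)
    if not complete:
        raise ValueError("key is longer than the known plaintext; extend the known prefix")
    return xor_bytes(ciphertext, key)


# Constructed sample: a minimal PNG-shaped blob (not a renderable image),
# encrypted with a 6-byte key.
SAMPLE_PLAINTEXT = (
    KNOWN_PNG_PREFIX
    + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00\x1f\xf3\xff\x61"  # IHDR data + CRC
    + b"\x00\x00\x00\x00IEND\xaeB`\x82"
)
SAMPLE_KEY = b"s3cr3t"
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, complete = recover_key(SAMPLE_CIPHERTEXT, KNOWN_PNG_PREFIX)
    print("recovered key:", key, "complete:", complete)
    print("decrypted header ok:", decrypt_png(SAMPLE_CIPHERTEXT).startswith(PNG_SIGNATURE))
```

Two caveats: a key that happens to repeat inside the known span (`abab`) is recovered as its shorter period (`ab`), which still decrypts correctly; and a key longer than the known prefix can only be recovered as far as the plaintext you know, so for longer keys extend the prefix with more structure that is fixed for the format (for PNG, the IHDR length and type shown here, and for files whose dimensions are known, the IHDR data too).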

## Binwalk

```bash
$ binwalk --dd='.*' <file to extract>
```
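The three ideas above (a Content-Type claim that must agree with the bytes, magic-byte identification and repair, and the signature scan binwalk performs before extracting) fit in one added example that is not code from the wiki or from binwalk. The signature subset, the content-type map and the two sample blobs (a GIF-then-RAR blob standing in for a GIFAR, and a PNG with its first eight bytes zeroed) are constructed here.

```python
# Added example: magic-byte sniffing, Content-Type cross-check, binwalk-style
# carving of embedded signatures, and PNG header repair. Signature subset and
# sample blobs are constructed, not taken from the page.
import re
from typing import List, Optional, Tuple

# Leading-byte signatures; a small subset of the Wikipedia list linked above.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",            # covers GIF87a and GIF89a
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",      # also docx/jar/apk and zip-based PHAR archives
    "rar": b"Rar!\x1a\x07",
    "elf": b"\x7fELF",
}

# What a client-supplied Content-Type has to agree with before it is believed.
CONTENT_TYPES = {"image/png": "png", "image/gif": "gif",
                 "image/jpeg": "jpeg", "application/pdf": "pdf"}


def sniff_type(data: bytes) -> Optional[str]:
    """Type implied by the leading bytes, or None if no known signature matches."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def content_type_matches(claimed: str, data: bytes) -> bool:
    """Server-side alternative to trusting $_SERVER['CONTENT_TYPE'] on its own:
    the claim is accepted only if the bytes carry the matching signature."""
    media = claimed.split(";")[0].strip().lower()   # drop parameters such as charset=
    expected = CONTENT_TYPES.get(media)
    return expected is not None and sniff_type(data) == expected


def carve(data: bytes) -> List[Tuple[int, str]]:
    """Every known signature at any offset, sorted by offset. This is the scan
    binwalk runs before extracting; a polyglot shows up as several hits."""
    hits: List[Tuple[int, str]] = []
    for name, magic in SIGNATURES.items():
        hits.extend((m.start(), name) for m in re.finditer(re.escape(magic), data))
    return sorted(hits)


def repair_png(data: bytes) -> Optional[bytes]:
    """If the IHDR chunk header sits where a PNG keeps it (offset 8..15), the
    damaged first 8 bytes can be replaced by the PNG signature. None otherwise."""
    if data[8:16] == b"\x00\x00\x00\x0dIHDR":
        return SIGNATURES["png"] + data[8:]
    return None


# Constructed samples (not real, renderable files).
GIF_RAR_BLOB = (b"GIF89a" + b"\x10\x00\x10\x00\x80\x00\x00" + b"\x3b"   # 14 bytes of GIF-ish header
                + b"Rar!\x1a\x07\x00" + b"\x00" * 8)                    # RAR signature at offset 14
DAMAGED_PNG = (b"\x00" * 8 + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
               + b"\x00\x00\x00\x00IDAT" + b"\x00" * 8)

if __name__ == "__main__":
    print("sniffed:", sniff_type(GIF_RAR_BLOB))
    print("claims image/png:", content_type_matches("image/png", GIF_RAR_BLOB))
    print("carved:", carve(GIF_RAR_BLOB))
    fixed = repair_png(DAMAGED_PNG)
    print("damaged PNG sniffs as:", sniff_type(DAMAGED_PNG), "-> repaired:", sniff_type(fixed or b""))
```

`carve()` only reports where signatures occur; deciding where each embedded file ends requires parsing that format (which is what binwalk's extractors do), so a hit list is a starting point for manual carving rather than a finished extraction.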

## Field Guide

{% embed url="https://trailofbits.github.io/ctf/forensics/" %}

## Windows

{% embed url="https://blog.cyberhacktics.com/memory-forensics-on-windows-10-with-volatility/" %}

{% embed url="https://blog.cyberhacktics.com/carving-files-from-memory-with-volatility/" %}

{% embed url="https://www.nirsoft.net/utils/win_prefetch_view.html" %}
