# Forensics

## File Categorization

### File Extension

Some challenges involve a file upload that validates the file extension with a string or regex check (e.g. `substr()`, `strpos()`, `preg_match()`).

* If the validator only checks that the name contains `.pdf`, a double extension such as `reverse_shell.pdf.php` passes the check.
* You can use Burp Suite's Intruder in Sniper mode with a wordlist of extensions to find out which ones are allowed, e.g. `.php`, `.php2`, `.php3`, `.php4`, `.php5`, `.php6`, `.php7`, `.phtm`, `.phtml`, `.phps`, `.php-s`, `.pht`, `.phar`.

### Media Type

Some servers will trust the `Content-Type` specified by the user, e.g.:

```php
<?php
// Trusts the client-supplied Content-Type header, which is attacker-controlled.
$mime = $_SERVER["CONTENT_TYPE"];
if (strcasecmp($mime, "image/png") == 0) {
    echo "photo";
} else {
    echo "not a photo";
}
```

```bash
$ curl 127.0.0.1:80/upload.php
not a photo%
$ curl 127.0.0.1:80/upload.php -H "Content-Type: image/png"
photo%
```

You can also change the `Content-Type` in Burp.

### Structure

![PNG Structure](https://1094113337-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-M3hoduT4ByoNaznkzhG%2F-MEy7Yl7cl0TA7Pu40dQ%2F-MEy8M3YTwB4J3W-BveP%2Fimage.png?alt=media\&token=1c91ca5e-7319-454c-9d4f-818c7d4fdc07)

If the server is checking the structure of the file, consider polyglot files ([link](https://medium.com/swlh/polyglot-files-a-hackers-best-friend-850bf812dd8a)). Polyglots, in a security context, are files that are simultaneously valid as multiple file types. For example, a [GIFAR](https://en.wikipedia.org/wiki/Gifar) is both a GIF and a RAR file. There are also files that are both GIF and JS, both PPT and JS, etc. The most famous one is PHAR-JPG ([link](https://github.com/kunte0/phar-jpg-polyglot)).

### Magic Bytes

A file starting with specific leading bytes will usually be treated as that type of file by utilities.

A file might be corrupted. Use a hex dump (`xxd filename.png | head`) and you may be able to guess the actual file type from the contents (e.g. an `IDAT` chunk means PNG), then change the leading bytes to recover it.

{% embed url="https://en.wikipedia.org/wiki/List_of_file_signatures" %}

### Known-plaintext attack ([link](https://en.wikipedia.org/wiki/Known-plaintext_attack))

If you have an encrypted file of a known type and the encryption is a simple XOR, XORing the start of the encrypted file with the known magic bytes can recover the key. Then XOR the whole encrypted file with that key to decrypt it and recover the image.
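The magic-bytes and known-plaintext steps above, as an added Python example that is not part of the original notes: it identifies a file from its signature and recovers a repeating-key XOR key from the 16 header bytes every PNG shares, then decrypts and re-checks the signature. The sample file and the 6-byte key are constructed for the demo, and the cipher is assumed to be repeating-key XOR.

```python
from typing import Optional, Tuple

# File signatures (magic bytes) from the list linked above.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF89a",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}
# Every PNG starts with the signature followed by the IHDR chunk header
# (length 13, type "IHDR"), so these 16 bytes are known plaintext for any PNG.
KNOWN_PNG_HEADER = MAGIC["png"] + b"\x00\x00\x00\x0dIHDR"

def identify(data: bytes) -> Optional[str]:
    """Return the type whose signature matches the leading bytes, else None."""
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext: bytes, known: bytes, max_key_len: int = 8) -> bytes:
    """Known-plaintext attack on repeating-key XOR: C[i] ^ P[i] = K[i mod n].
    For each candidate length n, derive K from the first n known bytes and
    accept it only if it also reproduces the remaining known bytes; n must
    therefore stay shorter than the known header or the check is vacuous."""
    for n in range(1, min(max_key_len, len(known) - 1) + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:n], known[:n]))
        if xor_bytes(ciphertext[:len(known)], key) == known:
            return key
    raise ValueError("no key of length <= %d reproduces the known header" % max_key_len)

def recover_file(ciphertext: bytes, known: bytes = KNOWN_PNG_HEADER) -> Tuple[bytes, bytes]:
    """Recover the key from the known header and decrypt the whole file."""
    key = recover_key(ciphertext, known)
    return key, xor_bytes(ciphertext, key)

# Constructed sample: a fake PNG (real header, dummy body) encrypted with an
# assumed 6-byte key. In a real case only SAMPLE_CIPHERTEXT would be available.
SAMPLE_KEY = b"s3cr3t"
SAMPLE_PLAINTEXT = KNOWN_PNG_HEADER + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00" + b"\x1f\xf3\xffaIDAT..."
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = recover_file(SAMPLE_CIPHERTEXT)
    print("key:", key, "type:", identify(plain), "ok:", plain == SAMPLE_PLAINTEXT)
```

If the key is longer than the known header, the verification step cannot distinguish a correct key from a wrong one, so extend the known plaintext (e.g. with bytes predictable from the file format) before raising `max_key_len`.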

## Binwalk

```bash
$ binwalk --dd='.*' <file to extract>
```

## Field Guide

{% embed url="https://trailofbits.github.io/ctf/forensics/" %}

## Windows

{% embed url="https://blog.cyberhacktics.com/memory-forensics-on-windows-10-with-volatility/" %}

{% embed url="https://blog.cyberhacktics.com/carving-files-from-memory-with-volatility/" %}

{% embed url="https://www.nirsoft.net/utils/win_prefetch_view.html" %}
