---

name: forensics description: Extracts hidden data from files and analyzes forensic artifacts. Use when working with images, memory dumps, disk images, steganography, file carving, or when searching for hidden flags in files. allowed-tools: Bash, Read, Write, Grep, Glob

Forensics Analysis Skill

Quick Workflow

CopyProgress:
- [ ] Identify file type (file, xxd)
- [ ] Check metadata (exiftool)
- [ ] Search strings for flag
- [ ] Check for embedded data (binwalk)
- [ ] Try steganography tools
- [ ] Extract hidden content

Step 1: Quick Analysis

Copyfile suspicious_file
exiftool suspicious_file
strings suspicious_file | grep -iE "flag|ctf|secret|key"
binwalk suspicious_file

Step 2: Identify Challenge Type

Image Stego - Quick Start

Copy# Try AperiSolve first (online)
# https://www.aperisolve.com/

# PNG
zsteg image.png
zsteg -a image.png

# JPEG
steghide extract -sf image.jpg
stegseek image.jpg rockyou.txt  # Brute force

Full techniques: reference/steganography.md

Memory Dump - Quick Start

Copy# Volatility 3
vol -f memory.dmp windows.info
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.filescan | grep -i flag

Full techniques: reference/memory.md

File Carving - Quick Start

Copybinwalk -e suspicious_file      # Extract embedded files
foremost -i file -o output/     # Carve files

# Fix corrupted header
xxd file | head -10             # Check magic bytes

Full techniques: reference/file-analysis.md

Online Tools

Reference Files

• Steganography: Image/audio stego, LSB, AperiSolve
• Memory: Volatility 2/3, process analysis
• File Analysis: Magic bytes, binwalk, password cracking