File/Data Carving & Recovery Tools
The most common tool used in forensics to extract files from images is Autopsy. Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kinds of images, but not simple files.
Binwalk is a tool for analysing binary files to find embedded content. It is installable via apt and its source is on GitHub.
Useful commands:
Another common tool to find hidden files is foremost. Its configuration file is /etc/foremost.conf. If you only want to search for specific file types, uncomment them there; if you uncomment nothing, foremost searches for its default configured file types.
Scalpel is another tool that can be used to find and extract files embedded in a file. In this case, you will need to uncomment from the configuration file (/etc/scalpel/scalpel.conf) the file types you want it to extract.
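As an added example, not foremost's or scalpel's own code, the following Python script implements the header/footer carving that those tools perform on a raw image: it walks a signature table shaped like foremost.conf entries (extension, header, footer, maximum size), carves each match up to its footer or its size limit, and flags header-only hits as truncated, which is the failure mode you see when a file's tail was overwritten. The "disk image", the signature subset and the embedded PNG/JPEG/PDF stubs are all constructed inline and are assumptions of this example.

```python
import random
import struct
import zlib

# Signature table in the spirit of foremost.conf entries:
# (extension, header, footer, max_size). Constructed subset for this example;
# real foremost/scalpel configs carry many more types and support wildcards.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 2_000_000),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20_000_000),
    ("pdf", b"%PDF-", b"%%EOF", 50_000_000),
]


def carve(image, signatures=SIGNATURES):
    """Return carved regions as (ext, offset, length, complete), sorted by offset.

    A region is 'complete' when its footer appears within max_size bytes of the
    header. Otherwise the carve is cut at max_size (or at end of image) and
    flagged, the same truncation behaviour header-only carving has in
    foremost or scalpel.
    """
    hits = []
    for ext, header, footer, max_size in signatures:
        start = image.find(header)
        while start != -1:
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end == -1:
                hits.append((ext, start, window_end - start, False))
                resume = start + len(header)
            else:
                hits.append((ext, start, end + len(footer) - start, True))
                resume = end + len(footer)
            start = image.find(header, resume)
    return sorted(hits, key=lambda h: h[1])


def extract(image, hits):
    """Slice carved regions out of the image, keyed by an offset-based file name."""
    return {f"{off:08d}.{ext}": image[off:off + length] for ext, off, length, _ in hits}


def _png_1x1():
    """A valid 1x1 RGB PNG built from scratch (constructed sample data)."""
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))


def make_sample_image():
    """Constructed 'disk image': printable filler around a PNG, a marker-only JPEG
    stub and a PDF header whose trailer was lost. Returns (image, expected hits)."""
    rng = random.Random(42)

    def filler(n):
        # printable ASCII only, so the filler can never collide with a signature
        return bytes(rng.randrange(0x20, 0x7F) for _ in range(n))

    png = _png_1x1()
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + b"\xff\xd9"
    pdf_head = b"%PDF-1.4\n% trailer never written to this sector\n"

    image = bytearray(filler(200))
    png_off = len(image)
    image += png + filler(150)
    jpg_off = len(image)
    image += jpg + filler(120)
    pdf_off = len(image)
    image += pdf_head + filler(100)
    expected = [
        ("png", png_off, len(png), True),
        ("jpg", jpg_off, len(jpg), True),
        ("pdf", pdf_off, len(image) - pdf_off, False),   # truncated: runs to end of image
    ]
    return bytes(image), expected


if __name__ == "__main__":
    img, _ = make_sample_image()
    for ext, off, length, complete in carve(img):
        print(f"{ext}: offset {off}, {length} bytes, {'complete' if complete else 'TRUNCATED'}")
```

The truncated PDF is the case worth noticing when you review carver output: a header with no footer still produces a file, but its size is whatever the configured maximum (or the end of the image) allowed, so such files need manual validation before you trust them.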
bulk_extractor can scan an image and will extract pcaps found inside it, network information (URLs, domains, IPs, MACs, e-mail addresses) and more files. You only have to run:
PhotoRec comes with GUI and CLI versions. You can select the file types you want PhotoRec to search for.
Visual and active structure viewer
Multiple plots for different focus points
Focusing on portions of a sample
Seeing strings and resources, e.g. in PE or ELF executables
Getting patterns for cryptanalysis on files
Spotting packer or encoder algorithms
Identifying steganography by patterns
Visual binary-diffing
BinVis is a great start-point to get familiar with an unknown target in a black-boxing scenario.
FindAES searches for AES keys by locating their expanded key schedules. It is able to find 128-, 192- and 256-bit keys, such as those used by TrueCrypt and BitLocker.
bulk_extractor comes preinstalled in Kali, and its source is on GitHub.
Navigate through all the information the tool has gathered (passwords?), analyse the packets (see the Pcaps analysis page), and search for weird domains (domains related to malware, or non-existent ones).
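The review step above is easier to reason about with a concrete model of what bulk_extractor's feature files contain. This added Python example (not bulk_extractor's code) reproduces the core of its e-mail, URL and IPv4 scanners over a raw buffer: every hit is recorded with its byte offset, per-feature histograms are built the way the tool's *_histogram.txt files summarise them, and hosts are compared against a known-good suffix list to surface the "weird domains". The regexes are simplified stand-ins for the tool's scanners, and the memory dump is constructed inline (the .invalid TLD is reserved and never resolves).

```python
import re
from collections import Counter

# Simplified stand-ins for bulk_extractor's email, url and ip scanners (constructed).
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9.-]+(?:/[A-Za-z0-9._~%/?#&=-]*)?"),
    "ip": re.compile(rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}


def scan_features(image):
    """Return {feature: [(offset, value), ...]}, the shape of an offset<TAB>feature file."""
    return {
        name: [(m.start(), m.group().decode("ascii", "replace")) for m in rx.finditer(image)]
        for name, rx in PATTERNS.items()
    }


def histogram(features, name):
    """Occurrences per distinct value, most frequent first (like *_histogram.txt)."""
    return Counter(value for _, value in features[name]).most_common()


def hosts(features):
    """Host names seen in URLs and e-mail addresses, lower-cased."""
    found = set()
    for _, url in features["url"]:
        found.add(url.split("//", 1)[1].split("/", 1)[0].lower())
    for _, mail in features["email"]:
        found.add(mail.rsplit("@", 1)[1].lower())
    return found


def unexpected_hosts(features, allowlist):
    """Hosts not covered by a known-good domain list (exact or subdomain match):
    the candidates to check for malware relations or non-existence."""
    def allowed(host):
        return any(host == a or host.endswith("." + a) for a in allowlist)
    return sorted(h for h in hosts(features) if not allowed(h))


def make_sample_dump():
    """Constructed memory fragment mixing binary junk with mail, HTTP and IP artefacts."""
    return b"".join([
        b"\x00" * 16 + b"garbage text before any artefact ",
        b"From: alice@example.com\r\nTo: bob@example.com\r\n",
        b"GET http://updates.example.com/patch.bin HTTP/1.1\r\n",
        b"\x00\x00host=10.0.0.5 peer=10.0.0.5 dns=192.168.1.1\x00",
        b"ref=http://zx9q-update.invalid/dl ",
        b"tail padding",
    ])


if __name__ == "__main__":
    dump = make_sample_dump()
    feats = scan_features(dump)
    for name in PATTERNS:
        for off, value in feats[name]:
            print(f"{name}\t{off}\t{value}")
    print("ip histogram:", histogram(feats, "ip"))
    print("hosts to review:", unexpected_hosts(feats, {"example.com"}))
```

Offsets matter because bulk_extractor does not parse the filesystem: a feature's byte offset is what lets you go back to the image with a hex viewer or a carver and see which file or slack space it came from.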
A terminal image viewer lets you look at recovered images without leaving the shell, and the Linux command-line tool pdftotext converts a PDF into text so you can read it.