Before Forensics

a1l4m
4 min read · Oct 7, 2023

This blog is just for a roadmap that I created for folks who want to start their careers in forensics.

Background

Note: technically I know that is not forensics, but I believe it’s essential to know this stuff before starting :”

Let’s start.

Steganography

Steganography is the practice of concealing information within another message or physical object to avoid detection. Steganography can be used to hide virtually any type of digital content, including text, image, video, or audio content. That hidden data is then extracted at its destination.

That’s why attackers use steganography to hide data such as exploits, payloads and messages. When they are stealing data, they also use it to exfiltrate that data while evading detection.

Image steganography

To embed a secret into the image: steghide embed -cf image.jpg -ef secret.txt

To extract the secret: steghide extract -sf image.jpg

If there is a password and you want to crack it, you can use stegcracker: stegcracker <file> <wordlist>, or stegseek <file> <wordlist>, which is way faster.

Note: steghide only works with jpg files

For PNG files, there is zsteg to extract data from them: zsteg -a <file.png>

If you have a corrupted PNG file, you can use pngcheck to see which part is not exactly right: pngcheck -v filename.png

Also, there is stegsolve to play with the LSB (least significant bit), change colors, move layers, etc.

To extract the metadata of an image, like dimensions, locations, create date, etc.: exiftool <filename>

To check for files embedded in or appended to a file: binwalk -e <filename>, or for a more intensive mode, binwalk -M --dd='.*' <filename>. Another tool for this is foremost: foremost <filename>

There is a tool that automates all of that for you, and it works perfectly fine: Aperi'Solve.

Audio Steganography

The art of hiding information in an audio or video file.

Here you have tools like Audacity, Sonic Visualiser and DeepSound.

With Sonic Visualiser you can only hide strings, not large files; DeepSound, on the other hand, lets you hide files such as zip and pdf.

Most of the challenges you are going to see require Sonic Visualiser: you just need to add a Spectrum layer and you are going to see the flag (there are other techniques, but this one is the most common).

Also, you need to be aware of header magic bytes, as you will face some files (images, zip files) that are corrupted and that you have to deal with. You can use any hex editor, like hexedit or xxd, to see the headers, then compare what you are seeing to the correct file header and edit it.
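The header comparison described above, together with the kind of chunk-level check that pngcheck -v reports for a corrupted PNG, as an added example (not code from the original post or from pngcheck): it validates the 8-byte PNG signature, walks each chunk verifying its CRC, and rewrites a damaged signature. The sample PNG is constructed in the code, and the function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # the 8 magic bytes every PNG starts with

def make_png():
    """Build a minimal valid 1x1 grayscale PNG (constructed sample input)."""
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def check_png(blob):
    """Return a list of problems: bad magic bytes, truncated or bad-CRC chunks."""
    problems = []
    if blob[:8] != PNG_SIG:
        problems.append(f"bad signature: {blob[:8].hex()} (expected {PNG_SIG.hex()})")
    pos, seen_iend = 8, False
    while pos + 12 <= len(blob):
        # Chunk layout: 4-byte length, 4-byte type, data, 4-byte CRC(type + data)
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            problems.append(f"chunk {ctype!r} at offset {pos} is truncated")
            break
        data = blob[pos + 8:pos + 8 + length]
        stored = struct.unpack(">I", blob[end - 4:end])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored:
            problems.append(f"chunk {ctype!r} at offset {pos}: CRC mismatch")
        pos = end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        problems.append("no IEND chunk found")
    return problems

def repair_signature(blob):
    """Overwrite the first 8 bytes with the correct PNG magic bytes."""
    return PNG_SIG + blob[8:]

if __name__ == "__main__":
    good = make_png()
    broken = b"\x00\x00\x00\x00" + good[4:]  # zeroed magic bytes
    print(check_png(broken))
    print(check_png(repair_signature(broken)))
```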

If you have a document that you want to check for macros, you can use the oletools suite. With a document file you can run: olevba -c document.docx

In Word, you can automate frequently used tasks by creating and running macros. A macro is a series of commands and instructions that you group together as a single command to accomplish a task automatically. Attackers use macros to execute malicious commands on the victim system.

Also, PDFs can contain scripts, and attackers take advantage of that. You can analyze PDFs by looking for JavaScript code and other embedded content inside them using peepdf.py.

The last thing is bash. I will just show you the most commonly used commands that I use when dealing with files and stuff.

strings: You don’t know how important the strings command is; just keep it in mind whenever you are stuck in a CTF or smth, and try to grep for unique keywords: strings file.txt | grep -i 'flag{'

-i makes the search case-insensitive, so it matches both uppercase and lowercase.

file: reads the file header and identifies its type for you.

To cut specific fields on the command line, use the cut command, like: cut -d ' ' -f2,4. This command splits each line into fields using a space as the delimiter, then returns the second and the fourth fields.

sort is for sorting the data and uniq is for removing the duplicates: cat file.txt | sort | uniq

tr is for replacing characters with other characters. It translates character by character, not word by word: echo "I am the real batman" | tr "real" "fake" maps r to f, e to a, a to k and l to e everywhere in the line, so it prints "I km tha fake bktmkn". Also, tr -d ' ' will remove all the spaces.

I will add the link for the roadmap once I finish it.

That’s it for now.
Cya geeks
