
Steganography

Image, audio, and text steganography techniques for CTF

Steganography Cheat Sheet

Hidden data extraction techniques for CTF challenges.


Initial Analysis

File Type Check

BASH
file suspicious_file
xxd suspicious_file | head
hexdump -C suspicious_file | head

# Check for embedded files
binwalk suspicious_file
binwalk -e suspicious_file  # Extract
BASH
strings suspicious_file | grep -i flag
strings -n 8 suspicious_file
strings -el suspicious_file  # 16-bit little-endian (UTF-16LE) strings

Metadata

BASH
exiftool image.png
exiftool -v image.jpg
identify -verbose image.png  # ImageMagick

Image Steganography

Visual Inspection

BASH
# Open in image viewer
# Check each color channel
# Look for LSB patterns
# Compare to original if available

Steghide (JPEG/BMP)

BASH
# Extract (prompts for the passphrase)
steghide extract -sf image.jpg
# Extract with the passphrase given on the command line
steghide extract -sf image.jpg -p password

# Get info
steghide info image.jpg

# Embed (for testing)
steghide embed -cf cover.jpg -ef secret.txt

zsteg (PNG/BMP)

BASH
# Quick check
zsteg image.png

# All options
zsteg -a image.png

# Specific bit plane
zsteg image.png -b 1b

Stegsolve

TEXT
1. Open image in Stegsolve
2. Use < > arrows to cycle through planes
3. Check color channels (R, G, B)
4. Try bit plane modes
5. Use "Analyse" > "Data Extract"

PNG-Specific

BASH
# Check chunks
pngcheck -v image.png

# Extract hidden data
pngcheck image.png
zlib-flate -uncompress < hidden_chunk

LSB Extraction

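PYTHON
from PIL import Image

# Normalize to RGB so every pixel is an (R, G, B) tuple,
# even for grayscale, palette, or RGBA input
img = Image.open("image.png").convert("RGB")
pixels = list(img.getdata())

# Extract LSB of each channel value
bits = []
for pixel in pixels:
    for value in pixel:  # R, G, B
        bits.append(str(value & 1))
binary = "".join(bits)

# Convert to ASCII, 8 bits per character (drop any incomplete final byte)
usable = len(binary) - len(binary) % 8
chars = [chr(int(binary[i:i+8], 2)) for i in range(0, usable, 8)]
print(''.join(chars))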

Color Palette Analysis

PYTHON
# Check for hidden data in palette
from PIL import Image
img = Image.open("image.png")
print(img.getpalette())

Audio Steganography

Spectrogram Analysis

BASH
# Audacity: Analyze → Spectrogram
# Sonic Visualiser
# Look for hidden images/text in frequency

# Command line
sox audio.wav -n spectrogram

SSTV (Slow Scan TV)

BASH
# Decode SSTV signal to image
qsstv
# Or use online decoder

LSB in Audio

PYTHON
# Python with wave module
import wave

with wave.open('audio.wav', 'rb') as wav:
    frames = bytearray(wav.readframes(wav.getnframes()))

# Extract LSB from the first 8000 bytes of frame data
binary = ''.join(str(frame & 1) for frame in frames[:8000])

Morse Code

BASH
# Listen for beeps
# Use Audacity to visualize
# Online Morse decoder

Deep Sound

BASH
# Windows tool for audio stego
# Try with password: empty, common passwords

Text Steganography

Whitespace

BASH
# Zero-width characters
# Trailing spaces
# Tab vs space patterns

# Check for hidden chars
cat -A file.txt
xxd file.txt | grep -E "09|20"

Unicode Steganography

BASH
# Zero-width characters (U+200B, U+200C, U+200D, U+FEFF)
# List the code points of all non-ASCII chars (zero-width chars show up here)
python3 -c "print([hex(ord(c)) for c in open('file.txt').read() if ord(c) > 127])"

Snow

BASH
# Whitespace steganography tool
snow -C -p password secret.txt

First Letter/Word

TEXT
# Read first letter of each line
# Read first letter of each word
# Read nth character of each word

File Format Tricks

Concatenated Files

BASH
# Image + ZIP
binwalk image.png
unzip image.png

# Check end of file
xxd image.png | tail

Wrong Extension

BASH
file mysterious_file
# Rename with correct extension

Appended Data

BASH
# Data after image end marker
# JPEG: FF D9
# PNG: IEND chunk
# GIF: 3B

xxd image.png | tail -50

Polyglot Files

BASH
# File that is valid as multiple formats
file polyglot.pdf
# Try opening as different formats

Document Steganography

PDF

BASH
# Check embedded files
pdfinfo file.pdf
pdftotext file.pdf

# Extract objects
qpdf --show-object=N file.pdf
pdf-parser.py file.pdf

Office Documents

BASH
# DOCX/XLSX/PPTX are ZIP
unzip document.docx -d extracted/

# Check XML files for hidden data
grep -r "flag" extracted/

Network Steganography

PCAP Analysis

BASH
# Look for unusual protocols
# Check ICMP data
# DNS TXT records
# HTTP headers/cookies

tshark -r file.pcap -T fields -e data

DNS Tunneling

BASH
# Extract DNS queries
tshark -r file.pcap -Y "dns" -T fields -e dns.qry.name

Quick Checks

Ordered Workflow

TEXT
1. file - Identify type
2. strings - Quick flag search
3. exiftool - Metadata
4. binwalk - Embedded files
5. xxd/hexdump - Manual inspection
6. Tool specific to format

Common Passwords

TEXT
Try these for password-protected stego:
- (empty)
- password
- stego
- secret
- hidden
- flag
- ctf
- (challenge name)

Tools Summary

| Tool      | Purpose           | Format    |
|-----------|-------------------|-----------|
| steghide  | Extract/embed     | JPEG, BMP |
| zsteg     | LSB analysis      | PNG, BMP  |
| stegsolve | Visual analysis   | Images    |
| binwalk   | Embedded files    | Any       |
| exiftool  | Metadata          | Any       |
| foremost  | File carving      | Any       |
| audacity  | Audio analysis    | Audio     |
| snow      | Whitespace stego  | Text      |
| outguess  | Stego tool        | JPEG      |
| openstego | GUI stego tool    | Images    |