
CTF File Analysis & Steganography

Complete reference for CTF file analysis, forensics, and steganography

Initial Analysis

File Identification

BASH
# Identify file type
file image.png
file unknown_file

# Check magic bytes
xxd image.png | head -5
hexdump -C image.png | head -10

# File signature reference
# PNG: 89 50 4E 47 0D 0A 1A 0A
# JPG: FF D8 FF
# GIF: 47 49 46 38
# PDF: 25 50 44 46
# ZIP: 50 4B 03 04
# RAR: 52 61 72 21

Basic String Extraction

BASH
# Extract strings
strings image.png
strings -n 8 image.png  # Minimum 8 characters

# Search for flags
strings image.png | grep -i "flag"
strings image.png | grep -i "ctf"
strings image.png | grep -iE "\b[a-f0-9]{32}\b"  # MD5-like hex (40 hex chars = SHA-1, 64 = SHA-256)

# Different encodings
strings -e l image.png  # 16-bit little-endian
strings -e b image.png  # 16-bit big-endian

Image Analysis

Exiftool (Metadata)

BASH
# View all metadata
exiftool image.png

# Specific fields
exiftool -Comment image.png
exiftool -Artist image.png
exiftool -Copyright image.png

# Verbose processing output; -v3 adds a hex dump of each tag's data
exiftool -v3 image.png

# Remove metadata (the original is kept as image.png_original; add -overwrite_original to skip the backup)
exiftool -all= image.png

Binwalk (Embedded Files)

BASH
# Scan for embedded files
binwalk image.png

# Extract embedded files
binwalk -e image.png
binwalk --dd='.*' image.png

# Recursive extraction
binwalk -eM image.png

# Specific signature
binwalk -D 'png image:png' file
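The signature table in the file-identification section and the `binwalk` scan above are the same idea: look for known magic bytes at any offset, not just offset 0. The following is an added example written for this page (not code from binwalk or from the original cheat sheet) that does exactly that in pure Python, reports every hit the way `binwalk` does, and carves a naive slice from a hit to the next signature. The sample buffer is constructed inline (a PNG signature, filler bytes, then an appended ZIP local-file header) and is not a real image.

```python
# Signature table copied from the file-identification section above.
SIGNATURES = {
    "PNG": bytes.fromhex("89504E470D0A1A0A"),
    "JPEG": bytes.fromhex("FFD8FF"),
    "GIF": b"GIF8",
    "PDF": b"%PDF",
    "ZIP": b"PK\x03\x04",
    "RAR": b"Rar!",
}


def identify(data: bytes):
    """What `file` would say on magic bytes alone: the type whose signature
    sits at offset 0, or None if nothing in the table matches."""
    for name, sig in SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def scan(data: bytes):
    """Every signature at every offset, sorted: [(offset, type), ...].
    Hits beyond offset 0 are candidate embedded or appended files, which
    is what `binwalk` lists."""
    hits = []
    for name, sig in SIGNATURES.items():
        start = 0
        while (idx := data.find(sig, start)) >= 0:
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Naive carve: bytes from offset up to the next signature hit, or to
    end of file. Good enough to pull an appended ZIP off an image; formats
    with length fields deserve a real parser."""
    following = [o for o, _ in scan(data) if o > offset]
    end = following[0] if following else len(data)
    return data[offset:end]


# Constructed sample: a PNG signature, 20 filler bytes standing in for the
# image, then a ZIP local-file header appended (no real image data).
SAMPLE = SIGNATURES["PNG"] + b"\x00" * 20 + b"PK\x03\x04" + b"zip-payload"

if __name__ == "__main__":
    print("file type:", identify(SAMPLE))
    for offset, kind in scan(SAMPLE):
        print(f"0x{offset:08X}  {kind}")
    print("carved:", carve(SAMPLE, 28))
```

Short signatures such as JPEG's `FF D8 FF` will fire inside random or compressed data, so treat a hit as a lead to verify with `file` or a parser, not as proof.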

Foremost (Carving)

BASH
# Carve files
foremost -i image.png -o output/

# Specific types
foremost -t jpg,png,gif -i image.png -o output/

# All types
foremost -t all -i image.png -o output/

Steghide

BASH
# Extract hidden data (prompts for the passphrase; steghide only handles JPEG, BMP, WAV and AU covers)
steghide extract -sf image.jpg

# With password (try an empty passphrase first: -p '')
steghide extract -sf image.jpg -p password

# Get info (capacity, and whether embedded data is detected for the given passphrase)
steghide info image.jpg

# Hide data (prompts for a passphrase unless -p is given)
steghide embed -cf image.jpg -ef secret.txt

Zsteg (PNG/BMP)

BASH
# Default scan (common bit/channel/order combinations)
zsteg image.png

# Try every known method (all channels, bit counts and bit orders)
zsteg -a image.png

# Limit to a given number of bits per channel
zsteg image.png -b 1

# Extract
zsteg -E "b1,r,lsb,xy" image.png > extracted.txt
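What zsteg labels `b1,r,lsb,xy` is one bit per pixel taken from the red channel's least significant bit, assembled LSB-first, walking pixels in row order. The following is an added example, not code from zsteg or from this page, that embeds and extracts exactly that scheme on raw pixel tuples and then brute-forces channel and bit order the way `zsteg -a` does for the 1-bit case. The cover image is constructed inline as deterministic pseudo-noise (no real file, no Pillow needed); the mapping of zsteg's `lsb`/`msb` field to bit order within each byte is my reading of the label, so the code supports both.

```python
CHANNELS = {"r": 0, "g": 1, "b": 2}


def _payload_bits(payload: bytes, msb_first: bool):
    """Yield the bits of payload one at a time in the requested bit order."""
    for byte in payload:
        for i in (range(7, -1, -1) if msb_first else range(8)):
            yield (byte >> i) & 1


def embed_lsb(pixels, payload: bytes, channel="r", msb_first=False):
    """Return a copy of pixels with one payload bit written into the least
    significant bit of the chosen channel of each successive pixel."""
    bits = list(_payload_bits(payload, msb_first))
    if len(bits) > len(pixels):
        raise ValueError("payload larger than cover capacity")
    ch = CHANNELS[channel]
    out = list(pixels)
    for idx, bit in enumerate(bits):
        px = list(out[idx])
        px[ch] = (px[ch] & 0xFE) | bit
        out[idx] = tuple(px)
    return out


def extract_lsb(pixels, channel="r", msb_first=False, nbytes=None):
    """Collect the LSB of the chosen channel from every pixel in row order and
    pack the bits into bytes (zsteg's b1,<channel>,{lsb|msb},xy)."""
    ch = CHANNELS[channel]
    bits = [px[ch] & 1 for px in pixels]
    if nbytes is not None:
        bits = bits[:nbytes * 8]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        group = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        value = 0
        for bit in group:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def scan_lsb(pixels, needle=b"flag{"):
    """Try every channel and both bit orders (what `zsteg -a` does, restricted
    to 1 bit per pixel) and return the combinations whose output contains needle."""
    return [(channel, msb_first)
            for channel in CHANNELS
            for msb_first in (False, True)
            if needle in extract_lsb(pixels, channel, msb_first)]


# Constructed 128-pixel "cover image": deterministic pseudo-noise, not a real file.
# Pixels are (r, g, b) tuples in row-major order, the order Pillow's getdata() returns.
COVER = [((i * 37) % 256, (i * 59) % 256, (i * 83) % 256) for i in range(128)]
PAYLOAD = b"flag{lsb}"
STEGO = embed_lsb(COVER, PAYLOAD, channel="r")

if __name__ == "__main__":
    print("extracted:", extract_lsb(STEGO, "r", nbytes=len(PAYLOAD)))
    print("scan hits:", scan_lsb(STEGO))
```

To run this against a real PNG, load it with Pillow (`list(Image.open(path).convert("RGB").getdata())`) and feed the list to `scan_lsb`; for anything beyond one bit per channel, or column-order walks, let zsteg do the enumeration.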

Stegsolve

BASH
# GUI application
java -jar stegsolve.jar

# Features:
# - Bit plane analysis
# - Color channel analysis
# - XOR/combine images
# - Data extraction

pngcheck

BASH
# Verify PNG integrity
pngcheck -v image.png

# Print the contents of tEXt chunks (CRC and structure errors are already reported by the command above)
pngcheck -t image.png
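To see what `pngcheck` is actually verifying, here is an added example (written for this page, not pngcheck's or the original author's code) that walks the chunk list, recomputes every CRC-32, pulls the IHDR dimensions and tEXt pairs, and reports any bytes after IEND, the three places CTF authors most often hide things. The sample PNG is constructed inline: a 1x1 RGB image with a tEXt flag, a deliberately corrupted IDAT CRC and an archive header appended after IEND.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504E470D0A1A0A")


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def walk_png(data: bytes):
    """Parse chunks until IEND. Returns (chunks, trailing): chunks is a list of
    dicts with type/offset/length/crc_ok plus parsed IHDR dims or tEXt pairs;
    trailing is whatever sits after IEND (appended archives, flags, ...)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_raw = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_raw) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        (stored_crc,) = struct.unpack(">I", crc_raw)
        info = {
            "type": ctype.decode("ascii", "replace"),
            "offset": pos,
            "length": length,
            # A mismatch means the chunk data (or the CRC) was edited by hand;
            # pngcheck reports the same condition as a CRC error.
            "crc_ok": stored_crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF),
        }
        if ctype == b"IHDR" and length >= 8:
            info["dims"] = struct.unpack(">II", body[:8])   # (width, height)
        elif ctype == b"tEXt":
            key, _, val = body.partition(b"\x00")
            info["text"] = (key.decode("latin-1"), val.decode("latin-1"))
        chunks.append(info)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def build_sample() -> bytes:
    """Constructed 1x1 RGB PNG with a tEXt flag, a corrupted IDAT CRC and a
    payload appended after IEND (sample data for this example only)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + red pixel
    bad_idat = idat[:-1] + bytes([idat[-1] ^ 0xFF])        # flip last CRC byte
    return (PNG_SIG
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"tEXt", b"Comment\x00flag{in_a_text_chunk}")
            + bad_idat
            + make_chunk(b"IEND", b"")
            + b"PK\x03\x04hidden-archive")


SAMPLE = build_sample()

if __name__ == "__main__":
    chunks, trailing = walk_png(SAMPLE)
    for c in chunks:
        print(f"{c['offset']:6d} {c['type']} len={c['length']} "
              f"crc={'OK' if c['crc_ok'] else 'BAD'} "
              f"{c.get('dims') or c.get('text') or ''}")
    if trailing:
        print(f"{len(trailing)} bytes after IEND: {trailing[:16]!r}")
```

A bad IHDR CRC with sane-looking dimensions usually means the height was shrunk to hide the bottom of the image: fix the CRC (or enlarge the height and recompute it with `make_chunk`) and view the result.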

ImageMagick

BASH
# Image info
identify -verbose image.png

# Compare images
compare image1.png image2.png diff.png

# Extract specific color
convert image.png -channel R -separate red.png

Audio Analysis

Sonic Visualiser

BASH
# Spectrogram analysis
# Look for hidden messages in frequency domain
# Check Layer → Add Spectrogram

Audacity

BASH
# Spectrogram: click the track name dropdown → Spectrogram
# Reverse audio: Effect → Reverse
# Change speed: Effect → Change Speed

sox

BASH
# Info
sox --info audio.wav

# Spectrogram
sox audio.wav -n spectrogram -o spec.png

# Reverse
sox audio.wav reversed.wav reverse

SSTV (Slow-Scan Television)

BASH
# Decode SSTV
qsstv  # GUI tool

Morse Code

BASH
# Online decoders available
# Listen for dots and dashes in audio
# Check spectrogram for visual morse

PDF Analysis

pdfinfo

BASH
pdfinfo document.pdf

pdftotext

BASH
pdftotext document.pdf output.txt

pdf-parser

BASH
# Analyze structure
pdf-parser.py document.pdf

# Extract JavaScript
pdf-parser.py --search javascript document.pdf

# Objects
pdf-parser.py --object 5 document.pdf

qpdf

BASH
# Decrypt PDF (add --password=<pw> if a user password is set; owner-only restrictions are removed without one)
qpdf --decrypt encrypted.pdf output.pdf

# Show encrypted status
qpdf --show-encryption document.pdf

peepdf

BASH
# Interactive analysis
peepdf -i document.pdf

Archive Analysis

ZIP

BASH
# List contents
unzip -l archive.zip

# Test integrity
unzip -t archive.zip

# Extract
unzip archive.zip

# Crack password (-D dictionary mode, -u tests each candidate by actually unzipping to avoid false positives)
fcrackzip -u -D -p wordlist.txt archive.zip
zip2john archive.zip > hash.txt
john hash.txt  # add --wordlist=wordlist.txt to use a specific list

RAR

BASH
# Extract
unrar x archive.rar

# Test
unrar t archive.rar

# Crack
rar2john archive.rar > hash.txt
john hash.txt

7z

BASH
# Extract
7z x archive.7z

# List
7z l archive.7z

Memory/Binary Analysis

Volatility (Memory Forensics)

BASH
# Identify profile (Volatility 2 syntax; Volatility 3 needs no profile: vol -f memory.raw windows.info)
volatility -f memory.raw imageinfo

# Process list
volatility -f memory.raw --profile=Win7SP1x64 pslist

# Command history
volatility -f memory.raw --profile=Win7SP1x64 cmdscan

# Files
volatility -f memory.raw --profile=Win7SP1x64 filescan

# Dump file
volatility -f memory.raw --profile=Win7SP1x64 dumpfiles -Q 0x123456 -D output/

GDB

BASH
# Start debugging
gdb ./binary

# Run
run

# Disassemble
disas main

# Set breakpoint
break main

# Examine memory
x/s 0x12345678
x/10wx $esp

objdump

BASH
# Disassemble
objdump -d binary

# All sections
objdump -D binary

# Headers
objdump -x binary

radare2

BASH
# Analyze
r2 -A binary

# Print functions
afl

# Disassemble main
pdf @ main

# Strings
iz

Encoding/Decoding

Base64

BASH
# Decode
echo "SGVsbG8=" | base64 -d
base64 -d encoded.txt

# Encode (-n stops echo from adding a trailing newline to the encoded data)
echo -n "Hello" | base64

Hex

BASH
# Decode
echo "48656c6c6f" | xxd -r -p

# Encode (-n stops echo from adding a trailing 0a byte)
echo -n "Hello" | xxd -p

ROT13

BASH
echo "Uryyb" | tr 'A-Za-z' 'N-ZA-Mn-za-m'

Binary

BASH
# Binary to ASCII
echo "01001000" | perl -lpe '$_=pack"B*",$_'

KeySec

TEXT
# Online tool for complex encoding chains
https://keysec.in/
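CTF data is often several of the encodings above stacked on top of each other, which is why the online chain decoders exist. The following is an added example, not code from the page or from any of those tools, that peels hex, binary, base64 and ROT13 layers greedily until one of the flag formats listed further down appears. The sample is constructed inline by wrapping a flag in rot13, then base64, then hex; the printable-output heuristic and the decoder order are my choices for the example.

```python
import base64
import binascii
import codecs
import re

# Flag formats from the "Common Flag Formats" section of this page.
FLAG_RE = re.compile(rb"(?:flag|FLAG|CTF|picoCTF|HTB|thm)\{[^}]*\}")


def try_hex(data: bytes):
    s = data.strip()
    if len(s) % 2 or not re.fullmatch(rb"[0-9a-fA-F]+", s):
        return None
    return binascii.unhexlify(s)


def try_binary(data: bytes):
    s = re.sub(rb"\s+", b"", data)
    if not s or len(s) % 8 or not re.fullmatch(rb"[01]+", s):
        return None
    return bytes(int(s[i:i + 8], 2) for i in range(0, len(s), 8))


def try_base64(data: bytes):
    s = data.strip()
    if len(s) % 4 or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def try_rot13(data: bytes):
    try:
        return codecs.encode(data.decode("ascii"), "rot13").encode("ascii")
    except UnicodeDecodeError:
        return None


# Order matters: a binary string is also valid hex, so the printable check
# below is what rejects the wrong interpretation. rot13 goes last because it
# never fails.
DECODERS = [("hex", try_hex), ("binary", try_binary),
            ("base64", try_base64), ("rot13", try_rot13)]


def is_printable(data: bytes) -> bool:
    return bool(data) and all(32 <= c < 127 or c in (9, 10, 13) for c in data)


def decode_chain(data: bytes, max_depth: int = 10):
    """Peel encodings greedily until a flag appears or nothing applies.
    Returns (flag_or_None, [layer names in the order they were removed]).
    rot13 is never applied twice in a row, since that would just undo itself."""
    layers, cur = [], data
    for _ in range(max_depth):
        m = FLAG_RE.search(cur)
        if m:
            return m.group(0), layers
        for name, fn in DECODERS:
            if name == "rot13" and layers and layers[-1] == "rot13":
                continue
            out = fn(cur)
            if out is not None and out != cur and is_printable(out):
                layers.append(name)
                cur = out
                break
        else:
            return None, layers
    return None, layers


def encode_chain(flag: bytes) -> bytes:
    """Build the constructed sample: rot13, then base64, then hex."""
    rot = codecs.encode(flag.decode("ascii"), "rot13").encode("ascii")
    return binascii.hexlify(base64.b64encode(rot))


SAMPLE = encode_chain(b"flag{layered_encodings}")

if __name__ == "__main__":
    print(decode_chain(SAMPLE))
```

Greedy peeling fails when an intermediate layer is not printable (a compressed or encrypted stage), so when `decode_chain` returns `None` look at the last layer's output by hand rather than assuming there is no flag.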

Common CTF Patterns

Check These First

BASH
1. strings file | grep -i flag
2. file file
3. exiftool file
4. binwalk -e file
5. xxd file | head
6. Check online hash databases if hash found

Image Specific

BASH
1. Check metadata (exiftool)
2. Look for hidden files (binwalk)
3. LSB steganography (zsteg, stegsolve)
4. Steghide if JPEG
5. Check for appended data
6. Analyze color channels

Common Flag Formats

TEXT
flag{...}
FLAG{...}
CTF{...}
picoCTF{...}
HTB{...}
thm{...}

Useful Online Tools

TEXT
- KeySec: Encoding/decoding chains
- Aperi'Solve: Image stego analysis
- StegOnline: Online stego tools
- dCode: Multiple cipher decoders
- Crackstation: Hash lookup