Stego
Text
Look at the raw bytes and see if anything stands out.
Image
AperiSolve and pray
Video
Audio
Listen to the audio. If it sounds robotic, check the signal references or look at a spectrogram. If it sounds like normal audio, try LSB extraction.
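The LSB case above, as an added example that is not part of the original notes: it reads a 16-bit PCM WAV, pulls the least significant bit of each sample into bytes, and stops at a NUL. The carrier (a constructed 440 Hz tone), the hidden string and the `embed_lsb` helper that plants it exist only to build a self-contained test file; the `printable_ratio` check is a quick heuristic for telling recovered text from the noise a clean carrier produces.

```python
import io
import math
import struct
import wave


def carrier_samples(n=8000, rate=8000, freq=440.0, amp=10000):
    """Constructed sample input: one second of a 440 Hz tone as 16-bit mono PCM."""
    return [int(amp * math.sin(2 * math.pi * freq * i / rate)) for i in range(n)]


def embed_lsb(samples, payload):
    """Hide payload (plus a NUL terminator) in the LSB of consecutive samples,
    most significant bit of each byte first. Only used here to build the test file."""
    bits = [(b >> i) & 1 for b in payload + b"\x00" for i in range(7, -1, -1)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short for payload")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract_lsb(samples, max_bytes=4096):
    """Collect the LSB of every sample into bytes; stop at a NUL byte or max_bytes.
    On a clean carrier this yields noise, which is itself a useful signal."""
    out = bytearray()
    cur = 0
    for i, s in enumerate(samples):
        cur = (cur << 1) | (s & 1)
        if i % 8 == 7:
            if cur == 0 or len(out) >= max_bytes:
                break
            out.append(cur)
            cur = 0
    return bytes(out)


def printable_ratio(data):
    """Fraction of bytes in printable ASCII; close to 1.0 suggests hidden text."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def wav_bytes(samples, rate=8000):
    """Serialise samples into an in-memory 16-bit mono WAV (no file on disk)."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def read_samples(data):
    """Parse a 16-bit PCM WAV (any channel count, interleaved) into a list of ints."""
    with wave.open(io.BytesIO(data), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM handled here")
        n = w.getnframes() * w.getnchannels()
        return list(struct.unpack("<%dh" % n, w.readframes(w.getnframes())))


if __name__ == "__main__":
    secret = b"flag{constructed_example}"          # constructed, not a real flag
    stego = wav_bytes(embed_lsb(carrier_samples(), secret))
    recovered = extract_lsb(read_samples(stego))
    print(recovered, printable_ratio(recovered))
    noise = extract_lsb(carrier_samples())
    print(noise[:16], printable_ratio(noise))
```

For a real challenge file, replace the constructed carrier with `read_samples(open(path, "rb").read())`; if the result looks like noise, the bit order, channel interleaving or sample width may differ from the assumptions made here.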
Signal References
Quick references to common audio signals encountered before.
Cryptography
Forensics
Packet Captures
Open the PCAP in Wireshark and see what traffic is happening. Quick win: “Export Objects”. Otherwise, check things like timing, packet data, etc.
Memory Dumps
Vol3 Cheatsheet: https://blog.onfvp.com/post/volatility-cheatsheet/
| Repository | Description |
| --- | --- |
| volatility3 | An advanced memory forensics framework |
| vol3-plugins | Notepad, sticky notes, and evtx plugins for vol3 |
Disk Images
Use Autopsy or FTK Imager to mount the image and see the contents of the file system. Run tree to quickly see files/directories of interest.
| Repository | Description |
| --- | --- |
| Autopsy | Digital forensics platform and graphical interface for disk images |
| FTK Imager | Digital forensics platform and graphical interface for disk images |
| Binwalk | Carves files out of other files |
Corrupted Files
Look at the bytes for any identifiers of common file types: the IDAT/IEND chunk names of a PNG, the PDF header, etc. Look up the magic bytes for that file type and recover the header.
| Repository | Description |
| --- | --- |
| magika | Detect file content types with deep learning |
| ImHex | Hex editor with patterns |
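The magic-bytes check described above, as an added example that is not part of the original notes: it identifies a file by its leading bytes, falls back to deeper identifiers (IHDR/IDAT/IEND for PNG, and similar markers for PDF and ZIP) when the header is damaged, walks the PNG chunk list verifying each CRC so the corrupted region can be located, and rewrites a clobbered PNG signature. The 1x1 PNG it works on is constructed in memory; the magic values are the standard public ones.

```python
import struct
import zlib

# Leading magic bytes of a few common file types (standard, public values).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"\x7fELF": "elf",
    b"MZ": "pe",
}

# Identifiers that survive deeper in the file when the header has been clobbered.
MARKERS = {
    "png": (b"IHDR", b"IDAT", b"IEND"),
    "pdf": (b"obj", b"%%EOF"),
    "zip": (b"PK\x01\x02", b"PK\x05\x06"),
}

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def identify(data):
    """Return the type implied by the leading magic bytes, or None."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def guess_by_markers(data):
    """Fallback when the header is damaged: look for type-specific identifiers
    further into the file."""
    for name, markers in MARKERS.items():
        if all(m in data for m in markers):
            return name
    return None


def png_chunks(data):
    """Walk the chunk list after the 8-byte signature and return
    (chunk type, data length, crc_ok) per chunk; a False crc_ok points at
    the region that was corrupted."""
    chunks = []
    off = 8
    while off + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[off:off + 8])
        if off + 12 + length > len(data):
            chunks.append((ctype.decode("ascii", "replace"), length, False))
            break
        body = data[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        # PNG CRC-32 covers the chunk type and chunk data, not the length field.
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("ascii", "replace"), length, crc_ok))
        off += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def repair_png_signature(data):
    """If the chunk layout says this is a PNG (IHDR at offset 12), rewrite the
    first 8 bytes with the correct signature. Other damage is reported by
    png_chunks() and is left alone here."""
    if data[12:16] == b"IHDR":
        return PNG_SIG + data[8:]
    return data


def make_png_1x1():
    """Build a minimal valid 1x1 RGB PNG in memory (constructed sample input)."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit depth, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")            # filter byte 0 + one black pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    good = make_png_1x1()
    broken = b"\x00" * 8 + good[8:]   # constructed damage: signature zeroed out
    print(identify(broken), guess_by_markers(broken))
    fixed = repair_png_signature(broken)
    print(identify(fixed), png_chunks(fixed))
```

On a real file, read it with `open(path, "rb").read()` and run `identify`, then `guess_by_markers` and `png_chunks`; a chunk with `crc_ok == False` is where to start hand-editing in the hex editor.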
Web Exploitation
| Repository | Description |
| --- | --- |
| burpsuite | Full web testing suite, including proxied requests |
| dotGit | A Firefox and Chrome extension that shows you if there is an exposed .git directory |
| feroxbuster | Web application directory/file fuzzer to find other pages or files worth looking at. Written in Rust. |
| flask-unsign | Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application |
| gobuster | Web application directory/file fuzzer to find other pages or files worth looking at. Also supports DNS busting (such as subdomains). Written in Go. |
| PayloadsAllTheThings | Useful payloads for a variety of attacks such as SQLi, IDOR, XSS, etc. |
| sqlmap | Performs automated SQL injection tests on GET and POST requests. |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
Reverse Engineering
APK
Convert the APK to a JAR and then decompile the JAR.
| Repository | Description |
| --- | --- |
| JADX | JAR, APK, DEX, AAR, AAB, and ZIP decompiler. |
| dex2jar | Converts .APK to .JAR |
Binaries
Run strings to quickly help determine the functionality of the program. If we see references to a specific compiler (e.g. Rust, Go), make sure we set the language in Ghidra for the best decompilation support.
| Repository | Description |
| --- | --- |
| Binary Ninja | Decompiler, disassembler, and debugger GUI. |
| Cerberus | Unstrips Rust and Go binaries. |
| cutter | Decompiler, disassembler, and debugger GUI based on Rizin |
| Floss | Extract obfuscated strings from Windows binaries |
| dnSpy | .NET debugger and editor. |
| dotPeek | .NET decompiler and assembly browser |
| GDB | CLI debugger for Linux executables. |
| ghidra | Decompiler and disassembler GUI |
| Ghidra Go Scripts | Scripts for helping with Go decompilation |
| IDA | Decompiler and disassembler GUI |
| OllyDbg | GUI debugger for Windows executables. |
| PwnDbg | Plugin for GDB and LLDB offering advanced capabilities |
| redress | Analyzes stripped Go binaries |
| rizin | Disassembler and debugger CLI |
| UPX | Executable (un)packer - look for a UPX0 section |
| WinDBG | GUI debugger for Windows executables |
| x64dbg | GUI debugger for Windows executables |
| XPEViewer | PE file viewer (headers, libraries, strings, etc.) |
Python
| Repository | Description |
| --- | --- |
| pycdc | Decompile .pyc files into Python source code. |
| pyinstxtractor | Extract .pyc files from PyInstaller compiled executables. |
| PyLingual | Decompile .pyc files into Python source code. |