Practical Image Forensics Guide


practical image forensics

This weekend I completed some beginner level forensic challenges in a CTF event, where I encountered a lot of steganographic images, spoofed extensions, broken file headers and more menacing challenges, and thus I prepared this article as a compilation of what I had learned.

This article will teach you enough image steganography and forensics to solve at least "beginner" level image forensic challenges in CTFs. This blog isn't concerned with legal forensic practices, and thus data integrity is out of concern. 

The topics which will be covered throughout this article are mentioned in the index of contents below, you can have a glimpse and directly jump to a specific topic if you'd like to.


Metadata Analysis
MIME Type Analysis
Analysing File Headers
Fixing File Headers
File Carving
Adventure Time!!
EndNote and Resources

Metadata Analysis

The very "first" step to solving an image forensic challenge is to view and analyse the metadata and lookout for something that might interest us, or aid the further process. If you do not know, or do not know "well" what metadata is, then this is the simplest explanation you could find —

a set of data that describes and gives information about other data.
#definition from google

To achieve our purpose of metadata analysis, we utilise the exiftool utility on kali. The syntax is to use the exiftool command, followed by the name of the file.

exiftool filename

exiftool tutorial


The next step in our approach is to use the strings command, which helps us to determine the contents of a non-text file. 

strings filename | grep -i "flag"

Using strings command on an ordinary image, or other ordinary non-text files would return output similar to this -

strings tool linux

And a file with embedded raw text would look something like this -

strings tool linux

MIME Analysis

MIME - Short for Multipurpose Internet Mail Extensions, is a standard that defines the nature and format of different files and documents. While doing forensics, you'll often encounter files with spoofed extensions, i.e. the extension of files will be intentionally changed to something other than what you'd normally expect it to be.

To confirm that we're dealing with the correct file type, and the extension is not spoofed, we use the file command on linux. If a file has a spoofed extension, the MIME-type will still remain the same, unless the file headers aren't maliciously forged too.

file filename

file tool linux

File Header Analysis

After we confirm the MIME type, the next move is to verify file signatures and fix them if they're spoofed or changed too. File signatures (headers) or what people refer to as "Magic Numbers" are the initial data blocks of a file, used to identify its format. These magic numbers or headers are the reason how we're able to identify file formats, even if the extensions are changed or spoofed.
For instance, all jpeg files have the same signature, i.e. "FF D8 FF E0".

To view headers of a file, we can use the hexdump tool on kali.

hexdump -C -n 8 filename

NOTE: -n argument is to limit the output to initial 8 bytes.

hexdump tutorial

Fixing File Headers

Now that we've some idea about file signatures, our concern is to fix these headers if they're tampered too. We can look online for valid file signatures of various file formats, and fix the headers of our file. To edit file headers, we can use the hexeditor tool on kali.
hexeditor filename

hexeditor tutorial

This is what the tool looks like, when you open a file with it:

hexeditor tutorial

NOTE: Do not freak out with how it looks, think you're using nano editor, and change the signature with a valid value.


Moving ahead of basic operations, we try to detect if the image is stenographic. For this purpose, we can use multiple tools. The first tool in our pocket is steghide. The tool can also be utilised for detecting steganographic data in images, and extract it, if possible. The tool can be directly installed from apt-repository or GitHub.

steghide extract -sf picture.jpg

steghide tutorial

Lets look at another popular tool, zsteg. Zsteg can detect different steganography techniques on PNG and Bitmap Images. The tool can be installed with ruby gems or from its github repository.

zsteg --all filename

The third and last tool I'll mention in this section is stegsolve. Another great tool to pick up menacing steganography tricks on images. The jar file of the tool can be downloaded from its github repository.

java -jar stegsolve.jar

stegsolve tutorial

NOTE: Discover more, resources are mentioned at the end of the post.

File Carving

File Carving is the base for many classical forensic based CTF challenges. File carving refers to embedding files inside files, and believe me this is the most frustrating job you could think of. If files are embedded multiple times, it gets difficult to keep track of all those extracted files. To put it simply, it creates a colossal heap of trash images, and you may have to repeat all previous steps on each image. This is less likely to be the case, however, you may encounter this once in a while.
To detect embedded data on images (or other files) we can use binwalk and foremost tool on kali.

binwalk filename

binwalk tutorial

To extract embedded files (if any), with binwalk -

binwalk --extract filename

Binwalk is great, but Foremost is even greater, faster, and simple to use. Foremost automatically extract embedded data out of files(if any), and saves the output in the present working directory with the name "output", and creates an audit file too.

foremost filename

foremost tutorial

Adventure Time!!

If you have made this far, congratulations. Now it is time to set off for an adventure! I've prepared three easy challenges for you to attempt and solve. All 3 challenges contain a flag, which you've to submit to me. To submit your flags, you can either send me a message on telegram or twitter
NOTE: Do not submit the flags in comments.

This marks the end of my practical image forensics guide, if you learnt something new and or useful, share it with others and consider leaving a nice comment.  Read the endnotes for some more useful resources, and keep learning, keep exploring.


A big thank you to CyberPJ, for recommending some great tools and sharing his methodology.
  • Use this site to detect basic steganography or file carving techniques on images.

Some more resources to continue learning:
Practice whatever you learnt from this article on picoctf gym.

If you found trouble following along, or want to give feedback on my writings, you can reach out to me on Twitter (might as well follow).

Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment
Our website uses cookies to enhance your experience. Learn More
Accept !