Offline Digital Forensics Tool for Binary Files This tool can be used for (offline) digital forensics and malware analysis as it shows all raw bytes of a file and also the ASCII representations. As you can see from the screenshots, I have used it on a few different file types, TXT, PNG, Compiled C code, and even a packet capture file. It has three columns, one to show the byte count on the far left. Then, in the middle the hexadecimal bytes of the file, and on the right the ASCII representations (if there are any) of the hexadecimal bytes.

Screenshot: ByteForce reading a binary file

For the colored output, you will need a 256-color capable terminal emulator. I am using Gnome-Terminal with Weakerthan Linux 7 BETA in the screenshots.

ByteForce has some features that were unexpectedly added. After reading a few sites about malware, including the MalwareByte's weblog, here http://blog.malwarebytes.org/intelligence/2013/03/obfuscation-malwares-best-friend I decided to implement a few of the ideas shared in the article into the code.

ByteForce will search Binary files for case-insensitive, plain-text HTTP strings.

The XOR brute force attack will try every byte from 0x01 to 0x1f as a XOR key against the byte found in the file. If the result equals the ASCII value of an "H" or "h" I grab the next byte in the file, perform the XOR and look for a "T" ot "t". I continue until I find "[Hh][Tt]{2}[pP]" and if found, I print the bytes until I get a non printable character. The algorithm I wrote will trace steps back into the opened file's bytes accordingly if a non http ASCII value is found.

This will perform a simple ROT13() function that I made on the byte before checking it's value for the "[Hh][tT]{2}[pP]" ASCII values that I searched for in the XOR segment above.

This will perform the brute-force XOR attack after performing the ROT13() function I made on the file's byte before checking it for the "[Hh][tT]{2}[pP]" ASCII values.

ByteForce has the ability to check the document for a valid PDF header and also to search for plain-text case-insensitive executable file names. This does not deflate/inflate data streams. This is a simple string check on the file.

Screenshot: ByteForce showing a potentially dangerous PDF file made using Metasploit

Screenshot: ByteForce reading a PNG file

Screenshot: ByteForce reading a 802.11 WiFi network PCAP file

• ROT13: https://en.wikipedia.org/wiki/ROT13
• MalwareByte's Weblog: https://blog.malwarebytes.com/threat-analysis/2013/03/obfuscation-malwares-best-friend/
• XOR: https://en.wikipedia.org/wiki/Exclusive_or
• Gnome-Terminal: https://en.wikipedia.org/wiki/GNOME_Terminal
• Weakerthan Linux 7 BETA: http://www.weaknetlabs.com/2016/05/weakerthan-linux-7-beta-2-release.html
• ASCII Table: http://www.asciitable.com/
• PDF Headers: http://resources.infosecinstitute.com/pdf-file-format-basic-structure/