Tags: forensics 


Shuffle - Forensics
I was provided with a file.

I tried to identify what this file is.

I tried foremost, binwalk and maybe other tools but nothing was of help.

I opened it in Notepad++.

Oh, it looks like a PNG (we can understand from the beginning of the file), but something is broken. The "PNG" text should be one word. After trying to change it manually without success, I opened the file in 010 Editor.

Let's examine the correct hexadecimal sequence for the beginning of a PNG file and identify any discrepancies. The sequence is: 89 50 4E 47 0D 0A 1A 0A 00 00 00 0D 49 48 44 52.

A PNG file should always begin with this hexadecimal sequence. Why? Because a PNG file consists of a signature that allows software to recognize it as a PNG file, as well as chunks that are responsible for various aspects of the file or image. The initial sequence always remains the same. However, in this case, it appears to be shuffled. The bytes are not in the order they should be.

Initially, I attempted to manually correct the sequence, but the image remained corrupted.

I realized I might have to correct the entire hexadecimal sequence. But I can't determine the original sequence unless there's a pattern. Maybe some of the hexadecimal values were swapped with each other. Let's see if there's a clear pattern in the shuffling:

The orange text marks the hex that I manually changed (to fix the file).

It seems that the shuffle goes in this pattern:

Keep the first 2 bytes as they are.

Replace the 3rd byte with the 5th.

Replace the 4th byte with the 6th.

Continue this pattern for the entire file.

I asked ChatGPT to create a script for me that shuffles the bytes using the pattern I provided.

And I got the original file.
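The swap pattern listed above, as an added Python example (not the script from the original writeup). The step list can be read two ways, so the code tries both and keeps the one whose 16-byte header and IHDR CRC verify. The function names and the 1x1 sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_HEAD = bytes.fromhex("89504E470D0A1A0A0000000D49484452")  # sequence quoted in the writeup

def swap_pairs(data: bytes, keep: int = 2, width: int = 2, keep_every_block: bool = True) -> bytes:
    """Swap adjacent `width`-byte groups (self-inverse). A short tail is left untouched."""
    lead = keep if keep_every_block else 0   # untouched bytes at the start of each block
    out = bytearray(data)
    pos = 0 if keep_every_block else keep    # "keep once": skip only the file's first bytes
    while pos + lead + 2 * width <= len(out):
        a = pos + lead
        b = a + width
        out[a:b], out[b:b + width] = out[b:b + width], out[a:b]
        pos += lead + 2 * width
    return bytes(out)

def png_header_ok(data: bytes) -> bool:
    """Signature plus IHDR length/type match and the IHDR chunk CRC verifies."""
    if len(data) < 33 or data[:16] != PNG_HEAD:
        return False
    return zlib.crc32(data[12:29]) == struct.unpack(">I", data[29:33])[0]

def recover(data: bytes):
    """Try both readings of the pattern; return (label, bytes) for the one that validates."""
    for label, every in (("keep 2 in every 6-byte block", True), ("keep 2 once", False)):
        candidate = swap_pairs(data, keep_every_block=every)
        if png_header_ok(candidate):
            return label, candidate
    return None, data

def chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_HEAD[:8] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    original = make_sample_png()
    shuffled = swap_pairs(original)          # shuffle the sample the same way
    print("shuffled header:", shuffled[:16].hex(" "))
    label, fixed = recover(shuffled)
    print("pattern:", label, "| restored:", fixed == original)
```

Fixing only the first six bytes passes neither check, which is why the hand-edited header still produced a corrupted image.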

Original writeup (https://www.thesecuritywind.com/post/metared-ctf-argentina#viewer-7vu9c).