CyberChef & DFIR

I have a confession to make. I am part of the CyberChef cult. When you join a cult you find yourself saying things like, “Woah! How come I didn’t know about this before?” and “Where have you been all my life!” You also spend a lot of your time proselytising to other, random people about your ‘fantastic’ new life.

However, most cults take your time, soul, and money, and only give you a glass of Kool Aid in return. CyberChef is different; CyberChef delivers. The best part is no matter what role you perform in the DFIR world, CyberChef can help you.

CyberChef is an open source tool maintained by GCHQ. It provides a drag and drop interface via a web browser (Firefox & Chrome) to quickly perform a wide range of data manipulation functions called ‘operations’. A sequence of operations is called a ‘recipe’.

As all the processing is client-side, CyberChef can be downloaded and used offline or in an air-gapped forensic network. CyberChef has operations useful for disk forensics, malware & network analysts, and even OSINT researchers.

Some (of the many) useful operations include:

Analyse Hash

There is a range of hashing functions available in CyberChef, from MD5 and SHA1 to more esoteric options. But one great operation is ‘Analyse Hash’ which examines a provided hash and provides possible functions that created it. One possible use case is exploring databases where developers may obfuscate user data through a hash. While it cannot provide the exact hash due to the lack of overall context, this can give you a lead on what hash function was used.

sha-3-hash-example

Extract & Remove EXIF

There are plenty of tools to extract EXIF data, my go-to option is usually exiftool. However, for simple, one-off operations CyberChef can pull EXIF from a file. OSINT researchers might find this useful as well as DFIR.

cyberchef---exif-data

What’s also useful is the ‘remove EXIF’ operation. This is handy if you quickly want to ensure a photo or document doesn’t have any identifying EXIF data before you send it out.

To & From Base64 (et al.)

Base64 is widespread throughout DFIR. Other types of encoding, such as Base32, have been seen in malware and some P2P applications. CyberChef has Base64/32/58 options which also allow you to enter a custom character set. This is useful for web URL data, malware, or encoding that uses its own variants.

cyberchef---base58

Data Extraction Functions

CyberChef can extract IPs, email addresses, MAC addresses, URLs, domains, file paths, and EXIF data which is great for processing one-off text dumps.

Extracting data from pastebin is a breeze:

pastebin-redacted
pastebin-cyberchef

Forks

One less obvious task is to apply an operation to a ‘list’ or delimited input. CyberChef uses the term ‘fork’, whereby you can add a delimiter for the tool to apply each operation (e.g. line by line). Below we have a list of UNIX timestamps, but only one is being converted.

CyberChef-no-fork

Adding the ‘fork’ operation, fixes up the data output.

cyberchef---fork

Comments

Just like normal code, comments are available to aid sharing a recipe, or simply to remind yourself how you arrived at a certain combination of operations.

cyberchef---comments

Longer Recipes

More powerful use cases are stringing operations together. CyberChef provides a full range of options to create recipes which are essentially small code blocks. So you could unzip, decode Base64, and then extract certain data (e.g. IP addresses). Some great work using CyberChef recipes is explored by Ryan Benson in his Chrome forensics presentation. While the whole presentation is worth watching, his use of CyberChef starts at 11:50.

Google ei dates

Another small example of chaining operations together is converting Google ‘ei’ encoded strings into usable date formats. As a background, Google ei dates are an encoded Base64 string containing various parameters including a Unix timestamp as recorded by Google. An example is below.

google-url-with-ei

It’s already parsed by a number of tools, but if you understand the encoding steps the recipe can be written in CyberChef.

The decoding is as follows:

  1. Convert from URL-safe Base641;
  2. Convert to hexadecimal;
  3. Take the first four hex bytes;
  4. Convert the hex bytes to little endian;
  5. Convert to decimal; and
  6. Convert from UNIX timestamp to a usable format.
cyberchef---ei-dates

These recipes can be saved for re-use in ‘Cyberchef format’ or JSON as follows:

[
  { "op": "Comment",
    "args": ["1. Convert from URL-safe Base64\n2. Convert to hexadecimal\n3. Take first 4 bytes\n4. Switch to Little Endian format\n5. Convert from hexadecimal to decimal\n6. Convert to UNIX timestamp"] },
  { "op": "Fork",
    "args": ["\\n", "\\n", false] },
  { "op": "From Base64",
    "args": ["A-Za-z0-9-_=", true] },
  { "op": "To Hex",
    "args": ["None"] },
  { "op": "Take bytes",
    "args": [0, 8, false] },
  { "op": "Swap endianness",
    "args": ["Hex", 4, true] },
  { "op": "From Base",
    "args": [16] },
  { "op": "From UNIX Timestamp",
    "args": ["Seconds (s)"] }
]

Final Thoughts

This overview barely scratches the surface of CyberChef. Deobfuscating malware scripts, a quick regex, one-off log file analysis, or text normalisation are all possible. If I haven’t converted you to a CyberChef devotee, then don’t trust me! Look here, or here. Like any good cult member, I’ll point out other satisfied customers!

Thanks for reading. If you have any questions, comments or suggestions please let me know at [email protected] or on Twitter at @mattnotmax

Related Links

CyberChef


  1. Google strips the ‘=’ padding from the Base64 in the URL data. As we are only using the first four bytes, it is not necessary to add the padding, although this could be done for completeness by converting back to standard Base64. Of course, CyberChef can show this using the ‘Show Base64 offsets’ operation. Check it out! ↩︎