Skip to main content

Automated analysis and suggestion tool for CTF forensics challenges

Project description

Forensics Copilot

A command-line assistant for CTF forensics challenges. To use it, users need to point it at a file or a directory. It will:

  • Identify the real file type (not rely on the extension)
  • Mark extension/MIME mismatches
  • Detect trailing/appended data in PNG, JPEG and ZIP files
  • Recursively extract nested archives (zip/tar/gz/bz2/xz) with a depth limit and handling of password-protected zip
  • scan every file's raw bytes for flags in plain text with two built-in flag format flag{...} / CTF{...}. Users could also use custom flag formats
  • Generate a prioritized list of next-step suggestions with the tools that users can use by themselves
  • Optionally run those tools for you, one at a time, with yes/no per suggestion

It does not auto-solve challenges, but it lets users skip some boring and repetitive steps.


Install

Requires Python 3.9+.

pip install -e

This installs the 'forensics-copilot' command.

System Dependencies

The core analysis (file identification, anomaly detection, archive extraction, flag scanning) is pure Python and has no system dependencies beyond "python-magic" (installed automatically) which itself depends on "libmagic." To install:

# Debian/Ubuntu
apt install libmagic1
# macOS
brew install libmagic

The --interactive flag can additionally run a small set of external tools (see Tools used by --interactive below). None of them are required just to get a report. They're only needed if you want to execute the suggestions Forensics Copilot generates.


Quick Start

forsensic-copilot path/to/challenge_file

This prints a report: every file found (including everything recursively extracted from nested archives), any anomalies detected and a prioritized suggestion list.

forensics-copilot path/to/challenge_folder/

Works the same way on a directory. Every file inside is analyzed.


CLI Parameters

Parameters Description
--json OUT_FILE Save the full report (including any results from --interactive) as JSON to OUT_FILE.
--flag-pattern [NAME=]REGEX Add a custom flag-format regex, in addition to the built-in flag{} / ctf{} patterns. Matched against raw bytes, case-insensitive. Repeatable pass it multiple times for multiple custom formats. The NAME= prefix is optional and only affects how the match is labeled in the report.
--interactive After the report, ask once per suggestion whether to run its tool (y/n/q). Nothing executes without explicit per-suggestion confirmation. There's no "run everything" mode.

Custom Flag Formats

Different CTFs use different flag formats. If your challenge uses something other than 'flag{...}' or 'ctf{...}', add it with the parameter:

forensics-copilot challenge.zip --flag-pattern 'myctf=MYCTF\{[^}]{1,300}\}'

You can repeat '--flag-pattern' for multiple formats. If you skip the 'NAME=' prefix, it will be auto-labeled 'custom1', 'custom2'.


Tools Used By '--interactive'

Tool Used for Install (Debian/Ubuntu) Install (macOS)
file Confirming actual file type when the extension looks wrong apt install file brew install file
strings Pulling readable text out of binary files apt install binutils brew install binutils
exiftool Reading image/file metadata apt install libimage-exiftool-perl brew install exiftool
xxd Raw hex dump — checking magic bytes / header structure apt install xxd ships by default
zipinfo Listing a ZIP's contents without extracting it apt install unzip brew install unzip
pngcheck Validating PNG structure chunk-by-chunk apt install pngcheck brew install pngcheck
ent Byte-level entropy — spotting likely encrypted/compressed/hidden data apt install ent brew install ent

Limitations

  • Only a first batch of read-only tools is wired up for execution (see table above) — more will be added incrementally.
  • No automated decision loop (e.g. "this didn't find anything, try the next tool automatically") — every execution is a deliberate, individual choice, by design for now.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

forensics_copilot-0.1.0.tar.gz (21.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

forensics_copilot-0.1.0-py3-none-any.whl (18.5 kB view details)

Uploaded Python 3

File details

Details for the file forensics_copilot-0.1.0.tar.gz.

File metadata

  • Download URL: forensics_copilot-0.1.0.tar.gz
  • Upload date:
  • Size: 21.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.6

File hashes

Hashes for forensics_copilot-0.1.0.tar.gz
Algorithm Hash digest
SHA256 8be5261aeb84f192cc0d3da82a66d037a1ef7172bc7829ba0dff9a11cb610cba
MD5 edb5df5a131128b4d76519b928ecd012
BLAKE2b-256 20cc64c7aaeece52575e81503eb06a9b553a3de6efe40b8909438466718bd5e8

See more details on using hashes here.

File details

Details for the file forensics_copilot-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for forensics_copilot-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 cbfc984c18ce72e4ad4872cd4d331517e5a0f3506f980fa4d99c46ba96eb7b0e
MD5 d89ce5de41a776b3976472614c7eb09e
BLAKE2b-256 775c87f606d3eaae8693d2dac6a07a971cdfd8a68e0874638e58e1d5ebd75556

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page