How to use the command 'pngcheck' (with examples)
- Linux
- December 25, 2023
The command ‘pngcheck’ is a forensics tool used to validate the integrity of PNG image files. It can also be used to extract embedded images and text from a file. This article will provide examples of different use cases for the ‘pngcheck’ command.
Use case 1: Verify the integrity of an image file
Code:
pngcheck path/to/file.png
Motivation:
Verifying the integrity of an image file is a crucial step in digital forensics. By using the ‘pngcheck’ command, you can ensure that the PNG file is intact and has not been tampered with or corrupted.
Explanation:
In this use case, we simply use the ‘pngcheck’ command followed by the path to the PNG file that needs to be verified. This command will run the integrity check on the file and provide the results.
Example output:
OK: path/to/file.png (9612x4873, 24-bit RGB, non-interlaced, 96.03%).
Use case 2: Check the file with [v]erbose and [c]olorized output
Code:
pngcheck -vc path/to/file.png
Motivation:
When dealing with a large number of image files, it can be helpful to have a more detailed and readable output. Using the ‘-v’ and ‘-c’ options with the ‘pngcheck’ command provides verbose and colorized output, making it easier to identify any potential issues.
Explanation:
In this use case, we add the ‘-v’ option to enable verbose output and the ‘-c’ option to enable colorized output. By combining these options with the ‘pngcheck’ command, we get a more detailed and visually appealing result.
Example output:
Verifying path/to/file.png...
OK: path/to/file.png (9612x4873, 24-bit RGB, non-interlaced, 96.03%).
Use case 3: Display contents of [t]ext chunks and [s]earch for PNGs within a specific file
Code:
pngcheck -ts path/to/file.png
Motivation:
When analyzing image files for forensic purposes, it is important to inspect the text chunks embedded within the PNG file. Additionally, searching for other PNG files within a file can help uncover hidden content or malicious files.
Explanation:
In this use case, we combine the ‘-t’ and ‘-s’ options with the ‘pngcheck’ command to display the contents of text chunks and search for PNGs within the specified file. This allows us to gather more information about the image file and discover any additional hidden content.
Example output:
** File: path/to/file.png
IHDR chunk at offset 0x0000c, length 13: 9612 x 4873 image, 24-bit RGB, non-interlaced
sRGB chunk not found
gAMA chunk not found
pHYs chunk not found
IDAT chunk at offset 0x00021, length 13732 bytes: zlib: deflated, 32768K window size
IEND chunk at offset 0x036ed, length 0
Use case 4: Search for, and e[x]tract embedded PNGs within a specific file
Code:
pngcheck -x path/to/file.png
Motivation:
In some cases, image files may contain hidden or embedded PNG files. Extracting these embedded images can reveal additional information or evidence for forensic analysis.
Explanation:
In this use case, we use the ‘-x’ option with the ‘pngcheck’ command to search for and extract embedded PNGs within the specified file. This option allows us to identify and extract any hidden images for further examination.
Example output:
File: path/to/file.png (9612x4873, 24-bit RGB, non-interlaced, 96.03%).
chunk IHDR at offset 0x0000c, length 13: 9612 x 4873 image, 24-bit RGB, non-interlaced
chunk IDAT at offset 0x00021, length 13732 bytes: zlib: deflated, 32768K window size
chunk IEND at offset 0x036ed, length 0
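As an added example (not part of the original article and not pngcheck's own code), the Python below performs the checks that use cases 1, 3 and 4 rely on: it verifies each chunk's CRC-32, decodes tEXt chunks, and returns any bytes after IEND, which is where an appended second PNG would sit. The sample file is constructed in memory, and all function names are illustrative.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = struct.pack(">I", zlib.crc32(ctype + data))
    return struct.pack(">I", len(data)) + ctype + data + crc

def walk_chunks(blob):
    """Return (chunks, trailing); chunks are (type, offset, data, crc_ok)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"chunk {ctype!r} at {pos:#x} runs past end of file")
        data = blob[pos + 8:end]
        (stored,) = struct.unpack(">I", blob[end:end + 4])
        # Offset of the type field, so IHDR lands at 0x0000c as in pngcheck output.
        chunks.append((ctype.decode("latin-1"), pos + 4, data,
                       stored == zlib.crc32(ctype + data)))
        pos = end + 4
        if ctype == b"IEND":
            break
    return chunks, blob[pos:]

def text_entries(chunks):
    """Decode tEXt chunks into (keyword, text) pairs (Latin-1, NUL-separated)."""
    raw = [data.partition(b"\x00") for ctype, _, data, _ in chunks if ctype == "tEXt"]
    return [(k.decode("latin-1"), v.decode("latin-1")) for k, _, v in raw]

# Constructed sample: 1x1 8-bit grayscale PNG carrying one tEXt chunk.
ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
idat = zlib.compress(b"\x00\x00")  # one filter byte + one pixel
SAMPLE = (PNG_SIG + make_chunk(b"IHDR", ihdr)
          + make_chunk(b"tEXt", b"Comment\x00constructed sample")
          + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))

if __name__ == "__main__":
    chunks, trailing = walk_chunks(SAMPLE)
    for ctype, off, data, ok in chunks:
        print(f"{ctype} at {off:#07x}, length {len(data)}, CRC {'ok' if ok else 'BAD'}")
    print(text_entries(chunks), "trailing bytes:", len(trailing))
```

Because the CRC-32 is unkeyed, a chunk that is edited and given a recomputed CRC passes this check; record a cryptographic hash of the evidence file at acquisition to detect deliberate modification.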
Conclusion:
The ‘pngcheck’ command is a powerful tool for forensic analysis of PNG image files. By verifying integrity, displaying text chunks, searching for hidden PNGs, and extracting embedded images, this command provides valuable information for digital forensics investigations.