CyberChef: Your Ultimate Data Transformation and Manipulation Swiss-Army Knife

CyberChef is the best tool for changing and manipulating data. This browser-based “Swiss-Army Knife” was made by GCHQ to make difficult data jobs easier. This piece talks about its features and benefits, whether you work in cybersecurity, digital forensics, or just with data every day.

CyberChef is the self-purported ‘Cyber Swiss-Army Knife’ created by GCHQ. It’s a fantastic tool for data transformation, extraction & manipulation in your web-browser.

Full credit to @GCHQ for producing the tool. See

General Tips

• Download CyberChef and run it entirely client-side. It doesn’t need an internet connection except for certain operations. That way all your data is safe.
• Don’t try and shoe-horn CyberChef into something that it can’t do. It can do a lot but it’s not a fully fledged programming language!

Useful Regular Expressions

Mastering regular expressions are key to making the most of data manipulation in CyberChef (or any DFIR work). Below are some regexs that I keep coming back to.

Extracting Encoded Data

• Extract Base64: [a-zA-Z0-9+/=]{30,}
  • Here ’30’ is an arbitrary number that can be adjusted according to the script.

Extract Hexadecimal: [a-fA-F0-9]{10,}

• This could also be adjusted to {32} (MD5), {40} (SHA1), {64}, SHA256 to extract various hashes

Extract Character Codes: [\d]{2,3}(,|’)

• In this example it would extract character codes in the format (’30, 40, 50, 60′)

Lookaheads & Lookbehinds

• Positive Lookbehind: (?<=foo)(.*)
  • Extract everything after ‘foo’ without including ‘foo’
• Positive Lookahead: ^.*(?=bar)
  • Extract everything before ‘bar’ without including ‘bar’
• Lookahead/behind Combo: (?<=')(.*?)(?=')
  • Extract everything between ‘ and ‘

Working with APIs and CyberChef

CyberChef provides an operation HTTP Request (see Recipe 22) which allows HTTP requests to external resources. Due to Same Origin Policy (SOP) or lack of Cross-Origin Resource Sharing configuration many do not work. SOP is a security measure in modern browsers which prevents you from reading cross-site responses from servers which don’t explicitly allow it via CORS. Check out @GlassSec’s talk on CyberChef which includes tips to boot Chrome without web-security to enable HTTP requests to otherwise restricted APIs (like Virus Total)

For more Click Here