ImHex-Patterns/patterns/DFIR/DFIR_README.md at master

mirror of https://github.com/WerWolv/ImHex-Patterns.git synced 2026-03-27 23:37:04 -05:00

Files

F01TECH 28a297582b patterns: Added DFIR Patterns (#442 )

* Added /DFIR/ with patterns

Added /DFIR/ sub-directory.
Contains modified versions of built-in patterns for semi-automated Disk/Volume/Filesystem parsing geared towards Digital Forensics.
Originals in /fs/ should remain in tact for spot placement.

* DFIR_README.md

* DFIR_README.md

* DFIR_README.md

* DISK_PARSER.hexpat

* DISK_PARSER.hexpat

* FAT32.hexpat

* exFAT.hexpat

* README.md

Added DFIR related hexpats to table.

* README.md

---------

Co-authored-by: Xtreme-Liberty <59177844+Xtreme-Liberty@users.noreply.github.com>

2025-12-05 21:18:56 +01:00

4.1 KiB

Raw Permalink Blame History

ImHex Pattern Files - Digital Forensics:

ImHex-DFIR-Patterns

Enhanced features of the stock Disk/Filesystem pattern files for forensic review of disk content.

Use:

Open a physical disk via Raw Provider (read-only)
- EXAMPLE: /dev/disk6
Import Pattern File
- EXAMPLE: DISK_PARSER.hexpat
Pattern_Selection (screenshot)
DISK_PARSER.hexpat
- Recognize MBR/GPT Disks and parse MPT/GPT
  - Including Logical Volumes in an Extended Partition (container)
- Auto load file system patterns for FAT32, exFAT, NTFS formatted volumes
- Optional Disk Report
DISK > MBR/GPT (screenshot)
DISK > MBR > MPT > 3 Primaries | 2 Logicals in an Extended (screenshot)
FAT32.hexpat
- Auto loaded by DISK_PARSER.hexpat
- Parse VBR, FAT1, FAT2, Root Dir, and 1 level of SubDirs
- FAT1/FAT2 Cluster chaining with SFN resolution
- LFN/SFN Alias grouping in Root Dir
- Recognize deleted entries (xE5)
- File Content pointer
- D/T Conversions
- Optional FAT32 Volume Report
VOLUME > FAT32 > FAT1 (screenshot)
VOLUME > FAT32 > Root Dir (screenshot)
VOLUME > FAT32 > Data Pointer (screenshot)
exFAT.hexpat
- Auto loaded by DISK_PARSER.hexpat
- Parse VBR/Boot Sector/Extended Sectors, FAT1, Root Dir
- Recognize active directory entries (x85, xC0, xC1)
- Recognize inactive directory entries (x05, x40, x41)
- xC0/x40 File Content pointer
- D/T Conversions
- Optional exFAT Volume Report
VOLUME > exFAT (screenshot)
VOLUME > exFAT > Root Dir > xC0 (screenshot)
VOLUME > exFAT > Data Pointer (screenshot)
NTFS.hexpat
- Auto loaded by DISK_PARSER.hexpat
- Parse VBR (Boot Sector), $MFT, Root Dir, and Indexes
- Recursively parse the $Metadata files, $Attributes, and user files/dirs
  - Added file record | parent [MFT#] [SEQ#] indicators
- Parse x80/xB0 Data Runs
- File Content pointer
- D/T Conversions
- Optional NTFS Volume Report
VOLUME > NTFS > $MFT > D/T Conversion (screenshot)
VOLUME > NTFS > $MFT > x80 Run List (screenshot)
VOLUME > NTFS > Data Pointer (screenshot)
Optional Reports
- Simply copy the console output to a file...
- To enable/disable the reports:
  - Open each DFIR related .hexpat
  - Find the report constant (near the top)
    - "true" = enabled
    - "false" = disabled

Example Report: GPT > FAT32|exFAT

exFAT_Report

Example Report: MBR > 5 Logical Volumes (2 in an Extended) > All FAT32 Volumes

MBR_5_VOLs

4.1 KiB Raw Permalink Blame History

4.1 KiB

Raw Permalink Blame History