mirror of
https://github.com/WerWolv/ImHex-Patterns.git
synced 2026-03-28 07:47:02 -05:00
* Added /DFIR/ with patterns Added /DFIR/ sub-directory. Contains modified versions of built-in patterns for semi-automated Disk/Volume/Filesystem parsing geared towards Digital Forensics. Originals in /fs/ should remain intact for spot placement. * DFIR_README.md * DFIR_README.md * DFIR_README.md * DISK_PARSER.hexpat * DISK_PARSER.hexpat * FAT32.hexpat * exFAT.hexpat * README.md Added DFIR related hexpats to table. * README.md --------- Co-authored-by: Xtreme-Liberty <59177844+Xtreme-Liberty@users.noreply.github.com>
82 lines
4.1 KiB
Markdown
# ImHex Pattern Files - Digital Forensics:

- [ImHex-DFIR-Patterns](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns)
  Enhanced features of the stock Disk/Filesystem pattern files for forensic review of disk content.
- [ImHex](https://github.com/WerWolv/ImHex)
- [ImHex Patterns](https://github.com/WerWolv/ImHex-Patterns)

## Use:

- Open a physical disk via Raw Provider (read-only)
  - EXAMPLE: /dev/disk6
- Import Pattern File
  - EXAMPLE: DISK_PARSER.hexpat
  - [Pattern_Selection (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/2-DISK_PARSER-Pattern.png)

- DISK_PARSER.hexpat
  - Recognize MBR/GPT Disks and parse MPT/GPT
    - Including Logical Volumes in an Extended Partition (container)
  - Auto load file system patterns for FAT32, exFAT, NTFS formatted volumes
  - Optional Disk Report
  - [DISK > MBR/GPT (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/3-DISK-HYBRID.png)
  - [DISK > MBR > MPT > 3 Primaries | 2 Logicals in an Extended (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/3a-DISK-MBR.png)

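The partition-table walk that DISK_PARSER.hexpat's feature list describes (primaries, the EBR chain inside an extended container, and the GPT protective entry), written here in Python as an added example; it is not code from this README or from the pattern files. The `Entry` names, the 64-sector image and the loop guard against a self-referencing EBR chain are this example's own constructions, and the disk image is built inline rather than read from a device.

```python
import struct
from collections import namedtuple

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F, 0x85}  # extended-container partition type codes
GPT_PROTECTIVE = 0xEE                # a GPT disk shows a protective entry in its MBR
Entry = namedtuple("Entry", "boot type start size")  # start/size in LBA sectors

def parse_table(sector):
    """Four 16-byte slots at 0x1BE: status, CHS(3), type, CHS(3), LBA start, size."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    return [Entry(*struct.unpack_from("<B3xB3xII", sector, 0x1BE + 16 * i)) for i in range(4)]

def walk_extended(img, ext_start):
    """EBR chain: slot 0 = logical volume (relative to this EBR), slot 1 = next EBR (relative to the container)."""
    found, ebr_lba, seen = [], ext_start, set()
    while ebr_lba not in seen and (ebr_lba + 1) * SECTOR <= len(img):
        seen.add(ebr_lba)  # damaged images can loop the chain; never revisit an EBR
        vol, nxt = parse_table(img[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR])[:2]
        if vol.type:
            found.append(("logical", vol.type, ebr_lba + vol.start, vol.size))
        if nxt.type not in EXTENDED_TYPES:
            break
        ebr_lba = ext_start + nxt.start
    return found

def parse_disk(img):
    """Return (scheme, volumes); each volume is (kind, type, start_lba, size_sectors)."""
    volumes = []
    for e in parse_table(img[:SECTOR]):
        if e.type == GPT_PROTECTIVE:  # the real layout lives in the GPT header at LBA 1
            return "GPT", [("protective", e.type, e.start, e.size)]
        if e.type in EXTENDED_TYPES:
            volumes += walk_extended(img, e.start)
        elif e.type:
            volumes.append(("primary", e.type, e.start, e.size))
    return "MBR", volumes

def table_bytes(*entries):  # boot sector from (type, start, size) tuples; for the constructed image only
    sector = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, 0x1BE + 16 * i, 0, ptype, start, size)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

def sample_image():
    """Constructed 64-sector image: one primary FAT32 (0x0C) and an extended container with two logicals."""
    img = bytearray(SECTOR * 64)
    img[0:SECTOR] = table_bytes((0x0C, 2, 10), (0x05, 20, 40))
    img[20 * SECTOR:21 * SECTOR] = table_bytes((0x0C, 1, 9), (0x05, 10, 10))  # EBR 1 -> EBR 2 at 30
    img[30 * SECTOR:31 * SECTOR] = table_bytes((0x0B, 1, 9))                   # EBR 2, chain ends
    return bytes(img)
```

`parse_disk(sample_image())` yields the primary at LBA 2 and the two logicals at LBA 21 and 31, the same absolute offsets the DISK > MBR > MPT screenshot shows for logicals resolved through their EBRs.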
- FAT32.hexpat
  - Auto loaded by DISK_PARSER.hexpat
  - Parse VBR, FAT1, FAT2, Root Dir, and 1 level of SubDirs
    - FAT1/FAT2 Cluster chaining with SFN resolution
    - LFN/SFN Alias grouping in Root Dir
    - Recognize deleted entries (xE5)
  - File Content pointer
  - D/T Conversions
  - Optional FAT32 Volume Report
  - [VOLUME > FAT32 > FAT1 (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/4-FAT32-1_SMALL_TXT.png)
  - [VOLUME > FAT32 > Root Dir (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/5-FAT32_ROOT_DIR.png)
  - [VOLUME > FAT32 > Data Pointer (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/6-FAT32_SFN_POINTER.png)

- exFAT.hexpat
  - Auto loaded by DISK_PARSER.hexpat
  - Parse VBR/Boot Sector/Extended Sectors, FAT1, Root Dir
    - Recognize active directory entries (x85, xC0, xC1)
    - Recognize inactive directory entries (x05, x40, x41)
  - xC0/x40 File Content pointer
  - D/T Conversions
  - Optional exFAT Volume Report
  - [VOLUME > exFAT (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/7-exFAT-1.png)
  - [VOLUME > exFAT > Root Dir > xC0 (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/8-exFAT_xC0.png)
  - [VOLUME > exFAT > Data Pointer (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/9-exFAT-Data_Pointer.png)

- NTFS.hexpat
  - Auto loaded by DISK_PARSER.hexpat
  - Parse VBR (Boot Sector), $MFT, Root Dir, and Indexes
    - Recursively parse the $Metadata files, $Attributes, and user files/dirs
    - Added file record | parent [MFT#] [SEQ#] indicators
    - Parse x80/xB0 Data Runs
  - File Content pointer
  - D/T Conversions
  - Optional NTFS Volume Report
  - [VOLUME > NTFS > $MFT > D/T Conversion (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/10-NTFS-DT.png)
  - [VOLUME > NTFS > $MFT > x80 Run List (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/11-NTFS-DATA_RUN.png)
  - [VOLUME > NTFS > Data Pointer (screenshot)](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/screenshots/12-NTFS-DATA_POINTER.png)

- Optional Reports
  - Simply copy the console output to a file...
- To enable/disable the reports:
  - Open each DFIR related .hexpat
  - Find the report constant (near the top)
    - "true" = enabled
    - "false" = disabled

## Example Report: GPT > FAT32|exFAT

- [exFAT_Report](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/reports/exFAT_Report.txt)

## Example Report: MBR > 5 Logical Volumes (2 in an Extended) > All FAT32 Volumes

- [MBR_5_VOLs](https://github.com/Xtreme-Liberty/ImHex-DFIR-Patterns/blob/main/reports/MBR_5_VOLs.txt)