Walk the line, Byte by Byte Analysis
Project description
fbi
Strings can be one of the quickest ways to analyze unknown binaries and memory images, even with corrupted acquisitions for low-hanging fruit.
FBI - Walk the line, Byte by Byte Analysis
options:
-h, --help show this help message and exit
-b BLOCKS, --blocks BLOCKS
Input Filename
-d, --download Download Bloom Filter
-o OUTPUT, --output OUTPUT
Output Directory
-u, --updated Bloom Filter Last Updated
-v, --version show program's version number and exit
CHALLENGES
The first challenge is data encoding, as several applications only display ASCII characters with the potential for Unicode and UTF-8 to exist.
The second hurdle is that memory does not have the traditional data structures you would find during regular disk forensics with file systems (sectors) and operating systems (clusters).
Finally is the exponentially growing volume of data requiring analysis.
SOLUTIONS
Python can natively handle UTF-8 decoding with Unicode exception handling.
Data structures get trickier since the input file has to be walked byte by byte, which can be resource-intensive, requiring threading to help performance.
The program hashing that much data required using the BLAKE3 cryptographic hash function, adding a Rust programming language dependency to speed things up.
https://github.com/BLAKE3-team/BLAKE3
DATASET
Blocks of 512 bytes that match sectors found on the filesystem identify matches. Like MD5 and SHA256, BLAKE3 has a hash value for empty files that trims whitespace to a single character in the extracted output.
AF1349B9F5F9A1A6A0404DEA36DCC9499BCB25C9ADC112B7CC9A93CAE41F3262
GetBlocks generates the dataset with the block (sector) hashes only available in BLAKE3 format.
https://github.com/4n6ir/getblocks
A pipeline runs every hour to determine if AWS has released any new verified Amazon Machine Image (AMI) to harvest artifacts with the current coverage available.
https://static.matchmeta.info/amazonami.json
DISTRIBUTION
A download option in the command line interface (CLI) stores the bloom filter in the user's home directory.
fbi -d
Please use this link to download the bloom filter for offline analysis.
https://static.fileblock.info/fbi.bloom
You will be able to verify the integrity of the bloom filter by using the provided SHA256 hash value.
https://static.fileblock.info/fbi.sha256
It is available for download if you're interested in the raw data.
https://b3.lukach.io/amzn/sector
API keys are available using the self-registration process.
LAST UPDATED
Check when the bloom filter was last updated using the command line interface (CLI).
fbi -u
Or by hitting the provided website for the last updated timestamp.
https://static.fileblock.info/fbi.updated
ANALYSIS
The analyzed file allows both the absolute and relative location.
fbi -b /usr/bin/df
or
fbi -b df
OUTPUT
Output writes to the current working with fbi- appended to the front of the analyzed filename or a specified directory.
fbi -b /usr/bin/df -o /tmp
REQUIREMENTS
curl https://sh.rustup.rs -sSf | sh -s -- -y
source "$HOME/.cargo/env"
INSTALLATION
pip install fileblocks
DEVELOPMENT
python setup.py install --user
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file fileblocks-2023.5.30.tar.gz
.
File metadata
- Download URL: fileblocks-2023.5.30.tar.gz
- Upload date:
- Size: 8.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 355bb02750e8f8c520f2b0c926b2ef7b117519a99df827e64f3f753687c654d0 |
|
MD5 | 993ea475b248bde203b5e41cf2d05238 |
|
BLAKE2b-256 | 2d2364bdf543e8b92c3b15cfd934cd7c7748d1685a169e04295a225a93d6a986 |
File details
Details for the file fileblocks-2023.5.30-py3-none-any.whl
.
File metadata
- Download URL: fileblocks-2023.5.30-py3-none-any.whl
- Upload date:
- Size: 9.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.16
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 888f33c446fe0687ddabec773f2d5d278b89abbc4966f0f4754188bcfec9bbec |
|
MD5 | 259b215936a4d3c11ded4c00b08c4724 |
|
BLAKE2b-256 | 27c2f9c920a102beaef328bda925cfb269280d1cb106a213f854d6cbba00aebc |