Example: aff-forensic
Inputs
- examples/inputs/aff-forensic-samples/README.md
- examples/inputs/aff-forensic-samples/sample.aff
Profile
# AFF Forensic Image Example Profile
# Demonstrates analysis of AFF (Advanced Forensic Format) forensic disk images
decode = ["base64"]
max-file-size = 104857600 # 100 MiB
tag = "aff-forensic"
# Patterns to match in AFF images and extracted partitions
[[patterns]]
name = "AFF Signature"
pattern = "41:46:46" # "AFF" signature
type = "bytes"
[[patterns]]
name = "AFD Signature"
pattern = "41:46:44" # "AFD" signature
type = "bytes"
[[patterns]]
name = "AWS Access Key"
pattern = "AKIA[0-9A-Z]{16}"
type = "regex"
[[patterns]]
name = "SSH Private Key"
pattern = "-----BEGIN.*PRIVATE KEY-----"
type = "regex"
[[patterns]]
name = "Password in Config"
pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
type = "regex"
[[patterns]]
name = "MBR Boot Signature"
pattern = "55:AA"
type = "bytes"
[[patterns]]
name = "GPT Signature"
pattern = "45:46:49:20:50:41:52:54" # "EFI PART"
type = "bytes"
[[patterns]]
name = "NTFS Signature"
pattern = "4E:54:46:53" # "NTFS"
type = "bytes"
[[patterns]]
name = "Email Address"
pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
type = "regex"
Report outputs
No triage_report.json found in /home/kalabelt/dev/sus/examples/outputs/aff-forensic
CSV outputs
errors.csv
Empty CSV
files.csv
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
|---|---|---|---|---|---|---|---|---|---|---|---|
| /README.md | README.md | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | 2026-01-31T10:59:09.249752466Z | 2026-01-31T10:59:09.249752466Z | 2026-01-31T11:14:23.615342869Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |
| /sample.aff/sample.aff:aff:metadata | sample.aff:aff:metadata | f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.aff | sample.aff | c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496 | 2026-01-31T10:59:09.249752466Z | 2026-01-31T10:59:09.249752466Z | 2026-01-31T11:14:23.615342869Z | [] | 0 | 0 | 0 | 0 | |
pattern_matches.csv
| id | sha256 | pattern_name | match_type | match | location | length |
|---|---|---|---|---|---|---|
| 1 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 2 | 3 |
| 2 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 71 | 3 |
| 3 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 146 | 3 |
| 4 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 158 | 3 |
| 5 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 411 | 3 |
| 6 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFD Signature | bytes | AFD | 419 | 3 |
| 7 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 424 | 3 |
| 8 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 493 | 3 |
| 9 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 529 | 3 |
| 10 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 1258 | 3 |
| 11 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 1274 | 3 |
| 12 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFD Signature | bytes | AFD | 1278 | 3 |
| 13 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 1468 | 3 |
| 14 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 1931 | 3 |
| 15 | 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | AFF Signature | bytes | AFF | 2218 | 3 |
| 16 | f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | AFF Signature | bytes | [65,70,70] | 8 | 3 |
| 17 | f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | AFF Signature | bytes | [65,70,70] | 357 | 3 |
| 18 | f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | AFF Signature | bytes | [65,70,70] | 458 | 3 |
| 19 | f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | AFF Signature | bytes | [65,70,70] | 581 | 3 |
| 20 | c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496 | AFF Signature | bytes | AFF | 0 | 3 |
| 21 | c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496 | Password in Config | regex | password=secret123 | 1:791 | 530 |
| 22 | c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496 | Email Address | regex | test@example.com | 1:519 | 16 |
signature_matches.csv
Empty CSV
unique_files.csv
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
|---|---|---|---|---|---|
| 72dc854e4715b7d86c4ea6ac693d077cac9bf31c576eb1c2017afd596efe7394 | 16a531a3dd2497cd89505b5146114808fac6f50c | 740cc27c160aa0f35ae3bc0eedf6aecc | 2405 | text/plain | 4.89741547802229 |
| f30fe1ec95972579e85a590996123c38368217b8ece820ea1d4da3dbd249f3be | f6591a3387b0c5f6bf3b59103cd62b3b495e59b9 | c5efea5354849c51bb5831f121a14cd0 | 799 | text/plain | 4.88908335822632 |
| c6dcd8213512d1f64ad6cf39d6bbae7770c022051a1ea9e4cbd00cf2c3b63496 | 54bedfb39f8619237717ed61277380b6b7ae1d56 | d7ed0ed6d2c12096d21c303c7270dfde | 1321 | application/octet-stream | 0.310085889129748 |