examples/inputs/disk-image-samples/README.md
examples/inputs/disk-image-samples/create_disk_image.sh
examples/inputs/disk-image-samples/sample.dd
# Disk Image Example Profile
# Demonstrates analysis of raw disk images (dd output) with MBR/GPT partition extraction
#
# Reading guide: the top-level keys set scan options; each [[patterns]] table
# adds one named matcher of type "regex" (text) or "bytes" (colon-separated hex).
# The matched text of the secret patterns is the secret itself, so any report
# generated from this profile should be handled as sensitive data.

# NOTE(review): presumably base64-encoded content is decoded and scanned as
# well -- confirm against the tool's documentation.
decode = ["base64"]
# Size limit in bytes (100 * 1024 * 1024).
# NOTE(review): confirm whether files above the limit are skipped or truncated;
# either way a larger image would not be fully scanned.
max-file-size = 104857600 # 100 MiB
tag = "disk-image"
# Patterns to match in files within partitions

# AWS access key ID: the literal prefix AKIA followed by 16 characters from
# [0-9A-Z]. Only the AKIA prefix (long-term IAM user keys) is covered; temporary
# STS key IDs begin with ASIA and will not match. The pattern has no boundary
# anchors, so it can also match inside a longer uppercase/digit run.
[[patterns]]
name = "AWS Access Key"
pattern = "AKIA[0-9A-Z]{16}"
type = "regex"
# PEM private-key header. Despite the name, this matches any header of the form
# "-----BEGIN ... PRIVATE KEY-----" (RSA, EC, OPENSSH, PKCS#8, encrypted keys),
# not only SSH keys. Only the header is matched, not the key body.
[[patterns]]
name = "SSH Private Key"
pattern = "-----BEGIN.*PRIVATE KEY-----"
type = "regex"
# Assignment of the form password = value, with an optional opening quote; the
# value runs up to the next quote or whitespace, so a closing quote is never
# part of the match. As written the key must be the lowercase word "password"
# followed by "="; variants such as "passwd", "pwd", or a ":" separator are not
# covered. NOTE(review): case sensitivity depends on the engine's default flags
# -- confirm.
[[patterns]]
name = "Password in Config"
pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
type = "regex"
# Structural signatures (type = "bytes"). None of these patterns carries an
# offset. NOTE(review): presumably they match anywhere in the content -- confirm.
# If so, the two-byte values (55:AA and 53:EF) will occur by chance in arbitrary
# binary data; treat a hit as meaningful only when its reported location is the
# expected one.

# MBR boot signature: expected at bytes 510-511 of the first sector.
[[patterns]]
name = "MBR Boot Signature"
pattern = "55:AA"
type = "bytes"
# GPT header signature: expected at the start of the GPT header (LBA 1).
[[patterns]]
name = "GPT Signature"
pattern = "45:46:49:20:50:41:52:54" # "EFI PART"
type = "bytes"
# NTFS OEM ID: expected at offset 3 of the volume boot sector.
[[patterns]]
name = "NTFS Signature"
pattern = "4E:54:46:53" # "NTFS"
type = "bytes"
# ext2/3/4 magic 0xEF53, stored little-endian: expected at byte offset 1080
# from the start of the filesystem (0x38 into the superblock at offset 1024).
[[patterns]]
name = "ext2/3/4 Signature"
pattern = "53:EF" # ext superblock magic
type = "bytes"
total_files 10
critical_count 0
high_count 0
medium_count 0
low_count 1
minimal_count 9
must_investigate_count 0
all_scores None
generated_at 2026-01-31T02:10:31.308029892+00:00
characteristics_score file_type file_type_score must_investigate path pattern_count_score pattern_matches pattern_severity_score reasons risk_level score sha256
0 Script 20 False /create_disk_image.sh 5 4 6 ["4 suspicious patterns detected"] Low 31 dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac
0 Configuration 10 False config.ini/config.ini 5 1 0 ["1 suspicious patterns detected"] Minimal 15 5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb
0 Other 0 False /sample.dd/sample.dd:mbr:partition2:data/sample.dd:mbr:partition2:data.0 5 4 6 ["4 suspicious patterns detected"] Minimal 11 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd
0 Other 0 False credentials.txt/credentials.txt 5 2 3 ["2 suspicious patterns detected"] Minimal 8 98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8
0 Other 0 False id_rsa/id_rsa 5 1 0 ["1 suspicious patterns detected"] Minimal 5 a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf
0 Other 0 False /sample.dd 5 1 0 ["1 suspicious patterns detected"] Minimal 5 e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e
0 Other 0 False /README.md 0 0 0 [] Minimal 0 a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7
0 Other 0 False /sample.dd/sample.dd:mbr:summary 0 0 0 [] Minimal 0 f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f
0 Other 0 False /sample.dd/sample.dd:mbr:partition2:info 0 0 0 [] Minimal 0 5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc
0 Other 0 False /sample.dd/sample.dd:mbr:partition2:data 0 0 0 [] Minimal 0 64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71
Empty CSV
path file_name sha256 file_created file_modified file_accessed mime_types_from_file_extension is_symbolic_link is_extracted_file is_decoded_file is_deobfuscated_file tag
/README.md README.md a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7 2026-01-31T01:53:56.77281481Z 2026-01-31T01:53:56.77281481Z 2026-01-31T01:54:14.280871854Z ["application/x-genesis-rom"] 0 0 0 0
/create_disk_image.sh create_disk_image.sh dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac 2026-01-31T01:53:56.77281481Z 2026-01-31T01:53:56.77281481Z 2026-01-31T01:54:14.280871854Z ["text/x-shellscript"] 0 0 0 0
/sample.dd/sample.dd:mbr:summary sample.dd:mbr:summary f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f [] 0 1 0 0
/sample.dd/sample.dd:mbr:partition2:info sample.dd:mbr:partition2:info 5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc [] 0 1 0 0
config.ini/config.ini config.ini 5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb 2026-01-31T01:38:09Z [] 0 1 0 0
credentials.txt/credentials.txt credentials.txt 98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8 2026-01-31T01:38:09Z ["text/plain"] 0 1 0 0
id_rsa/id_rsa id_rsa a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf 2026-01-31T01:38:09Z [] 0 1 0 0
/sample.dd/sample.dd:mbr:partition2:data/sample.dd:mbr:partition2:data.0 sample.dd:mbr:partition2:data.0 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd [] 0 1 0 0
/sample.dd/sample.dd:mbr:partition2:data sample.dd:mbr:partition2:data 64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71 [] 0 1 0 0
/sample.dd sample.dd e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e 2026-01-31T01:53:56.77281481Z 2026-01-31T01:53:56.803814538Z 2026-01-31T01:54:14.280871854Z [] 0 0 0 0
id sha256 pattern_name match_type match location length
1 dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac AWS Access Key regex AKIAIOSFODNN7EXAMPLE 36:18 20
2 dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac SSH Private Key regex -----BEGIN RSA PRIVATE KEY----- 55:0 31
3 dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac Password in Config regex password=SuperSecret123! 38:9 24
4 dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac Password in Config regex password="mysecretpassword 47:0 26
5 5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb Password in Config regex password="mysecretpassword 5:0 26
6 98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8 AWS Access Key regex AKIAIOSFODNN7EXAMPLE 2:18 20
7 98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8 Password in Config regex password=SuperSecret123! 4:9 24
8 a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf SSH Private Key regex -----BEGIN RSA PRIVATE KEY----- 1:0 31
9 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd AWS Access Key regex AKIAIOSFODNN7EXAMPLE 11:18 20
10 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd SSH Private Key regex -----BEGIN RSA PRIVATE KEY----- 15:834 31
11 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd Password in Config regex password="mysecretpassword 5:0 26
12 ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd Password in Config regex password=SuperSecret123! 13:9 24
13 e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e MBR Boot Signature bytes 55:AA 510 2
Empty CSV
sha256 sha1 md5 file_size mime_type_for_content shannon_entropy
a408d059c3306caa127148c8d5cd00d8fe371cf4938ee9da0ad26efe4414f0a7 546a1f2bdc4615acee5403743be2a69f59f32846 82bea8bcdc0202f9bad3c7e29c0ecb8d 1709 text/plain 5.1017954354414
dfb12f805afad4c89f13823ea45b035144ae6437065b3a26aa03ec1f2c3e81ac 7bab9570f251694ae7a4525576bd109803c89f83 714617c420a02932157efc597515c2b7 2208 text/x-shellscript 5.43331673755846
f34394fe8799a6775273da2098478c1144dc81ab3ce17b5a9fe20e15655d5e6f 4b3e650481da84189946ece639d7aa6433f0a5a9 4f4f5d86fd767001e821b6aca0137507 116 text/plain 4.83498904503428
5abab32bc9baaa47add4ed8d0ffc7d37a9857bad28a7f4f438938df0c2a112dc 28a24e597919e17ca9fb3dbfe3cf47de1a661805 018662367a81e2773e9f572ae53e1b8f 114 text/plain 4.89533483952472
5d74438e06c88aefcc1acfd904c8b8e2df7db0b5079abb81f7c75abcdae3ceeb 6bd25abe90d4fe10f97e003bca965a5ccd7b0ecb 05e5fc7db0897511e3e67e57da9f9ea1 169 text/plain 5.04359459472203
98a7404a87384e9540beff68d83ff409a3169815538261ce8fb99527d65967b8 29916fc6e0b432ea2dd85dbb09ab486cd92bb1ef da3665dd2c7e870b74629a16a16f48d1 190 text/plain 5.47492289005644
a2a41ee356aacffeaeb40ef1cb66b46d95fe67324fbc2a77689aa7714c6733bf 80ef309bd6be9fdd50190c86ddccf6c6c3505f21 e5954e2dbd2a059e1c29f11af26c4c5e 184 application/x-pem-file 5.10836688223618
ba349d90730da40536076a47e076ee1803d22888d5189cefe9b1e0d32bab19dd 99c165aa33959d7b6744313440b3fcad7e1c08e2 224eac52786ec37e439b37ad162a3561 10240 application/x-tar 0.81729236591822
64f529d25fcca3ff3ca1ffe90bd078776a002727e46d34108f0e5ba0632f9f71 ca76dd8fa56634d936ff1cad2e412a03405357a1 6d860e860a5a967a45ae86ef3ffb3e1b 9437184 application/gzip 0.00133887163440445
e53052c8f329c474658ac808b9179ceb4b5da0cb25e5eb34284ecd353ea0801e c5cff3d3fd98864413d4523da146ce4db2d9de83 707e4b6d17fdc383bcaed159676b8fb7 10485760 application/octet-stream 0.00124267704003298