- examples/inputs/e01-forensic-samples/README.md
- examples/inputs/e01-forensic-samples/sample.E01
# E01 Forensic Image Example Profile
# Demonstrates analysis of E01 (Expert Witness Format / EnCase) forensic disk images
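# Decoders applied to file content in addition to scanning the raw bytes.
decode = ["base64"]
# Size limit in bytes. NOTE(review): real acquisition images and E01 segments
# are routinely far larger than 100 MiB; confirm how over-limit files are
# handled before using this profile on anything but the bundled sample.
max-file-size = 104_857_600 # 100 MiB
tag = "e01-forensic"

# Patterns to match in E01 images and extracted partitions.
#
# The credential patterns below capture the secret itself, so a report that
# records match text holds recovered credentials in cleartext. Store and share
# generated reports with the same controls as the evidence image.

[[patterns]]
name = "E01 Signature"
# "EVF" followed by 09 0D 0A FF 00: the 8-byte EWF segment-file header.
pattern = "45:56:46:09:0D:0A:FF:00"
type = "bytes"

[[patterns]]
name = "AWS Access Key"
# Matches long-term access key IDs only (AKIA prefix). Temporary STS key IDs
# (ASIA prefix) are not covered. The pattern is unanchored, so it also fires
# inside longer runs of upper-case alphanumerics.
pattern = "AKIA[0-9A-Z]{16}"
type = "regex"

[[patterns]]
name = "SSH Private Key"
# Matches any PEM private-key header (RSA, EC, OPENSSH, ENCRYPTED, bare PKCS#8),
# not only SSH keys. The label is limited to 40 upper-case/digit/space
# characters so that a match cannot stretch across unrelated bytes on the same
# "line" of a binary image, which a greedy `.*` allows.
pattern = "-----BEGIN [A-Z0-9 ]{0,40}PRIVATE KEY-----"
type = "regex"

[[patterns]]
name = "Password in Config"
# The value is restricted to 1-128 printable ASCII characters other than
# quotes and space: `!`, `#`-`&`, `(`-`~`. An unbounded `[^'"\s]+` also
# consumes the non-text bytes that follow the value in a binary image, which
# inflates the reported match length and pulls unrelated data into the match.
# The keyword is matched case-sensitively (lower-case "password" only).
pattern = "password\\s*=\\s*['\"]?[!#-&(-~]{1,128}"
type = "regex"

[[patterns]]
name = "MBR Boot Signature"
# Two-byte pattern with no position constraint: 55 AA is only meaningful at
# offset 510 of a boot sector, and it occurs by chance in any large binary.
# NOTE(review): if the tool supports offset-anchored byte patterns, anchor
# this one; otherwise treat hits as low-confidence.
pattern = "55:AA"
type = "bytes"

[[patterns]]
name = "GPT Signature"
# "EFI PART"
pattern = "45:46:49:20:50:41:52:54"
type = "bytes"

[[patterns]]
name = "NTFS Signature"
# "NTFS"
pattern = "4E:54:46:53"
type = "bytes"

[[patterns]]
name = "Email Address"
pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
type = "regex"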
| total_files | 4 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 4 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2026-01-31T11:16:10.476841061+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | Other | 0 | False | /sample.E01 | 5 | 3 | 5 | ["3 suspicious patterns detected"] | Minimal | 10 | 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 |
| 0 | Other | 0 | False | /README.md | 0 | 0 | 0 | [] | Minimal | 0 | 70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a |
| 0 | Other | 0 | False | /sample.E01/sample.E01:e01:metadata | 0 | 0 | 0 | [] | Minimal | 0 | 9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99 |
| 0 | Other | 0 | False | /sample.E01/sample.E01:e01:sections | 0 | 0 | 0 | [] | Minimal | 0 | 859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2 |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /README.md | README.md | 70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a | 2026-01-31T10:59:09.276752167Z | 2026-01-31T10:59:09.276752167Z | 2026-01-31T11:13:54.14750985Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |
| /sample.E01/sample.E01:e01:metadata | sample.E01:e01:metadata | 9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99 | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.E01/sample.E01:e01:sections | sample.E01:e01:sections | 859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2 | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.E01 | sample.E01 | 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 | 2026-01-31T10:59:09.276752167Z | 2026-01-31T10:59:09.276752167Z | 2026-01-31T11:13:54.14750985Z | [] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 | E01 Signature | bytes | EVF � | 0 | 8 |
| 2 | 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 | Password in Config | regex | password=secret123 | 2:869 | 274 |
| 3 | 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 | Email Address | regex | test@example.com | 2:597 | 16 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 70a741fdc8fd57be0dbe105b6d92199126b9440343d201de42a5d65111e3025a | ed81dba87cf0c7d8422c123406673185cddbe505 | 5a9f9a9818d43cec1c6eed7af64328db | 2220 | text/plain | 4.94692176785771 |
| 9a46a57c78f9996e1549d33f1f1a02ea01639b871abab3b6e203b2c73c5dba99 | 8406cb1cd0ef3aa12868db8513ebaea6aa9a884f | 9aa1d45dc0ae3ed7edcf024010bd6334 | 830 | text/plain | 4.95453188643216 |
| 859291139098c14d13d8bce18c2661100e6515bda7d384ca4b03f2ef67b0e2f2 | ce7b2ec567e74c335f98d6d8d490e39e34382144 | 7d74182dbff1c2ef700f49190df3f85f | 294 | text/plain | 4.88598232057513 |
| 16b7e321137f3719320a3d844da38923eae1bc9f2134a10c8c56bc3682985c43 | 996863509a9c64701c8d2a28fe5193c45ab60560 | 484246f9115e0b0f3039c07aacba8c07 | 1147 | application/octet-stream | 0.449226489277724 |