- examples/inputs/vhd-forensic-samples/README.md
- examples/inputs/vhd-forensic-samples/sample.vhd
# VHD Forensic Image Example Profile
# Demonstrates analysis of VHD (Virtual Hard Disk) forensic disk images.
#
# Handling note: the sample match report for this profile records matched text
# verbatim, including the access key ID and the password value, so generated
# reports need the same handling as the evidence image itself.
# NOTE(review): in the sample results the image with access-key, private-key
# and password hits is rated "Minimal" with must_investigate False; review the
# pattern matches directly rather than relying on the risk level alone.
#
# NOTE(review): presumably decodes base64 content before matching; confirm
# against the tool's documentation.
decode = ["base64"]
# Size limit in bytes (100 * 1024 * 1024). What happens to larger files is not
# shown in the sample output; the sample image is 1049088 bytes.
max-file-size = 104857600 # 100 MiB
# NOTE(review): the file table in the sample output shows an empty tag column;
# confirm where this value is surfaced.
tag = "vhd-forensic"
# Patterns to match in VHD images and extracted partitions
[[patterns]]
name = "VHD Signature"
# ASCII "conectix", the cookie that opens the VHD footer. The bytes are matched
# wherever they occur: in the sample results the README, which mentions the
# string, hits twice, while the image hits at offset 1048576, i.e. 512 bytes
# before the end of the 1049088-byte file. A hit alone does not establish that
# a file is a VHD.
pattern = "63:6F:6E:65:63:74:69:78" # "conectix" at footer
type = "bytes"
[[patterns]]
name = "AWS Access Key"
# Long-term access key IDs: "AKIA" followed by 16 upper-case letters or digits.
# Temporary (STS) key IDs begin with "ASIA" and are not covered. The pattern has
# no word boundaries, so a longer upper-case token containing this shape also hits.
pattern = "AKIA[0-9A-Z]{16}"
type = "regex"
[[patterns]]
name = "AWS Secret Key"
# Case-insensitive: "aws", then "secret" within 20 characters, then a quoted
# 40-character value within 20 more. Both quotes are required, so unquoted
# assignments (for example INI-style credential files) are not matched.
pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
type = "regex"
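[[patterns]]
name = "SSH Private Key"
# Matches any PEM private-key header, not only SSH keys: the label between
# "BEGIN" and "PRIVATE KEY" may be empty (PKCS#8) or a short type such as
# "RSA ", "EC ", "OPENSSH " or "ENCRYPTED ". The label is bounded rather than
# ".*" so that one hit cannot stretch across unrelated data on a long line of
# a disk image (for example from a certificate header to a later key footer).
pattern = "-----BEGIN [A-Z0-9 ]{0,32}PRIVATE KEY-----"
type = "regex"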
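[[patterns]]
name = "Password in Config"
# "password", optional whitespace, "=", then an optionally quoted value that
# runs to the next quote or whitespace. (?i) makes the keyword case-insensitive,
# as the AWS Secret Key pattern already is, so "Password=" and "PASSWORD ="
# are reported too. "key: value" forms are not covered. The reported match
# includes the value itself.
pattern = "(?i)password\\s*=\\s*['\"]?[^'\"\\s]+"
type = "regex"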
[[patterns]]
name = "Database Connection String"
# JDBC URL of the form jdbc:<driver>://... that carries a password= parameter
# in the same whitespace-free token; the matched value ends at whitespace, "&"
# or ";". URLs where "://" does not directly follow a single driver name (for
# example multi-part driver prefixes) are not matched.
pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
type = "regex"
[[patterns]]
name = "MBR Boot Signature"
# Two-byte boot signature 0x55 0xAA. In an MBR it sits at bytes 510-511 of the
# sector; this entry sets no offset, and a two-byte sequence is common in
# arbitrary data, so a hit is weak evidence on its own.
pattern = "55:AA"
type = "bytes"
[[patterns]]
name = "GPT Signature"
# ASCII "EFI PART", the eight-byte signature that opens a GPT header.
pattern = "45:46:49:20:50:41:52:54" # "EFI PART"
type = "bytes"
[[patterns]]
name = "NTFS Signature"
# ASCII "NTFS". The boot-sector OEM ID is "NTFS" followed by four spaces at
# offset 3; only the first four bytes are listed here and no offset is set, so
# plain text that mentions NTFS can hit as well.
pattern = "4E:54:46:53" # "NTFS"
type = "bytes"
[[patterns]]
name = "Email Address"
# Generic address shape local@domain.tld with a TLD of two or more letters;
# a loose shape match, not full address validation.
pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
type = "regex"
| total_files | 3 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 3 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2026-01-31T14:40:44.798620233+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | Other | 0 | False | /sample.vhd | 5 | 5 | 8 | ["5 suspicious patterns detected"] | Minimal | 13 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db |
| 0 | Other | 0 | False | /README.md | 5 | 2 | 3 | ["2 suspicious patterns detected"] | Minimal | 8 | 727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657 |
| 0 | Other | 0 | False | /sample.vhd/sample.vhd:vhd:metadata | 0 | 0 | 0 | [] | Minimal | 0 | 59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /README.md | README.md | 727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657 | 2026-01-31T14:35:39.975936764Z | 2026-01-31T14:35:39.976936747Z | 2026-01-31T14:36:08.737470505Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |
| /sample.vhd/sample.vhd:vhd:metadata | sample.vhd:vhd:metadata | 59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.vhd | sample.vhd | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | 2026-01-31T14:35:03.913534019Z | 2026-01-31T14:35:03.914534002Z | 2026-01-31T14:36:08.738470489Z | ["application/x-vhd"] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657 | VHD Signature | bytes | conectix | 415 | 8 |
| 2 | 727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657 | VHD Signature | bytes | conectix | 1233 | 8 |
| 3 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | VHD Signature | bytes | conectix | 1048576 | 8 |
| 4 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | AWS Access Key | regex | AKIAIOSFODNN7EXAMPLE | 2:15 | 20 |
| 5 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | SSH Private Key | regex | -----BEGIN RSA PRIVATE KEY----- | 5:0 | 31 |
| 6 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | Password in Config | regex | password = super_secret_123 | 3:0 | 27 |
| 7 | 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | Email Address | regex | user@example.com | 4:0 | 16 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 727e2112f3aa742c2fbc8a7a0e4b7a629c6c5f09f29325a86515c3577b04c657 | 51db17240ab464138436782b8faab570198e00bc | 7179526643f27b072e53e5140edc5db3 | 2573 | text/plain | 4.98682022434222 |
| 59becf4cab63377618afc1b735b04b25705334d6824c934c348575b833f162eb | 81b99cffda0fef23a30ae18f75b2204aed85f190 | 4dde8029b491ba34491e416d58205826 | 838 | text/plain | 4.99978188275922 |
| 5678641cfe00dfe87174bec088a6ed724765f5477d5f3ee3b451f83f0deac4db | 1f9d2a442a6561d63276886076a435faddf0e606 | 0cb25891268c7394b7f32ded41f9a275 | 1049088 | application/octet-stream | 0.00398315440918742 |