- examples/inputs/vhdx-forensic-samples/README.md
- examples/inputs/vhdx-forensic-samples/sample.vhdx
# VHDX Forensic Image Example Profile
# Demonstrates analysis of VHDX (Virtual Hard Disk v2) forensic disk images
# Scan-wide settings for this profile.
# Label for this profile.
tag = "vhdx-forensic"
# Decoders to apply; presumably content is also scanned after base64
# decoding - confirm against the tool's documentation.
decode = ["base64"]
# Size cap in bytes: 100 * 1024 * 1024 = 100 MiB.
# NOTE(review): presumably files above the cap are skipped. Real VHDX
# evidence images are usually far larger than 100 MiB, so raise the cap
# (and confirm how oversized files are reported) before using this profile
# on anything other than the small sample image.
max-file-size = 104_857_600
# Patterns to match in VHDX images and extracted partitions
# VHDX file identifier: the 8 ASCII bytes "vhdxfile", written as
# colon-separated hex. The match is not tied to an offset, so plain text
# that merely mentions the string hits as well; only a hit at location 0
# corresponds to the image header.
[[patterns]]
type = "bytes"
name = "VHDX Signature"
pattern = "76:68:64:78:66:69:6C:65"
# AWS access key ID: literal "AKIA" followed by 16 characters from [0-9A-Z].
# NOTE(review): only the AKIA prefix is covered; temporary (STS) key IDs
# start with ASIA and are not matched. There is no word boundary either, so
# the pattern can also hit inside a longer uppercase/digit run.
[[patterns]]
type = "regex"
name = "AWS Access Key"
pattern = "AKIA[0-9A-Z]{16}"
# AWS secret access key, case-insensitive: "aws", up to 20 arbitrary
# characters, "secret", up to 20 more, then a 40-character value from
# [0-9a-zA-Z/+=] enclosed in single or double quotes.
# NOTE(review): the quotes are mandatory, so an unquoted assignment (the
# usual form in INI-style credential files) is not matched - confirm whether
# that gap is acceptable for the evidence being examined.
[[patterns]]
type = "regex"
name = "AWS Secret Key"
pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
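# PEM private-key header. Despite the entry name this is not SSH-specific:
# it matches any "-----BEGIN <label> PRIVATE KEY-----" header (RSA, EC,
# OPENSSH, ENCRYPTED, or the PKCS#8 form with no label at all).
# The label is bounded to at most 32 characters from [A-Z0-9 ] rather than
# ".*", so a match cannot stretch across a long run of image data that
# happens to sit between an unrelated "-----BEGIN" and "PRIVATE KEY-----".
# Only the header line is matched; the key body is not captured.
[[patterns]]
name = "SSH Private Key"
pattern = "-----BEGIN [A-Z0-9 ]{0,32}PRIVATE KEY-----"
type = "regex"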
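# Assignment of the form password = value: the keyword, optional whitespace
# around "=", an optional opening quote, then the value up to the next quote
# or whitespace character.
# (?i) makes the keyword case-insensitive (Password=, PASSWORD =); it is the
# same inline flag the AWS Secret Key entry already relies on.
# The matched text, including the secret itself, is written to the match
# report, so treat generated reports as sensitive material.
# A JDBC URL carrying password= is reported by both this entry and
# "Database Connection String".
[[patterns]]
name = "Password in Config"
pattern = "(?i)password\\s*=\\s*['\"]?[^'\"\\s]+"
type = "regex"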
# JDBC URL with an embedded password: "jdbc:", an alphanumeric driver name,
# "://", then a whitespace-free run containing "password=" whose value ends
# at whitespace, "&" or ";".
# NOTE(review): URLs whose driver part contains a second colon (for example
# jdbc:oracle:thin:...) do not match. The full URL, password included, is
# what gets recorded as the match.
[[patterns]]
type = "regex"
name = "Database Connection String"
pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
# Boot-sector signature bytes 0x55 0xAA. In an MBR these are the last two
# bytes of the 512-byte sector (offsets 510-511); this entry matches the
# pair at any position, so expect many incidental hits on real image data.
# NOTE(review): if the tool supports offset-anchored byte patterns, anchor
# this one - confirm against the tool's documentation.
[[patterns]]
type = "bytes"
name = "MBR Boot Signature"
pattern = "55:AA"
# GPT header signature: the 8 ASCII bytes "EFI PART" as colon-separated hex.
# Not tied to an offset, so text that contains the same string also matches.
[[patterns]]
type = "bytes"
name = "GPT Signature"
pattern = "45:46:49:20:50:41:52:54"
# The 4 ASCII bytes "NTFS" as colon-separated hex.
# NOTE(review): the OEM ID in an NTFS boot sector is "NTFS" followed by four
# spaces, at byte offset 3. The 4-byte form used here also matches any text
# that mentions NTFS; appending 20:20:20:20 would cut those hits - verify
# against sample images before changing it.
[[patterns]]
type = "bytes"
name = "NTFS Signature"
pattern = "4E:54:46:53"
# Email-like token: local part, "@", domain, a dot and a top-level label of
# at least two letters.
# Low signal on its own (generic contact addresses match too). Matches are
# personal data and are stored verbatim in the match report.
[[patterns]]
type = "regex"
name = "Email Address"
pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
| total_files | 3 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 3 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2026-01-31T14:40:53.032681135+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | Other | 0 | False | /sample.vhdx | 10 | 6 | 8 | ["6 suspicious patterns detected"] | Minimal | 18 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef |
| 0 | Other | 0 | False | /README.md | 5 | 2 | 3 | ["2 suspicious patterns detected"] | Minimal | 8 | 38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0 |
| 0 | Other | 0 | False | /sample.vhdx/sample.vhdx:vhdx:metadata | 0 | 0 | 0 | [] | Minimal | 0 | 5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266 |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /README.md | README.md | 38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0 | 2026-01-31T14:35:39.975936764Z | 2026-01-31T14:35:39.976936747Z | 2026-01-31T14:36:13.424393908Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |
| /sample.vhdx/sample.vhdx:vhdx:metadata | sample.vhdx:vhdx:metadata | 5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266 | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.vhdx | sample.vhdx | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | 2026-01-31T14:35:14.517358468Z | 2026-01-31T14:35:14.517358468Z | 2026-01-31T14:36:13.425393891Z | ["application/x-vhdx"] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0 | VHDX Signature | bytes | vhdxfile | 461 | 8 |
| 2 | 38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0 | VHDX Signature | bytes | vhdxfile | 1319 | 8 |
| 3 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | VHDX Signature | bytes | vhdxfile | 0 | 8 |
| 4 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | SSH Private Key | regex | -----BEGIN PRIVATE KEY----- | 5:0 | 27 |
| 5 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | Password in Config | regex | password = MySecretP@ssw0rd! | 3:6 | 28 |
| 6 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | Password in Config | regex | password=secret123 | 8:49 | 18 |
| 7 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | Database Connection String | regex | jdbc:postgresql://localhost:5432/mydb?user=admin&password=secret123 | 8:0 | 67 |
| 8 | a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | Email Address | regex | support@company.com | 4:0 | 19 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 38a13bd791913971e0ef62805930c72598bd549f7ae1e38d77436111d9c0d0d0 | b95bf31e3c8f0179d3d0e7adc439d4614d3dbf5f | 8e3497f1e335c0a27b92e1efb5dfe42b | 2711 | text/plain | 5.01402600581424 |
| 5e1d1fba1cbf19a94ab7bbe9f9ab5b351b58444acac9ceb18024bf1c7b1a3266 | 32f49b043419c3c9255641b6a29b69b27f7279cf | 0bd314dd5a07382a13dd5e2d4e90f5a5 | 884 | text/plain | 5.01756054475152 |
| a20805a2e25dfc53905a11213b4f184f430d98ec199c8d69267195a5408628ef | ee47c231473c6d9e380ad793ab47bf29738c6bcd | 82bc120398da1622b7b934ff72726884 | 1048576 | application/x-vhdx | 0.00541595196467941 |