- examples/inputs/vmdk-forensic-samples/README.md
- examples/inputs/vmdk-forensic-samples/sample.vmdk
# VMDK Forensic Image Example Profile
# Demonstrates analysis of VMDK (VMware Virtual Machine Disk) forensic disk images.
#
# NOTE(review): the match output for this example records the matched text
# itself (for instance the whole `password=...` string), so reports produced
# with the credential patterns below should be stored and shared as sensitive
# evidence.
#
# Content decoders to apply. Presumably base64-encoded data is decoded and
# scanned as well -- confirm against the tool's documentation.
decode = ["base64"]
# 104857600 bytes = 100 * 1024 * 1024.
# NOTE(review): production VMDK evidence images are usually far larger than
# this. Confirm whether oversized files are skipped or truncated, because
# either outcome leaves part of the evidence unscanned.
max-file-size = 104857600 # 100 MiB
# Free-form label for this profile. Confirm where the tool surfaces it: the
# sample file-metadata output for this example shows an empty `tag` column.
tag = "vmdk-forensic"
# Patterns to match in VMDK images and extracted partitions.
# `type = "bytes"` patterns are colon-separated hex bytes. `type = "regex"`
# patterns are regular expressions written as TOML basic strings, so every
# backslash is doubled and `\"` is an escaped double quote.
# NOTE(review): none of the byte patterns carries an offset constraint. In the
# sample run for this example the VMDK signatures also hit plain text inside
# README.md at non-zero offsets, so a hit identifies a disk structure only when
# its reported location is the offset where that magic value belongs.
[[patterns]]
# Magic of a sparse extent header; only a hit at location 0 of a file
# indicates an actual sparse VMDK.
name = "VMDK Sparse Signature"
pattern = "4B:44:4D:56" # "KDMV" at header (sparse/stream-optimized)
type = "bytes"
[[patterns]]
# Magic of a COWD extent; like the sparse signature it is meaningful only at
# the start of the file.
name = "VMDK COWD Signature"
pattern = "43:4F:57:44" # "COWD" at header (snapshot)
type = "bytes"
[[patterns]]
# Long-term IAM access key IDs: "AKIA" followed by 16 upper-case
# alphanumerics. Temporary STS key IDs start with "ASIA" and are not covered.
# There is no word boundary, so the match can sit inside a longer token.
name = "AWS Access Key"
pattern = "AKIA[0-9A-Z]{16}"
type = "regex"
[[patterns]]
# Case-insensitive: "aws", then "secret" within 20 characters, then a quoted
# 40-character value within 20 more. The quotes are mandatory, so unquoted
# values such as `aws_secret_access_key = ...` in an AWS credentials file are
# not matched.
name = "AWS Secret Key"
pattern = "(?i)aws.{0,20}secret.{0,20}['\"][0-9a-zA-Z/+=]{40}['\"]"
type = "regex"
[[patterns]]
# Despite the name this matches any PEM private-key header (RSA, EC, OPENSSH,
# PKCS#8, ...), because `.*` accepts anything between BEGIN and PRIVATE KEY.
# Only the header line is matched, not the key body.
name = "SSH Private Key"
pattern = "-----BEGIN.*PRIVATE KEY-----"
type = "regex"
[[patterns]]
# `password`, optional whitespace, `=`, then an optionally quoted value.
# Case-sensitive and `=`-only as written: `Password=`, `PASSWORD=` and
# `password: value` (YAML/JSON style) are not matched.
name = "Password in Config"
pattern = "password\\s*=\\s*['\"]?[^'\"\\s]+"
type = "regex"
[[patterns]]
# JDBC URLs of the form `jdbc:<driver>://...` that carry the secret as a
# `password=` parameter. Other JDBC URL shapes and credentials supplied as
# separate properties are not matched.
name = "Database Connection String"
pattern = "jdbc:[a-zA-Z0-9]+://[^\\s]+password=[^\\s&;]+"
type = "regex"
[[patterns]]
# Boot-sector end marker. It belongs at bytes 510-511 of the sector, and a
# two-byte sequence with no offset check occurs by chance in most binary
# data, so expect many false positives unless the location is verified.
name = "MBR Boot Signature"
pattern = "55:AA"
type = "bytes"
[[patterns]]
# GPT header magic. On disks with 512-byte sectors it sits at the start of
# LBA 1 (byte offset 512).
name = "GPT Signature"
pattern = "45:46:49:20:50:41:52:54" # "EFI PART"
type = "bytes"
[[patterns]]
# Start of the NTFS OEM ID, found at byte offset 3 of an NTFS volume boot
# sector. As a bare four-byte match it also fires on the word "NTFS" in text.
name = "NTFS Signature"
pattern = "4E:54:46:53" # "NTFS"
type = "bytes"
[[patterns]]
# Broad e-mail address match. Hits are personal data and can be numerous on
# large images; treat them as triage leads, not as findings.
name = "Email Address"
pattern = "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
type = "regex"
| total_files | 3 |
| critical_count | 0 |
| high_count | 0 |
| medium_count | 0 |
| low_count | 0 |
| minimal_count | 3 |
| must_investigate_count | 0 |
| all_scores | None |
| generated_at | 2026-01-31T19:49:34.563022216+00:00 |
| characteristics_score | file_type | file_type_score | must_investigate | path | pattern_count_score | pattern_matches | pattern_severity_score | reasons | risk_level | score | sha256 |
| 0 | Other | 0 | False | /README.md | 5 | 5 | 8 | ["5 suspicious patterns detected"] | Minimal | 13 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 |
| 0 | Other | 0 | False | /sample.vmdk | 5 | 3 | 5 | ["3 suspicious patterns detected"] | Minimal | 10 | 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 |
| 0 | Other | 0 | False | /sample.vmdk/sample.vmdk:vmdk:metadata | 0 | 0 | 0 | [] | Minimal | 0 | a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6 |
Empty CSV
| path | file_name | sha256 | file_created | file_modified | file_accessed | mime_types_from_file_extension | is_symbolic_link | is_extracted_file | is_decoded_file | is_deobfuscated_file | tag |
| /README.md | README.md | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | 2026-01-31T19:31:14.972192562Z | 2026-01-31T19:31:14.973192565Z | 2026-01-31T19:31:14.972192562Z | ["application/x-genesis-rom"] | 0 | 0 | 0 | 0 | |
| /sample.vmdk/sample.vmdk:vmdk:metadata | sample.vmdk:vmdk:metadata | a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6 | | | | [] | 0 | 1 | 0 | 0 | |
| /sample.vmdk | sample.vmdk | 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 | 2026-01-31T19:31:30.371235129Z | 2026-01-31T19:31:30.372235132Z | 2026-01-31T19:31:35.403248471Z | ["application/x-vmdk"] | 0 | 0 | 0 | 0 | |
| id | sha256 | pattern_name | match_type | match | location | length |
| 1 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | VMDK Sparse Signature | bytes | KDMV | 488 | 4 |
| 2 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | VMDK COWD Signature | bytes | COWD | 576 | 4 |
| 3 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | VMDK Sparse Signature | bytes | KDMV | 789 | 4 |
| 4 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | VMDK Sparse Signature | bytes | KDMV | 1516 | 4 |
| 5 | 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | VMDK COWD Signature | bytes | COWD | 1526 | 4 |
| 6 | 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 | VMDK Sparse Signature | bytes | KDMV | 0 | 4 |
| 7 | 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 | AWS Access Key | regex | AKIATESTKEY123456789 | 4:0 | 20 |
| 8 | 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 | Password in Config | regex | password=SecretPass123 | 5:0 | 22 |
Empty CSV
| sha256 | sha1 | md5 | file_size | mime_type_for_content | shannon_entropy |
| 81443cd3c655a4624aa1315c07f6a1e5fbdd083782ccc4cd066dd9d5398431c7 | 6516142a3ebe7341f9ebc076d3f6d68262d8f9bc | fc18f64809df64d5acb3dc86a6d3064e | 3010 | text/plain | 5.06835686185191 |
| a4b361b721699edb3bfacd150a4eeadbb96803f4b1630a2e469d5372d9d94ce6 | 71a8a220bf2ab90f620f80f091269b57bc2accff | 81f7cbcdf39c98d01b6d0bb1944f1691 | 908 | text/plain | 4.98473949450813 |
| 6754517383d7fc7039ad910a3733c409e22dcd2766461a6ef1d8afeeff0ad262 | 32846dceaa66f20ef9347460b112b2d7017ba25d | a1303b14db40367d4d4a5fbb21d28913 | 1048581 | application/x-vmdk | 0.00150744491163612 |