F01TECH/ImHex-DFIR-Patterns
ImHex Pattern Files - Digital Forensics

Enhanced versions of the stock ImHex Disk/Filesystem pattern files, extended for forensic review of disk content.

Install:

  • Create a new folder called "DFIR"
  • Add these updated pattern files to "DFIR"
[Screenshot 1-Folder_Structure]

Use:

  • Open a physical disk via Raw Provider (read-only)
    • EXAMPLE: /dev/disk6
  • Import Pattern File
    • EXAMPLE: DISK_PARSER.hexpat
[Screenshot 2-DISK_PARSER-Pattern]
  • DISK_PARSER.hexpat
    • Recognize MBR/GPT disks and parse the MBR partition table (MPT) or the GPT
      • Including Logical Volumes in an Extended Partition (container)
    • Auto load file system patterns for FAT32, exFAT, NTFS formatted volumes
    • Optional Disk Report
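
How the MBR/GPT recognition and the extended-partition walk described above work, as an added worked example in Python (not the repository's .hexpat code): the protective entry type xEE selects the GPT path, where the header CRC32 is verified before the entry array is trusted; otherwise the four MPT entries are read and any x05/x0F container is followed through its EBR chain. The disk images, partition layout, GUIDs and the 200/128-sector geometry are constructed here for the example.

```python
"""MBR/GPT recognition with EBR-chain walking over constructed, in-memory
disk images (added example, not the repository's pattern code)."""
import struct
import uuid
import zlib

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}      # CHS and LBA extended containers
PROTECTIVE_GPT = 0xEE              # type byte of the protective MBR entry
GPT_HDR = "<8sIIIIQQQQ16sQIII"     # signature .. partition-entry-array CRC
ENTRY = "<B3sB3sII"                # status, CHS, type, CHS, LBA, sectors

def parse_entry(raw):
    status, _, ptype, _, lba, sectors = struct.unpack(ENTRY, raw)
    return {"status": status, "type": ptype, "lba": lba, "sectors": sectors}

def walk_extended(img, ext_lba):
    """Entry 0 of an EBR is relative to that EBR's own LBA; entry 1 (the next
    EBR) is relative to the start of the extended container."""
    logicals, ebr_lba, seen = [], ext_lba, set()
    while ebr_lba and ebr_lba not in seen:             # stop on looped chains
        seen.add(ebr_lba)
        sec = img[ebr_lba * SECTOR:(ebr_lba + 1) * SECTOR]
        if len(sec) < SECTOR or sec[510:512] != b"\x55\xaa":
            break                                      # truncated or unsigned EBR
        first, nxt = parse_entry(sec[446:462]), parse_entry(sec[462:478])
        if first["type"]:
            logicals.append({**first, "lba": ebr_lba + first["lba"], "kind": "logical"})
        ebr_lba = ext_lba + nxt["lba"] if nxt["type"] in EXTENDED_TYPES else 0
    return logicals

def parse_gpt(img):
    sec = img[SECTOR:2 * SECTOR]
    (sig, _rev, hsize, crc, _res, _cur, _bak, _first, _last, disk_guid,
     ent_lba, n_ent, ent_size, _ecrc) = struct.unpack_from(GPT_HDR, sec)
    if sig != b"EFI PART":
        raise ValueError("protective MBR present but no GPT header at LBA 1")
    # the header CRC32 is computed over the header with its own CRC field zeroed
    crc_ok = zlib.crc32(sec[:16] + b"\0\0\0\0" + sec[20:hsize]) == crc
    parts = []
    for i in range(n_ent):
        e = img[ent_lba * SECTOR + i * ent_size:][:ent_size]
        type_guid = uuid.UUID(bytes_le=e[:16])
        if type_guid.int == 0:
            continue                                   # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"type": str(type_guid), "lba": first, "sectors": last - first + 1,
                      "name": e[56:128].decode("utf-16-le").rstrip("\0"), "kind": "gpt"})
    return {"scheme": "GPT", "header_crc_ok": crc_ok,
            "disk_guid": str(uuid.UUID(bytes_le=disk_guid)), "partitions": parts}

def parse_disk(img):
    sec0 = img[:SECTOR]
    if sec0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature in sector 0")
    entries = [parse_entry(sec0[446 + 16 * i:462 + 16 * i]) for i in range(4)]
    if any(e["type"] == PROTECTIVE_GPT for e in entries):
        return parse_gpt(img)
    parts = []
    for e in entries:
        if e["type"] in EXTENDED_TYPES:
            parts.append({**e, "kind": "extended"})
            parts.extend(walk_extended(img, e["lba"]))
        elif e["type"]:
            parts.append({**e, "kind": "primary"})
    return {"scheme": "MBR", "partitions": parts}

# --- constructed test images (not real disks) --------------------------------
def mbr_entry(ptype, lba, sectors):
    return struct.pack(ENTRY, 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)

def mbr_sector(entries):
    return b"\0" * 446 + b"".join(entries).ljust(64, b"\0") + b"\x55\xaa"

def build_mbr_image(total=200):
    img = bytearray(total * SECTOR)
    img[:SECTOR] = mbr_sector([mbr_entry(0x0B, 8, 40), mbr_entry(0x05, 64, 100)])
    # EBR at LBA 64: logical FAT32 at +8, next EBR at container+40 (LBA 104)
    img[64 * SECTOR:65 * SECTOR] = mbr_sector([mbr_entry(0x0B, 8, 24), mbr_entry(0x05, 40, 32)])
    # EBR at LBA 104: logical NTFS at +8, chain ends
    img[104 * SECTOR:105 * SECTOR] = mbr_sector([mbr_entry(0x07, 8, 24)])
    return bytes(img)

def build_gpt_image(total=128):
    img = bytearray(total * SECTOR)
    img[:SECTOR] = mbr_sector([mbr_entry(PROTECTIVE_GPT, 1, total - 1)])
    basic_data = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")   # MS basic data
    entry = (basic_data.bytes_le + uuid.UUID(int=0x1234).bytes_le
             + struct.pack("<QQQ", 34, 99, 0) + "DFIR".encode("utf-16-le").ljust(72, b"\0"))
    img[2 * SECTOR:2 * SECTOR + 128] = entry
    fields = [b"EFI PART", 0x00010000, 92, 0, 0, 1, total - 1, 34, total - 34,
              uuid.UUID(int=7).bytes_le, 2, 1, 128, zlib.crc32(entry)]
    fields[3] = zlib.crc32(struct.pack(GPT_HDR, *fields))   # CRC with its field zeroed
    img[SECTOR:SECTOR + 92] = struct.pack(GPT_HDR, *fields)
    return bytes(img)

if __name__ == "__main__":
    for image in (build_mbr_image(), build_gpt_image()):
        result = parse_disk(image)
        print(result["scheme"])
        for p in result["partitions"]:
            print(f"  {p['kind']:9} type={p['type']} lba={p['lba']} sectors={p['sectors']}")
```

The loop guard in walk_extended matters on real evidence: a damaged or deliberately looped EBR chain would otherwise hang the parser, and an EBR without the x55AA signature ends the chain rather than producing a phantom volume.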

[Screenshot 3-DISK-HYBRID: DISK > MBR/GPT]

[Screenshot 3a-DISK-MBR: DISK > MBR > MPT > 3 Primaries | 2 Logicals in an Extended]

  • FAT32.hexpat
    • Auto loaded by DISK_PARSER.hexpat
    • Parse VBR, FAT1, FAT2, Root Dir, and 1 level of SubDirs
    • FAT1/FAT2 Cluster chaining with SFN resolution
    • LFN/SFN Alias grouping in Root Dir
    • Recognize deleted entries (first byte xE5)
    • File Content pointer
    • D/T Conversions
    • Optional FAT32 Volume Report
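
The FAT32 steps listed above (VBR geometry, FAT1/FAT2, cluster chaining, LFN/SFN grouping, xE5 detection, the file content pointer and D/T conversion) as an added worked example in Python, not the repository's FAT32.hexpat: a tiny volume with one live file and one deleted entry is constructed in memory, and the toy geometry (one reserved sector, one sector per FAT, one sector per cluster) is an assumption of the example rather than anything a real formatter would produce.

```python
"""FAT32 directory parsing over a constructed in-memory volume (added example,
not the repository's pattern code)."""
import struct
from datetime import datetime

BPS, SPC, RESERVED, NFATS, SPF, ROOT = 512, 1, 1, 2, 1, 2   # toy geometry
EOC = 0x0FFFFFF8          # any FAT value >= EOC terminates a chain
ATTR_LFN = 0x0F

def dos_datetime(date, time):
    """DOS packed date (7-bit year from 1980, month, day) and time (2 s units)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def lfn_checksum(sfn11):
    s = 0
    for c in sfn11:
        s = (((s & 1) << 7) + (s >> 1) + c) & 0xFF
    return s

def parse_bpb(vbr):
    bps, spc, reserved, nfats = struct.unpack_from("<HBHB", vbr, 11)
    spf, = struct.unpack_from("<I", vbr, 36)
    root, = struct.unpack_from("<I", vbr, 44)
    return dict(bps=bps, spc=spc, reserved=reserved, nfats=nfats, spf=spf, root=root)

def cluster_offset(bpb, n):
    """Byte offset of data cluster n (data clusters are numbered from 2)."""
    data_start = (bpb["reserved"] + bpb["nfats"] * bpb["spf"]) * bpb["bps"]
    return data_start + (n - 2) * bpb["spc"] * bpb["bps"]

def read_fat(img, bpb, which=0):
    off = (bpb["reserved"] + which * bpb["spf"]) * bpb["bps"]
    raw = img[off:off + bpb["spf"] * bpb["bps"]]
    return [v & 0x0FFFFFFF for v in struct.unpack(f"<{len(raw) // 4}I", raw)]

def cluster_chain(fat, start):
    chain, n = [], start
    while 2 <= n < EOC and n < len(fat) and n not in chain:   # loop-safe
        chain.append(n)
        n = fat[n]
    return chain

def parse_dir(raw, bpb):
    entries, lfn = [], []
    for off in range(0, len(raw), 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:
            break                                    # end of directory
        if e[11] == ATTR_LFN:                        # LFN pieces precede their SFN
            lfn.append((e[13], (e[1:11] + e[14:26] + e[28:32]).decode("utf-16-le", "replace")))
            continue
        sfn, deleted = e[:11], e[0] == 0xE5
        hi, mtime, mdate, lo, size = struct.unpack_from("<HHHHI", e, 20)
        first = (hi << 16) | lo
        base, ext = sfn[:8].decode("latin-1").rstrip(), sfn[8:].decode("latin-1").rstrip()
        short = base + ("." + ext if ext else "")
        if deleted:
            short = "?" + short[1:]                  # first byte overwritten by 0xE5
        # pieces are stored last-first; the checksum cannot be verified for a deleted
        # file because the SFN's first byte, which the sum covers, has been overwritten
        long_name = None
        if lfn and (deleted or all(c == lfn_checksum(sfn) for c, _ in lfn)):
            long_name = "".join(t for _, t in reversed(lfn)).split("\0")[0]
        lfn = []
        entries.append(dict(name=long_name or short, sfn=short, deleted=deleted, attr=e[11],
                            first_cluster=first, size=size,
                            modified=dos_datetime(mdate, mtime) if mdate else None,
                            content_offset=cluster_offset(bpb, first) if first >= 2 else None))
    return entries

def read_file(img, bpb, fat, entry):
    csize = bpb["spc"] * bpb["bps"]
    data = b"".join(img[cluster_offset(bpb, c):cluster_offset(bpb, c) + csize]
                    for c in cluster_chain(fat, entry["first_cluster"]))
    return data[:entry["size"]]

# --- constructed volume ------------------------------------------------------
def sfn_entry(name11, attr, first, size, mdate, mtime):
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, 0, 0, 0,
                       first >> 16, mtime, mdate, first & 0xFFFF, size)

def lfn_entries(long_name, checksum):
    chars = long_name + "\0"
    chars += "\uffff" * (-len(chars) % 13)
    n, out = len(chars) // 13, []
    for i in range(n):
        u = chars[i * 13:(i + 1) * 13].encode("utf-16-le")
        seq = (i + 1) | (0x40 if i == n - 1 else 0)   # 0x40 marks the last piece
        out.append(struct.pack("<B10sBBB12sH4s", seq, u[:10], ATTR_LFN, 0, checksum, u[10:22], 0, u[22:]))
    return b"".join(reversed(out))

def build_volume():
    img = bytearray((RESERVED + NFATS * SPF + 4) * BPS)        # four data clusters
    struct.pack_into("<HBHB", img, 11, BPS, SPC, RESERVED, NFATS)
    struct.pack_into("<II", img, 36, SPF, 0)
    struct.pack_into("<I", img, 44, ROOT)
    img[510:512] = b"\x55\xaa"
    fat = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFFF, 4, 0x0FFFFFFF] + [0] * (BPS // 4 - 5)
    for i in range(NFATS):
        struct.pack_into(f"<{len(fat)}I", img, (RESERVED + i * SPF) * BPS, *fat)
    bpb = parse_bpb(img)
    content = b"A" * BPS + b"END\n"                             # spans clusters 3 and 4
    sfn = b"HELLO   TXT"
    root = (lfn_entries("hello world.txt", lfn_checksum(sfn))
            + sfn_entry(sfn, 0x20, 3, len(content), 22639, 27818)   # 2024-03-15 13:37:20
            + sfn_entry(b"\xe5LD     LOG", 0x20, 5, 7, 22639, 27818))
    img[cluster_offset(bpb, ROOT):cluster_offset(bpb, ROOT) + len(root)] = root
    img[cluster_offset(bpb, 3):cluster_offset(bpb, 3) + len(content)] = content
    return bytes(img)
```

Comparing read_fat(img, bpb, 0) with read_fat(img, bpb, 1) is the FAT1/FAT2 consistency check worth running on evidence: a mismatch means one copy was updated (or wiped) without the other.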

[Screenshot 4-FAT32-1_SMALL_TXT: VOLUME > FAT32 > FAT1]

[Screenshot 5-FAT32_ROOT_DIR: VOLUME > FAT32 > Root Dir]

[Screenshot 6-FAT32_SFN_POINTER: VOLUME > FAT32 > Data Pointer]

  • exFAT.hexpat
    • Auto loaded by DISK_PARSER.hexpat
    • Parse VBR/Boot Sector/Extended Sectors, FAT1, Root Dir
    • Recognize in-use directory entries (x85 File, xC0 Stream Extension, xC1 File Name)
    • Recognize inactive (deleted) directory entries (x05, x40, x41: the same entries with the in-use bit, bit 7 of the type byte, cleared)
    • File Content pointer from the xC0/x40 Stream Extension's first cluster
    • D/T Conversions
    • Optional exFAT Volume Report
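
The exFAT entry-set handling listed above, as an added worked example in Python rather than the repository's exFAT.hexpat: a constructed root directory holds one live set (x85/xC0/xC1) and one deleted set (x05/x40/x41), the EntrySetChecksum is verified for live sets, the xC0 first cluster is turned into a byte offset via the boot sector's ClusterHeapOffset, and the packed timestamp is decoded together with its 10 ms and UTC-offset fields. The file names, geometry and contents are constructed here; the NameHash field is left at zero because computing it needs the volume's up-case table.

```python
"""exFAT root-directory parsing over a constructed in-memory volume (added
example, not the repository's pattern code)."""
import struct
from datetime import datetime, timedelta, timezone

def parse_boot(sec):
    if sec[3:11] != b"EXFAT   ":
        raise ValueError("not an exFAT boot sector")
    heap_off, _heap_len, root = struct.unpack_from("<III", sec, 88)
    bps, spc = 1 << sec[108], 1 << sec[109]          # stored as shifts
    return dict(bps=bps, spc=spc, heap_off=heap_off, root=root)

def cluster_offset(boot, n):
    return boot["heap_off"] * boot["bps"] + (n - 2) * boot["spc"] * boot["bps"]

def entry_set_checksum(s):
    """16-bit rolling checksum over the whole set, skipping its own field (bytes 2-3)."""
    c = 0
    for i, b in enumerate(s):
        if i in (2, 3):
            continue
        c = ((((c & 1) << 15) | (c >> 1)) + b) & 0xFFFF
    return c

def exfat_timestamp(ts, ms10=0, utc=0):
    """Packed stamp plus 10 ms increments; the UTC-offset byte only counts when
    bit 7 is set, and then holds a signed 7-bit number of 15-minute units."""
    dt = datetime(1980 + (ts >> 25), (ts >> 21) & 0xF, (ts >> 16) & 0x1F,
                  (ts >> 11) & 0x1F, (ts >> 5) & 0x3F, (ts & 0x1F) * 2)
    dt += timedelta(milliseconds=10 * ms10)
    if utc & 0x80:
        q = utc & 0x7F
        dt = dt.replace(tzinfo=timezone(timedelta(minutes=15 * (q - 128 if q >= 64 else q))))
    return dt

def parse_dir(raw, boot):
    files, off = [], 0
    while off + 32 <= len(raw) and raw[off] != 0x00:       # 0x00 = end of directory
        t = raw[off]
        if t & 0x7F != 0x05:                               # not a file entry (live or deleted)
            off += 32
            continue
        count = raw[off + 1]                               # number of secondary entries
        s = raw[off:off + 32 * (1 + count)]
        in_use = bool(t & 0x80)
        attrs, = struct.unpack_from("<H", s, 4)
        mtime, = struct.unpack_from("<I", s, 12)
        # deletion rewrites the type bytes the checksum covers, so it is only
        # meaningful for live sets
        ok = struct.unpack_from("<H", s, 2)[0] == entry_set_checksum(s) if in_use else None
        f = dict(in_use=in_use, attrs=attrs, name="", name_len=0, first_cluster=0,
                 data_length=0, no_fat_chain=False, checksum_ok=ok,
                 modified=exfat_timestamp(mtime, s[21], s[23]))
        for i in range(1, 1 + count):
            e = s[32 * i:32 * i + 32]
            if e[0] & 0x7F == 0x40:                        # stream extension
                f["no_fat_chain"] = bool(e[1] & 0x02)
                f["name_len"] = e[3]
                f["first_cluster"], = struct.unpack_from("<I", e, 20)
                f["data_length"], = struct.unpack_from("<Q", e, 24)
            elif e[0] & 0x7F == 0x41:                      # file name, 15 UTF-16 units each
                f["name"] += e[2:32].decode("utf-16-le")
        f["name"] = f["name"][:f["name_len"]]
        f["content_offset"] = cluster_offset(boot, f["first_cluster"]) if f["first_cluster"] >= 2 else None
        files.append(f)
        off += len(s)
    return files

# --- constructed volume ------------------------------------------------------
MTIME = (44 << 25) | (3 << 21) | (15 << 16) | (13 << 11) | (37 << 5) | 10   # 2024-03-15 13:37:20

def entry_set(name, first_cluster, data, in_use=True):
    chunks = [name[i:i + 15] for i in range(0, len(name), 15)]
    s = bytearray(struct.pack("<BBHHHIIIBBBBB7s", 0x85, 1 + len(chunks), 0, 0x20, 0,
                              MTIME, MTIME, MTIME, 0, 57, 0x84, 0x84, 0x84, b""))
    # flags 0x03 = allocation possible + NoFatChain; NameHash left 0 (needs up-case table)
    s += struct.pack("<BBBBHHQIIQ", 0xC0, 0x03, 0, len(name), 0, 0, len(data), 0, first_cluster, len(data))
    for ch in chunks:
        s += struct.pack("<BB30s", 0xC1, 0, ch.encode("utf-16-le"))
    struct.pack_into("<H", s, 2, entry_set_checksum(s))
    if not in_use:                                         # deletion clears bit 7 of each type byte
        for i in range(0, len(s), 32):
            s[i] &= 0x7F
    return bytes(s)

def build_volume():
    img = bytearray(8 * 512)
    img[3:11] = b"EXFAT   "
    struct.pack_into("<III", img, 88, 4, 4, 2)             # heap at sector 4, root = cluster 2
    img[108], img[109] = 9, 0                              # 512 B/sector, 1 sector/cluster
    img[510:512] = b"\x55\xaa"
    boot = parse_boot(img[:512])
    content = b"constructed evidence payload\n"
    root = entry_set("evidence.bin", 3, content) + entry_set("old.log", 4, b"stale", in_use=False)
    img[cluster_offset(boot, 2):cluster_offset(boot, 2) + len(root)] = root
    img[cluster_offset(boot, 3):cluster_offset(boot, 3) + len(content)] = content
    return bytes(img)
```

The deleted set still yields its name, first cluster and data length, which is why the x05/x40/x41 remnants are worth parsing: only the in-use bit changed, so the content pointer still resolves until the cluster is reused.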

[Screenshot 7-exFAT-1: VOLUME > exFAT]

[Screenshot 8-exFAT_xC0: VOLUME > exFAT > Root Dir > xC0 (Stream Ext)]

[Screenshot 9-exFAT-Data_Pointer: VOLUME > exFAT > Data Pointer]

  • NTFS.hexpat
    • Auto loaded by DISK_PARSER.hexpat
    • Parse VBR (Boot Sector), $MFT, Root Dir, and Indexes
    • Recursively parse the $Metadata files, $Attributes, and user files/dirs
      • Added file record | parent [MFT#] [SEQ#] indicators
    • Parse x80 ($DATA) / xB0 ($BITMAP) data runs
    • File Content pointer
    • D/T Conversions
    • Optional NTFS Volume Report
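
The NTFS record handling listed above, as an added worked example in Python rather than the repository's NTFS.hexpat: one $MFT file record is constructed in memory with its update-sequence fixups applied, then parsed to recover the record's own [MFT#] [SEQ#], the parent [MFT#] [SEQ#] from $FILE_NAME, the FILETIME conversion, the decoded x80 run list (the same decoder serves a non-resident xB0) and the content pointer of the first run. The record number, names and run list are constructed for the example; a 4096-byte cluster is assumed.

```python
"""NTFS MFT record parsing with fixups, $FILE_NAME parent reference, FILETIME
conversion and data-run decoding (added example, not the repository's code)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SECTOR, CLUSTER = 512, 4096

def filetime(ft):
    """100 ns intervals since 1601-01-01 UTC (sub-microsecond part dropped)."""
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(rec):
    """Restore the last two bytes of every sector from the update sequence array;
    a mismatch means a torn write or a record that is not what it claims to be."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_runs(buf):
    """Header nibbles give the byte sizes of the run length and of the signed,
    relative LCN offset; an offset size of 0 marks a sparse run."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        ls, os_ = buf[pos] & 0xF, buf[pos] >> 4
        length = int.from_bytes(buf[pos + 1:pos + 1 + ls], "little")
        if os_:
            lcn += int.from_bytes(buf[pos + 1 + ls:pos + 1 + ls + os_], "little", signed=True)
            runs.append((length, lcn))
        else:
            runs.append((length, None))
        pos += 1 + ls + os_
    return runs

def vcn_to_lcn(runs, vcn):
    base = 0
    for length, lcn in runs:
        if vcn < base + length:
            return None if lcn is None else lcn + (vcn - base)
        base += length
    return None

def parse_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("bad record signature")
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 16)
    mft_no, = struct.unpack_from("<I", rec, 44)
    info = dict(mft=mft_no, seq=seq, in_use=bool(flags & 1), is_dir=bool(flags & 2),
                names=[], data_runs=[], data_size=None, content_offset=None)
    pos = attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:              # end-of-attributes marker
            break
        nonres, name_len = rec[pos + 8], rec[pos + 9]
        if atype == 0x30 and not nonres:                  # $FILE_NAME (always resident)
            vlen, voff = struct.unpack_from("<IH", rec, pos + 16)
            body = rec[pos + voff:pos + voff + vlen]
            pref, = struct.unpack_from("<Q", body, 0)     # low 48 bits MFT#, high 16 SEQ#
            mtime, = struct.unpack_from("<Q", body, 16)
            info["names"].append(dict(
                name=body[66:66 + 2 * body[64]].decode("utf-16-le"), namespace=body[65],
                parent_mft=pref & 0xFFFFFFFFFFFF, parent_seq=pref >> 48, modified=filetime(mtime)))
        elif atype == 0x80 and nonres and name_len == 0:  # unnamed, non-resident $DATA
            run_off, = struct.unpack_from("<H", rec, pos + 32)
            info["data_size"], = struct.unpack_from("<Q", rec, pos + 48)
            info["data_runs"] = decode_runs(rec[pos + run_off:pos + alen])
            first = vcn_to_lcn(info["data_runs"], 0)
            info["content_offset"] = None if first is None else first * CLUSTER
        pos += alen
    return info

# --- constructed record ------------------------------------------------------
FT = int((datetime(2024, 3, 15, 13, 37, 20, tzinfo=timezone.utc) - EPOCH).total_seconds()) * 10**7

def attribute(header, payload):
    a = bytearray(header) + payload
    a += b"\0" * (-len(a) % 8)                             # attributes are 8-byte aligned
    struct.pack_into("<I", a, 4, len(a))
    return bytes(a)

def build_record(mft_no=40, seq=3, parent=(5, 5), name="notes.txt",
                 runs=b"\x11\x04\x20\x11\x03\xf0\x01\x02\x00", size=9 * CLUSTER - 100):
    fn = struct.pack("<QQQQQQQIIBB", (parent[1] << 48) | parent[0], FT, FT, FT, FT,
                     9 * CLUSTER, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    fn_attr = attribute(struct.pack("<IIBBHHHIHBB", 0x30, 0, 0, 0, 0, 0, 2, len(fn), 24, 1, 0), fn)
    data_attr = attribute(struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 0, 1, 0, 0, 0, 1,
                                      0, 8, 64, 0, 0, 9 * CLUSTER, size, size), runs)
    attrs = fn_attr + data_attr + b"\xff\xff\xff\xff"
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 48, 3, 0, seq, 1, 56, 1,
                     56 + len(attrs), 1024, 0, 3, 0, mft_no)
    rec[56:56 + len(attrs)] = attrs
    usn = b"\x07\x00"                                      # stash sector tails, stamp the USN
    rec[48:50] = usn
    for i in (1, 2):
        rec[48 + 2 * i:50 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

Skipping apply_fixups is the classic mistake when pointing at $MFT content by hand: the last two bytes of each sector on disk hold the USN, not the data, so any structure straddling a sector boundary reads wrong until the array is applied.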

[Screenshot 10-NTFS-DT: VOLUME > NTFS > $MFT > D/T Conversion]

[Screenshot 11-NTFS-DATA_RUN: VOLUME > NTFS > $MFT > x80 Run List]

[Screenshot 12-NTFS-DATA_POINTER: VOLUME > NTFS > Data Pointer]

  • Optional Reports
    • Each report is written to the ImHex console; simply copy the console output to a file.

    • To enable/disable the reports:

      • Open each DFIR related .hexpat
      • Find the report constant (near the top)
        • "true" = enabled
        • "false" = disabled

Example Report: GPT > FAT32|exFAT

Example Report: MBR > 5 Logical Volumes (2 in an Extended) > All FAT32 Volumes

About

Digital Forensics Pattern Files for ImHex
