File Miner Package
2024-7-15 22:12:5 Author: blog.cerbero.io(查看原文) 阅读量:6 收藏

We are thrilled to announce the launch of the File Miner package, a sophisticated file carving tool now available for all Cerbero Suite licenses. Designed to aid malware and forensic analysts in their daily tasks, this package stands out as a top-tier utility in its category, and we plan to enhance it further by supporting additional file formats.

File Miner offers flexible configuration through the settings. By default, it automatically carves files selectively from specific groups, such as excluding archives where carving generally provides no benefit. Users have the ability to customize settings to select which file groups are automatically carved and which specific groups or file formats should be detected.

Additionally, the carving speed for each file type is prominently displayed, allowing for more informed decisions.

Here’s an example of File Miner in action: a malware sample was processed, during which the executable was unpacked using the UPX Unpacker package. File Miner identified four additional executables within the unpacked file.

File Miner can be initiated from any hex view as an action.

For instance, we launched it on the data from a memory dump.

Upon completion of the carving process, File Miner presents a comprehensive view of the extracted files.

You have the option to access each file individually or save them in batches. When batch-saving, you can opt to add them as child objects, root objects, or save them directly to the disk.

Once the objects are added, they can be inspected in the same manner as those carved automatically.

File Miner’s functionality can be enhanced through the integration of additional installed packages. In fact, certain file formats are only detected when their corresponding format packages are installed. For instance, PYC files and RAR archives can be detected and processed only with the relevant packages installed.

The package is exposed to the SDK. The following code snippet demonstrates how to carve files programmatically:

from Pro.Core import *
from Pro.UI import *
from Pkg.FileMiner import *

def callback(match, ud):
    print("MATCH:", match.format, "offset:", hex(match.offset), "size:", hex(match.size))

def main():
    c = createContainerFromFile("path/to/file")
    fm = FileMiner()
    wo = proContext().startWait("Carving...")
    fm.mine(c, callback=callback, wait_object=wo)
    wo.stop()

As we continue to develop and expand this tool, we remain committed to equipping our users with the most powerful and intuitive resources for their cybersecurity and forensic needs.


文章来源: https://blog.cerbero.io/file-miner-package/
如有侵权请联系:admin#unsafe.sh