Skip to content

DFIR Patterns #442

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

DFIR Patterns #442

wants to merge 10 commits into from
+3,738 −0

Conversation

F01TECH
Copy link

@F01TECH F01TECH commented Sep 16, 2025

Modified versions of /fs/ for semi-automated parsing of Disks/Volumes/Filesystems related to digital forensics and reporting.

@F01TECH
Added /DFIR/ with patterns
ad571ff 
Added /DFIR/ sub-directory.
Contains modified versions of built-in patterns for semi-automated Disk/Volume/Filesystem parsing geared towards Digital Forensics.
Originals in /fs/ should remain in tact for spot placement.
@F01TECH
DFIR_README.md
d60bfd9
@F01TECH
DFIR_README.md
9e02111
@F01TECH
DFIR_README.md
dbc4403
@F01TECH
DISK_PARSER.hexpat
517ff18
@F01TECH
DISK_PARSER.hexpat
b84a281
@F01TECH
FAT32.hexpat
32ca333
@F01TECH
exFAT.hexpat
e79937a
@WerWolv
Copy link
Owner

WerWolv commented Sep 17, 2025

Wow that's some very impressive work, thank you very much!

Since this is for disk images, I doubt we'll be able to have a proper test file for them so that part is okay. Could you add the folder to the table in the readme page though please?

@F01TECH
Copy link
Author

F01TECH commented Sep 17, 2025
edited
Loading

Great, thanks!

These good?

| DISK_PARSER (DFIR) | application/x-ima | 'patterns/DFIR/DISK_PARSER.hexpat' | Recursive Disk/Volume/Filesystem parsing |

| EXFAT (DFIR) | | 'patterns/DFIR/exFAT.hexpat' | Imported by DISK_PARSER.hexpat |

| FAT32 (DFIR) | | 'patterns/DFIR/FAT32.hexpat' | Imported by DISK_PARSER.hexpat |

| NTFS (DFIR) | | 'patterns/DFIR/NTFS.hexpat' | Imported by DISK_PARSER.hexpat |

@F01TECH
README.md
2177815 
Added DFIR related hexpats to table.
@F01TECH
README.md
c32b23c
@WerWolv
Copy link
Owner

WerWolv commented Sep 21, 2025

Are the patterns meant to be used on their own as well? If not, I'd suggest only adding the main pattern that people are meant to import.
Besides that, about the name. Pretty much all other patterns are named after the thing they're parsing so DFIR is a bit out-of-line I guess since it more describes its purpose than the data format it's parsing. Not sure if we should make an exception here since there's already are patterns available that are specifically for parsing some of these file systems

@F01TECH
Copy link
Author

F01TECH commented Sep 22, 2025

Good call.

In theory, the proposed patterns can replace the existing versions in /fs/. When I was first developing, I had kept them separated due to temporary hard coded placements and never circled back around to consider full replacement. The entry point placements are all 0x0, so will function as semi-automated or targeted (manual placement), just as the originals, but with all the enhancements.

Downside to full replacement:

  • The parsing of the file record entries...
    1. Adds considerable evaluation time on large volumes. Under 5 seconds on 16GB or less, around 10-20 seconds on 100GB, and around 30-50 seconds on 500GB when capped at 4096 file record entries.
    2. If someone were to use without checking the notes for each pattern, they may think they've parsed all entries or the pattern is incomplete/broken/inaccurate...
    3. Overkill for someone that simply wants to parse the MBR/GPT and any VBRs without diving deeper into the file system.

I'll need to test and report back; Will setting the Root Dir/MFT MAX_NUM_ENTRIES to 0 break anything.

@F01TECH
Copy link
Author

F01TECH commented Sep 22, 2025

I attempted to add a 'if DEEP_DIVE' for a quick fix, but too many errors to contend with right now.

If someone doesn't want to parse FAT1/FAT2, RootDir, or MFT, to speed things up, they can simply comment out the related calls or if the pattern offers a 'max number of' constant, set to zero.

For FAT32.hexpat:

  • // FAT_Entry FAT1[MAX_FAT_CHUNKS] @ FAT1_start_offset + 8;
  • // FAT_Entry FAT2[MAX_FAT_CHUNKS] @ FAT2_start_offset + 8;
  • // RootDirParser ROOT_DIR_ENTRIES[while(std::mem::read_unsigned($, 1) != 0x00)] @ root_dir_start;
  • // INFO_Overlay SFN_CLUSTER_LIST[MAX_SFN_CLUSTER_RELATIONS] @ FAT1_start_offset [[name("SFN <-> CLUSTER (DERIVED)")]];

For exFAT.hexpat:

  • const u64 MAX_FAT_CHUNKS = 0;
  • const u64 MAX_DIR_ENTRIES = 0;

for NTFS.hexpat:

  • // MFT_RECORD NEXT_RECORDS[while(fr_magic($) == NTFS_RECORD_TYPES::magic_FILE)] @ (nbs.mft_lcn * cluster_size + 12 * mft_rec_size) [[inline, static]];

That being said, its up to you whether or not we replace the simplicity/usability of the current /fs/ with the proposed patterns or keep it separate as /DFIR/...

If we keep it separate, I can remove the duplicated file system patterns from the table and just have a reference to DISK_PARSER.hexpat?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@F01TECH @WerWolv