Xumeiquer / yara-forensics

Set of Yara rules for finding files using magic headers
GNU General Public License v3.0

YARA-FORENSICS


Yara is the pattern matching Swiss Army knife for malware researchers (and everyone else). Basically, Yara allows us to scan files based on textual or binary patterns, so we can take advantage of Yara's potential and focus it on forensic investigations.

For now I have created a set of rules that search for magic headers in standalone files, and in dump files such as raw dd images as well. So I invite anyone to add or improve rules regarding forensics.


Content

The repository is split into two folders: file and raw. The rules in the file folder mainly look for magic headers in standalone files; the rules inside the raw folder mainly look for magic headers in raw files or dump files. The main difference is the offset of the magic: in a standalone file it is usually at 0x0, while in a dump it is not tied to a fixed offset.

The available files are listed in FILES.md.
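
The file/raw split above comes down to one detail: whether the magic must sit at offset 0x0 or may appear anywhere in the input. The following added example (written for this page, not code from the yara-forensics repository) models both rule families in plain Python: a hypothetical rule table whose names and tags mirror the README's output, a YARA-style hex pattern matcher with `??` wildcards (the wildcard positions are an assumption), an anchored scan for the file rules and an unanchored scan for the raw rules, with the hits rendered the way `yara -s -g` prints them. The inputs are constructed: an EXIF JPEG header taken from the bytes shown later in the README, and a fake dump with two JFIF headers buried in zero padding.

```python
import re

# Hypothetical stand-in for the repository's file/ and raw/ rule families
# (names and tags follow the README's output; patterns are constructed).
FILE_RULES = [
    # (rule name, tag, hex pattern): the magic must be at offset 0x0
    ("jpg_magic", "JPG", "FF D8 FF E0 ?? ?? 4A 46 49 46 00"),
    ("jpg_magic_with_EXIF", "JPG", "FF D8 FF E1 ?? ?? 45 78 69 66 00"),
]
RAW_RULES = [
    # same magics, but allowed to appear anywhere in a dump
    ("contains_jpeg", "JPG", "FF D8 FF E0 ?? ?? 4A 46 49 46 00"),
    ("contains_jpg_with_EXIF", "JPG", "FF D8 FF E1 ?? ?? 45 78 69 66 00"),
]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Turn a YARA-style hex string ("FF D8 ?? 45") into a bytes regex."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")                  # wildcard: any single byte
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte, regex-escaped
    return re.compile(b"".join(parts), re.DOTALL)  # DOTALL so "." also matches 0x0A


def scan(data: bytes, rules, anchored: bool):
    """Return (rule, tag, offset, matched_bytes) hits.

    anchored=True models the file/ rules ("$a at 0"): the magic must sit at
    offset 0x0. anchored=False models the raw/ rules: every occurrence is
    reported, which is what lets them find images inside an ISO or memory dump.
    """
    hits = []
    for name, tag, pattern in rules:
        rx = hex_pattern_to_regex(pattern)
        if anchored:
            m = rx.match(data)              # re.match only tries offset 0
            if m:
                hits.append((name, tag, 0, m.group(0)))
        else:
            for m in rx.finditer(data):
                hits.append((name, tag, m.start(), m.group(0)))
    return hits


def format_hits(hits, path: str):
    """Render hits the way `yara -s -g` prints them: rule [TAG] path, then one offset line per match."""
    by_rule = {}
    for name, tag, off, matched in hits:
        by_rule.setdefault((name, tag), []).append((off, matched))
    lines = []
    for (name, tag), occurrences in by_rule.items():
        lines.append(f"{name} [{tag}] {path}")
        for off, matched in occurrences:
            lines.append(f"0x{off:x}:$a: " + " ".join(f"{b:02X}" for b in matched))
    return lines


# Constructed inputs: a standalone EXIF JPEG header (bytes from the README's
# -s output) and a fake dump with two JFIF headers at 0x1000 and 0x120b.
EXIF_FILE = bytes.fromhex("FFD8FFE14BEF457869660000")
JFIF_HEADER = bytes.fromhex("FFD8FFE000104A46494600")
DUMP = b"\x00" * 0x1000 + JFIF_HEADER + b"\x00" * 0x200 + JFIF_HEADER + b"\x00" * 16

if __name__ == "__main__":
    print("\n".join(format_hits(scan(EXIF_FILE, FILE_RULES, anchored=True), "Hard_Drive.jpg")))
    # The file rules find nothing in the dump: the magic is not at offset 0x0.
    print(scan(DUMP, FILE_RULES, anchored=True))
    print("\n".join(format_hits(scan(DUMP, RAW_RULES, anchored=False), "dump.raw")))
```

Running it shows the point of the two folders: the file rules report `jpg_magic_with_EXIF` at `0x0` for the standalone header and nothing for the dump, while the raw rules report `contains_jpeg` twice with the offsets where the JFIF headers were buried.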


Contribution

We have written a short document describing how to contribute to Yara-Forensics; before sharing your rules, we encourage you to read the CONTRIBUTING.md file.


Yara installation

Installing Yara is quite easy: just follow the official documentation. After that, you can use the rules in this repository (and any Yara rules in general).


Examples

The basic use of Yara rules

This will tell whether the file Hard_Drive.jpg is an image.

$> yara file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg

Or scanning for images in dump files.

$> yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

Yara options

Yara offers a good set of options that can be useful; as an example I will show two interesting ones, but there are more.

For example:

Offset

$> yara -s file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg
0x0:$a: FF D8 FF E1 4B EF 45 78 69 66 00

This is more useful when using the raw rules.

$> yara -s raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
0x5b73800:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76000:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76232:$a: FF D8 FF E0 00 10 4A 46 49 46 00

Tags

It is also possible to get the rule tags. This is useful when executing a bunch of rules and then filtering the results by some tag.

$> yara -g file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF [JPG] test/Hard_Drive.jpg
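
Filtering by tag and reusing the offsets from -s both start with parsing what yara prints. The following added example (written for this page, not code from the yara-forensics repository) parses the combined `yara -s -g` output format into records, filters them by tag, and collects the offsets of one rule so they can seed a carving pass over a dump. SAMPLE_OUTPUT is constructed from lines shaped like the README's examples; the paths and the `png_magic` rule are hypothetical, and the parser assumes the tag list is printed comma-separated inside the square brackets.

```python
import re

# Constructed sample of `yara -s -g` output (paths and png_magic are hypothetical).
SAMPLE_OUTPUT = """\
jpg_magic_with_EXIF [JPG] test/Hard_Drive.jpg
0x0:$a: FF D8 FF E1 4B EF 45 78 69 66 00
contains_jpeg [JPG] /home/user/ISOs/debian.iso
0x5b73800:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76000:$a: FF D8 FF E0 00 10 4A 46 49 46 00
png_magic [PNG] test/logo.png
0x0:$a: 89 50 4E 47 0D 0A 1A 0A
"""

# "rule [TAG1,TAG2] path": the bracketed tag list only appears with -g,
# and the path may contain spaces, so it takes the rest of the line.
MATCH_LINE = re.compile(r"^(?P<rule>[A-Za-z_]\w*)(?: \[(?P<tags>[^\]]*)\])? (?P<path>.+)$")
# "0xOFFSET:$id: data": one line per string match, only printed with -s.
STRING_LINE = re.compile(r"^0x(?P<off>[0-9a-fA-F]+):(?P<id>\$\w*): (?P<data>.*)$")


def parse_yara_output(text: str):
    """Return a list of {rule, tags, path, strings} dicts; strings are (offset, id, bytes)."""
    matches = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        s = STRING_LINE.match(line)
        if s and current is not None:
            try:
                data = bytes.fromhex(s["data"])   # -s prints hex for binary strings...
            except ValueError:
                data = s["data"].encode()         # ...and plain text for printable ones
            current["strings"].append((int(s["off"], 16), s["id"], data))
            continue
        m = MATCH_LINE.match(line)
        if m:
            tags = [t for t in (m["tags"] or "").split(",") if t]
            current = {"rule": m["rule"], "tags": tags, "path": m["path"], "strings": []}
            matches.append(current)
    return matches


def filter_by_tag(matches, tag: str):
    """Keep only matches whose rule carries the given tag (the -g use case)."""
    return [m for m in matches if tag in m["tags"]]


def offsets_for(matches, rule: str):
    """All match offsets reported for one rule, e.g. to seed a carving pass over a dump."""
    return [off for m in matches if m["rule"] == rule for off, _, _ in m["strings"]]


if __name__ == "__main__":
    parsed = parse_yara_output(SAMPLE_OUTPUT)
    for m in filter_by_tag(parsed, "JPG"):
        print(m["rule"], m["path"], [hex(off) for off, _, _ in m["strings"]])
    print(offsets_for(parsed, "contains_jpeg"))
```

Pipe real output in with `yara -s -g raw/images.yar dump.raw | python3 parse.py` (reading `sys.stdin` instead of SAMPLE_OUTPUT); a match that hits a rule without tags comes out as `[]` and is simply dropped by filter_by_tag.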

Benchmarks

Well, there are no actual benchmarks, but I would like to show how fast Yara is.

$> ls -lh ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 247M abr 22  2016 /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

$> time yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso

0,72s user 0,00s system 44% cpu 0,732 total
$> ls -lh ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 3,1G feb 17  2014 /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso

$> time yara raw/images.yar ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso

13,26s user 0,97s system 45% cpu 30,982 total
$> ls -lh mem.raw
-rwxr-xr-x  1 root  staff    18G 29 abr 00:18 mem.raw

$> time yara  raw/jpeg.yar mem.raw
contains_jpeg mem.raw
contains_jpg_with_EXIF mem.raw
contains_jpeg_2000 mem.raw

44,60s user 12,84s system 57% cpu 1:39,83 total
