[Solved] How to use “binwalk” forensic tool in kali linux to extract all files ?

blogs Digital Forensics How To



So, users question was, “How ‘binwalk’ in kali linux can be used to extract details of some .mp3 file“. After executing following commands, binwalk music.mp3, the following o/p was shown.

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
152318 0x252FE MySQL ISAM compressed data file Version 2
586865 0x8F471 MySQL ISAM compressed data file Version 5
5669358 0x5681EE MySQL ISAM index file Version 1
5831936 0x58FD00 TIFF image data, little-endian offset of first image directory: 8
5832467 0x58FF13 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#">
5832624 0x58FFB0 Unix path: /purl.org/dc/elements/1.1/"
5832748 0x59002C Unix path: /ns.adobe.com/xap/1.0/mm/"
5832806 0x590066 Unix path: /ns.adobe.com/xap/1.0/sType/ResourceEvent#">

Main question is, will binwalk -e music.mp3 work ?

So, possible solutions for above questions are :

s1 : binwalk –dd=’.*’ music.mp3

s2 : binwalk -e music.mp3 will automatically list or extract known file types, but binwalk -D=’.*’ music.mp3 OR binwalk –dd=’.*’ music.mp3 will extract type signatures, give the files an extension of ext, and execute cmd.



Details : https://tools.kali.org/forensics/binwalk 

Binwalk Package Description :

Binwalk is a tool for searching a given binary image for embedded files and executable code. Specifically, it is designed for identifying files and code embedded inside of firmware images. Binwalk uses the libmagic library, so it is compatible with magic signatures created for the Unix file utility. Binwalk also includes a custom magic signature file which contains improved signatures for files that are commonly found in firmware images such as compressed/archived files, firmware headers, Linux kernels, bootloaders, filesystems, etc. Source: https://github.com/ReFirmLabs/binwalk

root@kali:~# binwalk -h

Binwalk v2.1.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk

Usage: binwalk [OPTIONS] [FILE1] [FILE2] [FILE3] …

Signature Scan Options:
-B, –signature              Scan target file(s) for common file signatures
-R, –raw=<str>              Scan target file(s) for the specified sequence of bytes
-A, –opcodes                Scan target file(s) for common executable opcode signatures
-m, –magic=<file>           Specify a custom magic file to use
-b, –dumb                   Disable smart signature keywords
-I, –invalid                Show results marked as invalid
-x, –exclude=<str>          Exclude results that match <str>
-y, –include=<str>          Only show results that match <str>

Extraction Options:
-e, –extract                Automatically extract known file types
-D, –dd=<type:ext:cmd>      Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, –matryoshka             Recursively scan extracted files
-d, –depth=<int>            Limit matryoshka recursion depth (default: 8 levels deep)
-C, –directory=<str>        Extract files/folders to a custom directory (default: current working directory)
-j, –size=<int>             Limit the size of each extracted file
-n, –count=<int>            Limit the number of extracted files
-r, –rm                     Delete carved files after extraction
-z, –carve                  Carve data from files, but don’t execute extraction utilities
-V, –subdirs                Extract into sub-directories named by the offset

Entropy Options:
-E, –entropy                Calculate file entropy
-F, –fast                   Use faster, but less detailed, entropy analysis
-J, –save                   Save plot as a PNG
-Q, –nlegend                Omit the legend from the entropy plot graph
-N, –nplot                  Do not generate an entropy plot graph
-H, –high=<float>           Set the rising edge entropy trigger threshold (default: 0.95)
-L, –low=<float>            Set the falling edge entropy trigger threshold (default: 0.85)

Binary Diffing Options:
-W, –hexdump                Perform a hexdump / diff of a file or files
-G, –green                  Only show lines containing bytes that are the same among all files
-i, –red                    Only show lines containing bytes that are different among all files
-U, –blue                   Only show lines containing bytes that are different among some files
-w, –terse                  Diff all files, but only display a hex dump of the first file

Raw Compression Options:
-X, –deflate                Scan for raw deflate compression streams
-Z, –lzma                   Scan for raw LZMA compression streams
-P, –partial                Perform a superficial, but faster, scan
-S, –stop                   Stop after the first result

General Options:
-l, –length=<int>           Number of bytes to scan
-o, –offset=<int>           Start scan at this file offset
-O, –base=<int>             Add a base address to all printed offsets
-K, –block=<int>            Set file block size
-g, –swap=<int>             Reverse every n bytes before scanning
-f, –log=<file>             Log results to file
-c, –csv                    Log results to file in CSV format
-t, –term                   Format output to fit the terminal window
-q, –quiet                  Suppress output to stdout
-v, –verbose                Enable verbose output
-h, –help                   Show help output
-a, –finclude=<str>         Only scan files whose names match this regex
-p, –fexclude=<str>         Do not scan files whose names match this regex
-s, –status=<int>           Enable the status server on the specified port



 

Leave a Reply

Your email address will not be published.