Yara is the pattern matching swiss knife for malware researchers (and everyone else). Basically Yara allow us to scan files based on textual or binary patterns, thus we can take advantage of Yara's potential and focus it in forensic investigations.
For now I have created a set of rules that search for magic headers on files and dump files like raw image of dd as well. So I invite anyone to add or improve rules regarding forensics stuff.
The repository is splitted in two folders: file and raw. The rules in file folder are mainly to look for magic in standalone files, on the other hand, rules inside raw folder are mainly to look for magic in raw file or dump files. The main difference is the offset of the magic usually at 0x0 in files.
The avaliable files are listed in FILES.md.
We have defined a short document describing how to contribute to Yara-Forensics, please before sharing your rules we encorage you to read the CONTRIBUTING.md file.
Installing Yara is quite easy: just follow the official documentation, after that, you can use the rules of this repository (and all Yara rules in general).
This will tell whether the file Hard_Drive.jpg is an image.
$> yara file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg
Or scanning images in dump files.
$> yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
Yara offers a good set of options that can be useful, as example I will show two interesting options, but there are more.
For example:
$> yara -s file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF test/Hard_Drive.jpg
0x0:$a: FF D8 FF E1 4B EF 45 78 69 66 00
This is more useful when using the raw rules.
$> yara -s raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
0x5b73800:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76000:$a: FF D8 FF E0 00 10 4A 46 49 46 00
0x5b76232:$a: FF D8 FF E0 00 10 4A 46 49 46 00
It is also possible to get he rule tags. This will be useful when executing a bunch of rule and then filter by some possible tag.
yara -g file/images.yar test/Hard_Drive.jpg
jpg_magic_with_EXIF [JPG] test/Hard_Drive.jpg
Well, there are no actual benchmarks, but I would like to show how fast is Yara.
$> ls -lh ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 247M abr 22 2016 /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
$> time yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso
0,72s user 0,00s system 44% cpu 0,732 total
$> ls -lh ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
-rw-r--r-- 1 libvirt-qemu libvirt-qemu 3,1G feb 17 2014 /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso
$> time yara raw/images.yar ~/kvm/ISOs/Windows\ 7\ 64Bits\ SP1.iso
contains_jpeg /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso
13,26s user 0,97s system 45% cpu 30,982 total
$> ls -lh mem.raw
-rwxr-xr-x 1 root staff 18G 29 abr 00:18 mem.raw
$> time yara raw/jpeg.yar mem.raw
contains_jpeg mem.raw
contains_jpg_with_EXIF mem.raw
contains_jpeg_2000 mem.raw
44,60s user 12,84s system 57% cpu 1:39,83 total
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent