Skip to content

R
rules
Commit 9faf2952 by Xumeiquer
Options

Added Forensics rules

parent 8473a65c
Showing with 491 additions and 0 deletions
utils/forensics/file/audio.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule ogg_magic: OGG
{
meta:
author = "Jaume Martin"
file_info = "Ogg Vorbis Codec"
strings:
$a = {4F 67 67 53 00 02 00 00 00 00 00 00 00 00}
condition:
$a at 0
}
utils/forensics/file/compressed.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule _7z_magic: _7z
{
meta:
author = "Jaume Martin"
strings:
$a = {37 7A BC AF 27 1C}
condition:
$a at 0
}
utils/forensics/file/gps.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule gps_magic: GPS GPX
{
meta:
author = "Jaume Martin"
strings:
$a = {3C 67 70 78 20 76 65 72 73 69 6F 6E 3D 22 31 2E 31}
condition:
$a at 0
}
utils/forensics/file/images.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule jpeg_magic: JFIF JPE JPEG JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E0 ?? ?? 4A 46 49 46 00}
condition:
$a at 0
}
rule jpg_magic_with_EXIF: JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E1 ?? ?? 45 78 69 66 00}
condition:
$a at 0
}
rule jpeg_magic_with_Canon_EOS: JPEG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E2 ?? ?? 53 50 49 46 46 00}
condition:
$a at 0
}
rule jpeg_magic_with_Samsung_D500: JPEG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E3 ?? ?? 53 50 49 46 46 00}
condition:
$a at 0
}
rule jpg_magic_with_SPIFF: JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E8 ?? ?? 53 50 49 46 46 00}
condition:
$a at 0
}
rule jpeg_magic_2000: JPEG2000
{
meta:
author = "Jaume Martin"
strings:
$a = {00 00 00 0C 6A 50 20 20 0D 0A}
condition:
$a at 0
}
utils/forensics/file/mem_dumps.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule win_64_mem_dump_magic: DMP
{
meta:
author = "Jaume Martin"
file_info = "Windows 64-bit memory dump"
strings:
$a = {50 41 47 45 44 55 36 34}
condition:
$a at 0
}
rule win_32_mem_dump_magic: DMP
{
meta:
author = "Jaume Martin"
file_info = "Windows 32-bit memory dump"
strings:
$a = {50 41 47 45 44 55 4D 50}
condition:
$a at 0
}
utils/forensics/file/office.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule doc_magic: DOC
{
meta:
author = "Jaume Martin"
strings:
$a = {CF 11 E0 A1 B1 1A E1 00}
condition:
$a at 0
}
utils/forensics/file/pdf.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule pdf_magic: PDF
{
meta:
author = "Jaume Martin"
strings:
$a = {25 50 44 46}
$b = {0A 25 25 45 4F 46 (??|0A)}
$c = {0D 0A 25 25 45 4F 46 0D 0A}
$d = {0D 25 25 45 4F 46 0D}
condition:
$a at 0 and for any of ($b, $c, $d): (@ > @a)
}
utils/forensics/file/vcard.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule vcard_magic: vCard
{
meta:
author = "Jaume Martin"
strings:
$a = {42 45 47 49 4E 3A 56 43 41 52 44 0D 0A}
condition:
$a at 0
}
utils/forensics/file/video.yar 0 → 100644
/*
Author: Jaume Martin
Date: 24/04/2017
Description: This finds the magics on individual files.
*/
rule videocd_magic: VCD
{
meta:
author = "Jaume Martin"
strings:
$a = {45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58}
condition:
$a at 0
}
rule ogg_magic: OGG
{
meta:
author = "Jaume Martin"
file_info = "Ogg Vorbis Codec"
strings:
$a = {4F 67 67 53 00 02 00 00 00 00 00 00 00 00}
condition:
$a at 0
}
utils/forensics/raw/audio.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image.
Disclaimer: This can though false positives.
*/
rule contains_ogg: OGG
{
meta:
author = "Jaume Martin"
file_info = "Ogg Vorbis Codec"
strings:
$a = {4F 67 67 53 00 02 00 00 00 00 00 00 00 00}
condition:
$a
}
utils/forensics/raw/compressed.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_7z: _7z
{
meta:
author = "Jaume Martin"
strings:
$a = {37 7A BC AF 27 1C}
condition:
$a
}
utils/forensics/raw/gps.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_gps: GPS GPX
{
meta:
author = "Jaume Martin"
strings:
$a = {3C 67 70 78 20 76 65 72 73 69 6F 6E 3D 22 31 2E 31}
condition:
$a
}
utils/forensics/raw/images.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_jpeg: JFIF JPE JPEG JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E0 ?? ?? 4A 46 49 46 00}
condition:
$a
}
rule contains_jpg_with_EXIF: JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E1 ?? ?? 45 78 69 66 00}
condition:
$a
}
rule contains_jpeg_like_Canon_EOS: JPEG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E2 ?? ?? 53 50 49 46 46 00}
condition:
$a
}
rule contains_jpeg_like_Samsung_D500: JPEG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E3 ?? ?? 53 50 49 46 46 00}
condition:
$a
}
rule contains_jpg_with_SPIFF: JPG
{
meta:
author = "Jaume Martin"
strings:
$a = {FF D8 FF E8 ?? ?? 53 50 49 46 46 00}
condition:
$a
}
rule contains_jpeg_2000: JPEG2000
{
meta:
author = "Jaume Martin"
strings:
$a = {00 00 00 0C 6A 50 20 20 0D 0A}
condition:
$a
}
utils/forensics/raw/mem_dumps.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_win_64_mem_dump: DMP
{
meta:
author = "Jaume Martin"
file_info = "Windows 64-bit memory dump"
strings:
$a = {50 41 47 45 44 55 36 34}
condition:
$a
}
rule contains_win_32_mem_dump: DMP
{
meta:
author = "Jaume Martin"
file_info = "Windows 32-bit memory dump"
strings:
$a = {50 41 47 45 44 55 4D 50}
condition:
$a
}
utils/forensics/raw/office.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_doc: DOC
{
meta:
author = "Jaume Martin"
strings:
$a = {CF 11 E0 A1 B1 1A E1 00}
condition:
$a
}
utils/forensics/raw/pdf.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_pdf: PDF
{
meta:
author = "Jaume Martin"
strings:
$a = {25 50 44 46}
$b = {0A 25 25 45 4F 46 (??|0A)}
$c = {0D 0A 25 25 45 4F 46 0D 0A}
$d = {0D 25 25 45 4F 46 0D}
condition:
$a and for any of ($b, $c, $d): ( @ > @a )
}
utils/forensics/raw/vcard.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_vcard: vCard
{
meta:
author = "Jaume Martin"
strings:
$a = {42 45 47 49 4E 3A 56 43 41 52 44 0D 0A}
condition:
$a
}
utils/forensics/raw/video.yar 0 → 100644
/*
Author: Jaume Martin
Date: 26/04/2017
Description: This finds the magics on dump files, like raw dd image. This can though false positives.
*/
rule contains_videocd: VCD
{
meta:
author = "Jaume Martin"
strings:
$a = {45 4E 54 52 59 56 43 44 02 00 00 01 02 00 18 58}
condition:
$a
}
rule contains_ogg: OGG
{
meta:
author = "Jaume Martin"
file_info = "Ogg Vorbis Codec"
strings:
$a = {4F 67 67 53 00 02 00 00 00 00 00 00 00 00}
condition:
$a
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment