A binary analysis platform for analyzing binary programs
The goal of Truehunter is to detect encrypted containers using a fast and memory efficient approach without any external dependencies for ease of portability. It was designed to detect Truecrypt and Veracrypt containers, however it may detect any encrypted file with a 'header' not included in its database. Truehunter performs the following checks: Test the first 8 bytes of the file against its own database. File size modulo 64 must be zero. Calculates file entropy. Truehunter is part of BlackArch forensic tools. Installation: Any Python version from 2.7-3.7 should work, it does not need any additional libraries. Usage: The headers database file will be created with the first use, and can be updated after every scan. Note this is not a correct header database, just the first 8 bytes of every file, extension and date (It does the job as a PoC). Fast Scan: Searches for files with a size % 64 = 0 (block ciphers), unknown headers and appearing less than MAXHEADER value (default 3). Default Scan: Performs a fast scan and calculates the entropy of the resulting files to reduce false positives. Usage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZ
A binary analysis platform for analyzing binary programs
LiME is a Linux Memory Extractor tool for acquiring volatile memory from Linux and Linux-based devices, including Android, with features like full memory captures and minimal process footprint.
No More Ransom is a collaborative project to combat ransomware attacks by providing decryption tools and prevention advice.
A library for working with Windows NT data types, providing access and manipulation functions.
Tool for analyzing Windows Recycle Bin INFO2 file
Malscan is a tool to scan process memory for YARA matches and execute Python scripts.