drive-image-searcher

A Rust CLI tool to stream a drive image, and search for one or more byte patterns

cargo install drive-image-searcher
drive-image-searcher -h

Features

• Supports custom "needle" definition configuration file.
• Supports reading from compressed disk images (lz4 and xz compression).
• Writes out chunks of data where the needle was found.
• Fast.

Usage

1. Download the needle_config.sample.yaml file, and fill it with search patterns you want to locate. For example:

- name: "Example Needle 1"
  val: "48 65 6c 6c 6f ff ff ff ff ff ff ff"  # This is "Hello" in hexadecimal
  val_format: hex
  description_notes: "A simple hex value of the word 'Hello'"
  happiness_level: 1

- name: "Example Needle 2"
  val: "word plus a bunch of other random text"
  val_format: ascii
  description_notes: "A plain ASCII value"
  happiness_level: 2
  write_to_file: false

2. Run cargo install drive-image-searcher.
3. Run drive-image-searcher -c none -i /path/to/dd_file.img -n /path/to/needle_config.yaml -o ./output_dir/

When complete, matching instances within the files will be in ./output_dir/, alongside logs.

Bugs

• Total file size for block devices shows as 0, so ETA doesn't work.
• The offsets are incorrect as a result of the carry forward not shifting the haystack