{"id":13791268,"url":"https://github.com/adoreste/truehunter","last_synced_at":"2025-05-12T10:31:31.283Z","repository":{"id":51317932,"uuid":"88866938","full_name":"adoreste/truehunter","owner":"adoreste","description":"Truehunter","archived":false,"fork":false,"pushed_at":"2021-05-15T19:48:56.000Z","size":19,"stargazers_count":30,"open_issues_count":2,"forks_count":19,"subscribers_count":5,"default_branch":"master","last_synced_at":"2024-08-04T22:15:23.979Z","etag":null,"topics":["dfir","entropy","forensics","python","truecrypt","veracrypt"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/adoreste.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-04-20T13:11:02.000Z","updated_at":"2023-09-28T10:40:49.000Z","dependencies_parsed_at":"2022-09-11T21:30:17.307Z","dependency_job_id":null,"html_url":"https://github.com/adoreste/truehunter","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adoreste%2Ftruehunter","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adoreste%2Ftruehunter/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adoreste%2Ftruehunter/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/adoreste%2Ftruehunter/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/adoreste","download_url":"https://codeload.github.com/adoreste/truehunter/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","r
epositories_count":225133757,"owners_count":17426057,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","entropy","forensics","python","truecrypt","veracrypt"],"created_at":"2024-08-03T22:00:58.099Z","updated_at":"2024-11-18T05:32:15.673Z","avatar_url":"https://github.com/adoreste.png","language":"Python","funding_links":[],"categories":["Tools"],"sub_categories":["Encryption / Obfuscation"],"readme":"# Truehunter\nThe goal of Truehunter is to detect encrypted containers using a fast, memory-efficient approach without any external dependencies, for ease of portability. It was designed to detect TrueCrypt and VeraCrypt containers; however, it may flag any encrypted file whose 'header' is not included in its database.  \n  \nTruehunter performs the following checks:\n1. Tests the first 8 bytes of the file against its own database.  \n2. Checks that the file size modulo 64 is zero.  \n3. Calculates file entropy.  \n  \nTruehunter is part of BlackArch forensic tools.  \nhttps://blackarch.org/forensic.html\n\n## Installation\nAny Python version from 2.7 to 3.7 should work; no additional libraries are needed. \n  \n## Usage  \n  \nThe headers database file is created on first use and can be updated after every scan. Note that this is not a correct header database, just the first 8 bytes of every file, its extension and date (it does the job as a PoC).  \n  \nFast Scan: Searches for files whose size % 64 = 0 (block ciphers), with unknown headers that appear fewer than MAXHEADER times (default 3).  
\nDefault Scan: Performs a fast scan and calculates the entropy of the resulting files to reduce false positives.  \n  \n```  \nusage: truehunter.py [-h] [-D HEADERSFILE] [-m MINSIZE] [-M MAXSIZE]  \n                     [-R MAXHEADER] [-f] [-o OUTPUTFILE]  \n                      LOCATION  \n  \nChecks for file size, unknown header, and entropy of files to determine if  \nthey are encrypted containers.  \n  \npositional arguments:  \n  LOCATION              Drive or directory to scan.  \n\noptional arguments:  \n  -h, --help            show this help message and exit.   \n  -D HEADERSFILE, --database HEADERSFILE  \n                        Headers database file, default headers.db  \n  -m MINSIZE, --minsize MINSIZE  \n                        Minimum file size in Kb, default 1Mb.  \n  -M MAXSIZE, --maxsize MAXSIZE  \n                        Maximum file size in Kb, default 100Mb.  \n  -R MAXHEADER, --repeatHeader MAXHEADER  \n                        Discard files with unknown headers repeated more than  \n                        N times, default 3.  \n  -f, --fast            Do not calculate entropy.  \n  -o OUTPUTFILE, --outputfile OUTPUTFILE  \n                        Scan results file name, default scan_results.csv\n```\n  \n## License: GPLv3\n  \nTruehunter  \nAuthor Andres Doreste  \nCopyright (C) 2015, Andres Doreste  \nLicense:   GPLv3  \n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadoreste%2Ftruehunter","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fadoreste%2Ftruehunter","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fadoreste%2Ftruehunter/lists"}