{"id":20571597,"url":"https://github.com/circl/factual-rules","last_synced_at":"2026-03-09T02:30:59.829Z","repository":{"id":44937042,"uuid":"355847073","full_name":"CIRCL/factual-rules","owner":"CIRCL","description":"Factual rules are YARA rules to find legitimate software on raw disk acquisition.","archived":false,"fork":false,"pushed_at":"2022-01-18T10:05:33.000Z","size":8417,"stargazers_count":13,"open_issues_count":0,"forks_count":1,"subscribers_count":6,"default_branch":"main","last_synced_at":"2026-01-29T22:53:30.381Z","etag":null,"topics":["dfir","dfir-automation","yara-forensics","yara-rules","yara-signatures"],"latest_commit_sha":null,"homepage":"https://circl.github.io/factual-rules/","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-2-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CIRCL.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2021-04-08T09:41:36.000Z","updated_at":"2026-01-23T13:16:54.000Z","dependencies_parsed_at":"2022-09-04T19:11:11.684Z","dependency_job_id":null,"html_url":"https://github.com/CIRCL/factual-rules","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/CIRCL/factual-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CI
RCL","download_url":"https://codeload.github.com/CIRCL/factual-rules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CIRCL%2Ffactual-rules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30280816,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-09T02:23:26.802Z","status":"ssl_error","status_checked_at":"2026-03-09T02:22:46.175Z","response_time":61,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dfir","dfir-automation","yara-forensics","yara-rules","yara-signatures"],"created_at":"2024-11-16T05:16:40.777Z","updated_at":"2026-03-09T02:30:59.807Z","avatar_url":"https://github.com/CIRCL.png","language":"YARA","funding_links":[],"categories":[],"sub_categories":[],"readme":"# factual-rules\n\nFactual rules are [YARA](https://yara.readthedocs.io/en/stable/) rules to find legitimate software on raw disk acquisition.\nThe goal of the software is to be able to use a set of rules against collected or acquired digital forensic evidences and find installed software in a timely fashion.\nAll the rules are generated using [factual-rules-generator](https://github.com/CIRCL/factual-rules-generator).\n\n## Source and origin of rules \n\nYARA rules present in this repository were generated using scripts hosted in the [factual-rules-generator 
repository](https://github.com/CIRCL/factual-rules-generator).\nAdditionally, rules can be automatically created with `factual-rules-generator` and contributed back to this repository.\n\n## Rules directory format\n\nYARA rules are in the [`/rules`](./rules/) directory and each folder follows the same pattern per software name:\n\n- At the top level:\n\n  - Installer name (such as `chocolatey`, `msiexec`, `exe`)\n  - Following the execution of the installer:\n    - two files, md5 and sha1, containing the hashes of each file created during the installation;\n    - a folder with each hash in [Hashlookup](https://github.com/hashlookup/hashlookup-forensic-analyser) file format.\n\n- At the second level, the installer folder:\n\n  - Two rules extracted from the raw disk:\n    - rule for the installation part\n    - rule for the uninstallation part\n  - one rule created from the software's executable\n  - Folder containing 2 other rules created from the tree structure of the raw disk:\n    - tree rule for the installation part\n    - tree rule for the uninstallation part\n\n## Usage\n\nExcept for the executable rules, each rule has an external variable called `ext_var` which needs to be specified.\nThis parameter is the number of the rule's strings that have to match in the scanned file: if a YARA rule contains 100 strings and `ext_var` is set to 50, the rule matches the evidence once 50 of those strings are found.\n\n~~~bash\ndacru@dacru:~/factual-rules$ yara -d ext_var=50 WinRAR_install.yar rawdisk_acquire.img\nWinRAR_install rawdisk_acquire.img \n~~~\n\nThis result tells you that WinRAR was installed, based on the string matches found on the raw disk with the `WinRAR_install` rule.\n\n## Benchmarking and testing factual rules search on acquired disk\n\nTo test the YARA rules, the software is installed in a virtual machine (as done during generation) and the virtual disk image is converted to raw format. 
\n\nThe rules were tested on the disk without any additional action.\n\n### Sample search result\n\n~~~\nVirtual machine setup and configuration:\n\n- Size of virtual machine: 32GB\n- PC spec:\n  - i7-10850H CPU @ 2.70GHz\n  - 32GB RAM\n~~~\n\nResult of the execution:\n\n~~~\nreal\t2m24.378s\nuser\t1m55.829s\nsys\t\t0m9.271s\n~~~\n\n## Overview of the factual rules generator and how the YARA rules are generated\n\n![Overview of factual rules generator](https://github.com/CIRCL/factual-rules/blob/main/img/YaraRule.png?raw=true)\n\nThe source code of the [factual-rules-generator](https://github.com/CIRCL/factual-rules-generator) is open source.\n\n## License\n\n~~~\nCopyright (C) 2021-2022 CIRCL - Computer Incident Response Center Luxembourg\nCopyright (C) 2021-2022 David Cruciani\n\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\n1. Redistributions of source code must retain the above copyright notice, this\n   list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright notice,\n   this list of conditions and the following disclaimer in the documentation\n   and/or other materials provided with the distribution.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n~~~\n\n\n\n\n\n\n\n\n\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcircl%2Ffactual-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcircl%2Ffactual-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcircl%2Ffactual-rules/lists"}