{"id":20005219,"url":"https://github.com/xumeiquer/yara-forensics","last_synced_at":"2026-02-02T19:33:18.481Z","repository":{"id":73135671,"uuid":"89471115","full_name":"Xumeiquer/yara-forensics","owner":"Xumeiquer","description":"Set of Yara rules for finding files using magics headers","archived":false,"fork":false,"pushed_at":"2020-09-08T08:13:39.000Z","size":76,"stargazers_count":137,"open_issues_count":1,"forks_count":21,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-06-19T04:50:12.444Z","etag":null,"topics":["dump-files","forensics","magic-headers","yara","yara-forensics","yara-rules"],"latest_commit_sha":null,"homepage":"","language":"YARA","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Xumeiquer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-04-26T10:59:56.000Z","updated_at":"2025-03-26T10:31:27.000Z","dependencies_parsed_at":null,"dependency_job_id":"e7af3c35-576f-491b-9fa2-fbf1ed31dd2e","html_url":"https://github.com/Xumeiquer/yara-forensics","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Xumeiquer/yara-forensics","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xumeiquer%2Fyara-forensics","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xumeiquer%2Fyara-forensics/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xumeiquer%2Fyara-forensics/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xumeiquer%2Fyara-forensics/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Xumeiquer","download_url":"https://codeload.github.com/Xumeiquer/yara-forensics/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Xumeiquer%2Fyara-forensics/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29018027,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-02T18:51:31.335Z","status":"ssl_error","status_checked_at":"2026-02-02T18:49:20.777Z","response_time":58,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dump-files","forensics","magic-headers","yara","yara-forensics","yara-rules"],"created_at":"2024-11-13T05:38:37.208Z","updated_at":"2026-02-02T19:33:18.457Z","avatar_url":"https://github.com/Xumeiquer.png","language":"YARA","funding_links":["https://ko-fi.com/M4M625UW0"],"categories":["\u003ca id=\"ecb63dfb62722feb6d43a9506515b4e3\"\u003e\u003c/a\u003e新添加"],"sub_categories":[],"readme":"YARA-FORENSICS\n==============\n\n[![License: GPL v3](https://img.shields.io/badge/License-GPL%20v3-blue.svg)](http://www.gnu.org/licenses/gpl-3.0) [![DFIR: Yara rules](https://img.shields.io/badge/DFIR-Yara%20Rules-brightgreen.svg)](https://yararules.com) [![Travis build](https://travis-ci.org/Xumeiquer/yara-forensics.svg)](https://github.com/Xumeiquer/yara-forensics)\n\n`Yara` is the pattern matching Swiss army knife for malware researchers (and everyone else). Basically, `Yara` allows us to scan files based on textual or binary patterns, so we can take advantage of `Yara`'s potential and focus it on forensic investigations.\n\nFor now I have created a set of rules that search for magic headers in files, and in dump files such as raw `dd` images as well. So I invite anyone to add or improve rules regarding forensics stuff.\n\n***\n\n## Content\n\nThe repository is split into two folders: `file` and `raw`. The rules in the `file` folder mainly look for `magic` in standalone files; on the other hand, the rules inside the `raw` folder mainly look for `magic` in raw files or dump files. The main difference is the offset of the magic, which is usually at `0x0` in standalone files.\n\nThe available files are listed in [`FILES.md`](FILES.md).\n\n***\n\n## Contribution\n\nWe have written a short document describing how to contribute to Yara-Forensics; before sharing your rules, we encourage you to read the [CONTRIBUTING.md](CONTRIBUTING.md) file.\n\n***\n\n## Yara installation\n\nInstalling `Yara` is quite easy: just follow [the official documentation](http://yara.readthedocs.io/en/v3.5.0/gettingstarted.html); after that, you can use the rules in this repository (and any `Yara` rules in general).\n\n***\n\n## Examples\n\n### The basic use of `Yara` rules\n\nThis will tell whether the file `Hard_Drive.jpg` is an image.\n\n```\n$\u003e yara file/images.yar test/Hard_Drive.jpg\njpg_magic_with_EXIF test/Hard_Drive.jpg\n```\n\nOr scanning for images in dump files.\n\n```\n$\u003e yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\ncontains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\n```\n\n### `Yara` options\n\n`Yara` offers a good set of options that can be useful; as an example I will show two interesting ones, but there are more.\n\nFor example:\n\n#### Offset\n\n```\n$\u003e yara -s file/images.yar test/Hard_Drive.jpg\njpg_magic_with_EXIF test/Hard_Drive.jpg\n0x0:$a: FF D8 FF E1 4B EF 45 78 69 66 00\n```\n\nThis is more useful when using the raw rules, since the offsets show where each magic was found in the dump.\n\n```\n$\u003e yara -s raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\ncontains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\n0x5b73800:$a: FF D8 FF E0 00 10 4A 46 49 46 00\n0x5b76000:$a: FF D8 FF E0 00 10 4A 46 49 46 00\n0x5b76232:$a: FF D8 FF E0 00 10 4A 46 49 46 00\n```\n\n#### Tags\n\nIt is also possible to print the rule `tags`. This is useful when running a bunch of rules and then filtering by a given tag.\n\n```\nyara -g file/images.yar test/Hard_Drive.jpg\njpg_magic_with_EXIF [JPG] test/Hard_Drive.jpg\n```\n\n### Benchmarks\n\nWell, there are no actual benchmarks, but I would like to show how fast `Yara` is.\n\n```\n$\u003e ls -lh ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\n-rw-r--r-- 1 libvirt-qemu libvirt-qemu 247M abr 22  2016 /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\n\n$\u003e time yara raw/images.yar ~/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\ncontains_jpeg /home/xumeiquer/kvm/ISOs/debian-8.4.0-amd64-netinst.iso\n\n0,72s user 0,00s system 44% cpu 0,732 total\n\n```\n\n```\n$\u003e ls -lh ~/kvm/ISOs/Windows\\ 7\\ 64Bits\\ SP1.iso\n-rw-r--r-- 1 libvirt-qemu libvirt-qemu 3,1G feb 17  2014 /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso\n\n$\u003e time yara raw/images.yar ~/kvm/ISOs/Windows\\ 7\\ 64Bits\\ SP1.iso\ncontains_jpeg /home/xumeiquer/kvm/ISOs/Windows 7 64Bits SP1.iso\n\n13,26s user 0,97s system 45% cpu 30,982 total\n```\n\n```\n$\u003e ls -lh mem.raw\n-rwxr-xr-x  1 root  staff    18G 29 abr 00:18 mem.raw\n\n$\u003e time yara  raw/jpeg.yar mem.raw\ncontains_jpeg mem.raw\ncontains_jpg_with_EXIF mem.raw\ncontains_jpeg_2000 mem.raw\n\n44,60s user 12,84s system 57% cpu 1:39,83 total\n```\n[![ko-fi](https://www.ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/M4M625UW0)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxumeiquer%2Fyara-forensics","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fxumeiquer%2Fyara-forensics","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fxumeiquer%2Fyara-forensics/lists"}