Operator On The Wire
โ† Back to Knowledge Base
BLUE TEAM / MALWARE REVERSE / ANALYSIS / STATIC / FILES

IMG

binwalk

https://github.com/ReFirmLabs/binwalk

foremost / scalpel

https://github.com/korczis/foremost
https://github.com/sleuthkit/scalpel


# identify file type
file suspicious.img

# check entropy (packed / encrypted regions)
binwalk -E suspicious.img

# initial scan (structure + offsets)
binwalk suspicious.img

# recursive extraction (main workflow)
binwalk -Me suspicious.img

# list extracted structure
ls -lah _suspicious.img.extracted/

# find potential filesystems / rootfs
find . -type f | grep -Ei "squashfs|ubifs|cramfs|ext|rootfs|uimage"

# locate root directories
find . -type d | grep -Ei "rootfs|squashfs-root|ubifs|etc|www|html"

# if squashfs found
unsquashfs <filesystem>

# if ext filesystem found
sudo mount -o loop,ro <filesystem.img> /mnt

# if UBI/UBIFS found
ubireader_extract_files <ubi.img>

# extract raw data carving (fallback)
foremost -i suspicious.img -o carved/
scalpel suspicious.img -o carved_scalpel/

# inspect partitions (if disk image)
fdisk -l suspicious.img

# mount with offset (if partitioned image)
# OFFSET = partition start sector from `fdisk -l` x sector size (usually 512)
sudo mount -o loop,ro,offset=<OFFSET> suspicious.img /mnt

# quick strings for creds / execution
strings suspicious.img | grep -Ei "password|admin|root|telnet|ssh|http"

# hunt for URLs / C2
strings suspicious.img | grep -Ei "http|ftp|dns"

# hash extracted payloads
sha256sum extracted_file

# inspect magic bytes
xxd -l 16 extracted_file

# expected headers:
# ELF = 7F 45 4C 46
# SquashFS = 68 73 71 73 ("hsqs", little-endian; big-endian images show "sqsh")
# UBI = 55 42 49 23
# ZIP = 50 4B
# MBR = 55 AA (boot signature at bytes 510-511, so it is NOT in the first 16 bytes)
xxd -s 0x1fe -l 2 suspicious.img

# hunt for binaries
find . -type f -executable

# identify binaries
file <binary>

# decompress everything
for f in *.xz; do unxz "$f"; done
for f in *.zip; do unzip "$f" -d "${f}_out"; done
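The magic-byte checks and the offset mount above, worked through as an added example (not part of the original page): a POSIX shell classifier for the headers listed, plus a reader for the MBR partition table that derives the `offset=` value for `mount`. The sample files are constructed here and are not real firmware.

```shell
#!/bin/sh
# Added example: classify carved files by magic bytes using only POSIX tools
# (od, dd, printf, sed) and derive a mount offset from an MBR partition entry.

# Hex of COUNT bytes at OFFSET of FILE, lowercase, no separators.
hexbytes() {  # hexbytes FILE OFFSET COUNT
    od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Label FILE by its leading magic; falls back to the MBR boot signature,
# which lives at byte 510, not in the first 16 bytes.
identify_magic() {
    case "$(hexbytes "$1" 0 4)" in
        7f454c46) echo elf ;;                    # 7F 'E' 'L' 'F'
        68737173) echo squashfs-le ;;            # "hsqs": little-endian SquashFS
        73717368) echo squashfs-be ;;            # "sqsh": big-endian SquashFS
        55424923) echo ubi ;;                    # "UBI#"
        504b0304|504b0506|504b0708) echo zip ;;  # "PK" + record type
        *) if [ "$(hexbytes "$1" 510 2)" = "55aa" ]; then echo mbr
           else echo unknown; fi ;;
    esac
}

# Byte offset of MBR partition N (1-4): 16-byte entries start at byte 446;
# the 32-bit little-endian LBA start sits 8 bytes into each entry.
mbr_part_offset() {  # mbr_part_offset IMAGE PARTNUM [SECTOR_SIZE]
    le=$(hexbytes "$1" $((446 + ($2 - 1) * 16 + 8)) 4)
    [ ${#le} -eq 8 ] || { echo 0; return 1; }   # image too short
    be=$(printf '%s' "$le" | sed 's/^\(..\)\(..\)\(..\)\(..\)$/\4\3\2\1/')
    echo $((0x$be * ${3:-512}))
}

# Constructed samples: header bytes only, not real firmware.
demo=$(mktemp -d)
printf '\177ELF\001\001\001' > "$demo/elf.bin"
printf 'hsqs' > "$demo/fs.sqsh"
printf 'UBI#' > "$demo/vol.ubi"
printf 'PK\003\004' > "$demo/app.zip"
printf 'hello' > "$demo/note.txt"
# 512-byte MBR: partition 1 starts at LBA 2048 (00 08 00 00 LE), 55 AA at 510.
dd if=/dev/zero of="$demo/disk.img" bs=512 count=1 2>/dev/null
printf '\000\010\000\000' | dd of="$demo/disk.img" bs=1 seek=454 conv=notrunc 2>/dev/null
printf '\125\252' | dd of="$demo/disk.img" bs=1 seek=510 conv=notrunc 2>/dev/null

for f in "$demo"/*; do
    printf '%-40s %s\n' "$f" "$(identify_magic "$f")"
done
echo "partition 1 offset: $(mbr_part_offset "$demo/disk.img" 1)"   # 1048576
```

The printed offset is what goes into `mount -o loop,ro,offset=1048576 disk.img /mnt` for that sample; a real image is read the same way.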

Hunting Matrix

| Pattern (Binwalk Output) | What It Is | Why It Appears | What You Should Do | Priority |
|---|---|---|---|---|
| YAFFS filesystem | Flash filesystem (NAND) | Embedded Linux root filesystem | 🔥 Extract → this is ROOTFS | 🔴 CRITICAL |
| SquashFS / UBIFS / ext | Linux filesystem | Main OS / firmware data | 🔥 Extract immediately | 🔴 CRITICAL |
| Linux EXT filesystem | Full Linux disk FS | Complete OS image | 🔥 Mount / explore /etc, /www | 🔴 CRITICAL |
| uImage header | Linux kernel image (U-Boot) | Bootable kernel | Ignore initially (not rootfs) | 🟡 Medium |
| Android bootimg | Android kernel + ramdisk | Mobile / embedded Android | Extract ramdisk if needed | 🟠 High |
| Flattened device tree (FDT) | Hardware config blob | CPU, RAM, peripherals | Context only | 🟢 Low |
| ESP Image (ESP32 / ESPxx) | Microcontroller firmware | WiFi/Bluetooth chip firmware | Ignore unless reversing HW | 🟢 Low |
| gzip / xz / lzma / lzo | Compressed data | Packed filesystem / configs | 🔥 Decompress → may hide rootfs | 🔴 HIGH |
| Zip archive / classes.dex | Android app / Java code | Embedded APKs | Extract → possible app logic | 🟠 High |
| ELF (ARM / x86) | Linux executable | Programs / services | 🧠 Inspect unknown binaries | 🟠 High |
| Microsoft executable (PE) | Windows binary | Cross-platform tools / weird embed | 🚨 Suspicious in firmware | 🔴 HIGH |
| mcrypt / encrypted data | Encrypted blob | Secrets / configs / payload | 🚨 High-value target | 🔴 HIGH |
| Certificates (x509 / PKCS7) | Crypto certs / signatures | Secure boot / TLS | Usually legit | 🟡 Medium |
| XML document | Config / metadata | App / firmware settings | Inspect for creds / URLs | 🟡 Medium |
| Unix paths (/etc, /dev, /sys) | Strings in binary | Embedded references | Ignore (context only) | 🟢 Low |
| CRC tables / AES S-box / SHA constants | Crypto/math tables | Part of compiled binaries | Noise | ⚪ Ignore |
| Intel microcode | CPU firmware updates | Embedded CPU patches | Noise | ⚪ Ignore |
| Bitmaps / images | UI assets | Device UI / web panel | Ignore initially | ⚪ Low |
| MySQL ISAM / MISAM | Database files | Embedded DB storage | 🧠 Investigate if used | 🟠 High |
| Ubiquiti / JBOOT headers | Vendor firmware format | Partitioning / boot structure | Helps map layout | 🟡 Medium |
| Base64 index table | Encoding table | Library artifact | Noise | ⚪ Ignore |