- binwalk: https://github.com/ReFirmLabs/binwalk
- foremost: https://github.com/korczis/foremost
- scalpel: https://github.com/sleuthkit/scalpel
```bash
# identify file type
file suspicious.img
# check entropy (packed / encrypted regions)
binwalk -E suspicious.img
# initial scan (structure + offsets)
binwalk suspicious.img
# recursive extraction (main workflow)
binwalk -Me suspicious.img
# list extracted structure
ls -lah _suspicious.img.extracted/
# find potential filesystems / rootfs (match on the file NAME, not the whole path:
# a bare "ext" in a path grep would match every file under _suspicious.img.extracted/)
find . -type f \( -iname '*squashfs*' -o -iname '*ubifs*' -o -iname '*cramfs*' \
    -o -iname '*.ext[234]' -o -iname '*rootfs*' -o -iname '*uimage*' \)
# locate root directories
find . -type d | grep -Ei "rootfs|squashfs-root|ubifs|etc|www|html"
# if squashfs found
unsquashfs <filesystem>
# if ext filesystem found
sudo mount -o loop,ro <filesystem.img> /mnt
# if UBI/UBIFS found
ubireader_extract_files <ubi.img>
# raw data carving (fallback)
foremost -i suspicious.img -o carved/
scalpel suspicious.img -o carved_scalpel/
# inspect partitions (if disk image)
fdisk -l suspicious.img
# mount with offset (if partitioned image; OFFSET = partition start sector from fdisk x sector size)
sudo mount -o loop,ro,offset=<OFFSET> suspicious.img /mnt
# quick strings for creds / execution
strings suspicious.img | grep -Ei "password|admin|root|telnet|ssh|http"
# hunt for URLs / C2
strings suspicious.img | grep -Ei "http|ftp|dns"
# hash extracted payloads
sha256sum extracted_file
# inspect magic bytes
xxd -l 16 extracted_file
# expected headers:
# MBR      = 55 AA   (boot signature at the END of sector 0, offset 0x1FE, so it is not
#                     in the first 16 bytes: check it with `xxd -s 0x1FE -l 2 extracted_file`)
# ELF      = 7F 45 4C 46
# SquashFS = 68 73 71 73   ("hsqs", little endian; big-endian images read 73 71 73 68)
# UBI      = 55 42 49 23   ("UBI#")
# ZIP      = 50 4B         ("PK")
# hunt for binaries
find . -type f -executable
# identify binaries
file <binary>
# decompress everything
for f in *.xz; do unxz "$f"; done
for f in *.zip; do unzip "$f" -d "${f}_out"; done
```
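The header list above works for signatures that start at byte 0, but the MBR signature does not, which is the kind of detail that is easy to get wrong when checking dozens of carved files by hand. The following is an added example, not part of the original notes: a POSIX shell script that reads each magic at the offset where it actually lives, names the type, and maps it to the recommendation from the Hunting Matrix below. It needs only dd, od and tr, so it works on a box without binutils or xxd. The function names (hex_at, identify_magic, action_for, make_samples) and the sample files, which are constructed in a temp directory with nothing but the header bytes, are this example's own.

```bash
#!/bin/sh
# Added example (not from the original notes): identify carved blobs by magic
# bytes at the correct offset and print the Hunting Matrix action for each.

# hex_at FILE OFFSET LENGTH -> the bytes as one uppercase hex string, e.g. 7F454C46
hex_at() {
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n' | tr 'a-f' 'A-F'
}

# identify_magic FILE -> ELF | SQUASHFS_LE | SQUASHFS_BE | UBI | UBIFS | XZ | ZIP | GZIP | MBR | UNKNOWN
identify_magic() {
    head4=$(hex_at "$1" 0 4)
    case "$head4" in
        7F454C46) echo ELF; return ;;
        68737173) echo SQUASHFS_LE; return ;;   # "hsqs"
        73717368) echo SQUASHFS_BE; return ;;   # "sqsh"
        55424923) echo UBI; return ;;           # "UBI#" erase-counter header
        31181006) echo UBIFS; return ;;         # UBIFS superblock node magic
        FD377A58) echo XZ; return ;;
        504B*)    echo ZIP; return ;;           # "PK"
        1F8B*)    echo GZIP; return ;;
    esac
    # MBR: the 55 AA boot signature sits at the END of sector 0 (offset 0x1FE),
    # so a look at the first 16 bytes never shows it
    if [ "$(hex_at "$1" 510 2)" = "55AA" ]; then
        echo MBR
    else
        echo UNKNOWN
    fi
}

# action_for TYPE -> the Hunting Matrix recommendation for that type
action_for() {
    case "$1" in
        SQUASHFS_*|UBI|UBIFS) echo "CRITICAL: extract, likely rootfs" ;;
        GZIP|XZ)              echo "HIGH: decompress, may wrap a rootfs" ;;
        ELF)                  echo "HIGH: inspect unknown binary" ;;
        ZIP)                  echo "HIGH: extract, possible app logic" ;;
        MBR)                  echo "MEDIUM: partitioned image, fdisk -l then mount with offset" ;;
        *)                    echo "LOW: unknown, carve or check entropy" ;;
    esac
}

# make_samples -> path of a temp dir holding constructed files with just the header bytes
make_samples() {
    dir=$(mktemp -d)
    printf '\177ELF\002\001\001' > "$dir/bin.elf"          # 7F 45 4C 46 ...
    printf 'hsqsPADDING'          > "$dir/rootfs.squashfs"  # little-endian squashfs magic
    printf 'UBI#PADDING'          > "$dir/flash.ubi"
    printf 'PK\003\004'           > "$dir/app.zip"
    # one all-zero 512-byte sector whose last two bytes are the boot signature
    dd if=/dev/zero bs=512 count=1 2>/dev/null > "$dir/disk.img"
    printf '\125\252' | dd of="$dir/disk.img" bs=1 seek=510 conv=notrunc 2>/dev/null
    printf 'plain text, nothing to see' > "$dir/notes.txt"
    echo "$dir"
}

# usage: sh triage_magic.sh _suspicious.img.extracted/*
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        t=$(identify_magic "$f")
        printf '%s\t%s\t%s\n' "$f" "$t" "$(action_for "$t")"
    done
fi
```

Run it over the extracted directory (`sh triage_magic.sh _suspicious.img.extracted/*`) to get one tab-separated line per file with type and recommended action; anything reported as UNKNOWN is the set worth carving or entropy-checking next.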
Hunting Matrix
| Pattern (Binwalk Output) | What It Is | Why It Appears | What You Should Do | Priority |
|---|---|---|---|---|
| YAFFS filesystem | Flash filesystem (NAND) | Embedded Linux root filesystem | 🔥 Extract → this is ROOTFS | 🔴 CRITICAL |
| SquashFS / UBIFS / ext | Linux filesystem | Main OS / firmware data | 🔥 Extract immediately | 🔴 CRITICAL |
| Linux EXT filesystem | Full Linux disk FS | Complete OS image | 🔥 Mount / explore /etc, /www | 🔴 CRITICAL |
| uImage header | Linux kernel image (U-Boot) | Bootable kernel | Ignore initially (not rootfs) | 🟡 Medium |
| Android bootimg | Android kernel + ramdisk | Mobile / embedded Android | Extract ramdisk if needed | 🟠 High |
| Flattened device tree (FDT) | Hardware config blob | CPU, RAM, peripherals | Context only | 🟢 Low |
| ESP Image (ESP32 / ESPxx) | Microcontroller firmware | WiFi/Bluetooth chip firmware | Ignore unless reversing HW | 🟢 Low |
| gzip / xz / lzma / lzo | Compressed data | Packed filesystem / configs | 🔥 Decompress → may hide rootfs | 🔴 HIGH |
| Zip archive / classes.dex | Android app / Java code | Embedded APKs | Extract → possible app logic | 🟠 High |
| ELF (ARM / x86) | Linux executable | Programs / services | 🧠 Inspect unknown binaries | 🟠 High |
| Microsoft executable (PE) | Windows binary | Cross-platform tools / weird embed | 🚨 Suspicious in firmware | 🔴 HIGH |
| mcrypt / encrypted data | Encrypted blob | Secrets / configs / payload | 🚨 High-value target | 🔴 HIGH |
| Certificates (x509 / PKCS7) | Crypto certs / signatures | Secure boot / TLS | Usually legit | 🟡 Medium |
| XML document | Config / metadata | App / firmware settings | Inspect for creds / URLs | 🟡 Medium |
| Unix paths (/etc, /dev, /sys) | Strings in binary | Embedded references | Ignore (context only) | 🟢 Low |
| CRC tables / AES S-box / SHA constants | Crypto/math tables | Part of compiled binaries | Noise | ⚪ Ignore |
| Intel microcode | CPU firmware updates | Embedded CPU patches | Noise | ⚪ Ignore |
| Bitmaps / images | UI assets | Device UI / web panel | Ignore initially | 🟢 Low |
| MySQL ISAM / MISAM | Database files | Embedded DB storage | 🧠 Investigate if used | 🟠 High |
| Ubiquiti / JBOOT headers | Vendor firmware format | Partitioning / boot structure | Helps map layout | 🟡 Medium |
| Base64 index table | Encoding table | Library artifact | Noise | ⚪ Ignore |
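Applying the matrix by eye works for a short scan but not for a firmware image that produces hundreds of signatures. As an added example, not part of the original notes, here is a POSIX shell filter that reads binwalk's DECIMAL / HEXADECIMAL / DESCRIPTION table and prints one triage line per signature, highest priority first, using the matrix rows as case patterns. The sample scan output is constructed to mirror binwalk's table layout and is not from a real image; the function names (classify, prioritize, first_hit) are this example's own. Anything the matrix does not cover is reported as REVIEW rather than dropped, so an unfamiliar signature is never silently lost.

```bash
#!/bin/sh
# Added example (not from the original notes): rank binwalk output lines with
# the Hunting Matrix. Usage:  binwalk suspicious.img | sh prioritize.sh -

# classify DESCRIPTION -> "RANK LABEL ACTION" (rank 1 = look at this first)
classify() {
    case "$1" in
        *quashfs*|*UBIFS*|*"UBI erase count"*|*YAFFS*|*"EXT filesystem"*|*cramfs*)
            echo "1 CRITICAL extract: this is probably the rootfs" ;;
        *"Microsoft executable"*|*mcrypt*|*ncrypted*)
            echo "2 HIGH suspicious or high-value blob: investigate" ;;
        *"gzip compressed"*|*"xz compressed"*|*"LZMA compressed"*|*"lzop compressed"*)
            echo "2 HIGH decompress: may wrap a filesystem" ;;
        *"Zip archive"*|*"classes.dex"*)
            echo "2 HIGH extract: possible application logic" ;;
        *ELF*)
            echo "2 HIGH inspect unknown binary" ;;
        *uImage*|*"Android bootimg"*|*certificate*|*PKCS*|*"XML document"*|*JBOOT*|*Ubiquiti*)
            echo "3 MEDIUM context: boot layout, signing or config" ;;
        *"device tree"*|*"Unix path"*|*"ESP Image"*|*bitmap*|*PNG*|*JPEG*)
            echo "4 LOW context only" ;;
        *"CRC32 polynomial"*|*"AES S-Box"*|*"hash constants"*|*"Base64 standard index"*|*microcode*)
            echo "5 IGNORE compiler/library noise" ;;
        *)
            echo "3 REVIEW not in the matrix: look manually" ;;
    esac
}

# prioritize  (binwalk table on stdin) -> LABEL, hex offset, description (first 40 chars), action
prioritize() {
    while IFS= read -r line; do
        case "$line" in
            DECIMAL*|---*|"") continue ;;   # skip binwalk's header, rule and blank lines
        esac
        hex=$(printf '%s\n' "$line" | awk '{print $2}')
        desc=$(printf '%s\n' "$line" | awk '{ $1=""; $2=""; sub(/^  */, ""); print }')
        verdict=$(classify "$desc")
        rank=${verdict%% *}
        rest=${verdict#* }
        label=${rest%% *}
        action=${rest#* }
        printf '%s\t%s\t%s\t%.40s\t%s\n' "$rank" "$label" "$hex" "$desc" "$action"
    done | sort -n -k1,1 | cut -f2-
}

# Constructed sample scan (not a real image); the layout follows binwalk's table.
SAMPLE_BINWALK='DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, image name: "Linux Kernel Image"
64            0x40            LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes
1048576       0x100000        Squashfs filesystem, little endian, version 4.0, compression:xz
3145728       0x300000        ELF, 32-bit LSB executable, MIPS, MIPS32 rel2 version 1 (SYSV)
3200000       0x30D400        PEM certificate
3300000       0x325AA0        CRC32 polynomial table, little endian
3400000       0x33E140        Microsoft executable, portable (PE)'

# first_hit -> label and hex offset of the top-ranked signature in the sample
first_hit() {
    printf '%s\n' "$SAMPLE_BINWALK" | prioritize | head -n 1 | cut -f1,2
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_BINWALK" | prioritize ;;   # run on the constructed sample
    -)      prioritize ;;                                      # read a real scan from stdin
esac
```

On the sample the first line is the Squashfs at 0x100000 marked CRITICAL, the LZMA blob, ELF and PE follow as HIGH, and the CRC table drops to the bottom as IGNORE, which is the reading order the matrix is meant to enforce.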