desefu is a digital evidence search-extract forensic utility, used to narrow a digital-evidence search and extract the data it finds.

A recent version of Python (at least 3.4) is required to run it:
```sh
# pip install -r requirements.txt
./desefu.py ~/path/to/config.yml ~/path/to/evidence/folder
```
An example config file:
```yaml
author: Name Surname
search:
  search_id_1: # Module chain ID
    -
      mod: file.Extension # This module filters files by their extension
      args: ['doc', 'docx', 'xls', 'xlsx']
    -
      mod: some.Module
      args: ['arguments', 'for', 'each', 'module', 'are', 'unique']
      sub: # Another (sub)module chain
        -
          mod: some.other.Module
          extract: # Optional parameter, not all modules support this
            abc: 123
  search_jpg: # For each module chain, the initial list of files is the same
    -
      mod: file.Extension
      args: ['', 'jpg', 'jpeg']
    -
      mod: file.FileHeader
      args:
        - [FF, D8, FF, E0, 00, 10, 4A, 46, 49, 46]
    -
      mod: file.type.jpeg.Exif
      extract:
        gps: true
        model: true
```
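To show how such a module chain narrows a file list, here is a stdlib-only stand-in for the chain evaluation the config describes, written for this README and not taken from desefu itself. The function and module names (`run_search`, `ext_filter`, `header_filter`, `SAMPLE_CONFIG`) and the exact module semantics are assumptions; sub-chains and `extract` are not modelled, and the header bytes are quoted as strings because a YAML loader would read `00` and `10` as integers.

```python
# Added example, not desefu's own code: a stdlib-only stand-in for the module-chain
# evaluation the config describes. run_search/ext_filter/header_filter and the exact
# module semantics are assumptions; sub-chains and extract are not modelled.
import os
import tempfile

def ext_filter(paths, exts):
    # file.Extension analogue: keep files whose extension (no dot, lower-case) is listed;
    # '' matches files that have no extension at all.
    return [p for p in paths if os.path.splitext(p)[1].lstrip('.').lower() in exts]

def header_filter(paths, signatures):
    # file.FileHeader analogue: keep files whose leading bytes match any signature,
    # given as lists of hex byte strings like [FF, D8, FF, E0, ...] in the config.
    sigs = [bytes(int(h, 16) for h in sig) for sig in signatures]
    kept = []
    for p in paths:
        with open(p, 'rb') as fh:
            head = fh.read(max(len(s) for s in sigs))
        if any(head.startswith(s) for s in sigs):
            kept.append(p)
    return kept

MODULES = {'file.Extension': ext_filter, 'file.FileHeader': header_filter}

# The README's chains as a dict; hex bytes are quoted because YAML reads 00 and 10 as ints.
SAMPLE_CONFIG = {'search': {
    'search_docs': [{'mod': 'file.Extension', 'args': ['doc', 'docx', 'xls', 'xlsx']}],
    'search_jpg': [
        {'mod': 'file.Extension', 'args': ['', 'jpg', 'jpeg']},
        {'mod': 'file.FileHeader',
         'args': [['FF', 'D8', 'FF', 'E0', '00', '10', '4A', '46', '49', '46']]}]}}

def run_search(config, folder):
    """Run every chain over the same initial file list; return {chain_id: [basenames]}."""
    initial = [os.path.join(folder, n) for n in sorted(os.listdir(folder))]
    results = {}
    for chain_id, chain in config['search'].items():
        paths = list(initial)  # each chain starts from the full list, as the README states
        for step in chain:
            paths = MODULES[step['mod']](paths, step.get('args', []))
        results[chain_id] = [os.path.basename(p) for p in paths]
    return results

def make_sample_evidence():
    """Constructed evidence folder: real JPEG header, text renamed .jpg, a docx, JPEG w/o ext."""
    jfif = bytes.fromhex('FFD8FFE000104A464946') + b'\x00' * 16
    folder = tempfile.mkdtemp()
    for name, data in [('photo.jpg', jfif), ('fake.jpg', b'not really a jpeg'),
                       ('report.docx', b'PK\x03\x04'), ('noext', jfif)]:
        with open(os.path.join(folder, name), 'wb') as fh:
            fh.write(data)
    return folder
```

Running `run_search(SAMPLE_CONFIG, make_sample_evidence())` keeps `photo.jpg` and the extension-less `noext` for `search_jpg` but drops `fake.jpg`, which shows why the header check follows the extension filter: a renamed file passes the first module and fails the second.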