unblob: Extract files from any kind of container formats

by ddos · Published · Updated

unblob is an accurate, fast, and easy-to-use extraction suite. It parses unknown binary blobs for more than 30 different archive, compression, and file-system formatsextracts their content recursively, and carves out unknown chunks that have not been accounted for.

How does it work?

unblob identifies known and unknown chunks of data within a file:

  • known chunks are identified by finding the start offset using a search rule, and the end offset is computed based on the format standard. Unknown chunks represents unidentified chunks of data before, after, or between known chunks. Unknown chunks composed of known content (e.g., null padding, 0xFF padding) are identified automatically and reported as such.
  • unblob will carve out known chunks to disk and perform the extraction phase using the extractor assigned to a given handler. It will then walk the extracted content, looking for chunks in extracted files.
  • a report on metadata can be generated by unblob, providing detailed information about identified chunks (format, offsets, size, entropy) and their extracted content if available (ownership, permissions, timestamps, …).

unblob also supports special formats where data is split across multiple files like multi-volume archives or data & meta-data formats:

  • Special DirectoryHandler is responsible to identify the files that make up a multi files set.
  • Identified MultiFile sets are not carved, but rather directly extracted using special DirectoryExtractor.

Install & Use

Copyright (c) 2022 ONEKEY GmbH

Tags: unblob