Getting Started
Learn the basic principles of exhuming a body of data.
The exhume_body tool is the "entry point" into the Exhume Toolkit. It extracts raw data from a disk image or file, currently in either raw or EWF (Expert Witness Format) format. This tool is especially useful when you want to examine or dump a specific region of a file or disk image. The main advantage of exhume_body is that it gives direct, format-agnostic access to specific regions of a disk image without needing to mount or fully parse the filesystem.
Only the RAW and EWF formats are currently supported. Our goal is to support other formats such as vmdk, ad1, ...
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and macOS:
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
- Windows:
Visit https://www.rust-lang.org/tools/install to install rustup.
You can also use winget to install rustup using the following command in PowerShell:
winget install --id Rustlang.Rustup
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Installing
cargo install exhume_body@0.1.1
Contributing
Clone the exhume_body repository.
git clone https://github.com/forensicxlab/exhume_body
cd exhume_body
Start enhancing the tool!
🚀 Basic Usage
Required Flags:
- -b, --body <FILE>: Path to the disk image or body.
- -s, --size <BYTES>: Number of bytes to read from the image.
Optional Flags:
- -f, --format <FORMAT>: Format of the image (raw or ewf).
- -o, --offset <OFFSET>: Offset in bytes to begin reading from (default is 0).
- -l, --log-level <LEVEL>: Logging level (error, warn, info, debug, trace). Default is info.
exhume_body -b <path_to_image> -f <format> -s <size> [-o <offset>] [-l <log_level>]
📘 Example
exhume_body -b disk.E01 -f ewf -s 512 -o 0x0 -l info
This will:
- Open disk.E01 as an EWF format file
- Jump to offset 0
- Read 512 bytes
- Print the result and log info-level information
Sample output below:
[2025-03-30T20:54:49Z INFO exhume_body] Processing the file '/samples/workshop-kali.E01' in 'auto' format...
[2025-03-30T20:54:50Z INFO exhume_body] Detected an EWF disk image.
[2025-03-30T20:54:50Z INFO exhume_body] Evidence : /samples/workshop-kali.E01
[2025-03-30T20:54:50Z INFO exhume_body::ewf] EWF File Information:
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Number of Segments: 1
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Volume Information:
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Chunk Count: 2621440
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Sectors Per Chunk: 64
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Bytes Per Sector: 512
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Total Sector Count: 167772160
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Chunk Information:
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Segment Number: 1
[2025-03-30T20:54:50Z INFO exhume_body::ewf] Number of Chunks: 2621440
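The example above reads the first 512 bytes of the image, which is sector 0 (the MBR). The following is an added example, not code from the exhume_body project: it reads a byte region from a raw image the way `-o`/`-s` do (raw format only; EWF chunk decoding is left to the tool) and then parses the partition table out of such a sector, refusing input that lacks the 0x55AA boot signature so a wrong offset is caught rather than silently misread. The `sample_sector` bytes are constructed for the example.

```rust
use std::fs::File;
use std::io::{Read, Seek, SeekFrom};

/// One MBR partition table entry (parser written for this example, not exhume_body's code).
#[derive(Debug, PartialEq)]
pub struct MbrPartition {
    pub bootable: bool,
    pub part_type: u8,
    pub start_lba: u32,
    pub sector_count: u32,
}

/// Read `size` bytes starting at byte `offset` from a raw image.
/// Mirrors `exhume_body -f raw -o <offset> -s <size>`, but only for raw images.
pub fn read_region(path: &str, offset: u64, size: usize) -> std::io::Result<Vec<u8>> {
    let mut file = File::open(path)?;
    file.seek(SeekFrom::Start(offset))?;
    let mut buf = vec![0u8; size];
    file.read_exact(&mut buf)?; // error out instead of returning a short read
    Ok(buf)
}

/// Parse the four partition slots from a 512-byte sector 0 dump.
/// Rejects short buffers and sectors without the 0x55AA boot signature.
pub fn parse_mbr(sector: &[u8]) -> Result<Vec<MbrPartition>, String> {
    if sector.len() < 512 {
        return Err(format!("need 512 bytes, got {}", sector.len()));
    }
    if sector[510] != 0x55 || sector[511] != 0xAA {
        return Err("missing 0x55AA boot signature: not an MBR sector".into());
    }
    let mut parts = Vec::new();
    for i in 0..4 {
        let e = &sector[446 + i * 16..446 + (i + 1) * 16]; // 16-byte entries at 0x1BE
        if e[4] == 0 {
            continue; // partition type 0 means an unused slot
        }
        parts.push(MbrPartition {
            bootable: e[0] == 0x80,
            part_type: e[4],
            start_lba: u32::from_le_bytes([e[8], e[9], e[10], e[11]]),
            sector_count: u32::from_le_bytes([e[12], e[13], e[14], e[15]]),
        });
    }
    Ok(parts)
}

/// Constructed sample sector: one bootable Linux (0x83) partition starting at LBA 2048.
pub fn sample_sector() -> Vec<u8> {
    let mut s = vec![0u8; 512];
    s[446] = 0x80;
    s[446 + 4] = 0x83;
    s[446 + 8..446 + 12].copy_from_slice(&2048u32.to_le_bytes());
    s[446 + 12..446 + 16].copy_from_slice(&1_048_576u32.to_le_bytes());
    s[510] = 0x55;
    s[511] = 0xAA;
    s
}
```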