Getting Started
Learn the basic principles of exhuming a body of data.
The exhume_body tool is the "entry point" into the Exhume Toolkit. It extracts raw data from a disk image or file, currently in one of the following formats:
- RAW
- EWF (Expert Witness Format)
- VMDK (Virtual Machine Disk)
This tool is especially useful when you want to examine or dump a specific region of a file or disk image. The main advantage of exhume_body is that it gives direct, format-agnostic access to specific regions of a disk image without mounting it or fully parsing the filesystem.
Only the RAW, EWF and VMDK formats are currently supported. Our goal is to support other formats such as qcow2, vhdx, ...
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
Linux and macOS:
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
Windows:
Visit https://www.rust-lang.org/tools/install to install rustup.
You can also use winget to install rustup with the following command in PowerShell:
winget install --id Rustlang.Rustup
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Installing
cargo install exhume_body@0.3.1
Contributing
Clone the exhume_body repository.
git clone https://github.com/forensicxlab/exhume_body
cd exhume_body
Start enhancing the tool!
🚀 Basic Usage
Required Flags:
- -b, --body <FILE>: Path to the disk image or body.
- -s, --size <BYTES>: Number of bytes to read from the image.
Optional Flags:
- -f, --format <FORMAT>: Format of the image (raw or ewf).
- -o, --offset <OFFSET>: Offset in bytes to begin reading from (default is 0).
- -l, --log-level <LEVEL>: Logging level (error, warn, info, debug, trace). Default is info.
exhume_body -b <path_to_image> -f <format> -s <size> [-o <offset>] [-l <log_level>]
📘 Example
exhume_body -b disk.E01 -f ewf -s 512 -o 0x0 -l info | xxd
This will:
- Open disk.E01 as an EWF format file
- Jump to offset 0
- Read 512 bytes
- Print the result and log info-level information
Sample output below:
[2025-06-15T09:32:08Z INFO exhume_body] Processing the file 'disk.E01' in 'auto' format...
[2025-06-15T09:32:08Z INFO exhume_body] Detected an EWF disk image.
[2025-06-15T09:32:08Z INFO exhume_body] Evidence : disk.E01
[2025-06-15T09:32:08Z INFO exhume_body::ewf] EWF File Information:
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Number of Segments: 1
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Acquisition Metadata:
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Case Number: OSDFCon Workshop VM1
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Evidence Number: 001
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Description: Compromised Webserver
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Examiner: Ali Hadi
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Notes:
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Application Version: ADI3.4.2.2
[2025-06-15T09:32:08Z INFO exhume_body::ewf] OS Version: Win 201x
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Acquisition Date: 2019 10 6 17 58 15
[2025-06-15T09:32:08Z INFO exhume_body::ewf] System Date: 2019 10 6 17 58 15
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Password Hash: 0
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Reserved: f
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Volume Information:
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Chunk Count: 1032260
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Sectors Per Chunk: 64 (32768 bytes)
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Bytes Per Sector: 512
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Total Sector Count: 66064608
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Chunk Information:
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Segment Number: 1
[2025-06-15T09:32:08Z INFO exhume_body::ewf] Number of Chunks: 1032260
00000000: efbf bd63 efbf bd10 efbf bdd0 bc00 efbf ...c............
00000010: bdef bfbd 0000 efbf bdd8 8eef bfbd efbf ................
00000020: bdef bfbd 007c efbf bd00 06ef bfbd 0002 .....|..........
00000030: efbf bdef bfbd 2106 0000 efbf bdef bfbd ......!.........
00000040: 0738 0475 0bef bfbd efbf bd10 efbf bdef .8.u............
00000050: bfbd efbf bd07 75ef bfbd efbf bd16 efbf ......u.........
00000060: bd02 efbf bd01 efbf bd00 7cef bfbd efbf ..........|.....
00000070: bdef bfbd 7401 efbf bd4c 02ef bfbd 13ef ....t....L......
00000080: bfbd 007c 0000 efbf bdef bfbd 0000 0000 ...|............
00000090: 0000 0000 0000 0000 0000 0000 efbf bd01 ................
000000a0: 0000 0000 0000 00ef bfbd efbf bdef bfbd ................
000000b0: efbf bdef bfbd c280 7405 efbf bdef bfbd ........t.......
000000c0: 7074 02ef bfbd efbf bdef bfbd 797c 0000 pt..........y|..
000000d0: 31ef bfbd efbf bdd8 8ed0 bc00 20ef bfbd 1........... ...
000000e0: efbf bd64 7c3c efbf bd74 02ef bfbd efbf ...d|<...t......
000000f0: bd52 efbf bd17 04ef bfbd 0703 7406 efbf .R..........t...
00000100: bdef bfbd 7def bfbd 1701 efbf bd05 7cef ....}.........|.
00000110: bfbd 41ef bfbd efbf bd55 efbf bd13 5a52 ..A......U....ZR
00000120: 723d efbf bdef bfbd 55ef bfbd 7537 efbf r=......U...u7..
00000130: bdef bfbd 0174 3231 efbf bdef bfbd 4404 .....t21......D.
00000140: 40ef bfbd 44ef bfbd efbf bd44 02ef bfbd @...D......D....
00000150: 0410 0066 efbf bd1e 5c7c 66ef bfbd 5c08 ...f....\|f...\.
00000160: 66ef bfbd 1e60 7c66 efbf bd5c 0cef bfbd f....`|f...\....
00000170: 4406 0070 efbf bd42 efbf bd13 7205 efbf D..p...B....r...
00000180: bd00 70ef bfbd 76ef bfbd 08ef bfbd 1373 ..p...v........s
00000190: 0d5a efbf bdef bfbd 0fef bfbd efbf bd00 .Z..............
000001a0: efbf bdef bfbd 7def bfbd 0066 0fef bfbd ......}....f....
000001b0: c688 64ef bfbd 4066 efbf bd44 040f efbf ..d...@f...D....
000001c0: bdef bfbd efbf bdef bfbd 02ef bfbd efbf ................
000001d0: bdef bfbd 40ef bfbd 4408 0fef bfbd efbf ....@...D.......
000001e0: bdef bfbd efbf bd02 66ef bfbd 0466 efbf ........f....f..
000001f0: bd60 7c66 09ef bfbd 754e 66ef bfbd 5c7c .`|f....uNf...\|
00000200: 6631 efbf bd66 efbf bd34 efbf bdef bfbd f1...f...4......
00000210: 31ef bfbd 66ef bfbd 7404 3b44 087d 37ef 1...f...t.;D.}7.
00000220: bfbd efbf bdef bfbd efbf bd30 efbf bdef ...........0....
00000230: bfbd efbf bd02 08ef bfbd efbf bdef bfbd ................
00000240: 5aef bfbd c6bb 0070 efbf bdef bfbd 31db Z......p......1.
00000250: b801 02ef bfbd 1372 1eef bfbd efbf bd60 .......r.......`
00000260: 1eef bfbd 0001 efbf bdef bfbd 31ef bfbd ............1...
00000270: efbf bd00 efbf bdef bfbd efbf bdef bfbd ................
00000280: efbf bd1f 61ef bfbd 265a 7cef bfbd efbf ....a...&Z|.....
00000290: bd7d efbf bd03 efbf bdef bfbd 7def bfbd .}..........}...
000002a0: 3400 efbf bdef bfbd 7def bfbd 2e00 efbf 4.......}.......
000002b0: bd18 efbf bdef bfbd 4752 5542 2000 4765 ........GRUB .Ge
000002c0: 6f6d 0048 6172 6420 4469 736b 0052 6561 om.Hard Disk.Rea
000002d0: 6400 2045 7272 6f72 0d0a 00ef bfbd 0100 d. Error........
000002e0: efbf bd0e efbf bd10 efbf bd3c 0075 efbf ...........<.u..
000002f0: bdef bfbd 40ef bfbd 0200 0000 efbf bd20 ....@..........
00000300: 2100 efbf bd1a 3b1f 0008 0000 00ef bfbd !.....;.........
00000310: 0700 003b 1b1f 05ef bfbd efbf bdef bfbd ...;............
00000320: efbf bdef bfbd 0700 0268 efbf bd03 0000 .........h......
00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000340: 0000 0000 0000 0000 0000 0000 0000 55ef ..............U.
00000350: bfbd 0a ...