Getting Started
Learn the basic principles of exhuming an exFAT filesystem from a disk image.
The exhume exFAT module helps the investigator analyse the Extensible File Allocation Table (exFAT) filesystem and extract specific artefacts and metadata. Unlike the generic exhume filesystem module, exhume_exfat offers advanced capabilities focused on this kind of filesystem.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
Linux and macOS:
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
Windows:
Visit https://www.rust-lang.org/tools/install to install rustup.
You can also use winget to install rustup with the following command in PowerShell:
winget install --id Rustlang.Rustup
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Installing Exhume exFAT
The following will install Exhume exFAT globally.
cargo install exhume_exfat
🚀 Basic Usage
Options
Usage:
exhume_exfat [OPTIONS] --body <body> --offset <offset> --size <size>
Options:
-b, --body <body> Path to the body to exhume.
-f, --format <format> Body format: 'raw' or 'ewf'.
-o, --offset <offset> The exFAT partition start offset (bytes, dec or hex).
-s, --size <size> The size of the exFAT partition in sectors (dec or hex).
--bpb Display boot sector / BPB info.
-R, --root List root directory entries.
-j, --json Output JSON where applicable.
-l, --log-level <log_level> [default: info] [possible values: error, warn, info, debug, trace]
-i, --inode <inode> Display metadata for a fake inode number (hex or dec accepted).
-d, --dir_entry If --inode is a directory, list directory entries (ext-like).
--dump When --inode is set, dump content to 'inode_<N>.bin'.
-h, --help Print help.
-V, --version Print version.
📘 Example
exhume_exfat -b USB.E01 --offset 0x0 --size 4026531840 --root
This will:
- Open USB.E01 as an EWF format file
- Start parsing the exFAT filesystem at offset 0x0 with a size of 4026531840
- List the root directory entries
Example output:
[2025-10-05T19:34:34Z INFO exhume_body] Detected RAW Data
0x0000000400000003 131072 cluster 5 MISC
0x0000000400000006 131072 cluster 8 DCIM
0x0000000400000009 131072 cluster 6 System Volume Information
0x000000040000000d 131072 cluster 13 .fseventsd
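The --bpb, --offset and --size options above all depend on the exFAT boot sector being read and sanity-checked before any cluster is dereferenced. The following is an added example, not code from the exhume_exfat project: it parses the boot-sector fields, rejects a sector whose signature, filesystem name, shift values or root cluster are inconsistent (as a forensic parser should before trusting a possibly damaged or crafted image), and computes the byte offset of the root directory cluster. The field names and the sample sector are constructed for this example.

```rust
// Added example (not exhume_exfat project code): parse and validate the exFAT
// boot sector (BPB) fields, then locate the root directory cluster in the image.
// Field offsets follow the public exFAT specification; the sample is constructed.
#[derive(Debug, PartialEq)]
pub struct ExfatBpb {
    pub volume_length: u64,       // volume size in sectors (the unit --size expects)
    pub cluster_heap_offset: u32, // first data cluster, in sectors from the volume start
    pub cluster_count: u32,
    pub root_cluster: u32,        // cluster holding the root directory entries
    pub bytes_per_sector: u32,
    pub sectors_per_cluster: u32,
}

fn u32_at(b: &[u8], o: usize) -> u32 { u32::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3]]) }
fn u64_at(b: &[u8], o: usize) -> u64 { u64::from_le_bytes([b[o], b[o + 1], b[o + 2], b[o + 3], b[o + 4], b[o + 5], b[o + 6], b[o + 7]]) }

/// Reject malformed or crafted boot sectors before any field is trusted.
pub fn parse_bpb(s: &[u8]) -> Result<ExfatBpb, String> {
    if s.len() < 512 { return Err("boot sector shorter than 512 bytes".into()); }
    if &s[3..11] != b"EXFAT   " { return Err("FileSystemName is not EXFAT".into()); }
    if s[11..64].iter().any(|&b| b != 0) { return Err("MustBeZero region is not zero".into()); }
    if s[510] != 0x55 || s[511] != 0xAA { return Err("missing 0x55AA boot signature".into()); }
    let (bps_shift, spc_shift) = (s[108] as u32, s[109] as u32);
    if !(9..=12).contains(&bps_shift) { return Err(format!("BytesPerSectorShift {} out of range", bps_shift)); }
    if bps_shift + spc_shift > 25 { return Err("cluster size exceeds 32 MiB".into()); }
    let bpb = ExfatBpb {
        volume_length: u64_at(s, 72), cluster_heap_offset: u32_at(s, 88),
        cluster_count: u32_at(s, 92), root_cluster: u32_at(s, 96),
        bytes_per_sector: 1 << bps_shift, sectors_per_cluster: 1 << spc_shift,
    };
    if cluster_offset(&bpb, bpb.root_cluster).is_none() { return Err("root cluster outside the cluster heap".into()); }
    Ok(bpb)
}

/// Byte offset of cluster `n` from the volume start (exFAT numbers clusters from 2).
pub fn cluster_offset(bpb: &ExfatBpb, n: u32) -> Option<u64> {
    if n < 2 || (n as u64) >= bpb.cluster_count as u64 + 2 { return None; }
    let cluster_bytes = (bpb.bytes_per_sector * bpb.sectors_per_cluster) as u64;
    Some(bpb.cluster_heap_offset as u64 * bpb.bytes_per_sector as u64 + (n as u64 - 2) * cluster_bytes)
}

/// Constructed sample: 512-byte sectors, 8 per cluster, heap at sector 2048, root in cluster 5.
pub fn sample_boot_sector() -> Vec<u8> {
    let mut s = vec![0u8; 512];
    s[3..11].copy_from_slice(b"EXFAT   ");
    s[72..80].copy_from_slice(&7_864_320u64.to_le_bytes()); // 4026531840 bytes / 512
    for (o, v) in [(88usize, 2048u32), (92, 100_000), (96, 5)] { s[o..o + 4].copy_from_slice(&v.to_le_bytes()); }
    s[108] = 9; s[109] = 3; s[110] = 1; s[510] = 0x55; s[511] = 0xAA; // shifts, one FAT, signature
    s
}
```

With the sample values the root directory starts at byte 1060864 of the volume (heap at sector 2048, three 4 KiB clusters in); flipping any validated byte, such as the signature, makes parse_bpb return an error instead of a bogus offset.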