Getting Started
Learn the basic principles of exhuming any filesystem from a disk image.
The Exhume Filesystem module helps the investigator investigate compatible filesystem within a disk image for standard filesystem analysis.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and MacOs
- Windows
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
Visit https://www.rust-lang.org/tools/install to install rustup
You can also use winget to install rustup using the following command in PowerShell:
winget install --id Rustlang.Rustup
important
Be sure to restart your Terminal (and in some cases your system) for the changes to take affect.
Installing Exhume Filesystem
The following will install Exhume partitions globally.
cargo install exhume_filesystem@0.2.0
🚀 Basic Usage
| Option | Description |
|---|---|
-b, --body <body> | The path to the body to exhume. |
-f, --format <format> | The format of the file, either 'raw' or 'ewf'. |
-o, --offset <offset> | The filesystem start address (decimal or hex). |
-s, --size <size> | The size of the filesystem in sectors (decimal or hex). |
-r, --record <record> | Display metadata about a specific file record using its record identifier. |
-e, --enum | Enumerate all file records. |
--list | If --record is specified and it is a directory, list the entries inside. |
--dump | If --record is specified, dump the content to a file named file_<N>.bin. |
-j, --json | Output the result in a JSON format. |
-l, --log-level <log_level> | Set the log verbosity level. Default: info. Possible values: error, warn, info, debug, trace. |
-h, --help | Print help. |
-V, --version | Print version. |
exhume_filesystem [OPTIONS] --body <body> --offset <offset> --size <size>
📘 Example
exhume_filesystem -b disk.E01 -f ewf --offset 0x100000 --size 0x9c00000 --enum
This will:
- Open disk.E01 as a EWF format file
- Start reading at offset 0x100000 of size 0x9c00000
- Detect the FileSystem type
- Display the directory entry metadata for the file identifier 4456449
Example output:
[2025-04-21T15:19:31Z INFO exhume_body] Detected an EWF disk image.
[2025-04-21T15:19:31Z INFO exhume_filesystem::detected_fs] Detected an Extended filesystem.
[2] - drwxr-xr-x 19 0 0 36864 2019-09-06T22:24:48.570079402+00:00 /
[11] - drwx------ 2 0 0 16384 2019-05-17T15:56:49+00:00 /lost+found
[3538945] - drwxr-xr-x 3 0 0 4096 2019-05-08T08:20:43+00:00 /media
[12] - -rw-r--r-- 1 0 0 0 2019-05-08T08:26:36+00:00 /0
[1966081] - drwxr-xr-x 2 0 0 4096 2019-05-17T16:14:37.029686406+00:00 /run
[786433] - drwxr-xr-x 2 0 0 4096 2019-05-03T19:18:07+00:00 /sys
[4980737] - drwxr-xr-x 3 0 0 4096 2019-05-17T15:57:03.753726658+00:00 /srv
[13] - lrwxrwxrwx 1 0 0 7 2019-05-17T15:56:56.041726953+00:00 /bin
[15] - lrwxrwxrwx 1 0 0 34 2019-05-17T15:57:01.425726747+00:00 /initrd.img.old
[1441793] - drwxr-xr-x 3 0 0 4096 2019-09-06T22:45:40.574486844+00:00 /boot
[3801089] - drwxr-xr-x 4 0 0 4096 2019-05-17T16:06:12.297705695+00:00 /dev
[262145] - drwxr-xr-x 13 0 0 4096 2019-05-17T16:06:14.437705613+00:00 /var
[21] - lrwxrwxrwx 1 0 0 33 2019-09-06T22:24:48.570079402+00:00 /initrd.img
[...]