File Miner

An advanced file carver designed to extract files from binary data blobs.

File Miner offers flexible configuration through its settings. By default it carves only from selected file groups; archives, for instance, are excluded because carving them generally provides no benefit. Users can customize which file groups are carved automatically and which specific groups or file formats should be detected. Additionally, the carving speed for each file type is prominently displayed, allowing for more informed decisions.

Here’s an example of File Miner in action: a malware sample was processed, during which the executable was unpacked using the UPX Unpacker package. File Miner identified four additional executables within the unpacked file.

File Miner can be initiated from any hex view as an action. For instance, we launched it on the data from a memory dump.

Upon completion of the carving process, File Miner presents a comprehensive view of the extracted files.

You have the option to access each file individually or save them in batches. When batch-saving, you can opt to add them as child objects, root objects, or save them directly to the disk.

Once the objects are added, they can be inspected in the same manner as those carved automatically.

File Miner’s functionality can be enhanced through the integration of additional installed packages. In fact, certain file formats are only detected when their corresponding format packages are installed. For instance, PYC files and RAR archives can be detected and processed only with the relevant packages installed.

The package is exposed to the SDK. The following code snippet demonstrates how to carve files programmatically:

from Pro.Core import *
from Pro.UI import *
from Pkg.FileMiner import *

# Called once per carved file: the match carries the detected format, offset and size
def callback(match, ud):
    print("MATCH:", match.format, "offset:", hex(match.offset), "size:", hex(match.size))

def main():
    # Load the data to carve (replace "path/to/file" with the file to process)
    c = createContainerFromFile("path/to/file")
    fm = FileMiner()
    # The wait object reports progress while the carving runs
    wo = proContext().startWait("Carving...")
    fm.mine(c, callback=callback, wait_object=wo)
    wo.stop()

main()
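As an added illustration of what the carver above does for one format (this is not File Miner's code and does not use the Cerbero SDK), the following stand-alone Python scans a blob for MZ headers, validates the PE signature and section table before accepting a hit, and derives the carved size from the section table, so nested executables like the four found inside the unpacked UPX sample are reported with their real extent. The sample blob, the helper names and the sanity limits (e_lfanew at most 0x1000, at most 96 sections) are constructed for this example.

```python
import struct

MZ, PE_SIG = b"MZ", b"PE\0\0"

def pe_candidate_size(blob, off):
    """Validate an MZ header at `off` and estimate the file's size from its section table.
    Returns the size in bytes, or None if the bytes do not look like a real PE."""
    if blob[off:off + 2] != MZ or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if not 0x40 <= e_lfanew <= 0x1000 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIG:
        return None
    nsec = struct.unpack_from("<H", blob, pe + 6)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe + 20)[0]     # SizeOfOptionalHeader
    sec_table = pe + 24 + opt_size
    if not 1 <= nsec <= 96 or sec_table + nsec * 40 > len(blob):
        return None
    end = sec_table + nsec * 40 - off                          # headers alone, relative to MZ
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", blob, sec_table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)                     # SizeOfRawData + PointerToRawData
    return min(end, len(blob) - off)                           # a truncated file ends at the blob

def carve_pe(blob):
    """Return [(offset, size)] for every validated PE in `blob`, nested ones included."""
    hits, pos = [], blob.find(MZ)
    while pos != -1:
        size = pe_candidate_size(blob, pos)
        if size:
            hits.append((pos, size))
        pos = blob.find(MZ, pos + 1)   # keep scanning inside a hit to catch embedded files
    return hits

def make_pe(payload=b""):
    """Constructed test data: a PE-shaped header with one section holding `payload` at 0x200."""
    hdr = bytearray(0x200)
    hdr[0:2] = MZ
    struct.pack_into("<I", hdr, 0x3C, 0x80)                    # e_lfanew
    hdr[0x80:0x84] = PE_SIG
    struct.pack_into("<HH", hdr, 0x84, 0x14C, 1)               # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", hdr, 0x94, 0xE0)                    # SizeOfOptionalHeader (PE32)
    sec = 0x80 + 24 + 0xE0                                     # first section header
    struct.pack_into("<II", hdr, sec + 16, len(payload), 0x200)  # SizeOfRawData, PointerToRawData
    return bytes(hdr) + payload

# Constructed blob: junk, an outer PE whose section carries a second PE, then a stray "MZ".
SAMPLE_BLOB = b"\0" * 16 + make_pe(make_pe(b"inner payload bytes")) + MZ + b"\0" * 256
```

Running `carve_pe(SAMPLE_BLOB)` reports the outer file at offset 16 and the embedded one at offset 528, while the stray "MZ" with no PE header behind it is rejected.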