// case type
supply chain compromise
package compromise, build-system intrusion, signed-update poisoning. needs SBOM + dependency + build artifact analysis.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this case type.
- yara scanner: write YARA-like rules · scan any file locally · string and byte pattern matching · condition logic · export match report · runs locally
- yara rule scanner: write YARA rules or use 50+ built-in rules · drop any binary to scan · condition matching · string search · hex patterns · offset anchors · export matches · runs locally
- pe analyzer: drop a Windows executable · parse PE headers · sections · imports · exports · entropy per section · detect packers · imphash · runs locally
- pe static analyzer: drop any .exe · .dll · .sys · parse PE headers · import table · suspicious API categories · section entropy · packer fingerprint · anomaly detection · export report · runs locally
- PE compile timestamp vs filesystem timestamp conflict detector: drop MFT CSV or file listing with PE headers · extract compile timestamps from PE headers · detect files with filesystem timestamps earlier than their compile timestamp · surface impossible binaries indicating timestomping · runs locally
- imphash calculator: drop a PE file · compute Mandiant-style import hash · list all imports · compare with known samples · runs locally
- binary compiler and language identifier: drop PE, ELF or Mach-O binaries · identify compiled language · Go, Rust, Nim, compiled Python, D, Zig · detect compiler version · extract build metadata · language-specific string patterns · runs locally
- source code style forensic fingerprinter: drop source code or decompiled text · analyze indentation · naming · comments · APIs · stylometric fingerprint · compare authorship · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- string ioc correlator: paste string output or drop binary · match against 300+ known malware family signatures · C2 patterns · mutex names · registry keys · user-agents · export matches · runs locally
- binary structural similarity scorer: drop two or more binaries · structural and syntactic similarity · malware variant families · shared imports and strings · runs locally
- file dna structural fingerprinter: drop any files · structural fingerprint beyond hash · near-duplicate clusters · ssdeep, tlsh, section and string layers · runs locally
- fuzzy hash calculator: drop files · compute ssdeep and tlsh · compare similarity · find malware variants · runs locally
- docker image inspector: drop a docker save .tar · parse layers · manifest · config · view file changes per layer · detect secrets in history · show build commands · runs locally
- kubernetes config security analyzer: paste or drop Kubernetes YAML · scan for privileged containers · hostPID · missing limits · writable hostPath · NodePort exposure · RBAC issues · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
run as a stack
skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.
supply chain — binary triage
8 steps: drop suspect binaries → YARA → PE header → compiler ID → similarity → DNA hash → IOC extract → report
- 01 evidence-manifest-generator: hash every binary before static analysis
- 02 yara-tester: run YARA rules against the suspect file set
- 03 pe-header-memory-anomaly-detector: PE header anomalies that suggest packing or tampering
- 04 compiler-artifact-identifier: compiler / toolchain fingerprint from binary artifacts
- 05 binary-similarity-scorer: similarity scoring across the input binary set
- 06 file-dna-fingerprinter: structural DNA hash for cross-sample correlation
- 07 ioc-extractor: pull URLs, domains, and IPs from embedded strings
- 08 case-report-generator: draft a report linking binary similarities to the compromise hypothesis