// evidence type

hex / raw binary / unknown blob

unallocated chunk · firmware slice · malware sample · partial carve. entropy map, signature scan, string extract, pattern search — when you do not know the container yet.

tools: 13
priority: M
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. raw hex editor: full hex editor in the browser · navigate by offset · search bytes or ASCII · edit and export · interprets known headers · runs locally
  2. hex diff: drop two binary files · see exactly which bytes differ · offset · old value · new value · runs locally
  3. binary strings: extract readable strings from any binary · ASCII · UTF-16 · minimum length filter · export · runs locally
  4. binary execution gap analyzer: drop execution artifact CSVs · identify periods with no execution activity · distinguish system-off gaps from suspicious quiet periods · flag anomalous gaps · runs locally
  5. entropy mapper: visualize entropy across any file · heatmap by block · find encrypted regions · embedded files · corruption boundaries · runs locally
  6. file signature batch scanner: drop hundreds of files · detect extension mismatch · magic bytes vs declared extension · batch triage · export report · runs locally
  7. pe analyzer: drop a Windows executable · parse PE headers · sections · imports · exports · entropy per section · detect packers · imphash · runs locally
  8. file carver: scan any binary for embedded files · JPEG · PNG · PDF · ZIP · MP4 · SQLite · 30+ signatures · extract all · download zip · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. binary provenance & build metadata analyzer: drop PE / ELF / Mach-O · build timestamp · linker · rich header · PDB · Go buildinfo · JSON export · runs locally
  2. binary structural similarity scorer: drop two or more binaries · structural and syntactic similarity · malware variant families · shared imports and strings · runs locally
  3. fuzzy hash calculator: drop files · compute ssdeep and TLSH · compare similarity · find malware variants · runs locally
  4. yara scanner: write YARA-like rules · scan any file locally · string and byte pattern matching · condition logic · export match report · runs locally
  5. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally