Moin! 👋
Today I want to share something a little different from the usual artifact analysis posts — I am releasing crush-forensics v0.5.0, a digital forensic analysis workbench I have been building for a while.
You can find it on GitHub: github.com/kalink0/crush-forensics
The Problem
When I work with acquisitions — especially mobile ones — I often find myself wanting to quickly look at a specific file without firing up a full forensic platform. Maybe I want to check a PLIST, peek into a SQLite database, or just confirm what a binary blob actually contains. Opening the whole acquisition in a heavy tool just to answer a quick question felt like overkill.
At the same time, reaching for a hex editor or writing a one-off script every time also gets old fast. I wanted something in the middle: a lightweight, dedicated workbench that knows about the file formats we actually work with in DFIR — and that lets me navigate directly inside ZIP and TAR archives without extracting anything to disk first.
That is what crush is.
Why "crush"?
I am a big Finding Nemo fan. Crush is the laid-back sea turtle who surfs the East Australian Current — and that is exactly the vibe I wanted for this tool: just riding through data formats, going with the flow. 🐢
The idea of surfing through file formats felt like the right metaphor — you open an archive, navigate the structure, and glide from a PLIST to a SQLite DB to a hex view without fighting the current. Dude.
What Can It Do?
crush is a Python-based GUI application (built with PySide6). It supports:
- Opening and navigating inside ZIP and TAR archives directly — no extraction to disk needed
- Opening single files and folders
- Exporting files/folders and opening them directly in external software
- Hex Viewer
- SQLite Viewer
- Text Viewer with syntax highlighting and encoding detection
- JSON Viewer (collapsible tree)
- XML Viewer (collapsible tree)
- PLIST and BPLIST Viewer
- SEGB v1 and v2 Viewer
- ABX Viewer (Android Binary XML)
- LevelDB Viewer (Chrome LevelDB / Android app databases)
- Image Viewer
- Media Viewer (audio and video)
- Multi-Log Studio — multi-source log analysis with format auto-detection, including Apple Unified Log / .tracev3/.logarchive, syslog, and more (note: Unified Log support is currently alpha — decoding can be slow, this is actively being worked on)
- Protobuf Viewer — schema-less, with optional schema decoding
- PDF text extraction
- Realm Database Viewer — header, schema/class extraction, top-ref comparison, table/column data decoding
Built-in Data Format Database
One feature I am particularly happy with is the built-in data format database. Crush identifies forensically relevant formats by magic bytes and extension, and surfaces the information directly in the UI for every selected file — including formats that do not have a dedicated viewer yet.
For each format it shows:
- Full name and abbreviation
- Category (database, configuration, log, ...)
- Forensic relevance — what an investigator is likely to find here
- Relevant platforms (iOS, Android, macOS, Windows, ...)
- Magic bytes with offset and description
- Links to format specs and relevant forensic research
So for example, when you open an ABX file, crush identifies it via its magic bytes, opens it in the ABX viewer, and right there in the UI you can see that this is an Android Binary XML file used for system and app settings — plus links to the AOSP source and relevant research from CCL Solutions. No more alt-tabbing to a browser to remember what a format is.
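To make the identification step concrete, here is an added example of how a magic-byte-first lookup over such a format database can work. It is my own illustration, not code from crush-forensics; the entries are a constructed sample with the fields the post lists, and the signatures used (ABX, bplist00, SQLite, ZIP, the tar "ustar" marker at offset 257) are the public ones for those formats. The point it shows is that a hit on magic bytes at the right offset wins over the file extension, and an extension-only match is reported as unverified.

```python
import os
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class FormatInfo:
    name: str
    abbreviation: str
    category: str
    platforms: Tuple[str, ...]
    magic: bytes        # bytes expected at `offset`
    offset: int
    extensions: Tuple[str, ...]
    relevance: str      # what an investigator is likely to find here

# Constructed sample entries; the magic values are the public signatures of these formats
FORMAT_DB = (
    FormatInfo("Android Binary XML", "ABX", "configuration", ("Android",),
               b"ABX\x00", 0, (), "system and app settings"),
    FormatInfo("Binary property list", "BPLIST", "configuration", ("iOS", "macOS"),
               b"bplist00", 0, (), "app and system preferences"),
    FormatInfo("SQLite 3 database", "SQLite", "database", ("iOS", "Android", "macOS", "Windows"),
               b"SQLite format 3\x00", 0, (".db", ".sqlite", ".sqlitedb"), "app data, messages, history"),
    FormatInfo("ZIP archive", "ZIP", "archive", ("any",),
               b"PK\x03\x04", 0, (".zip",), "acquisition container"),
    FormatInfo("POSIX tar archive", "TAR", "archive", ("any",),
               b"ustar", 257, (".tar",), "acquisition container"),
)

def identify(header: bytes, filename: str = "") -> Tuple[Optional[FormatInfo], str]:
    """Check every entry's magic bytes at its offset first; only if nothing matches
    fall back to the extension, and report which method produced the answer."""
    for fmt in FORMAT_DB:
        end = fmt.offset + len(fmt.magic)
        if len(header) >= end and header[fmt.offset:end] == fmt.magic:
            return fmt, "magic"
    ext = os.path.splitext(filename.lower())[1]
    for fmt in FORMAT_DB:
        if ext and ext in fmt.extensions:
            return fmt, "extension (unverified)"
    return None, "unknown"

def identify_file(path: str) -> Tuple[Optional[FormatInfo], str]:
    """Read just enough of the file to cover the largest magic offset (tar: 257 + 5 bytes)."""
    with open(path, "rb") as f:
        return identify(f.read(512), os.path.basename(path))
```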
Integrity Mode
Crush also has an optional integrity mode for auditability. When enabled:
- Records SHA-256 hashes when files are opened or exported
- Hashes ZIP/TAR/file sources on open (folders are not hashed)
- Writes hashes to the log
- Creates a crush-export-hashes.txt file next to exported data
You can toggle it via the status badge in the bottom right of the UI. It can also be turned off for faster opening of large ZIP/TAR sources. A small but useful addition for anyone who needs to demonstrate that what they examined is what they got.
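As an added illustration of what such an integrity mode has to do, the following is my own example, not code from crush: it hashes the container on open, streams a member straight out of a ZIP while hashing the bytes as they are written (no extraction step in between), appends the digest to a crush-export-hashes.txt next to the exported data, and re-verifies the copies afterwards. The manifest name is the one the post gives; its "<hex>  <path>" line layout and the sample acquisition contents are my assumptions.

```python
import hashlib, os, tempfile, zipfile

MANIFEST_NAME = "crush-export-hashes.txt"  # name from the post; line layout below is my assumption

def sha256_file(path: str) -> str:
    """Chunked hashing so a large ZIP/TAR source need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return h.hexdigest()

def export_member(zip_path: str, member: str, out_dir: str) -> str:
    """Stream one member out of the archive, hash it as it is written, record it in the manifest."""
    dest = os.path.join(out_dir, os.path.basename(member))
    h = hashlib.sha256()
    with zipfile.ZipFile(zip_path) as zf, zf.open(member) as src, open(dest, "wb") as dst:
        for block in iter(lambda: src.read(1 << 16), b""):
            h.update(block)
            dst.write(block)
    with open(os.path.join(out_dir, MANIFEST_NAME), "a", encoding="utf-8") as m:
        m.write(f"{h.hexdigest()}  {member}\n")  # assumed sha256sum-style "<hex>  <path>" lines
    return h.hexdigest()

def verify_exports(out_dir: str) -> dict:
    """Re-hash every file listed in the manifest; True means the exported copy is unchanged."""
    results = {}
    with open(os.path.join(out_dir, MANIFEST_NAME), encoding="utf-8") as m:
        for line in m:
            digest, member = line.rstrip("\n").split("  ", 1)
            results[member] = sha256_file(os.path.join(out_dir, os.path.basename(member))) == digest
    return results

def demo(tamper: bool = False) -> dict:
    """Constructed acquisition: a tiny ZIP with two fake artifacts, built in a temp dir."""
    work = tempfile.mkdtemp()
    zip_path = os.path.join(work, "acquisition.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:
        zf.writestr("private/var/mobile/prefs.plist", b"bplist00 constructed")
        zf.writestr("private/var/mobile/notes.db", b"abc")
    out = os.path.join(work, "export")
    os.makedirs(out)
    source = sha256_file(zip_path)  # the container is hashed on open, as integrity mode does
    prefs = export_member(zip_path, "private/var/mobile/prefs.plist", out)
    notes = export_member(zip_path, "private/var/mobile/notes.db", out)
    if tamper:  # append a byte after export so verify_exports reports the mismatch
        with open(os.path.join(out, "notes.db"), "ab") as f:
            f.write(b"!")
    return {"source": source, "prefs": prefs, "notes": notes, "verified": verify_exports(out)}
```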
Installation
v0.5.0 ships with pre-built binaries for Windows, Linux, and macOS — available directly from the GitHub releases page. No Python environment needed, no dependency wrangling — just download and run.
One honest caveat: the macOS binary is currently untested as I do not have a macOS system available. If you are on macOS and give it a try, please let me know how it goes via GitHub issues or direct message — that feedback would be really valuable.
If you prefer to run from source (e.g. for development), the README has full instructions, including the platform-specific system dependencies and how to download the Unified Log parser binaries.
Credits
Crush builds on some excellent work from the DFIR community. Bundled third-party modules include:
- ccl_bplist by CCL Solutions Group — binary plist parsing
- ccl_segb by CCL Solutions Group — SEGB parsing
- ccl_leveldb by CCL Solutions Group — LevelDB / Chrome LevelDB parsing
- macos-UnifiedLogs by Mandiant — Apple Unified Log parsing
Thank you to everyone in the community whose research and open source work made this possible.
Nightly Builds
If you want to live on the edge — every night a fresh build is automatically created from the latest main branch, including the most recent features and fixes. Changes are tracked in the changelog.md in the repo. Not recommended for production casework, but great if you want to try out what is coming next or help with testing.
What's Next?
There is still a lot I want to add — more decoders, better search, maybe some lightweight timeline capabilities. I will keep building as I run into things I wish it could do during actual casework.
If you try it out, I would love to hear what features would be most useful to you. Open an issue on GitHub, or reach out to me on Mastodon, Bluesky, or LinkedIn.
Until next time — happy forensicating! 🔍