File System Analysis with Binwalk
Binwalk is a simple Linux tool for analysing binary image files. That analysis may include reverse engineering, and extracting firmware images, file systems, embedded files or executable code from the binary image. Such images may come from the firmware of routers, IoT devices or any other digital device.
To understand how the tool works, I ran an analysis on a forensic image obtained from a 4GB eMMC chip off an LG Smart TV. The image was obtained by the chip-off forensics method and read with the HancomGMD product MD-RED. My analysis using Binwalk revealed the following: a Squashfs filesystem, an Ext4 Linux filesystem, an Ubiquiti partition header and a YAFFS filesystem.
The steps taken to achieve this are what I would like to share; they are described below.
LG IMAGE ANALYSIS USING BINWALK
- Install Binwalk: first run the command “apt-get install binwalk” to install the tool.
- Running the Binwalk tool: run it on the LG forensic image (KLM4G1FETE-B041_ChipOff_20190806_ALLPART.mdf), with the syntax as seen in the screenshot below.
- Outcome of running Binwalk: screenshots of the output header, showing an Ubiquiti partition header, a Squashfs filesystem and a Linux Ext4 filesystem.
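To go from the scan table to the next step (verifying or carving one of the detected filesystems), here is an added Python example that is not from the original post: it parses a constructed sample of binwalk's signature output, labels each hit (Squashfs, Ext4, YAFFS, Ubiquiti header), flags hits whose reported size would run past the end of the image (a common sign of a false-positive signature match), and builds the GNU `dd` command to carve a hit out of a working copy of the image. The sample table, its offsets and sizes are invented for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed sample modelled on binwalk's signature table; offsets, sizes and
# names are invented, not the real scan of the LG eMMC image.
SAMPLE_SCAN = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Ubiquiti partition header, header size: 56 bytes, name: "kernel", base address: 0x00000000, data size: 4194304 bytes
4194360       0x400038        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 12582912 bytes, 2048 inodes, blocksize: 131072 bytes
33554432      0x2000000       Linux EXT filesystem, blocks count: 65536, image size: 268435456, rev 1.0, ext4 filesystem data
318767104     0x13000000      YAFFS filesystem, little endian
"""
LINE_RE = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+(.+)$")
# first "size:" value in a description, skipping the Ubiquiti "header size"
SIZE_RE = re.compile(r"(?<!header )(?:data |image )?size:\s*(\d+)")
KINDS = (("squashfs", "squashfs"), ("ext4", "ext4"), ("yaffs", "yaffs"),
         ("ubiquiti partition header", "ubiquiti-header"))

@dataclass
class Hit:
    offset: int            # absolute byte offset in the image (DECIMAL column)
    kind: str              # normalised filesystem/header label, or "other"
    description: str       # binwalk's DESCRIPTION text
    size: Optional[int]    # bytes, when the signature reports one

def classify(description: str) -> str:
    return next((k for needle, k in KINDS if needle in description.lower()), "other")

def parse_scan(text: str):
    """Turn binwalk's signature table into Hit records; header/separator lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            desc = m.group(2).strip()
            s = SIZE_RE.search(desc)
            hits.append(Hit(int(m.group(1)), classify(desc), desc, int(s.group(1)) if s else None))
    return hits

def plausible(hit: Hit, image_size: int) -> bool:
    """A hit whose reported size runs past the end of the image is a likely false positive."""
    return hit.size is None or hit.offset + hit.size <= image_size

def carve_command(image: str, hit: Hit, out: str) -> str:
    """GNU dd invocation copying exactly the hit's bytes out of a working copy of the image."""
    if hit.size is None:
        raise ValueError("signature reports no size; carve up to the next hit instead")
    return (f"dd if={image} of={out} bs=1M iflag=skip_bytes,count_bytes "
            f"skip={hit.offset} count={hit.size}")
```

Run the real scan with `binwalk <image> > scan.txt` and feed the file to `parse_scan`; work on a copy of the image so the original evidence stays untouched.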
Hi!
Very nice to see how you investigated everything here. I have a question which I really need an answer for.
Question:
Let's assume we have decompressed an .img file using “binwalk”, and now we have made some changes to some files inside the decompressed directory and want to create an image from what we just changed. How do we achieve this?
How do we decompress, make changes and then compress back into an .img file as it was before?
Thanks in advance.
BR