Publication of Hachoir project version 1.0

Hachoir is a framework for binary file manipulation: file format recognition, metadata extraction, searching files in any binary stream (forensics), viewing file content with human representation, etc. It’s composed of many components…Programs:
· hachoir-metadata: fault tolerant metadata extraction;
· hachoir-subfile: search subfiles in a disk image or any other binary stream;
· hachoir-urwid, hachoir-wx, hachoir-gtk, hachoir-gtk: user interface to view file content (curses, wxPython, pygtk, web+ajax);

Modules:
· hachoir-core: library to split binary data into a field tree;
· hachoir-parser: collection of 70 file format parsers;
· hachoir-regex: regular expression optimization/manipulation and pattern matching (used by hachoir-subfile).

· Hachoir project website
· List of supported file formats (jpeg, ttf, exe, rar, ogg, ntfs, ole2, torrent, etc.)
· Examples of metadata extraction
· hachoir-wx screenshots

Hachoir works any operating system and only depends on Python (2.4+). Packages are available for Debian, Mandriva, Gentoo, Arch and FreeBSD.

hachoir-core goal is to ease binary parser writing. It takes care of endian problem, has bit resolution (for addresses and sizes), and only use Unicode charset for text. It gives a nice API to the programmer (see parsers source code): each field is an object. A parser is lazy: its value, display string, description, etc. is computed on demand (when the program ask it). So it’s possible to parse very complex structures and huge files (60 GB or more is not a problem).


Get The Latest DFIR News!

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

hachoir-core and hachoir-metadata are “fault tolerant”: on parser/extractor error or file error (truncated or damaged file), the program doesn’t stop but continue to next valid state. It allows to extract informations on very damaged files.

hachoir-metadata create a dictionary with typed values: track number is an integer, creation date is datetime.datetime object, etc. and all text are stored as Unicode string. The API allows easy reuse of extracted data.

Source code has good code coverage with automatic tests (lot of testcases). Fuzzing is sometimes used to find more bugs.

Some experimental programs exist like hachoir-strip: program to remove personal information (author name, timestamp, copyright, etc.) from a
picture, movie, sound, archive, etc. Another example: swf_extract.py allows to extract pictures and sounds from a SWF (Flash) do*****ent.

Victor Stinner aka haypo

Leave a Comment

Latest Videos

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...