Live data inspector. Shows the byte under the cursor as every common type at once: u8…i64 (LE/BE), f32/f64, ASCII / UTF-8 / UTF-16, Unix & FILETIME & WebKit timestamps, OLE dates.
Use case: spot a suspicious 8-byte value in a header — instantly see whether it's a size, a pointer, an epoch or floating-point junk.
Three modes in one panel: ASCII text, hex with ?? wildcards (e.g. DE AD ?? ?? BE EF), and Go-flavoured regex. Streams over the file in chunks so very large inputs don't freeze the browser; matches carry across chunk boundaries.
Use case: hunt a known indicator — an API key, a domain, a protocol magic — across a disk image in seconds.
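The carry-across-chunks behaviour described above, as an added example (not the tool's own code): a streaming matcher for hex patterns with ?? wildcards that keeps the last pattern-length-minus-one bytes of each chunk so a match split over two chunks is still found. The names parsePattern and StreamSearcher and the sample bytes are assumptions made for illustration.

```javascript
// "DE AD ?? ?? BE EF" -> [0xDE, 0xAD, null, null, 0xBE, 0xEF]; null matches any byte.
function parsePattern(text) {
  return text.trim().split(/\s+/).map((tok) => {
    if (tok === "??") return null;
    if (!/^[0-9a-fA-F]{2}$/.test(tok)) throw new Error(`bad token: ${tok}`);
    return parseInt(tok, 16);
  });
}

class StreamSearcher { // hypothetical name, not the tool's API
  constructor(patternText) {
    this.pattern = parsePattern(patternText);
    this.tail = new Uint8Array(0); // up to pattern.length - 1 trailing bytes already seen
    this.consumed = 0;             // total bytes fed in so far
    this.hits = [];                // absolute file offsets of matches
  }

  // Feed the next chunk; a match may start in the carried tail and end in this chunk.
  push(chunk) {
    const buf = new Uint8Array(this.tail.length + chunk.length);
    buf.set(this.tail, 0);
    buf.set(chunk, this.tail.length);
    const base = this.consumed - this.tail.length; // file offset of buf[0]
    const n = this.pattern.length;
    for (let i = 0; i + n <= buf.length; i++) {
      let ok = true;
      for (let j = 0; j < n && ok; j++) {
        ok = this.pattern[j] === null || this.pattern[j] === buf[i + j];
      }
      if (ok) this.hits.push(base + i);
    }
    this.consumed += chunk.length;
    // n - 1 bytes cannot hold a whole match, so no hit is ever reported twice.
    this.tail = buf.slice(Math.max(0, buf.length - (n - 1)));
    return this;
  }
}

// Constructed sample: the pattern starts at offset 5 and straddles two 8-byte chunks.
const sample = Uint8Array.from([0, 1, 2, 3, 4, 0xDE, 0xAD, 0x11,
                                0x22, 0xBE, 0xEF, 9, 9, 9, 9, 9]);
function demoSearch() {
  const s = new StreamSearcher("DE AD ?? ?? BE EF");
  s.push(sample.subarray(0, 8)).push(sample.subarray(8));
  return s.hits;
}
```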
Shannon entropy plotted over a configurable window and step. High regions (approaching 8.0) indicate encryption or strong compression; flat regions are typically text, code or padding.
Use case: identify encrypted blobs inside an otherwise readable firmware dump — hidden payloads pop out immediately.
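A sketch of the windowed entropy calculation described above, as an added example rather than the tool's implementation: entropy in bits per byte is computed for each window, and consecutive windows above a threshold are merged into byte ranges. The function names, the 7.5 threshold and the constructed sample (a 512-byte uniform block standing in for an encrypted blob) are assumptions.

```javascript
// Shannon entropy of a byte array, in bits per byte.
function shannonEntropy(bytes) {
  if (bytes.length === 0) return 0;
  const counts = new Uint32Array(256);
  for (const b of bytes) counts[b]++;
  let h = 0;
  for (const c of counts) {
    if (c === 0) continue;
    const p = c / bytes.length;
    h -= p * Math.log2(p);
  }
  return h; // 0.0 (one repeated byte) up to 8.0 (all 256 values equally likely)
}

// One entropy value per window position; windowSize and step are in bytes.
function entropyProfile(data, windowSize, step) {
  const points = [];
  for (let off = 0; off + windowSize <= data.length; off += step) {
    const win = data.subarray(off, off + windowSize);
    points.push({ offset: off, entropy: shannonEntropy(win) });
  }
  return points;
}

// Merge touching or overlapping high-entropy windows into [start, end) ranges.
function highEntropyRegions(points, windowSize, threshold) {
  const regions = [];
  for (const p of points) {
    if (p.entropy < threshold) continue;
    const last = regions[regions.length - 1];
    if (last && p.offset <= last.end) last.end = p.offset + windowSize;
    else regions.push({ start: p.offset, end: p.offset + windowSize });
  }
  return regions;
}

// Constructed sample: 512 bytes of text, 512 uniformly distributed bytes, 512 zero bytes.
function buildSample() {
  const data = new Uint8Array(1536); // bytes 1024..1535 stay zero (padding)
  const text = "config=1\n";
  for (let i = 0; i < 512; i++) data[i] = text.charCodeAt(i % text.length);
  for (let i = 512; i < 1024; i++) data[i] = (i * 167 + 13) & 0xff;
  return data;
}

function demoRegions() {
  return highEntropyRegions(entropyProfile(buildSample(), 256, 128), 256, 7.5);
}
```

Windows that straddle the edge of the high-entropy block fall below the threshold, so the reported range is exact here only because the block is aligned to the step; a smaller step tightens the edges on real data.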
Streaming CRC32, MD5, SHA-1, SHA-256 and SHA-512. Hash the whole file or any selected range.
Use case: compute an evidentiary hash over a disk region before and after an edit, or compare against a public IOC database.
Extracts printable ASCII and UTF-16 LE/BE strings with a configurable minimum length. Runs are carried across chunk boundaries so straddled strings aren't missed.
Use case: pull user-agents, URLs, command-line strings, file paths and passwords out of a closed-source binary in a single pass.
Regex-driven indicator-of-compromise extractor. 15 built-in categories: IPv4 / IPv6, email, URL, domain, MD5 / SHA-1 / SHA-256, CVE IDs, Bitcoin addresses, Windows registry keys, file paths, hex-encoded PE headers, Base64 blocks…
Use case: drop a suspicious document in and instantly get a clean list of every network indicator and file path it references.
Named, coloured, optionally categorised markers. Shown as highlights in the editor and pins on the minimap. Persisted in the browser and bundled into the case export.
Use case: mark every unpacked field of a header so you can return after a detour — or annotate suspicious regions for a colleague who will receive the case archive.
Auto-detects and parses common formats: PNG, JPEG, ZIP, ELF, PE, Mach-O, RIFF, ASN.1 / DER. Every field is clickable — clicking jumps the hex view and highlights the byte range.
Use case: drop an unfamiliar .exe in and see every PE header field, every import and every section laid out as a tree.
Templates — Binary Templates DSL
A compact DSL for arbitrary binary layouts. Write a struct that matches your file, apply it, and every field is parsed, decoded and cross-linked into the hex view. Supports primitive types (LE/BE), nested structs, arrays sized by literal or prior field, constants, enums, conditionals, and full expressions. Templates are saved to the browser.
    const MAGIC_LEN = 4
    enum Kind { A = 1, B = 2 }
    struct Header {
        magic: char[MAGIC_LEN]
        version: u32le
        count: u32le
        items: Record[count]
        if version == Kind.B {
            extra: u64le
        }
    }
    struct Record { id: u16le; name: char[16] }
    apply Header at 0
Use case: invent your own packet format on a Tuesday afternoon, or reverse an undocumented configuration blob and share the template with a colleague.
Scans for both PEM- and DER-encoded X.509 certificates. Renders subject, issuer, serial number, validity window, public-key & signature algorithm, SANs, key usage, and SHA-256 fingerprint.
Use case: triage a captured firmware image for expired or self-signed certificates, or pull all certificates out of a memory dump for chain-of-trust analysis.
Finds embedded cryptographic material: PEM key blocks (RSA, EC, DSA, OpenSSH), PKCS#1 / PKCS#8 DER, EC private keys, OpenSSH public-key one-liners, OpenSSH v1 magic, PKCS#12 / PFX. Each finding reports kind, format, offset, length and a summary.
Use case: sweep a firmware dump or memory image for accidentally-embedded private keys before they end up in the wrong hands.
Renders embedded media directly: images (PNG, JPEG, GIF, BMP, WebP), audio (WAV, MP3, OGG, FLAC), video (Matroska, MP4). Auto-scan the whole file or render just a highlighted range.
Use case: spot a JPEG hidden inside a ZIP, or play an MP3 stashed at the end of a PNG, without having to carve it out first.
Searches for 17 embedded formats, each with its own structural validator where possible. Exact lengths for PNG/JPEG/ZIP/ELF; offsets and class for magic-only matches (gzip, bzip2, Mach-O, RAR).
Use case: split a monolithic disk image into its constituent files without relying on the on-disk filesystem.
Scans for plausible timestamps in common formats: 32- and 64-bit Unix, Windows FILETIME, WebKit time, OLE automation date. Filtered to a sensible date range to cut down false positives.
Use case: build a timeline from an undocumented log or packed database file.
A transform pipeline. Chain operations: hex / Base64 encode & decode, XOR with a single byte or a full key, inflate (zlib / raw DEFLATE / gzip). Each step's output becomes the next step's input; intermediate results are shown after every stage.
Use case: unwrap a doubly-encoded payload in a single pass: base64 → zlib-inflate → xor 0x42.
Classical-cipher workbench with brute-forcing and an English-frequency scorer: Caesar shift (any), Atbash, XOR-byte brute, Vigenère (with a known key), and a "try everything" mode.
Use case: crack a trivially-obscured CTF flag or triage an obfuscated strings blob without writing a one-off script.
A compact YARA-like engine: ASCII, hex (with ?? wildcards) and regex patterns combined with any of them, all of them, N of them, plus basic boolean conditions.
Use case: reuse a sharing-friendly ruleset for recurring triage — a quick "is this a Cobalt Strike beacon?" pass, for example.
Loads two files (main slot & compare slot — drop with Shift held) and diffs them by chunk. Differing regions are highlighted, pinned on the minimap and navigable with next / previous buttons.
Use case: identify exactly what changed between firmware 1.2.0 and 1.2.1, or spot a single flipped byte between a known-good binary and a tampered copy.
Heuristic decoder for x86, x86_64, AArch64. Recognises common instruction patterns (branches, returns, moves, calls, jumps, syscalls) and falls back to db / .word with an uncertainty marker. ARM32 and MIPS render raw bytes today. Every run is logged to evidence.
Use case: get a reasonable first look at a shellcode fragment or a small firmware routine without spinning up a full disassembler.
Enumerates every object in a PDF, walks stream contents and decompresses FlateDecode streams in place. Rogue objects, missing cross-references and embedded JavaScript become easy to spot.
Use case: triage a suspicious PDF attachment without running it, or extract a compressed JavaScript payload for further analysis.
Trailer detection for PNG / JPEG / ZIP — flags appended data after the EOF markers and extracts it. LSB tooling for PNG IDAT (extract or inject at configurable bit depths). Metadata extraction for PNG (tEXt / zTXt / iTXt), JPEG (COM / APPn) and a minimal EXIF ASCII parser.
Use case: CTF stego challenges — and legitimate forensic hunts for data hidden inside marketing PDFs or avatar images.
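How trailer detection can work for PNG, as an added example that is not taken from the tool: walk the chunk list (4-byte big-endian length, 4-byte type, data, 4-byte CRC) until IEND and report whatever follows. The names findPngTrailer, pngChunk and buildPngSample are hypothetical, chunk CRCs are not verified, and the sample file is constructed with zeroed CRCs.

```javascript
const PNG_SIG = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A];

// Returns where the PNG structurally ends and any bytes appended after IEND.
function findPngTrailer(bytes) {
  if (bytes.length < 8 || !PNG_SIG.every((b, i) => bytes[i] === b)) {
    return { ok: false, reason: "not a PNG" };
  }
  const view = new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength);
  let pos = 8;
  while (pos + 12 <= bytes.length) {   // length + type + CRC = 12 bytes minimum
    const len = view.getUint32(pos);   // big-endian length of the chunk data
    const type = String.fromCharCode(...bytes.subarray(pos + 4, pos + 8));
    const end = pos + 12 + len;
    if (end > bytes.length) {
      return { ok: false, reason: `chunk ${type} at ${pos} runs past end of file` };
    }
    if (type === "IEND") {
      return { ok: true, imageEnd: end, trailer: bytes.subarray(end) };
    }
    pos = end;
  }
  return { ok: false, reason: "no IEND chunk" };
}

// Builds one chunk with a zeroed CRC (sample data only; real files carry a CRC32).
function pngChunk(type, data) {
  const out = new Uint8Array(12 + data.length);
  new DataView(out.buffer).setUint32(0, data.length);
  out.set([...type].map((c) => c.charCodeAt(0)), 4);
  out.set(data, 8);
  return out;
}

// Constructed sample: signature, IHDR, IEND, then optional appended bytes.
function buildPngSample(appended) {
  const parts = [Uint8Array.from(PNG_SIG), pngChunk("IHDR", new Uint8Array(13)),
                 pngChunk("IEND", new Uint8Array(0)), Uint8Array.from(appended)];
  return Uint8Array.from(parts.flatMap((p) => [...p]));
}

function demoTrailer() {
  // Six appended bytes beginning with the ZIP local-header magic "PK\x03\x04".
  return findPngTrailer(buildPngSample([0x50, 0x4B, 0x03, 0x04, 0x00, 0x00]));
}
```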
BoRIS — firmware triage
A one-click firmware classifier. Flags 20+ markers: gzip, lzma, xz, bzip2, zstd, SquashFS, UBI, JFFS2, U-Boot headers, Android boot images, ELF, and more. Reports presence and offset, not contents.
Use case: first pass on an unknown IoT image — confirm whether it contains a SquashFS rootfs, a U-Boot envelope or a compressed kernel, before committing to a deeper extraction.
Opens a SquashFS 4.x image, reads the superblock, walks the directory tree and lets you extract individual files straight to disk. Gzip is fully supported; xz, lzma, zstd, lz4 and lzo surface a clear "compressor not supported" message rather than pretending.
Use case: pull /etc/shadow or /etc/ssl/ out of a SquashFS rootfs carved from a router firmware image.
A multi-pattern signature scanner with over 100 built-in formats: archives, compression, filesystems, executables, firmware headers, images and more. Each hit comes with a confidence score (low / medium / high), an offset, a size where possible, and a description. Filter by confidence, click to jump, or carve any hit straight to disk.
Use case: a JPEG wrapped in a tarball wrapped in a cpio wrapped in a UBI volume? Binsnoop tells you.
A tiny audit-friendly DSL: set, fill, xor, copy. Patches are planned before they are applied — you see the exact before / after layout before anything is committed.
Use case: patch out a hard-coded check in a binary, or blank a sensitive field before sharing an artefact.
Every significant action — hashes, disassembly runs, parsed formats, user notes — lands in an append-only evidence log. Bundled into the case export, and clearable or filterable any time.
Use case: produce a clean, timestamped trail of your investigation for a later report or an audit.
Drop an ES-module plugin file into the Plugins panel and it registers itself as a new side panel. Plugins have full access to the bridge, the bus and the shared state — first-class citizens, not walled off.
Use case: add a bespoke decoder for your organisation's internal format without ever forking the main codebase.