
Miss Identify

Miss Identify is a program to find MS Windows type win32 applications, displaying filenames of executables without standard extensions like exe, dll, or com. It can also display all executables regardless of extension and is useful in forensics investigations.

Description

Miss Identify (missidentify) is a program to find MS Windows type win32 applications. By default, it displays the filename of any executable that does not have an extension such as exe, dll, com, sys, cpl, hxs, hxi, olb, rll or tlb. It can also display all the executables regardless of their extension.

Miss Identify is useful in forensics investigations, helping to identify hidden or misnamed executable files on disk images or file systems.

The tool inspects each file's contents rather than its name: a file is reported when its binary structure is that of a win32 (PE) executable, so renaming a program to .txt or .dat does not hide it from the scan. This is what makes it useful for surfacing misnamed or deliberately disguised programs.

How It Works

Miss Identify scans files and detects the MS Windows win32 executable format by analyzing the binary headers and structure of each file, independent of its extension. By default it reports only executables lacking one of the standard extensions (exe, dll, com, sys, cpl, hxs, hxi, olb, rll, tlb); with the -a flag it reports every executable it finds. Additional options support recursive traversal of directories (-r), string extraction from the detected executables (-s|-S), bare or relative filename output (-b, -l), and varying output verbosity (-q, -v).
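The following is an added example, not missidentify's own code: a small Python re-implementation of the content check described above, using the standard PE test (a DOS "MZ" signature, and a "PE\0\0" signature at the offset stored in e_lfanew at 0x3C). The extension list is the one from the man page; the assumption that missidentify's internal check is exactly this header test, the function names, and the scratch directory tree it scans are all constructed for illustration.

```python
"""Added example: reproduce missidentify's content-based detection of win32
(PE) executables.  The header test is the standard MZ + PE signature check;
whether missidentify does precisely this internally is an assumption."""
import os
import struct
import tempfile

# Extensions that missidentify treats as standard (from its man page).
STANDARD_EXTENSIONS = {"exe", "dll", "com", "sys", "cpl", "hxs", "hxi", "olb", "rll", "tlb"}


def is_win32_executable(path):
    """True if the file has an 'MZ' DOS header and 'PE\\0\\0' at e_lfanew."""
    try:
        with open(path, "rb") as fh:
            dos_header = fh.read(64)  # IMAGE_DOS_HEADER is 64 bytes
            if len(dos_header) < 64 or dos_header[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos_header, 0x3C)[0]
            fh.seek(e_lfanew)  # past EOF just yields an empty read below
            return fh.read(4) == b"PE\0\0"
    except OSError:  # unreadable file, directory, etc.
        return False


def has_standard_extension(path):
    """Extension check is case-insensitive; 'FOO.DLL' counts as standard."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ext in STANDARD_EXTENSIONS


def find_executables(root, recursive=False, show_all=False):
    """Mimic `missidentify [-r] [-a] ROOT`: return PE files, by default only
    those whose extension is not one of the standard ones."""
    if os.path.isfile(root):
        candidates = [root]
    elif recursive:
        candidates = [os.path.join(d, f)
                      for d, _, files in os.walk(root) for f in sorted(files)]
    else:
        candidates = [os.path.join(root, f) for f in sorted(os.listdir(root))
                      if os.path.isfile(os.path.join(root, f))]
    return [p for p in candidates
            if is_win32_executable(p) and (show_all or not has_standard_extension(p))]


def make_fake_pe(path):
    """Write a constructed, non-runnable file carrying only the MZ + PE signatures."""
    e_lfanew = 0x80
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, e_lfanew)
    with open(path, "wb") as fh:
        fh.write(bytes(dos_header) + b"\0" * (e_lfanew - 64) + b"PE\0\0" + b"\0" * 20)


def demo():
    """Build a constructed scratch tree and return what each mode reports,
    as sorted paths relative to the tree root (forward slashes)."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_pe(os.path.join(root, "installer.exe"))     # standard extension
        make_fake_pe(os.path.join(root, "readme.txt"))        # misnamed executable
        os.mkdir(os.path.join(root, "sub"))
        make_fake_pe(os.path.join(root, "sub", "cache.dat"))  # misnamed, one level down
        with open(os.path.join(root, "notes.exe"), "wb") as fh:  # .exe that is not PE
            fh.write(b"MZ" + b"just text, no PE header")
        with open(os.path.join(root, "plain.txt"), "w") as fh:
            fh.write("nothing to see here")

        def rel(paths):
            return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in paths)

        return {
            "default": rel(find_executables(root)),
            "recursive": rel(find_executables(root, recursive=True)),
            "all_recursive": rel(find_executables(root, recursive=True, show_all=True)),
        }


if __name__ == "__main__":
    for mode, paths in demo().items():
        print(mode, paths)
```

Note what the scratch tree shows: a truncated or bogus file named notes.exe is not reported even with -a, because the decision rests on the header, not the name; conversely readme.txt and sub/cache.dat are reported in the default mode precisely because their names do not match their contents, and sub/cache.dat only appears once the scan is recursive.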

Installation

sudo apt install missidentify

Flags

-r     Recursive mode. All subdirectories are traversed
-q     Silent mode. No error messages are displayed
-a     Display all executable files regardless of extension
-b     Bare filename. No path information displayed
-l     Relative paths in filenames
-v     Verbose mode. Displays the filename for every 10th file processed
-s|-S  Display strings
-V     Display version number and exit
-h     Display this help message

Examples

Display the help message and usage information for missidentify
missidentify -h
Recursively scan all subdirectories in the specified path for win32 executables without standard extensions
missidentify -r /path/to/directory
Display all executable files regardless of extension in the specified files or directory
missidentify -a /path/to/files
Scan files and display only bare filenames without path information for executables without standard extensions
missidentify -b /path/to/files
Scan files and display relative paths in filenames for detected executables
missidentify -l /path/to/files
Verbose mode: scan files and display filename for every 10th file processed while identifying executables
missidentify -v /path/to/files
Scan files and display strings from detected win32 executables
missidentify -s /path/to/files
Updated 2026-04-16. Source: kali.org