
unblob

unblob is an accurate, fast, and easy-to-use extraction suite that parses unknown binary blobs for over 30 archive, compression, and file-system formats. It recursively extracts content and carves out unknown chunks.

Description

unblob is a Python 3 library and tool designed for forensic analysis of binary data. It excels at identifying and extracting embedded files from unknown binary blobs, supporting more than 30 different archive, compression, and filesystem formats. The tool recursively processes nested containers and carves out unaccounted data chunks, making it invaluable for digital forensics investigations.

Use cases include malware analysis, disk image examination, memory forensics, and recovering files from corrupted or obfuscated binaries. Investigators can use unblob to automatically unpack complex nested archives and filesystems without manual intervention, saving significant time in evidence extraction.

The tool requires additional extractor commands like 7z, debugfs, jefferson, and others to handle specific file types. It provides detailed output about discovered file structures and supports controlled recursion depth for precise analysis.

How It Works

unblob parses binary blobs using format-specific parsers for over 30 archive, compression, and filesystem types. It recursively extracts contents up to a configurable depth, leveraging external extractor tools (7z, debugfs, ubireader, etc.) for supported formats. The tool calculates entropy for randomness detection and carves unknown data chunks not matching known signatures. Python libraries like python3-lief, python3-cryptography, and python3-dissect.cstruct handle specialized parsing tasks.
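To make the mechanics above concrete, here is an added Python illustration of the same three ideas (signature-based chunk identification, entropy labelling of unmatched regions, and depth-limited recursion into what was extracted). It is not unblob's own code: it handles only gzip and zip, uses an assumed threshold of 7.0 bits per byte to call a region "high entropy", and runs on a sample blob constructed inline rather than a real firmware image.

```python
import gzip
import io
import math
import random
import zipfile
import zlib
from collections import Counter

# Magic bytes of the two formats this toy carver can measure. unblob itself
# ships parsers for over 30 formats; this is an illustrative re-implementation.
SIGNATURES = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for padding, near 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def gzip_chunk_end(blob: bytes, start: int):
    """Inflate one gzip member from `start`; zlib tells us exactly where it ended."""
    d = zlib.decompressobj(wbits=31)  # 31 = gzip wrapper
    try:
        d.decompress(blob[start:])
    except zlib.error:
        return None  # magic matched but this is not a valid gzip member
    if not d.eof:
        return None  # truncated member
    return len(blob) - len(d.unused_data)


def zip_chunk_end(blob: bytes, start: int):
    """A zip ends at its End Of Central Directory record plus the archive comment."""
    eocd = blob.find(b"PK\x05\x06", start)
    if eocd == -1 or eocd + 22 > len(blob):
        return None
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    return eocd + 22 + comment_len


LENGTH_RESOLVERS = {"gzip": gzip_chunk_end, "zip": zip_chunk_end}


def classify_gap(blob: bytes, start: int, end: int, threshold: float):
    """Label a region no parser claimed, the way an entropy pass would."""
    ent = shannon_entropy(blob[start:end])
    label = "unknown-high-entropy" if ent >= threshold else "unknown-low-entropy"
    return (start, end, label)


def carve(blob: bytes, entropy_threshold: float = 7.0):
    """Return (start, end, kind) triples that cover the whole blob, in order."""
    known, pos = [], 0
    while pos < len(blob):
        for magic, kind in SIGNATURES.items():
            if blob.startswith(magic, pos):
                end = LENGTH_RESOLVERS[kind](blob, pos)
                if end is not None:
                    known.append((pos, end, kind))
                    pos = end
                    break
        else:
            pos += 1  # no parser accepted this offset; keep scanning
    chunks, cursor = [], 0
    for start, end, kind in known:
        if start > cursor:
            chunks.append(classify_gap(blob, cursor, start, entropy_threshold))
        chunks.append((start, end, kind))
        cursor = end
    if cursor < len(blob):
        chunks.append(classify_gap(blob, cursor, len(blob), entropy_threshold))
    return chunks


def extract_recursive(blob: bytes, depth: int = 10, entropy_threshold: float = 7.0):
    """Carve, then descend into gzip members until `depth` is exhausted (like -d)."""
    tree = []
    for start, end, kind in carve(blob, entropy_threshold):
        node = {"start": start, "end": end, "kind": kind, "children": []}
        if kind == "gzip" and depth > 1:
            inner = gzip.decompress(blob[start:end])
            node["children"] = extract_recursive(inner, depth - 1, entropy_threshold)
        tree.append(node)
    return tree


def make_zip(name: str, payload: bytes) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample blob (not a real image):
# 512 zero bytes | gzip(zip) | a bare zip | 4096 bytes of seeded noise
_rng = random.Random(20240416)
INNER_ZIP = make_zip("inner.txt", b"nested payload")
OUTER_ZIP = make_zip("hello.txt", b"hello")
GZIP_CHUNK = gzip.compress(INNER_ZIP)
SAMPLE_BLOB = (b"\x00" * 512 + GZIP_CHUNK + OUTER_ZIP
               + bytes(_rng.getrandbits(8) for _ in range(4096)))

if __name__ == "__main__":
    for node in extract_recursive(SAMPLE_BLOB):
        print(node["start"], node["end"], node["kind"],
              [c["kind"] for c in node["children"]])
```

Running it lists four top-level chunks: the zero padding as low-entropy unknown, the gzip member (whose child is the nested zip), the bare zip, and the trailing noise as high-entropy unknown. Passing depth=1 stops the descent into the gzip member, which is the effect the -d flag has on real unblob runs.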

Installation

```bash
sudo apt install unblob
```

Flags

-e, --extract-dir DIRECTORY          Extract the files to this directory. Will be created if it doesn't exist.
-f, --force                          Force extraction even if outputs already exist (they are removed).
-d, --depth INTEGER RANGE            Recursion depth. How deep should we extract containers. [default: 10; x>=1]
-n, --randomness-depth INTEGER RANGE Entropy calculation depth. How deep should we analyze for randomness.

Examples

Display help and usage information for unblob.
unblob -h
Analyze firmware binary blob with default settings (depth=10).
unblob firmware.bin
Extract contents from disk image to 'extracted/' directory.
unblob -e extracted/ disk.img
Force extraction to 'output/' directory, overwriting existing files.
unblob -f -e output/ archive.tar.gz
Analyze memory dump with limited recursion depth of 5.
unblob -d 5 memory.dump
Perform entropy analysis with randomness depth of 3.
unblob --randomness-depth 3 blob.dat
Deep recursive extraction (depth 15) for forensic evidence.
unblob -d 15 -e forensics/ evidence.bin
Updated 2026-04-16. Source: kali.org