SPECTER
Forensic CLI: parallel hashing + ssdeep, native metadata, signed evidence, cluster + triage
v1.0.1
Linux
Quick Start
Install via jcli
jcli install specter
Hash + identify
# 4 algorithms in parallel + ssdeep fuzzy hash
specter hash suspect.bin
# Verify a known good hash (algorithm detected by hex length)
specter hash file.bin --verify 5d41402abc4b2a76b9719d911017c592
# Native metadata extraction (no ExifTool required)
specter meta photo.jpg
specter geo photo.jpg --kml > out.kml
Triage + analyze + cluster (NEW)
# NEW: Fast triage — hash + magic + tamper + scanner only (~10x faster than analyze)
specter triage suspect.exe
# Full pipeline (carve + entropy + strings on opt-in)
specter analyze suspect.bin --strings --report report.md
# Recursive directory walk, sharded across cores via rayon
specter batch ./samples/
# NEW: Cluster a directory by SHA-256 dedup + ssdeep similarity
specter cluster ./samples/ --threshold 30
Evidence chain-of-custody (HMAC + Ed25519)
# Produce a signed evidence bag (HMAC + NEW: detached Ed25519 signature)
specter evidence make file.bin > evidence.json
# Verify — third parties only need the Ed25519 public key
specter evidence verify evidence.json
YARA-lite scanner + IOC strings
# Scan with the linear-time regex engine (no ReDoS on adversarial input)
specter scan suspect.bin
# Extract strings + IOC regex families (URLs, IPs, BTC/ETH addrs, AWS/GitHub tokens, base64 blobs)
specter strings suspect.bin
# Custom rules: drop .json files into ~/.local/share/specter/rules/
specter rules list
specter rules show ioc-eicar
What's new in v1.0 (Rust rewrite)
- Parallel hashing. MD5, SHA-1, SHA-256, SHA-512 all run in 4 threads from the same byte buffer (`rayon::join`). For files under 1 GiB the wall-clock approaches the single-fastest algorithm rather than the sum of four. ssdeep fuzzy hash computed in the same pass.
- NEW `cluster` subcommand. Two-stage: group exact SHA-256 duplicates first, then group remaining unique files by ssdeep similarity. The standard malware-family clustering workflow — "are these all variants of the same threat?" — without an external tool.
- NEW `triage` subcommand. Opinionated fast path: hash + magic + tamper + scanner only. Skips entropy / strings / carve. ~10x faster than `analyze` when minutes matter.
- Ed25519 detached signatures. `evidence make` produces both an HMAC envelope (self-verify with the symmetric key) AND a detached Ed25519 signature against a per-operator private key. Third-party verifiers — courts, opposing counsel, peer reviewers — only need the public key, never the symmetric secret.
- Parallel batch via rayon. The `batch` subcommand shards a directory walk across cores. Python was strictly serial — a 10k-file scan now finishes in a fraction of the wall-clock time.
- Linear-time `regex` scanner. The YARA-lite engine now runs on Rust's `regex` crate (no catastrophic backtracking). Adversarial inputs can't ReDoS the scanner — a real improvement over Python's `re`.
- Mach-O fat-arch expansion. Multi-arch binaries (a sample that hides ARM64 alongside x86_64) get every slice enumerated individually.
- Expanded magic-byte table (~60 from 25): DEX, APK, RPM, SQLite, SSH / PGP keys, MP3 / MP4 / MKV, FLAC, RTF, XZ, 7z, deb / ar.
- NEW NDJSON output on every subcommand — pipes straight into SIEMs and downstream analytics tooling.
- Single binary, zero runtime deps. Replaces a Python 3.12 environment + the optional `rich` dep with a 5 MB Rust binary. Works on hardened airgapped hosts.
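The two hashing ideas above (the "Hash + identify" commands, where `--verify` detects the algorithm from the hex length, and the parallel-hashing item in this list, where all digests come from one buffer) in working form. This is an added example, not SPECTER's code: it is Go rather than Rust, uses goroutines in place of `rayon::join`, and leaves out ssdeep because it is not in the standard library. The function names (`hashAll`, `algorithmForHex`, `verify`) are assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Digests holds the hex digests computed over one in-memory buffer.
type Digests struct {
	MD5, SHA1, SHA256, SHA512 string
}

// hashAll reads the buffer once and fans the four digests out to four
// goroutines, so wall-clock approaches the slowest single algorithm rather
// than the sum of all four. Each goroutine writes its own field, so no
// locking is needed.
func hashAll(data []byte) Digests {
	var d Digests
	var wg sync.WaitGroup
	wg.Add(4)
	go func() { defer wg.Done(); s := md5.Sum(data); d.MD5 = hex.EncodeToString(s[:]) }()
	go func() { defer wg.Done(); s := sha1.Sum(data); d.SHA1 = hex.EncodeToString(s[:]) }()
	go func() { defer wg.Done(); s := sha256.Sum256(data); d.SHA256 = hex.EncodeToString(s[:]) }()
	go func() { defer wg.Done(); s := sha512.Sum512(data); d.SHA512 = hex.EncodeToString(s[:]) }()
	wg.Wait()
	return d
}

// algorithmForHex picks the algorithm from the digest length alone, which is
// how a --verify value can be checked without naming the algorithm.
func algorithmForHex(h string) (string, error) {
	if _, err := hex.DecodeString(h); err != nil {
		return "", fmt.Errorf("not a hex digest: %w", err)
	}
	switch len(h) {
	case 32:
		return "MD5", nil
	case 40:
		return "SHA-1", nil
	case 64:
		return "SHA-256", nil
	case 128:
		return "SHA-512", nil
	}
	return "", errors.New("digest length matches no supported algorithm")
}

// verify compares the detected algorithm's digest against the expected hex
// value (case-insensitive) and reports which algorithm was used.
func verify(data []byte, expected string) (string, bool, error) {
	expected = strings.ToLower(strings.TrimSpace(expected))
	algo, err := algorithmForHex(expected)
	if err != nil {
		return "", false, err
	}
	d := hashAll(data)
	actual := map[string]string{
		"MD5": d.MD5, "SHA-1": d.SHA1, "SHA-256": d.SHA256, "SHA-512": d.SHA512,
	}[algo]
	return algo, actual == expected, nil
}

func main() {
	// Constructed input: the digest shown in the Quick Start is MD5 of the
	// five ASCII bytes "hello", so that is what we verify here.
	data := []byte("hello")
	d := hashAll(data)
	fmt.Printf("md5=%s\nsha256=%s\n", d.MD5, d.SHA256)
	algo, ok, err := verify(data, "5d41402abc4b2a76b9719d911017c592")
	fmt.Println(algo, ok, err)
}
```

A length-based detector accepts any 32/40/64/128-character hex string, so a caller who pastes a truncated digest gets a clean "no supported algorithm" error rather than a silent mismatch; the hex check also rejects non-hex input before any hashing is done.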
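The two-stage `cluster` workflow described above, as an added example that is not SPECTER's code. Stage 1 buckets by SHA-256; stage 2 links the unique representatives with union-find when a similarity score reaches the threshold. ssdeep is not in Go's standard library, so `similarity` here is a labelled stand-in (Jaccard similarity of byte 4-grams, scaled to 0..100); the clustering only depends on the "score >= threshold" contract, so a real ssdeep comparison slots into the same place. All names and the four in-memory sample files are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Sample is a file name plus its bytes (constructed in memory here rather
// than read from a directory walk).
type Sample struct {
	Name string
	Data []byte
}

// ngramSet returns the set of distinct n-byte windows in data.
func ngramSet(data []byte, n int) map[string]struct{} {
	set := make(map[string]struct{})
	for i := 0; i+n <= len(data); i++ {
		set[string(data[i:i+n])] = struct{}{}
	}
	return set
}

// similarity is a STAND-IN for ssdeep's 0..100 comparison score: Jaccard
// similarity of byte 4-gram sets. Any scorer with the same contract works.
func similarity(a, b []byte) int {
	sa, sb := ngramSet(a, 4), ngramSet(b, 4)
	inter := 0
	for g := range sa {
		if _, ok := sb[g]; ok {
			inter++
		}
	}
	union := len(sa) + len(sb) - inter
	if union == 0 {
		return 0 // both inputs shorter than one 4-gram: no evidence either way
	}
	return 100 * inter / union
}

// cluster groups samples in two stages: exact SHA-256 duplicates first, then
// one representative per unique digest is compared pairwise and linked when
// similarity >= threshold. Returns name lists, each sorted, in a stable order.
func cluster(samples []Sample, threshold int) [][]string {
	// Stage 1: bucket by SHA-256, remembering first-seen order of digests.
	byDigest := map[string][]string{}
	rep := map[string][]byte{}
	var order []string
	for _, s := range samples {
		sum := sha256.Sum256(s.Data)
		d := hex.EncodeToString(sum[:])
		if _, seen := byDigest[d]; !seen {
			order = append(order, d)
			rep[d] = s.Data
		}
		byDigest[d] = append(byDigest[d], s.Name)
	}
	// Stage 2: union-find over the unique representatives only, so exact
	// duplicates never cost a fuzzy comparison.
	parent := make([]int, len(order))
	for i := range parent {
		parent[i] = i
	}
	var find func(int) int
	find = func(i int) int {
		for parent[i] != i {
			parent[i] = parent[parent[i]] // path halving
			i = parent[i]
		}
		return i
	}
	for i := 0; i < len(order); i++ {
		for j := i + 1; j < len(order); j++ {
			if similarity(rep[order[i]], rep[order[j]]) >= threshold {
				parent[find(i)] = find(j)
			}
		}
	}
	groups := map[int][]string{}
	for i, d := range order {
		r := find(i)
		groups[r] = append(groups[r], byDigest[d]...)
	}
	var out [][]string
	for _, names := range groups {
		sort.Strings(names)
		out = append(out, names)
	}
	sort.Slice(out, func(i, j int) bool { return out[i][0] < out[j][0] })
	return out
}

// demoSamples builds four constructed files: an original, an exact copy, a
// near variant (one token changed) and an unrelated hex-only file.
func demoSamples() []Sample {
	orig := "constructed sample: the dropper writes config.dat then launches helper.exe with --silent flag"
	variant := "constructed sample: the dropper writes config.dat then launches worker.exe with --silent flag"
	other := "7f454c46020101000000000000000000030000003e000100000040100000000000004000000000000000"
	return []Sample{
		{"sample_a.bin", []byte(orig)},
		{"sample_a_copy.bin", []byte(orig)},
		{"sample_a_variant.bin", []byte(variant)},
		{"sample_b.bin", []byte(other)},
	}
}

func main() {
	for _, c := range cluster(demoSamples(), 30) { // 30 = the page's example threshold
		fmt.Println(c)
	}
}
```

The pairwise stage is O(n²) in the number of unique digests, which is why deduplicating first matters on a large sample directory: a thousand copies of the same dropper cost one comparison each, not a thousand.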
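The evidence-bag scheme from the chain-of-custody commands and the Ed25519 item above: one canonical payload (file name, size, SHA-256, operator, timestamp) authenticated twice, with an HMAC the operator checks using the symmetric key and a detached Ed25519 signature a third party checks with only the public key. This is an added example, not SPECTER's code or its actual bag format; the JSON field names and function names are assumptions, and the sample bytes and keys are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Payload is the authenticated part of the bag. Struct field order is fixed,
// so json.Marshal yields identical bytes on the make and verify sides; that
// serialisation is what gets MAC'd and signed.
type Payload struct {
	File     string `json:"file"`
	Size     int    `json:"size"`
	SHA256   string `json:"sha256"`
	Operator string `json:"operator"`
	Created  string `json:"created"`
}

// Bag is the envelope: payload + HMAC tag (symmetric, self-verify) + detached
// Ed25519 signature (asymmetric, third-party verify). Field names assumed.
type Bag struct {
	Payload    Payload `json:"payload"`
	HMACSHA256 string  `json:"hmac_sha256"`
	Ed25519Sig string  `json:"ed25519_sig"`
}

func canonical(p Payload) ([]byte, error) { return json.Marshal(p) }

// makeBag hashes the evidence bytes and authenticates the payload twice.
func makeBag(name string, data []byte, operator, created string, hmacKey []byte, priv ed25519.PrivateKey) (Bag, error) {
	sum := sha256.Sum256(data)
	p := Payload{File: name, Size: len(data), SHA256: hex.EncodeToString(sum[:]), Operator: operator, Created: created}
	msg, err := canonical(p)
	if err != nil {
		return Bag{}, err
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(msg)
	return Bag{
		Payload:    p,
		HMACSHA256: hex.EncodeToString(mac.Sum(nil)),
		Ed25519Sig: hex.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// verifyHMAC is the operator's own check; it needs the symmetric secret.
func verifyHMAC(b Bag, hmacKey []byte) bool {
	msg, err := canonical(b.Payload)
	if err != nil {
		return false
	}
	want, err := hex.DecodeString(b.HMACSHA256)
	if err != nil {
		return false
	}
	mac := hmac.New(sha256.New, hmacKey)
	mac.Write(msg)
	return hmac.Equal(mac.Sum(nil), want) // constant-time compare
}

// verifySignature is the third-party check. The public key must come from an
// out-of-band trusted source, not from inside the bag, since anyone who can
// rewrite the bag could swap in their own key and re-sign.
func verifySignature(b Bag, pub ed25519.PublicKey) bool {
	msg, err := canonical(b.Payload)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return false
	}
	sig, err := hex.DecodeString(b.Ed25519Sig)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// verifyEvidenceBytes re-hashes the evidence itself against the payload: a bag
// that verifies proves nothing about bytes that no longer match it.
func verifyEvidenceBytes(b Bag, data []byte) bool {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:]) == b.Payload.SHA256 && len(data) == b.Payload.Size
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		panic(err)
	}
	key := []byte("constructed-symmetric-secret")
	bag, err := makeBag("file.bin", []byte("constructed evidence bytes"), "analyst-01", "2024-01-01T00:00:00Z", key, priv)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(bag, "", "  ")
	fmt.Println(string(out))
	fmt.Println("hmac ok:", verifyHMAC(bag, key), "sig ok:", verifySignature(bag, pub))
}
```

Verification always re-serialises the payload rather than trusting any bytes the bag carries, so a reviewer who edits one field of the JSON breaks both the MAC and the signature.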
Subcommands
| Command | What it does |
|---|---|
| hash | MD5 + SHA-1 + SHA-256 + SHA-512 + ssdeep (parallel) |
| meta | Native metadata (JPEG EXIF, PNG chunks, PDF info dict, OOXML props) |
| geo | GPS extraction + OSM link + KML export; --directory aggregates |
| scan | YARA-lite scanner with linear-time regex (no ReDoS) |
| strings | ASCII + UTF-16LE strings with 13 IOC regex families |
| binary | PE / ELF / Mach-O headers (incl. fat-arch slices) |
| carve | PDF (JS / OpenAction / EmbeddedFile / Launch) + ZIP (entries + zip-bomb) |
| timeline | Sort every timestamp (EXIF / GPS / PDF / OOXML / filesystem) |
| diff | Metadata diff between two files |
| analyze | Full pipeline with verdict engine + confidence score |
| batch | Parallel recursive analyze with worst-verdict aggregation |
| evidence | HMAC + Ed25519 signed evidence bag (make / verify) |
| db | Local SQLite store (list / search / stats / check / purge) |
| rules | Inspect rule registry (list / show) |
| report | Markdown forensic report |
| triage NEW | Fast single-file pipeline (~10x faster than analyze) |
| cluster NEW | Group a directory by SHA-256 + ssdeep similarity |
Verdict + exit codes
| Verdict | Trigger | Exit code |
|---|---|---|
| MALICIOUS | ≥1 HIGH-severity scanner hit | 2 |
| SUSPICIOUS | MEDIUM scanner hit / HIGH tamper / packer-grade entropy | 1 |
| TAMPERED | Only LOW-severity tamper findings | 1 |
| CLEAN | No findings | 0 |
| UNKNOWN | File unreadable | 3 |
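The YARA-lite scanner from the Quick Start and the linear-time regex point from "What's new", wired to the verdict / exit-code table above, as an added example that is not SPECTER's code. Go's `regexp` is RE2-based, so like Rust's `regex` crate it matches in time linear in the input regardless of the pattern, which is what `adversarialProbe` exercises. The three rules, their severities, the sample buffer and the function names are constructed for the demo; they are not SPECTER's shipped rule set or its rule file format. Where the table has no row (a LOW scanner hit on its own, a MEDIUM tamper finding), the code leaves the verdict unchanged, which is an assumption.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
)

// Rule is a YARA-lite style rule: a name, a severity and one regular
// expression. regexp is RE2-based, so matching is linear in input size
// whatever the pattern; that is what rules out ReDoS against the scanner.
type Rule struct {
	Name     string
	Severity string // HIGH, MEDIUM or LOW
	Pattern  *regexp.Regexp
}

// Finding is one hit. Kind is "scanner" for rule hits; the verdict table also
// takes "tamper" findings, which other stages would produce.
type Finding struct {
	Kind, Rule, Severity string
	Offset               int
	Snippet              string
}

func mustRule(name, sev, pattern string) Rule {
	return Rule{Name: name, Severity: sev, Pattern: regexp.MustCompile(pattern)}
}

// demoRules are constructed IOC-style rules, not SPECTER's shipped rules.
var demoRules = []Rule{
	mustRule("ioc-url", "MEDIUM", `https?://[A-Za-z0-9./?=_-]+`),
	mustRule("ioc-ipv4", "LOW", `\b(?:\d{1,3}\.){3}\d{1,3}\b`),
	mustRule("susp-powershell-encoded", "HIGH", `(?i)powershell[^\n]{0,40}-enc(?:odedcommand)?\s+[A-Za-z0-9+/=]{20,}`),
}

// scan runs every rule over the buffer and records each match with its offset.
func scan(data []byte, rules []Rule) []Finding {
	var out []Finding
	for _, r := range rules {
		for _, loc := range r.Pattern.FindAllIndex(data, -1) {
			out = append(out, Finding{Kind: "scanner", Rule: r.Name, Severity: r.Severity,
				Offset: loc[0], Snippet: string(data[loc[0]:loc[1]])})
		}
	}
	return out
}

// verdict implements the verdict / exit-code table. readable=false models an
// unreadable file; packerEntropy models the entropy stage's packer-grade flag.
// Severities the table does not name leave the verdict unchanged (assumption).
func verdict(findings []Finding, packerEntropy, readable bool) (string, int) {
	if !readable {
		return "UNKNOWN", 3
	}
	var highScanner, medScanner, highTamper, lowTamper bool
	for _, f := range findings {
		switch {
		case f.Kind == "scanner" && f.Severity == "HIGH":
			highScanner = true
		case f.Kind == "scanner" && f.Severity == "MEDIUM":
			medScanner = true
		case f.Kind == "tamper" && f.Severity == "HIGH":
			highTamper = true
		case f.Kind == "tamper" && f.Severity == "LOW":
			lowTamper = true
		}
	}
	switch {
	case highScanner:
		return "MALICIOUS", 2
	case medScanner || highTamper || packerEntropy:
		return "SUSPICIOUS", 1
	case lowTamper:
		return "TAMPERED", 1
	}
	return "CLEAN", 0
}

// adversarialProbe scans n 'a' bytes plus a trailing '!' against a
// nested-quantifier pattern that makes backtracking engines take exponential
// time; RE2 finishes in linear time and reports no match.
func adversarialProbe(n int) int {
	data := append(bytes.Repeat([]byte("a"), n), '!')
	return len(scan(data, []Rule{mustRule("nested-quantifier-demo", "LOW", `^(a+)+$`)}))
}

// demoSample is a constructed buffer with exactly one hit per demo rule.
var demoSample = []byte("constructed sample: GET http://example.invalid/update?id=42 from 10.0.0.7\n" +
	"cmd: powershell -enc SGVsbG8gV29ybGQhIHRoaXMgaXM=\n")

func main() {
	findings := scan(demoSample, demoRules)
	for _, f := range findings {
		fmt.Printf("%-24s %-6s @%d %q\n", f.Rule, f.Severity, f.Offset, f.Snippet)
	}
	v, code := verdict(findings, false, true)
	fmt.Printf("verdict=%s exit=%d\n", v, code)
	fmt.Println("adversarial hits:", adversarialProbe(200000))
}
```

The exit code is what a batch wrapper or CI gate keys on, so the mapping is kept in one function that takes every stage's output; the scanner alone can never produce TAMPERED, which makes that row a useful check that the tamper stage actually fed the verdict.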