Wipe Detector Framework

A forensic disk wipe detection framework designed to analyze disk images for possible wiping, high-entropy overwrite regions, SSD TRIM behavior, multi-pass wipe patterns, and evidence integrity verification.

The project combines a high-performance Rust analysis engine with a Python FastAPI layer for API-based execution and HTML report generation.

---

🚀 Features

• Disk image scanning using block-wise analysis
• SHA-256 hash verification before analysis
• Entropy-based wipe pattern detection
• Multi-pass overwrite pattern analysis
• SSD TRIM candidate detection
• E01 image handling support
• JSON output from Rust core
• FastAPI endpoint for analysis
• HTML forensic report generation
• Docker-based deployment support

---

🛠️ Tech Stack

• Rust
• Python
• FastAPI
• Pydantic
• Jinja2
• Streamlit
• Docker
• Docker Compose

---

📂 Repository Structure

wipe_detector_framework/
├── config/
│   └── config.yaml
├── docker/
│   ├── docker-compose.yml
│   ├── python.Dockerfile
│   └── rust.Dockerfile
├── python-api/
│   ├── app.py
│   ├── requirements.txt
│   ├── services/
│   ├── templates/
│   └── ui/
└── rust-core/
    ├── Cargo.toml
    └── src/

---

⚙️ How It Works

1. The user provides a disk image path and expected SHA-256 hash.
2. The Rust core verifies the disk image integrity.
3. If the hash matches, the disk image is scanned block by block.
4. The scanner detects wipe-like patterns using entropy and repetition thresholds.
5. Additional modules perform multi-pass analysis, encryption-region detection, and SSD TRIM candidate detection.
6. Results are scored and exported as JSON.
7. The Python FastAPI service converts the analysis output into an HTML forensic report.

---

🔧 Configuration

The framework uses config/config.yaml

block_size: 4096
entropy_random_threshold: 7.8
single_byte_threshold: 0.95
ssd_page_size: 4096

---

🌐 API Endpoint

POST /analyze/

Request Body

{
  "image_path": "sample.raw",
  "expected_sha256": "your_expected_sha256_hash",
  "case_info": {
    "case_id": "CASE-001",
    "case_title": "Suspected Disk Wipe Investigation"
  },
  "investigator_info": {
    "name": "Investigator Name",
    "organization": "Cyber Forensic Lab"
  }
}

Response

{
  "report_html": "<html>Generated forensic report</html>"
}

---

💻 Run Locally

1️⃣ Clone Repository

git clone git@github.com:code-with-nc/wipe_detector_framework.git
cd wipe_detector_framework

---

2️⃣ Build Rust Core

cd rust-core
cargo build --release
cd ..

---

3️⃣ Install Python Dependencies

cd python-api
pip install -r requirements.txt

---

4️⃣ Start FastAPI Server

uvicorn app:app --host 0.0.0.0 --port 8000

API will run at:

http://localhost:8000

---

🐳 Run with Docker

cd docker
docker compose up --build

---

🧪 Example Rust Core Usage

./rust-core/target/release/wipe_detector_core sample.raw <expected_sha256>

---

📊 Output

The Rust engine outputs structured JSON containing:

• scanned block results
• detected wipe patterns
• entropy values
• multi-pass analysis results
• encryption-region indicators
• SSD TRIM candidates
• severity scores
• audit log SHA-256 hash

---

🎯 Use Cases

• Digital forensic disk investigation
• Evidence integrity validation
• Deleted/wiped data analysis
• SSD wipe behavior detection
• Cyber crime lab training
• Academic forensic research
• Incident response investigation workflow

---

⚠️ Notes

This tool is intended for educational, research, and authorized forensic investigation use only.

Always work on forensic copies of disk images and preserve original evidence according to chain-of-custody procedures.

---

👩‍💻 Author

Narayani
GitHub: code-with-nc

---