ffind skill

This skill helps you analyze firmware and extract embedded filesystems using ffind, identifying artifact types and enabling deep filesystem inspection.

npx playbooks add skill brownfinesecurity/iothackbot --skill ffind

Review the files below or copy the command above to add this skill to your agents.

SKILL.md
---
name: ffind
description: Advanced file finder with type detection and filesystem extraction for analyzing firmware and extracting embedded filesystems. Use when you need to analyze firmware files, identify file types, or extract ext2/3/4 or F2FS filesystems.
---

# Ffind - Advanced File Finder with Extraction

You are helping the user find and analyze files with advanced type detection and optional filesystem extraction capabilities using the ffind tool.

## Tool Overview

Ffind analyzes files and directories, identifies file types, and can extract filesystems (ext2/3/4, F2FS) for deeper analysis. It's designed for firmware and IoT device analysis.

## Instructions

When the user asks to analyze files, find specific file types, or extract filesystems:

1. **Understand the target**:
   - Ask what path(s) they want to analyze
   - Determine if they want to extract filesystems or just analyze
   - Ask if they want all file types or just artifact types

2. **Execute the analysis**:
   - Use the ffind command from the iothackbot bin directory
   - Basic usage: `ffind <path> [<path2> ...]`
   - To extract filesystems: `ffind <path> -e`
   - Custom extraction directory: `ffind <path> -e -d /path/to/output`
   - Show all file types: `ffind <path> -a`
   - Verbose output: `ffind <path> -v`

3. **Output formats**:
   - `--format text` (default): Human-readable colored output with type summaries
   - `--format json`: Machine-readable JSON
   - `--format quiet`: Minimal output

4. **Extraction capabilities**:
   - Supports ext2/ext3/ext4 filesystems (requires e2fsprogs)
   - Supports F2FS filesystems (requires f2fs-tools)
   - Requires sudo privileges for extraction
   - Default extraction location: `/tmp/ffind_<timestamp>`

## Examples

Analyze a firmware file to see file types:
```bash
ffind /path/to/firmware.bin
```

Extract all filesystems from a firmware image:
```bash
sudo ffind /path/to/firmware.bin -e
```

Analyze multiple files and show all types:
```bash
ffind /path/to/file1.bin /path/to/file2.bin -a
```

Extract to a custom directory:
```bash
sudo ffind /path/to/firmware.bin -e -d /tmp/my-extraction
```

## Important Notes

- Extraction requires root/sudo privileges
- Requires external tools: e2fsprogs, f2fs-tools, util-linux
- Identifies "artifact" file types relevant to security analysis by default
- Use `-a` flag to see all file types including common formats

Overview

This skill is an advanced file finder focused on firmware and IoT analysis. It detects file types, highlights security-relevant artifacts, and can extract embedded filesystems (ext2/3/4 and F2FS) for deeper inspection. Use it to quickly map contents of firmware images and produce machine- or human-readable reports.

How this skill works

ffind scans one or more paths and classifies contained objects by type, preferring artifact types useful for security analysis by default. It can optionally mount and extract embedded filesystems when requested, requiring appropriate system tools and sudo. Output can be emitted as colored text, JSON for automation, or a quiet minimal form for scripting.
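
To show what identifying an embedded ext2/3/4 or F2FS filesystem involves, the following added example scans a blob for the two superblock magics and sanity-checks the ext geometry. It is not ffind's code and does not describe ffind's detection method, which this page does not state. `find_filesystems`, `make_sample` and the sample blob are constructed for illustration, and the ext2/ext3/ext4 split by feature flags is a heuristic.

```python
import struct

EXT_MAGIC = b"\x53\xef"           # s_magic 0xEF53 (little-endian), at 0x38 in the superblock
F2FS_MAGIC = b"\x10\x20\xf5\xf2"  # 0xF2F52010 (little-endian), first field of the superblock
SB_OFFSET = 1024                  # both superblocks start 1024 bytes into the filesystem

def _hits(blob, needle):
    pos = blob.find(needle)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1)

def find_filesystems(blob):
    """Return sorted (offset, type, size_bytes) for plausible ext2/3/4 and F2FS superblocks."""
    found, seen = [], set()
    for pos in _hits(blob, EXT_MAGIC):
        sb = pos - 0x38                       # start of the candidate superblock
        start = sb - SB_OFFSET                # start of the candidate filesystem
        if start < 0 or len(blob) < sb + 0x64:
            continue
        inodes, blocks = struct.unpack_from("<II", blob, sb)   # s_blocks_count_lo only
        log_bs, = struct.unpack_from("<I", blob, sb + 0x18)    # block size = 1024 << log_bs
        group_nr, compat, incompat = struct.unpack_from("<HII", blob, sb + 0x5A)
        # A 2-byte magic is weak: drop backup copies (group_nr != 0) and bad geometry.
        if group_nr != 0 or log_bs > 6 or inodes == 0 or blocks == 0:
            continue
        # extents|64bit|flex_bg => ext4; has_journal => ext3; otherwise ext2 (heuristic)
        kind = "ext4" if incompat & 0x2C0 else ("ext3" if compat & 0x4 else "ext2")
        found.append((start, kind, blocks * (1024 << log_bs)))
    for pos in _hits(blob, F2FS_MAGIC):
        start = pos - SB_OFFSET
        if start < 0 or start - 4096 in seen or len(blob) < pos + 44:
            continue                          # second superblock copy, or truncated
        log_bs, block_count = struct.unpack_from("<I16xQ", blob, pos + 16)
        seen.add(start)
        found.append((start, "f2fs", block_count << log_bs))
    return sorted(found)

def make_sample():
    """Constructed blob: 512-byte header, minimal ext4 superblock, minimal F2FS superblock."""
    ext = bytearray(8192)                     # s_log_block_size stays 0 (1 KiB blocks)
    struct.pack_into("<II", ext, SB_OFFSET, 64, 8)               # inodes, blocks
    ext[SB_OFFSET + 0x38:SB_OFFSET + 0x3A] = EXT_MAGIC
    struct.pack_into("<HII", ext, SB_OFFSET + 0x5A, 0, 0x4, 0x40)
    f2 = bytearray(8192)
    f2[SB_OFFSET:SB_OFFSET + 4] = F2FS_MAGIC
    struct.pack_into("<I16xQ", f2, SB_OFFSET + 16, 12, 2)        # 4 KiB blocks, 2 blocks
    return b"\xff" * 512 + bytes(ext) + bytes(f2)

if __name__ == "__main__":
    print(find_filesystems(make_sample()))
```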

When to use it

  • Investigating firmware images to discover binaries, configs, certificates, or scripts.
  • Extracting embedded ext2/3/4 or F2FS filesystems for manual inspection or carving.
  • Creating machine-readable inventories of firmware contents for triage or automated pipelines.
  • Running broad searches across multiple firmware blobs to find specific file types or indicators.
  • Preparing data for reverse engineering, static analysis, or vulnerability scanning.

Best practices

  • Always run extraction (-e) with sudo and ensure e2fsprogs and f2fs-tools are installed on the analysis host.
  • Default behavior reports artifact types; use -a to reveal all file types when you need full coverage.
  • Use --format json when integrating into automation, CI, or other tooling for reliable parsing.
  • Specify a custom extraction directory (-d) to control disk usage and keep extractions organized.
  • Run with -v for verbose diagnostics when an image fails to extract or types are unclear.

Example use cases

  • Quickly enumerate types in a firmware blob: ffind /path/to/firmware.bin
  • Extract all embedded filesystems for manual review: sudo ffind /path/to/firmware.bin -e
  • Scan multiple images and show every detected format: ffind /path/to/a.bin /path/to/b.bin -a
  • Extract into a named workspace for follow-up tools: sudo ffind /path/to/firmware.bin -e -d /tmp/my-extraction
  • Emit JSON for automated analysis pipelines: ffind /path/to/firmware.bin --format json

FAQ

What prerequisites are required to extract filesystems?

Extraction requires sudo privileges and external tools: e2fsprogs for ext2/3/4 and f2fs-tools for F2FS. Ensure util-linux is available for loop/mount helpers.

How do I get machine-readable output?

Use --format json to produce JSON suitable for scripts and downstream processing.

Why do I sometimes see fewer types by default?

By default ffind highlights security-relevant artifact types. Use -a to display all detected file types including common media or documents.