DMS
Advanced Malware Detection & Forensic Analysis Tool
Purpose-built for digital forensics professionals and incident responders
DMS (Drive Malware Scan) is a comprehensive, all-in-one malware detection and forensic analysis toolkit designed specifically for digital forensics investigators, incident response teams, and security professionals.
Unlike traditional antivirus tools that only scan mounted filesystems, DMS operates at the raw disk level, allowing it to detect threats hidden in:
- Deleted files that haven't been overwritten
- Unallocated space: the blocks no filesystem entry currently points at. This is what DMS's "slack space" mode extracts with `blkls`; true file slack (the tail of the last allocated cluster of a file) is a different, much smaller region
- Boot sectors and MBR/GPT structures
- Forensic disk images (E01/EWF format)
- High-entropy regions that may be encrypted or packed malware. Entropy analysis is a lead, not a verdict: compressed archives, media files and encrypted volumes score just as high, so flagged regions still need a second look
DMS combines 12+ scanning techniques into a single, easy-to-use tool with an interactive TUI, producing actionable reports that guide your investigation.
```bash
git clone https://github.com/Samuele95/dms.git && cd dms && chmod +x malware_scan.sh
sudo ./malware_scan.sh --interactive
```

That's it! The interactive TUI will guide you through everything. Add `--portable` and DMS downloads all required tools itself - no manual installation needed.
Interactive mode is the recommended way to use DMS. It provides a full-screen interface that makes scan configuration intuitive and error-free.
```bash
sudo ./malware_scan.sh --interactive
# or
sudo ./malware_scan.sh -i
```

```text
╔══════════════════════════════════════════════════════════════════════╗
║ DMS - DRIVE MALWARE SCAN ║
║ Use ↑↓ to navigate, Space/Enter to toggle, S to start ║
╠══════════════════════════════════════════════════════════════════════╣
║ INPUT SOURCE ║
╟──────────────────────────────────────────────────────────────────────╢
║▶ Path: /dev/sdb1 [block_device] ║
╟──────────────────────────────────────────────────────────────────────╢
║ SCAN TYPE ║
╟──────────────────────────────────────────────────────────────────────╢
║ ( ) Quick Scan Fast sample-based analysis ║
║ (●) Standard Scan ClamAV + YARA + Strings + Binwalk ║
║ ( ) Deep Scan All scanners + entropy + carving ║
╟──────────────────────────────────────────────────────────────────────╢
║ SCAN SCOPE ║
╟──────────────────────────────────────────────────────────────────────╢
║ (●) Full Drive Scan entire device including all data ║
║ ( ) Slack Space Scan only unallocated/deleted areas ║
╟──────────────────────────────────────────────────────────────────────╢
║ OPTIONS ║
╟──────────────────────────────────────────────────────────────────────╢
║ [ ] Mount device before scanning ║
║ [✓] Update ClamAV databases ║
║ [✓] Parallel scanning mode ║
║ [ ] Auto-calculate chunk size ║
║ [ ] Verify EWF hash before scan (forensic integrity) ║
╟──────────────────────────────────────────────────────────────────────╢
║ ADDITIONAL FEATURES ║
╟──────────────────────────────────────────────────────────────────────╢
║ [ ] VirusTotal hash lookup (requires API key) ║
║ [ ] Rootkit detection (requires mount) ║
║ [ ] Generate file timeline ║
╟──────────────────────────────────────────────────────────────────────╢
║ OUTPUT ║
╟──────────────────────────────────────────────────────────────────────╢
║ [✓] Generate HTML report ║
║ [✓] Generate JSON report ║
║ [ ] Keep output directory after scan ║
╠══════════════════════════════════════════════════════════════════════╣
║ [S] Start Scan [I] Set Input Path [Q] Quit ║
╚══════════════════════════════════════════════════════════════════════╝
✓ Ready to scan: /dev/sdb1 (block_device)
```
| Key | Action |
|---|---|
| ↑ / ↓ | Navigate menu items |
| Space / Enter | Toggle option or select |
| S | Start scan with current settings |
| I | Open input path dialog |
| Q / Esc | Quit |
| 1 / 2 / 3 | Quick select scan type |
| Feature | Description |
|---|---|
| Auto-detection | Automatically identifies input type (block device, EWF, raw) |
| Input Validation | Prevents starting scan without valid input path |
| Device Discovery | Lists available block devices when setting input path |
| EWF Awareness | Suggests enabling hash verification for forensic images |
| Real-time Feedback | Status line shows current state and readiness |
DMS can download all required tools automatically. This is the easiest way to get started:

```bash
# Clone DMS
git clone https://github.com/Samuele95/dms.git && cd dms && chmod +x malware_scan.sh
# Run with portable mode - tools are downloaded automatically!
sudo ./malware_scan.sh --interactive --portable
# Or via command line
sudo ./malware_scan.sh /dev/sdb1 --portable
```

What portable mode does:
- Downloads ClamAV, YARA, and other required tools
- Stores them in `/tmp/malscan_portable_tools`
- Works on any Linux system with internet access
- Use `--portable-keep` to preserve tools for offline use later

Keep in mind that the cache lives under `/tmp`, a world-writable directory, and that everything in it is executed as root. Before reusing a cached tool set on a shared or previously compromised host, confirm that the directory and its binaries are owned by root and are not group- or world-writable, and record their hashes so a later run can detect a substituted binary.

```bash
# Keep tools after scan for reuse
sudo ./malware_scan.sh /dev/sdb1 --portable --portable-keep
# Subsequent scans reuse cached tools
sudo ./malware_scan.sh /dev/sdc1 --portable
```

If you prefer to install tools system-wide, or if you're on Tsurugi Linux (which has most tools pre-installed):
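Added example (not part of DMS): before re-using a tool cache under `/tmp`, a practitioner would want proof that nobody could have swapped a binary. The functions below write a SHA-256 manifest when the tools are first fetched and later refuse the cache if ownership, write permissions or any hash has changed. The manifest name `SHA256SUMS`, the flat directory layout and the constructed fake `clamscan` are this example's assumptions, not DMS behaviour.

```bash
#!/usr/bin/env bash
# Added example: gate execution of a cached portable tool directory.
# Assumed layout: binaries in one directory plus a SHA256SUMS manifest
# (sha256sum -c format) written right after the tools were downloaded.
set -u

# Refuse a directory that is not owned by the invoking user, or that contains
# any entry writable by group/other: under /tmp another local user could
# otherwise replace a binary between two scans.
check_dir_perms() {
    local dir=$1 loose
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    if [ "$(stat -c %u "$dir")" != "$(id -u)" ]; then
        echo "refusing $dir: not owned by uid $(id -u)" >&2; return 1
    fi
    loose=$(find "$dir" -perm /022 | head -n 1)
    if [ -n "$loose" ]; then
        echo "refusing $dir: group/world-writable entry $loose" >&2; return 1
    fi
    return 0
}

# Record hashes of every file once, immediately after fetching the tools.
record_manifest() {
    local dir=$1
    (cd "$dir" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + > SHA256SUMS)
}

# Re-verify every cached binary against that manifest (non-zero on any change).
verify_manifest() {
    local dir=$1
    [ -f "$dir/SHA256SUMS" ] || { echo "no manifest in $dir" >&2; return 1; }
    (cd "$dir" && sha256sum -c SHA256SUMS > /dev/null)
}

# Combined gate: 0 only when both permission and hash checks pass.
tool_cache_ok() {
    check_dir_perms "$1" && verify_manifest "$1"
}

# Demo on a constructed cache with a fake clamscan (not a real download).
demo() {
    local cache
    cache=$(mktemp -d)
    chmod 700 "$cache"
    printf '#!/bin/sh\necho fake-clamscan\n' > "$cache/clamscan"
    chmod 700 "$cache/clamscan"
    record_manifest "$cache"
    tool_cache_ok "$cache" && echo "cache OK"
    # Simulate a swapped binary: the hash check must now fail.
    printf '#!/bin/sh\necho evil\n' > "$cache/clamscan"
    tool_cache_ok "$cache" || echo "cache REJECTED (binary changed)"
    rm -rf "$cache"
}
demo
```

Run `record_manifest` once right after a `--portable --portable-keep` download and `tool_cache_ok` before every later `--portable` run; a rejection means re-download rather than scan.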
Debian/Ubuntu/Tsurugi Linux

```bash
# Core tools (required for basic scans)
sudo apt update
sudo apt install clamav clamav-daemon yara binutils binwalk
# Deep scan tools (recommended for full forensic analysis)
sudo apt install foremost bulk-extractor ssdeep libimage-exiftool-perl md5deep
# Slack space analysis
sudo apt install sleuthkit
# EWF forensic image support
sudo apt install libewf-tools
# Rootkit detection (optional)
sudo apt install chkrootkit rkhunter
```

Fedora/RHEL/CentOS

```bash
# Enable EPEL repository
sudo dnf install epel-release
# Core tools
sudo dnf install clamav clamav-update yara binutils binwalk
# Additional tools
sudo dnf install foremost sleuthkit libewf-tools
```

Arch Linux

```bash
# Core tools
sudo pacman -S clamav yara binutils binwalk
# AUR packages
yay -S foremost bulk-extractor sleuthkit libewf
```

```bash
# Create symlink for global access
sudo ln -s $(pwd)/malware_scan.sh /usr/local/bin/dms
# Now you can run from anywhere
sudo dms --interactive
```
| | Feature | Description |
|---|---|---|
| 🖥️ | Interactive TUI | User-friendly menu-driven interface - the recommended way to use DMS |
| 📦 | Portable Mode | Zero-install option - auto-downloads all required tools |
| 🔬 | Deep Analysis | Entropy analysis, file carving, PE/ELF header detection, boot sector inspection |
| 🔍 | Multi-Engine Scanning | ClamAV signatures + YARA rules + Binwalk + Strings + Bulk Extractor |
| 📊 | Smart Reporting | Text, HTML, and JSON reports with prioritized actionable guidance |
| 🔒 | Forensic Integrity | Read-only operations, EWF hash verification, evidence preservation |
| ⚡ | Parallel Processing | Multi-threaded scanning with automatic chunk optimization |
| 💾 | Slack Space Recovery | Extract and analyze unallocated disk space for hidden threats |
| 🌐 | VirusTotal Integration | Automatic hash lookup via VT API for threat intelligence |
| 🔄 | Checkpoint/Resume | Resume interrupted scans without losing progress |
When investigating a potentially compromised system, forensic analysts face several challenges:
| Challenge | Traditional Tools | DMS Solution |
|---|---|---|
| Scanning disk images | Require mounting, may alter evidence | Native E01/EWF support with hash verification |
| Finding deleted malware | Cannot access unallocated space | Slack space extraction and analysis |
| Multiple scan tools | Run ClamAV, YARA, strings separately | All-in-one integrated scanning |
| Correlating results | Manual cross-referencing | Unified reports with guidance |
| Hidden/packed malware | Signature-only detection | Entropy analysis + YARA pattern rules |
| Time pressure | Sequential tool execution | Parallel scanning mode |
| Tool installation | Complex dependency management | Portable mode downloads everything |
DMS provides a forensically-sound, comprehensive, and efficient approach:
┌─────────────────────────────────────────────────────────────────┐
│ INTERACTIVE MODE │
│ or │
│ ONE COMMAND │
│ │ │
│ sudo ./malware_scan.sh evidence.E01 --deep │
│ │ │
│ ▼ │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ ClamAV │ │ YARA │ │ Entropy │ │ Carving │ │ Strings │ │
│ │ Scan │ │ Rules │ │Analysis │ │ Files │ │ Extract │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │
│ └───────────┴───────────┴───────────┴───────────┘ │
│ │ │
│ ▼ │
│ ┌───────────────────────────────┐ │
│ │ UNIFIED FORENSIC REPORT │ │
│ │ with Actionable Guidance │ │
│ └───────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
Scenario: A user reports suspicious activity. You need to quickly assess if malware is present.

```bash
# Launch interactive mode for guided scan
sudo ./malware_scan.sh --interactive --portable
# Or via command line for quick triage
sudo ./malware_scan.sh /dev/sda1 --quick --portable
# If threats found, perform deep analysis
sudo ./malware_scan.sh /dev/sda1 --deep --parallel --html --portable
```

What DMS Does:
- Quick scan samples strategic disk regions for rapid assessment; because it only samples, a clean quick scan is not a clean bill of health, so escalate to `--deep` whenever the incident context warrants it
- Deep scan recovers deleted files, checks entropy, analyzes boot sector
- HTML report provides clickable findings for your incident report
Scenario: Law enforcement provides an E01 forensic image from a seized computer.

```bash
# Launch interactive mode - it auto-detects EWF and suggests hash verification
sudo ./malware_scan.sh --interactive
# Or via command line
sudo ./malware_scan.sh evidence.E01 --verify-hash --deep --json
# Focus on deleted/hidden data
sudo ./malware_scan.sh evidence.E01 --slack --html
```

What DMS Does:
- Verifies that the MD5/SHA1 stored in the image matches the acquisition hash (chain of custody); record the outcome in the case notes, and treat a mismatch as a stop condition until the discrepancy is explained
- Mounts E01 as virtual device without modifying original
- Slack space mode finds malware the suspect tried to delete
- JSON output integrates with your case management system
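For raw/dd images, which carry no embedded EWF hash, here is an added example of the same chain-of-custody step done with coreutils; it is not DMS code. It chooses MD5, SHA-1 or SHA-256 from the length of the recorded acquisition hash, compares, and appends a timestamped line to a custody log. The log line format, the return codes and the five-byte "image" used in the demo are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: verify a raw image against its acquisition hash before any
# scan touches it, and leave an audit line either way.
set -u

# Pick the digest tool from the hex length of the recorded hash.
hash_tool_for() {
    case ${#1} in
        32) echo md5sum ;;
        40) echo sha1sum ;;
        64) echo sha256sum ;;
        *)  return 1 ;;
    esac
}

# verify_acquisition_hash IMAGE EXPECTED_HEX LOGFILE
#   returns 0 on match, 2 on mismatch, 1 on usage error (unknown hash length,
#   unreadable image). Both outcomes are appended to LOGFILE with a UTC stamp.
verify_acquisition_hash() {
    local image=$1 expected=$2 log=$3 tool actual stamp
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')   # accept upper-case hex
    tool=$(hash_tool_for "$expected") || { echo "unrecognised hash length ${#expected}" >&2; return 1; }
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 1; }
    actual=$("$tool" "$image" | cut -d' ' -f1)
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    if [ "$actual" = "$expected" ]; then
        printf '%s VERIFIED %s %s %s\n' "$stamp" "$tool" "$actual" "$image" >> "$log"
        return 0
    fi
    printf '%s MISMATCH %s expected=%s actual=%s %s\n' "$stamp" "$tool" "$expected" "$actual" "$image" >> "$log"
    return 2
}

# Demo on a constructed 5-byte "image" whose MD5 is well known.
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s' hello > "$dir/img.raw"
    verify_acquisition_hash "$dir/img.raw" 5d41402abc4b2a76b9719d911017c592 "$dir/custody.log" \
        && echo "hash OK, safe to scan"
    verify_acquisition_hash "$dir/img.raw" 00000000000000000000000000000000 "$dir/custody.log" \
        || echo "hash MISMATCH (rc=$?), stop and document"
    cat "$dir/custody.log"
    rm -rf "$dir"
}
demo
```

Wire the function in front of the scan (`verify_acquisition_hash disk.dd "$ACQ_HASH" custody.log && sudo ./malware_scan.sh disk.dd --input-format raw --deep`) so a mismatch aborts before any tool reads the image.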
Scenario: Security team wants to sweep servers for unknown threats.

```bash
# Comprehensive threat hunt with VirusTotal enrichment
sudo ./malware_scan.sh /dev/nvme0n1p2 --deep --virustotal --parallel
# Check for rootkits on mounted system
sudo ./malware_scan.sh /dev/sda1 --mount --rootkit
```

What DMS Does:
- YARA rules detect patterns missed by signature-only AV
- Entropy analysis flags packed/encrypted suspicious regions
- VirusTotal lookup provides threat intelligence context; it sends file hashes (not file contents) to a third party, which can still reveal what is being investigated, so confirm that is acceptable for the case before enabling it
- Rootkit scanners (chkrootkit/rkhunter) check for kernel-level threats; against an offline mounted disk they can only inspect file-based indicators such as trojaned binaries and known rootkit paths, so checks of a running kernel need the live system
Scenario: Analyze a disk image containing malware samples.

```bash
# Full analysis with all engines
sudo ./malware_scan.sh malware_disk.raw --input-format raw --deep
# Extract artifacts for further analysis
sudo ./malware_scan.sh malware_disk.raw --deep --keep-output
```

What DMS Does:
- File carving recovers complete malware samples
- Strings extraction reveals C2 URLs, file paths, credentials
- Bulk extractor finds email addresses, URLs, crypto artifacts
- `--keep-output` preserves all extracted files for sandbox analysis; treat that directory as live malware and keep it off shared or executable paths
Scenario: Responding to an incident with only a bootable USB - no tools pre-installed.

```bash
# Portable mode downloads and runs tools automatically
sudo ./malware_scan.sh --interactive --portable --portable-keep
# Subsequent scans use cached tools (even offline!)
sudo ./malware_scan.sh /dev/sdc1 --portable
```

What DMS Does:
- Automatically downloads ClamAV, YARA, and dependencies
- Stores tools in `/tmp/malscan_portable_tools` for reuse
- Works on any Linux system with internet access
- `--portable-keep` preserves tools for offline use later
While interactive mode is recommended, DMS also supports full command-line operation:

```bash
# Scan a partition
sudo ./malware_scan.sh /dev/sdb1
# Update ClamAV database and scan
sudo ./malware_scan.sh /dev/sdb1 --update
# Mount filesystem before scanning (enables rootkit checks)
sudo ./malware_scan.sh /dev/sdb1 --mount
```

```bash
# Scan EWF/E01 image (auto-detected)
sudo ./malware_scan.sh case001.E01
# Verify hash integrity before scanning (recommended for legal cases)
sudo ./malware_scan.sh case001.E01 --verify-hash
# Scan raw DD image
sudo ./malware_scan.sh disk.dd --input-format raw
```

```bash
# Full deep scan with all analysis modules
sudo ./malware_scan.sh /dev/sdb1 --deep
# Deep scan with parallel processing (faster on multi-core systems)
sudo ./malware_scan.sh /dev/sdb1 --deep --parallel --auto-chunk
# Deep scan with VirusTotal enrichment
sudo ./malware_scan.sh /dev/sdb1 --deep --virustotal
```

```bash
# Scan only unallocated space (where deleted files hide)
sudo ./malware_scan.sh /dev/sdb1 --slack
# Slack space scan on forensic image
sudo ./malware_scan.sh evidence.E01 --scan-mode slack
```

```bash
# Generate HTML and JSON reports
sudo ./malware_scan.sh /dev/sdb1 --html --json
# Custom output location
sudo ./malware_scan.sh /dev/sdb1 --output /cases/case001/report.txt --html
# Preserve all working files for further analysis
sudo ./malware_scan.sh /dev/sdb1 --deep --keep-output
```

| Mode | Command | Speed | Coverage | Best For |
|---|---|---|---|---|
| Quick | `--quick` | Fast | Sampled regions | Rapid triage, "is this worth investigating?" |
| Standard | (default) | Medium | Allocated data | General malware detection |
| Deep | `--deep` | Slow | Everything | Full forensic analysis |
| Slack | `--slack` | Medium | Unallocated only | Deleted file recovery, hidden threats |
| Parallel | `--parallel` | Faster | Same as mode | Multi-core acceleration |
Quick Scan
- Strategic sampling of disk regions
- Entropy checks on samples
- Identifies areas needing deeper investigation
- Ideal for rapid triage
Standard Scan (Default)
- ClamAV signature scan
- YARA rule matching (Windows, Linux, Android, Documents)
- Binwalk embedded file detection
- Strings analysis for IOCs
Deep Scan
All standard scans PLUS:
- Entropy analysis (detect encrypted/packed data)
- File carving (recover deleted files)
- Executable header detection (PE/ELF)
- Boot sector and MBR analysis
- Bulk extraction (emails, URLs, credit cards)
- Hash generation for all carved files
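As an added illustration of the entropy step (not code from DMS), the script below computes Shannon entropy per fixed-size chunk of an image and flags chunks at or above the 7.5/8.0 threshold the page lists for DMS. The chunk size is a byte count here rather than the MB-sized chunks of the real config; the sample image is constructed inline (a zero-filled chunk, a chunk holding every byte value once, and a text chunk) so all three outcomes are visible.

```bash
#!/usr/bin/env bash
# Added example: chunked Shannon entropy scan with a flag threshold.
set -u

# shannon_entropy FILE -> bits per byte, printed as 0.000 .. 8.000
shannon_entropy() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) count[$i]++; n += NF }
        END {
            h = 0
            for (b in count) { p = count[b] / n; h -= p * log(p) / log(2) }
            printf "%.3f\n", h
        }'
}

# entropy_scan IMAGE CHUNK_BYTES [THRESHOLD]
#   prints "offset entropy FLAG|ok" per chunk; returns 3 if any chunk is
#   flagged, 0 otherwise. Reading chunk by chunk keeps memory flat on large images.
entropy_scan() {
    local image=$1 chunk=$2 threshold=${3:-7.5}
    local size offset=0 flagged=0 ent tmp
    size=$(stat -c %s "$image")
    tmp=$(mktemp)
    while [ "$offset" -lt "$size" ]; do
        dd if="$image" of="$tmp" bs="$chunk" skip=$((offset / chunk)) count=1 2>/dev/null
        ent=$(shannon_entropy "$tmp")
        if awk -v e="$ent" -v t="$threshold" 'BEGIN { exit !(e >= t) }'; then
            printf '%d %s FLAG\n' "$offset" "$ent"; flagged=1
        else
            printf '%d %s ok\n' "$offset" "$ent"
        fi
        offset=$((offset + chunk))
    done
    rm -f "$tmp"
    [ "$flagged" -eq 0 ] || return 3
}

# Constructed sample (768 bytes): 256 zero bytes, then every byte value 0..255
# exactly once (uniform, entropy 8.0), then 256 bytes of padded ASCII text.
make_sample() {
    local out=$1 i
    head -c 256 /dev/zero > "$out"
    for i in $(seq 0 255); do printf "\\$(printf '%03o' "$i")"; done >> "$out"
    printf '%-256s' "the quick brown fox jumps over the lazy dog" >> "$out"
}

demo() {
    local img
    img=$(mktemp)
    make_sample "$img"
    entropy_scan "$img" 256 || echo "exit status $?: at least one chunk flagged"
    rm -f "$img"
}
demo
```

Only the middle chunk crosses 7.5; a real image would show the same profile over compressed archives and encrypted containers, which is why a flagged offset is a place to carve and inspect, not a detection by itself.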
Slack Space Scan
- Extracts unallocated space using `blkls` (The Sleuth Kit); what DMS calls "slack space" is the unallocated-block stream `blkls` emits by default, not the file slack at the tail of allocated clusters
- Carves recoverable files from that extracted data
- Scans all recovered data for threats
- Finds malware that was "deleted" but not overwritten
┌─────────────────────────────────────────────────────────────────┐
│ DMS v2.1 │
├─────────────────────────────────────────────────────────────────┤
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────────────────┐ │
│ │ Input │ │ Config │ │ CLI / Interactive │ │
│ │ Handler │ │ Loader │ │ Parser │ │
│ └──────┬──────┘ └──────┬──────┘ └───────────┬─────────────┘ │
│ └────────────────┴─────────────────────┘ │
│ │ │
│ ┌───────────────────────▼───────────────────────────────────┐ │
│ │ Scan Orchestrator │ │
│ │ (Sequential / Parallel Mode with Checkpoint Support) │ │
│ └───────────────────────┬───────────────────────────────────┘ │
│ │ │
│ ┌───────────────────────▼───────────────────────────────────┐ │
│ │ Scanning Modules (12+) │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ ClamAV │ │ YARA │ │ Binwalk │ │ Strings │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ Entropy │ │ Carving │ │ Bulk │ │ Hashes │ │ │
│ │ │Analysis │ │ Engine │ │Extractor│ │ Gen │ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └───────────────────────────────────────────────────────────┘ │
│ │ │
│ ┌───────────────────────▼───────────────────────────────────┐ │
│ │ Report Generator │ │
│ │ (Text / HTML / JSON with Actionable Guidance) │ │
│ └───────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
| Metric | Value |
|---|---|
| Script Size | ~4,850 lines of Bash |
| Scanning Engines | 12+ integrated techniques |
| Configuration Parameters | 30+ tunable options |
| YARA Rule Categories | 4 (Windows, Linux, Android, Documents) |
| Type | Extensions | Auto-Detected |
|---|---|---|
| Block Device | /dev/sdX, /dev/nvmeXnY | Yes |
| EWF Image | .E01, .E02, .Ex01, .L01, .Lx01 | Yes |
| Raw Image | .raw, .dd, .img, .bin | Yes |
| Format | Description | Use Case |
|---|---|---|
| Text | Plain ASCII with formatting | Terminal viewing, logs |
| HTML | Styled web page | Sharing with stakeholders |
| JSON | Machine-readable | SIEM integration, scripting |
| Engine | Signatures/Rules | Parallel Support |
|---|---|---|
| ClamAV | 1M+ signatures | Yes |
| YARA (Windows) | Qu1cksc0pe rules | Yes |
| YARA (Linux) | Qu1cksc0pe rules | Yes |
| YARA (Android) | Qu1cksc0pe rules | Yes |
| YARA (Documents) | oledump rules | Yes |
| Entropy Analysis | Threshold: 7.5/8.0 | No |
| File Carving | foremost/scalpel | No |
| Code | Meaning |
|---|---|
| 0 | Success - scan completed |
| 1 | Error - scan failed or invalid arguments |
| 130 | Interrupted - SIGINT (Ctrl+C) |
| 143 | Terminated - SIGTERM |
| Option | Short | Description |
|---|---|---|
| `--interactive` | `-i` | Launch interactive TUI (recommended) |
| `--portable` | | Auto-download missing tools |
| `--portable-keep` | | Keep portable tools after scan |
| `--mount` | `-m` | Mount device before scanning |
| `--update` | `-u` | Update ClamAV databases first |
| `--deep` | `-d` | Enable deep forensic scan |
| `--parallel` | `-p` | Enable parallel scanning |
| `--quick` | | Fast sample-based scan |
| `--slack` | | Scan unallocated space only |
| `--html` | | Generate HTML report |
| `--json` | | Generate JSON report |
| `--quiet` | `-q` | Minimal output |
| `--verbose` | `-v` | Debug output |
| `--verify-hash` | | Verify EWF image integrity |
| `--virustotal` | | Enable VT hash lookup |
| `--rootkit` | | Run rootkit detection |
| `--timeline` | | Generate file timeline |
| `--keep-output` | | Preserve temp files |
| `--resume FILE` | | Resume from checkpoint |
| `--config FILE` | | Custom config file |
| `--log-file FILE` | | Write logs to file |
| `--output FILE` | `-o` | Custom output path |
| `--dry-run` | | Preview without executing |
| `--auto-chunk` | | Auto-calculate chunk size (used with `--parallel` in the examples above) |
| `--input-format FORMAT` | | Force the input type, e.g. `raw` for .raw/.dd images (used in the examples above) |
| `--scan-mode MODE` | | Select scan scope, e.g. `slack` (used in the examples above) |
Create ~/.malscan.conf, /etc/malscan.conf, or ./malscan.conf:

```bash
# Performance Settings
CHUNK_SIZE=500 # MB per chunk (larger = more RAM, faster)
MAX_PARALLEL_JOBS=4 # Parallel scan threads (match CPU cores)
# Tool Paths
CLAMDB_DIR=/tmp/clamdb
YARA_RULES_BASE=/opt/Qu1cksc0pe/Systems
OLEDUMP_RULES=/opt/oledump
# VirusTotal Integration
VT_API_KEY=your_api_key_here
VT_RATE_LIMIT=4 # Requests per minute (free API limit)
# Forensic Image Settings
EWF_SUPPORT=true
EWF_VERIFY_HASH=false # Set true to always verify
# Slack Space Settings
SLACK_EXTRACT_TIMEOUT=600 # Seconds
SLACK_MIN_SIZE_MB=10 # Skip if smaller
MAX_CARVED_FILES=1000 # Limit recovered files
# Logging
LOG_LEVEL=INFO # DEBUG, INFO, WARNING, ERROR
```

The file holds a VirusTotal API key and is read by a scanner that runs as root, so keep it owned by root with mode 600, and avoid leaving a ./malscan.conf in a directory other users can write to.

Does DMS modify the evidence/disk?

No. DMS operates in read-only mode. It reads raw disk data without writing anything to the source device or image. EWF images are mounted read-only using FUSE. Two caveats apply to any software-only approach: a read-only mount of a journaled filesystem such as ext3/ext4 still replays the journal unless it is mounted with `noload`, and a read-only mount does not stop other processes on the analysis host from touching the device, so physical evidence drives still belong behind a hardware write blocker.
Can I scan a live/running system?

Yes, but with caveats:
- Use `--mount` to enable filesystem-level analysis
- Rootkit detection (`--rootkit`) works best on mounted systems
- For best results, boot from a forensic live USB and scan the offline disk
What if I don't have tools installed?

Use `--portable` mode! DMS will automatically download and use portable versions of all required tools:

```bash
sudo ./malware_scan.sh --interactive --portable
```

Can I use custom YARA rules?

Yes! Set YARA_RULES_BASE in your config file:

```bash
YARA_RULES_BASE=/path/to/my/yara-rules
```

Rules should be in subdirectories: Windows/, Linux/, Android/
How do I integrate with VirusTotal?

- Get a free API key from VirusTotal
- Add to config: `VT_API_KEY=your_key_here`
- Enable in interactive mode or use the `--virustotal` flag
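Since the config carries a VirusTotal API key and is read by a scanner running as root, here is an added example (not DMS code) of loading a malscan.conf without sourcing it as shell: keys are checked against an allow-list built from the settings shown above, values are stored literally with no expansion, and a group- or world-writable file is refused. The allow-list, the return codes and the constructed sample config are this example's assumptions about how a loader could behave, not a description of what DMS does.

```bash
#!/usr/bin/env bash
# Added example: parse KEY=VALUE config lines instead of `source`-ing the file,
# so an editable config cannot inject commands into a root-run scan.
set -u

# Keys taken from the sample malscan.conf above (the allow-list is ours).
MALSCAN_ALLOWED_KEYS="CHUNK_SIZE MAX_PARALLEL_JOBS CLAMDB_DIR YARA_RULES_BASE OLEDUMP_RULES VT_API_KEY VT_RATE_LIMIT EWF_SUPPORT EWF_VERIFY_HASH SLACK_EXTRACT_TIMEOUT SLACK_MIN_SIZE_MB MAX_CARVED_FILES LOG_LEVEL"

key_allowed() {
    case " $MALSCAN_ALLOWED_KEYS " in *" $1 "*) return 0 ;; esac
    return 1
}

# load_config FILE
#   exports accepted keys; returns 0 on success (a missing file is fine),
#   1 if the file is group/world-writable, 2 if any line is malformed.
load_config() {
    local file=$1 line key value rc=0
    [ -f "$file" ] || return 0
    if [ -n "$(find "$file" -perm /022 | head -n 1)" ]; then
        echo "refusing $file: writable by group/other" >&2; return 1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop trailing comment
        line=${line%"${line##*[![:space:]]}"}       # rtrim
        line=${line#"${line%%[![:space:]]*}"}       # ltrim
        [ -z "$line" ] && continue
        key=${line%%=*}; value=${line#*=}
        case $key in
            *[!A-Z0-9_]*|'') echo "bad line in $file: $line" >&2; rc=2; continue ;;
        esac
        if ! key_allowed "$key"; then
            echo "ignoring unknown key $key" >&2; continue
        fi
        export "$key=$value"                        # literal: no $(...) or $VAR expansion
    done < "$file"
    return $rc
}

# Demo on a constructed config holding two hostile lines that a `source`
# would have executed or honoured.
demo() {
    local cfg
    cfg=$(mktemp)
    chmod 600 "$cfg"
    cat > "$cfg" <<'EOF'
# constructed sample, not a real key
CHUNK_SIZE=500              # MB per chunk
VT_API_KEY=0123abcd
PATH=/tmp/attacker          # unknown key: ignored, real PATH untouched
EVIL=$(touch /tmp/pwned)    # never evaluated: values are literal
EOF
    load_config "$cfg" && echo "loaded CHUNK_SIZE=$CHUNK_SIZE VT_API_KEY=${VT_API_KEY:0:4}..."
    rm -f "$cfg"
}
demo
```

The allow-list also documents which settings the scan honours, so an unexpected key shows up as a warning instead of silently becoming a shell variable.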
Contributions are welcome! Here's how to help:

```bash
# Fork and clone
git clone https://github.com/YOUR_USERNAME/dms.git
cd dms
# Create feature branch
git checkout -b feature/amazing-feature
# Make changes and test
./malware_scan.sh --help
sudo ./malware_scan.sh /dev/sdX --dry-run
# Commit and push
git commit -m "Add amazing feature"
git push origin feature/amazing-feature
# Open Pull Request
```

Areas where contributions are especially welcome:
- Additional YARA rule sets
- New detection engines
- Performance optimizations
- Documentation improvements
- Bug fixes
MIT License - see LICENSE for details.
| Project | Role in DMS |
|---|---|
| Tsurugi Linux | Target forensic distribution |
| ClamAV | Signature-based detection |
| YARA | Pattern matching engine |
| Qu1cksc0pe | YARA rules collection |
| The Sleuth Kit | Forensic tools |
| Binwalk | Firmware analysis |
| Bulk Extractor | Artifact extraction |
DMS v2.1
Built for Tsurugi Linux | Works on any Linux