Extract everything. Miss nothing.

Credentials, keys, and persistence from disk images and memory dumps. SAM, NTDS.dit, LSA, DPAPI, browsers, SSH, cloud, LSASS. Raw, E01, VMDK with NTFS and ext4.

abyss
$ abyss image evidence.E01 --creds
[SAM]  Administrator:500:aad3b...:31d6c...
[SAM]  backup_svc:1001:aad3b...:8846f...
[NTDS] jsmith:1105:aad3b...:e02bc...
[NTDS] admin:500:aad3b...:fc525...
[LSA]  _SC_SQLService: P@ssw0rd123!
[DCC2] $DCC2$10240#jsmith#a8f2e...
[BROWSER] Chrome: admin@corp.com / hunter2
42 findings | 3 partitions | 2.1s
13 Crates | 3 Disk Formats | 14 Finding Types | 0 Dependencies | 2 Platforms (Linux, Windows)

Credentials from every layer

SAM hashes, NTDS.dit domain dumps, LSA secrets, browser passwords, SSH keys, cloud credentials, and LSASS memory extraction.

Credential Extraction

SAM hashes, NTDS.dit domain dumps with PEK v2/v3, LSA secrets, cached domain credentials (DCC2), DPAPI master keys. Hashcat-ready output.

$ abyss image disk.img --output hashcat
Administrator:500:aad3b...:31d6c...
$DCC2$10240#jsmith#a8f2e...

Browser Passwords

Chromium-family saved passwords via DPAPI decryption of the Login Data store. Firefox via key4.db + logins.json. Profiles protected by a master password are detected and skipped rather than guessed.

Memory Analysis

Credential extraction from LSASS minidumps: MSV1_0/NTLM credential packages, plus a scan for Wdigest plaintext credentials where the dump still holds them.



Disk Image Formats

Raw sector dumps, E01 (EnCase), and VMDK (VMware sparse). Auto-detected by header magic. MBR and GPT partition tables. NTFS and ext2/3/4 filesystems.

$ abyss image evidence.E01
E01 detected (3 segments)
GPT: 2 partitions | NTFS + NTFS

Persistence Detection

Windows services, BootExecute entries, and Image File Execution Options (IFEO) debugger hijacks, recovered offline from the registry hives on the image: autoruns analysis without booting the system.
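As an added illustration of the offline autoruns triage described above (this is example code, not Abyss's own implementation), the block below runs three checks over registry values that a hive parser has already read out: an IFEO Debugger value under a per-image key, BootExecute entries beyond the stock `autocheck autochk *`, and a service ImagePath in a user-writable directory. The `RegValue` shape, the key paths (relative to the hive root, fixed to ControlSet001 for brevity), the sample values and the "suspicious directory" heuristic are all assumptions made for the example.

```rust
// Added example, not Abyss code: autoruns triage over registry values that a
// hive parser has already read out of an offline SOFTWARE/SYSTEM hive. The
// RegValue shape, the key paths (relative to the hive root) and the sample
// values are constructed; the service-directory heuristic is an assumption.

/// A registry value as a hive parser would hand it to the detector.
#[derive(Debug, Clone)]
pub struct RegValue {
    pub key: String,  // key path relative to the hive root
    pub name: String, // value name
    pub data: String, // REG_SZ/REG_EXPAND_SZ data; REG_MULTI_SZ entries joined with '\0'
}

#[derive(Debug, PartialEq)]
pub enum Persistence {
    /// IFEO "Debugger" value: Windows launches `debugger` instead of `target`.
    IfeoDebugger { target: String, debugger: String },
    /// BootExecute entries beyond the stock "autocheck autochk *".
    BootExecute { entries: Vec<String> },
    /// Service whose binary lives in a user-writable location (heuristic).
    ServiceImagePath { service: String, image_path: String },
}

// SOFTWARE hive path.
const IFEO_PREFIX: &str = r"Microsoft\Windows NT\CurrentVersion\Image File Execution Options\";
// SYSTEM hive paths; a real tool resolves the live control set from Select\Current.
const SESSION_MANAGER: &str = r"ControlSet001\Control\Session Manager";
const SERVICES_PREFIX: &str = r"ControlSet001\Services\";
// Assumed heuristic: service binaries under these directories deserve a look.
const SUSPICIOUS_DIRS: [&str; 4] = [r"\programdata\", r"\temp\", r"\users\", r"\appdata\"];

pub fn find_persistence(values: &[RegValue]) -> Vec<Persistence> {
    let mut out = Vec::new();
    for v in values {
        // IFEO hijack: only the Debugger value directly under a per-image key
        // matters; other IFEO values (UseFilter, GlobalFlag, ...) are configuration.
        if let Some(target) = v.key.strip_prefix(IFEO_PREFIX) {
            if v.name.eq_ignore_ascii_case("Debugger") && !v.data.trim().is_empty() && !target.contains('\\') {
                out.push(Persistence::IfeoDebugger { target: target.to_string(), debugger: v.data.clone() });
            }
        }
        // BootExecute runs native images before the Win32 subsystem is up.
        if v.key.eq_ignore_ascii_case(SESSION_MANAGER) && v.name.eq_ignore_ascii_case("BootExecute") {
            let extra: Vec<String> = v.data.split('\0').map(str::trim)
                .filter(|e| !e.is_empty() && !e.eq_ignore_ascii_case("autocheck autochk *"))
                .map(String::from).collect();
            if !extra.is_empty() { out.push(Persistence::BootExecute { entries: extra }); }
        }
        // Service ImagePath pointing into a user-writable directory.
        if let Some(service) = v.key.strip_prefix(SERVICES_PREFIX) {
            if v.name.eq_ignore_ascii_case("ImagePath") && !service.contains('\\') {
                let lower = v.data.to_ascii_lowercase();
                if SUSPICIOUS_DIRS.iter().any(|d| lower.contains(*d)) {
                    out.push(Persistence::ServiceImagePath { service: service.to_string(), image_path: v.data.clone() });
                }
            }
        }
    }
    out
}

/// Constructed sample values: a sticky-keys style IFEO hijack, an extra
/// BootExecute entry, and one legitimate plus one suspicious service.
pub fn sample_values() -> Vec<RegValue> {
    let v = |key: String, name: &str, data: &str| RegValue { key, name: name.to_string(), data: data.to_string() };
    vec![
        v(format!("{}sethc.exe", IFEO_PREFIX), "Debugger", r"C:\Windows\System32\cmd.exe"),
        v(format!("{}notepad.exe", IFEO_PREFIX), "UseFilter", "1"),
        v(SESSION_MANAGER.to_string(), "BootExecute", "autocheck autochk *\0C:\\ProgramData\\svc\\boot.exe"),
        v(format!("{}Spooler", SERVICES_PREFIX), "ImagePath", r"C:\Windows\System32\spoolsv.exe"),
        v(format!("{}UpdaterSvc", SERVICES_PREFIX), "ImagePath", r"C:\ProgramData\Updater\upd.exe -k"),
    ]
}

fn main() {
    for hit in find_persistence(&sample_values()) {
        println!("{:?}", hit);
    }
}
```

The directory heuristic will miss a service binary dropped into System32 and will flag legitimate vendor installers under ProgramData, so treat it as a triage filter, not a verdict; the IFEO and BootExecute checks are exact.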

Analysis capabilities

Full offline analysis on Linux and Windows. 14 finding types across disk, memory, and credential sources.

Capability matrix (each item is rated Full, Linux Only, or Not Supported):

SAM Hashes
NTDS.dit
LSA Secrets
DCC2 Cached
DPAPI Keys
Browser Creds
SSH Keys
Cloud Creds
LSASS Dump
Raw / E01 / VMDK
NTFS + ext4
MBR + GPT
Hashcat Output
JSON Output
Interactive Shell
Persistence
Wdigest Scan
Hash Cracking

Legend: Full | Linux Only | Not Supported

Pipeline architecture

Disk Image → Container → Volume → Filesystem → Extractors → Findings → Output. 13 crates, each with a single responsibility.

1. Container Layer

Auto-detect Raw, E01, or VMDK by header magic. Parse segment tables and provide a unified block-level read interface.

2. Volume + FS

MBR/GPT partition enumeration. NTFS MFT walking and ext4 inode traversal. File extraction by path or pattern.
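A worked example of the first two pipeline stages, the header-magic sniffing of the disk image formats section and the MBR walk above (added here as illustration; it is not Abyss's own code). The `Container`/`BlockDevice`/`Partition` names and the 2 MiB sample image are constructed for the example. E01 is recognised by the 8-byte EWF signature and VMDK sparse extents by the "KDMV" magic; anything else is treated as a raw sector dump. Only the raw container implements the block interface here, and a type 0xEE entry (protective MBR) is reported but the GPT at LBA 1 is not parsed.

```rust
// Added example, not Abyss code: image-format sniffing by header magic plus
// MBR partition enumeration behind a unified block-read trait. Type names,
// the RawImage wrapper and the sample image are constructed for illustration.
use std::io::{self, Cursor, Read, Seek, SeekFrom};

/// EnCase E01 segment files begin with the EWF signature "EVF\x09\x0d\x0a\xff\x00".
const EWF_MAGIC: [u8; 8] = [0x45, 0x56, 0x46, 0x09, 0x0d, 0x0a, 0xff, 0x00];
/// VMware sparse VMDK extents begin with "KDMV" (little-endian "VMDK").
const VMDK_MAGIC: [u8; 4] = *b"KDMV";

#[derive(Debug, PartialEq)]
pub enum Container { Raw, E01, Vmdk }

/// Sniff the container type from the first bytes of the image file.
/// Anything carrying neither magic is treated as a raw sector dump.
pub fn detect_container(header: &[u8]) -> Container {
    if header.len() >= 8 && header[..8] == EWF_MAGIC {
        Container::E01
    } else if header.len() >= 4 && header[..4] == VMDK_MAGIC {
        Container::Vmdk
    } else {
        Container::Raw
    }
}

/// The block-level read interface the volume layer consumes, regardless of
/// whether the bytes come from a raw file, E01 chunks or VMDK grains.
pub trait BlockDevice {
    fn read_at(&mut self, offset: u64, buf: &mut [u8]) -> io::Result<()>;
}

/// Raw images are the trivial case: image offsets map 1:1 onto the file.
pub struct RawImage<R: Read + Seek>(pub R);

impl<R: Read + Seek> BlockDevice for RawImage<R> {
    fn read_at(&mut self, offset: u64, buf: &mut [u8]) -> io::Result<()> {
        self.0.seek(SeekFrom::Start(offset))?;
        self.0.read_exact(buf)
    }
}

#[derive(Debug, PartialEq)]
pub struct Partition { pub index: usize, pub part_type: u8, pub start_lba: u32, pub sectors: u32 }

/// Walk the four primary MBR entries (offset 0x1BE, 16 bytes each) and return
/// the populated ones. A type 0xEE entry is a protective MBR: the caller
/// should parse the GPT header at LBA 1 instead (not shown here).
pub fn mbr_partitions(dev: &mut dyn BlockDevice) -> io::Result<Vec<Partition>> {
    let mut sector = [0u8; 512];
    dev.read_at(0, &mut sector)?;
    if sector[510..512] != [0x55u8, 0xAA] {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "missing MBR boot signature"));
    }
    let mut parts = Vec::new();
    for i in 0..4 {
        let e = &sector[0x1BE + i * 16..0x1BE + (i + 1) * 16];
        let part_type = e[4];
        if part_type == 0 { continue; } // empty slot
        parts.push(Partition {
            index: i,
            part_type,
            start_lba: u32::from_le_bytes([e[8], e[9], e[10], e[11]]),
            sectors: u32::from_le_bytes([e[12], e[13], e[14], e[15]]),
        });
    }
    Ok(parts)
}

/// Constructed sample: a 2 MiB raw image with one NTFS (type 0x07) partition
/// starting at LBA 2048 and spanning 2048 sectors.
pub fn sample_raw_image() -> Vec<u8> {
    let mut img = vec![0u8; 2 << 20];
    let entry = 0x1BE;
    img[entry + 4] = 0x07;
    img[entry + 8..entry + 12].copy_from_slice(&2048u32.to_le_bytes());
    img[entry + 12..entry + 16].copy_from_slice(&2048u32.to_le_bytes());
    img[510] = 0x55;
    img[511] = 0xAA;
    img
}

fn main() -> io::Result<()> {
    let img = sample_raw_image();
    let kind = detect_container(&img[..8]);
    let mut dev = RawImage(Cursor::new(img));
    for p in mbr_partitions(&mut dev)? {
        println!("{:?} image, partition {}: type 0x{:02x}, start LBA {}, {} sectors",
                 kind, p.index, p.part_type, p.start_lba, p.sectors);
        if p.part_type == 0xEE { println!("  protective MBR: parse GPT at LBA 1"); }
    }
    Ok(())
}
```

Sniffing on magic rather than file extension is what lets a renamed `.E01` or a `.img` that is really a VMDK still land in the right container parser; the `BlockDevice` trait is the seam where an E01 implementation would decompress chunks on demand without the MBR/GPT code knowing.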

3. Extractors

Registry hive parsing, ESE database (NTDS.dit), crypto decryption (SAM, LSA, DPAPI), browser DB, memory dump analysis.

4. Output

14 finding types modelled as a discriminated union (one tagged enum, one variant per source). Formatters for text (colored), JSON (line-delimited), and Hashcat (mode auto-detected from the finding type).
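The shape of that output stage, and of the hashcat-ready output promised in the credential extraction section, as an added example (not Abyss's own types): a small tagged enum of findings with the three formatters. The variant and field names are assumptions, as are the sample findings; the Administrator LM/NT values are the well-known empty-password hashes and the DCC2 hash is made up for the example. Hashcat mode is derived from the variant (1000 for NTLM, 2100 for DCC2), and plaintext findings are dropped from hashcat output rather than emitted as garbage.

```rust
// Added example (not Abyss's own code): a discriminated union of findings plus
// text, line-delimited JSON and hashcat formatters. Names and samples are
// assumptions; the DCC2 hash value below is constructed.

#[derive(Debug, Clone, PartialEq)]
pub enum Finding {
    /// NTLM hash from SAM or NTDS.dit, pwdump-style fields.
    NtlmHash { source: &'static str, user: String, rid: u32, lm: String, nt: String },
    /// Cached domain credential v2 (DCC2 / MS-Cache v2) with its iteration count.
    Dcc2 { user: String, iterations: u32, hash: String },
    /// LSA secret such as a service account password (plaintext, nothing to crack).
    LsaSecret { name: String, value: String },
    /// Saved browser password (plaintext).
    BrowserCred { browser: String, url: String, user: String, password: String },
}

/// Minimal JSON string escaping so JSONL stays parseable when a password
/// contains quotes, backslashes or control characters.
fn json_str(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\t' => out.push_str("\\t"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    out
}

impl Finding {
    /// Hashcat mode auto-detected from the variant: 1000 = NTLM, 2100 = DCC2.
    pub fn hashcat_mode(&self) -> Option<u32> {
        match self {
            Finding::NtlmHash { .. } => Some(1000),
            Finding::Dcc2 { .. } => Some(2100),
            _ => None,
        }
    }

    /// One line in the format hashcat expects for the detected mode.
    pub fn to_hashcat(&self) -> Option<String> {
        match self {
            Finding::NtlmHash { user, rid, lm, nt, .. } => Some(format!("{}:{}:{}:{}:::", user, rid, lm, nt)),
            Finding::Dcc2 { user, iterations, hash } => Some(format!("$DCC2${}#{}#{}", iterations, user, hash)),
            _ => None,
        }
    }

    /// Human-readable line with a bracketed source tag, as in the demo output.
    pub fn to_text(&self) -> String {
        match self {
            Finding::NtlmHash { source, user, rid, lm, nt } => format!("[{}] {}:{}:{}:{}", source, user, rid, lm, nt),
            Finding::Dcc2 { user, iterations, hash } => format!("[DCC2] $DCC2${}#{}#{}", iterations, user, hash),
            Finding::LsaSecret { name, value } => format!("[LSA] {}: {}", name, value),
            Finding::BrowserCred { browser, url, user, password } => format!("[BROWSER] {}: {} / {} ({})", browser, user, password, url),
        }
    }

    /// One JSON object per line; "type" carries the discriminant.
    pub fn to_json_line(&self) -> String {
        match self {
            Finding::NtlmHash { source, user, rid, lm, nt } => format!(
                "{{\"type\":\"ntlm_hash\",\"source\":{},\"user\":{},\"rid\":{},\"lm\":{},\"nt\":{}}}",
                json_str(source), json_str(user), rid, json_str(lm), json_str(nt)),
            Finding::Dcc2 { user, iterations, hash } => format!(
                "{{\"type\":\"dcc2\",\"user\":{},\"iterations\":{},\"hash\":{}}}",
                json_str(user), iterations, json_str(hash)),
            Finding::LsaSecret { name, value } => format!(
                "{{\"type\":\"lsa_secret\",\"name\":{},\"value\":{}}}", json_str(name), json_str(value)),
            Finding::BrowserCred { browser, url, user, password } => format!(
                "{{\"type\":\"browser_cred\",\"browser\":{},\"url\":{},\"user\":{},\"password\":{}}}",
                json_str(browser), json_str(url), json_str(user), json_str(password)),
        }
    }
}

#[derive(Debug, Clone, Copy)]
pub enum OutputFormat { Text, Json, Hashcat }

/// Render all findings in one format; hashcat output skips uncrackable findings.
pub fn render(findings: &[Finding], fmt: OutputFormat) -> Vec<String> {
    findings.iter().filter_map(|f| match fmt {
        OutputFormat::Text => Some(f.to_text()),
        OutputFormat::Json => Some(f.to_json_line()),
        OutputFormat::Hashcat => f.to_hashcat(),
    }).collect()
}

/// Constructed sample findings.
pub fn sample_findings() -> Vec<Finding> {
    vec![
        Finding::NtlmHash { source: "SAM", user: "Administrator".into(), rid: 500,
            lm: "aad3b435b51404eeaad3b435b51404ee".into(), nt: "31d6cfe0d16ae931b73c59d7e0c089c0".into() },
        Finding::Dcc2 { user: "jsmith".into(), iterations: 10240, hash: "a8f2e6b1c4d7e0f3a6b9c2d5e8f1a4b7".into() },
        Finding::LsaSecret { name: "_SC_SQLService".into(), value: "P@ss\"w0rd".into() },
        Finding::BrowserCred { browser: "Chrome".into(), url: "https://corp.example".into(),
            user: "admin@corp.example".into(), password: "hunter2".into() },
    ]
}

fn main() {
    let findings = sample_findings();
    for fmt in [OutputFormat::Text, OutputFormat::Json, OutputFormat::Hashcat] {
        println!("--- {:?}", fmt);
        for line in render(&findings, fmt) { println!("{}", line); }
    }
}
```

Because the mode follows the variant, mixing SAM and DCC2 findings in one run still yields two cleanly separable hash lists, and a `LsaSecret` with a quote in it cannot break the JSONL consumer downstream.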

Build and analyze

Single Rust binary. Build and start extracting credentials in under a minute.

build
$ git clone https://github.com/Real-Fruit-Snacks/Abyss.git
$ cd Abyss && cargo build --release

# Static binary for target deployment


$ ./target/release/abyss --help
abyss 0.1.0
usage
# Full analysis
$ abyss image disk.img

# Credentials only, hashcat format
$ abyss image disk.img --creds --output hashcat

# Memory dump
$ abyss memory lsass.dmp

Know the boundaries

Hidden From

  • Read-only analysis — never modifies source images
  • Offline operation — no network access required
  • Single binary — no installation footprint
  • Hashcat output — no built-in cracking
  • Zero dependencies — static Rust binary

Visible To

  • File access logs — image reads are logged
  • Process monitoring — binary execution visible
  • EDR/XDR — credential extraction patterns
  • Memory forensics — extracted creds in RAM
  • Disk forensics — binary on analyst workstation