sashka/blueflower

 
 

blueflower

blueflower is a simple tool that looks for secrets such as private keys or passwords in a file structure. Interesting files are detected using heuristics on their names and on their content.

Unlike some forensics tools, blueflower does not search in RAM, and does not attempt to identify cryptographic keys or algorithms in binaries.

DISCLAIMER: This program is under development. It may not work as expected and it may destroy your computer. Use at your own risk.

Features

  • multithreading
  • support of the following types of files:
    • text/* MIME-typed files
    • archives: RAR, tar, ZIP
    • compressed files: bzip2, gzip
    • encrypted containers/archives: PGP/GPG, Truecrypt, RAR, ZIP
    • documents: PDF
  • support of nested archives and compressed files (except for nested RARs)
  • portable *nix/Windows
  • CSV output
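
A sketch of the approach described above (name and content heuristics applied through nested archives and compressed files), added here as an example; it is not blueflower's code. The patterns, the `!` path separator, the function names and the sample archive are assumptions, and the depth and size bounds go beyond what the page states.

```python
import contextlib, gzip, io, re, tarfile, zipfile

# Assumed rules for illustration; blueflower's own heuristics are not listed on this page.
NAME_RE = re.compile(r"id_[rd]sa|\.(pem|key|kdbx)$|passw|secret|credential", re.I)
CONTENT_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----|passw(or)?d\s*[:=]", re.I)
MAX_DEPTH = 4        # nesting bound: stops archive-in-archive recursion
MAX_BYTES = 1 << 20  # per-member read bound: limits decompression bombs

def scan(path, data, depth=0, hits=None):
    """Return [(path, reason)], descending into tar(.gz/.bz2), ZIP and gzip layers."""
    hits = [] if hits is None else hits
    if NAME_RE.search(path.split("!")[-1].rsplit("/", 1)[-1]):
        hits.append((path, "name"))
    if depth > MAX_DEPTH:
        hits.append((path, "too-deep"))
        return hits
    # tar is tried first: an uncompressed tar holding a ZIP can also pass is_zipfile()
    with contextlib.suppress(tarfile.TarError), tarfile.open(fileobj=io.BytesIO(data)) as t:
        for m in t:
            if m.isfile():
                scan(f"{path}!{m.name}", t.extractfile(m).read(MAX_BYTES), depth + 1, hits)
        return hits
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for m in z.infolist():
                if m.flag_bits & 0x1:  # encrypted member: report it, cannot read it
                    hits.append((f"{path}!{m.filename}", "encrypted"))
                elif not m.is_dir():
                    with z.open(m) as f:
                        scan(f"{path}!{m.filename}", f.read(MAX_BYTES), depth + 1, hits)
    elif data[:2] == b"\x1f\x8b":  # gzip magic: a single compressed file
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as g:
            scan(path + "!gunzip", g.read(MAX_BYTES), depth + 1, hits)
    elif CONTENT_RE.search(data):
        hits.append((path, "content"))
    return hits

def build_sample():
    """Constructed input: sample.tgz holding backup.zip (with deploy/id_rsa) and two text files."""
    zbuf, tbuf = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as z:
        z.writestr("deploy/id_rsa", "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n")
    files = {"backup.zip": zbuf.getvalue(), "notes.txt": b"db password = example\n",
             "readme.txt": b"nothing here\n"}
    with tarfile.open(fileobj=tbuf, mode="w:gz") as t:
        for name, blob in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(blob)
            t.addfile(info, io.BytesIO(blob))
    return tbuf.getvalue()
```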

TODO

  • *Office documents
  • more secrecy heuristics
  • more type recognition heuristics
  • speed optimizations

Usage

Installation:

sudo make

(omit sudo on Windows)

Execution:

blueflower [directory1] [directory2] ...

A new thread is created for each directory passed as argument.

Results are written to a file blueflower-YYYYMMDDhhmmss.

The makefile defines make clean, make cleanall, and make dist.

WARNINGS:

  • no limit is set on the number of files processed
  • there may be a lot of false positives

Dependencies

Python modules:

Other:

  • unrar utility

License

blueflower is released under GPLv3. Copyright Jean-Philippe Aumasson 2014.
