| name | binwalk |
| description | Use binwalk for authorized firmware, binary blob, archive, filesystem, and embedded-content triage with bounded extraction and evidence handling. |
binwalk
Use binwalk for authorized triage of firmware images, binary blobs, packed artifacts, and files that may contain embedded filesystems or compressed content.
Help First
Before constructing commands, run the installed help and use it as the source of truth:
binwalk --help
Usage Rules
- Work only on explicitly provided artifacts in scope.
- Start with identification/listing before extraction.
- Extract only into a task-scoped output directory.
- Treat signatures and offsets as leads; verify extracted files with
file, hashes, directory review, or follow-up analysis.
- Keep extraction bounded and avoid recursive or broad extraction unless the user explicitly asks and the artifact scope permits it.
- Do not execute extracted files.
- Save large listings, extraction logs, and recursive output to files rather than streaming them into the conversation.
Common Workflows
Signature scan without extraction:
binwalk firmware.bin
Bounded extraction into a task directory:
mkdir -p binwalk-out
binwalk -e -C binwalk-out firmware.bin
Review extracted file types before further analysis:
find binwalk-out -maxdepth 3 -type f -exec file '{}' +
Use recursive extraction only when the artifact scope and expected expansion are clear:
binwalk -Me -C binwalk-out firmware.bin
Output
Report the artifact path, command used, output directory, notable offsets or embedded content, extracted paths, and limitations such as failed extraction or unsupported formats.