Analysis

Analysis

The Analysis module assembles a file dossier reusing every engine in the app: real type, entropy, strings, executable headers, embedded signatures, fuzzy hash, YARA and C2PA Content Credentials.

What it does

What the Analysis module does

Real type ↔ extension

Recognises the format from magic bytes and compares it with the extension (handling aliases like jpeg/jpg).

Shannon entropy

Global and per-block value (sparkline); flags already-compressed formats to avoid false alarms.

ASCII and UTF-16 strings

Extracts printable strings, including Windows-style UTF-16LE; URLs/emails/IPs highlighted.

Executable headers

PE/ELF/Mach-O: architecture, sections, imports; for PE also imphash and packer detection.

Fuzzy hash & hash-sets

ssdeep to find similar files and comparison against known hash-sets (NSRL-style lists).

YARA & C2PA

Applies YARA rules from an updatable endpoint and reads/validates C2PA Content Credentials.

Step by step

How it works

  1. Open a file: Probatio detects the type and computes entropy on a sample.
  2. It extracts strings, executable headers, embedded signatures and ssdeep.
  3. On demand it checks hash-sets, applies YARA and analyses the C2PA manifest.
FAQ

Frequently asked questions

What does the file analysis detect?
Real type vs extension, entropy (global and per-block), ASCII/UTF-16 strings, executable headers, embedded signatures, ssdeep fuzzy hash, known hash-sets, YARA and C2PA.
Does Probatio validate the C2PA signature?
Yes: it decodes the manifest (JUMBF + CBOR) and cryptographically verifies the COSE signature (ES256/384, PS/RS256/384/512, EdDSA). It does not yet validate the chain up to a C2PA trust anchor.
Where do the YARA rules come from?
From an online endpoint configurable in Settings; the rules are downloaded, compiled and applied to the file locally.