Live Boot virtualization, Shadow Copy, Meta extraction, Carving, Hash Sets, Index and Keyword search, Bookmarking and more...
Locate evidence faster than ever before with advanced sorting, filtering, keyword searching, previewing and scripting. Run, customize or create scripts to automate complex tasks: skin tone, file export, registry analysis and more.
Forensic Explorer is a tool for the preservation, analysis and
presentation of electronic evidence. Primary users of this software are
law enforcement, government, military and corporate investigations
Forensic Explorer combines a flexible graphic user interface (GUI)
with advanced sorting, filtering, keyword searching, previewing and
scripting technology. It enables investigators to:
- Manage the analysis of large volumes of information from multiple sources in a case file structure;
- Access and examine all available data, including hidden and system
files, deleted files, file and disk slack and unallocated clusters;
- Automate complex investigation tasks;
- Produce detailed reports; and,
- Provide non forensic investigators a platform to easily review evidence.
Forensic Explorer and Mount Image Pro are optimized for an Intel® Core i7 with 16GB RAM.
Forensic Explorer is a 32bit application which will run on both x86
and x64 installations of Windows 7, 8, 8.1 or 10. Forensic Explorer
should be run with local administrator permissions where possible.
Supported File Formats
Forensics Explorer supports the analysis of the following file formats:
- Apple DMG
- DD or RAW;
- EnCase® (.E01, .L01, Ex01);
- Forensic File Format .AFF
- FTK® (.E01, .AD1 formats);
- ISO (CD and DVD image files);
- Microsoft VHD
- NUIX File Safe MFS01
- XWays E01 and CTR
Supported File Systems
Forensic Explorer supports analysis of:
- Windows FAT12/16/32, exFAT, NTFS,
- Macintosh HFS, HFS+
- EXT 2/3/4
- Hardware and Software RAID: JBOD, RAID 0, RAID 5
Email Analysis Formats
Email module supports the analysis of .PST files.
The Index Search module (DTSearch) supports the index and keyword search of .PST files.
Live Boot: Boot forensic image files. Learn more about Live Boot.
Shadow Copy analysis: Easily add and analyze shadow copy files. Learn more about Forensic Explorer Shadow Copy Volumes.
Customizable Interface: The forensic explorer interface has
been designed for flexibility. Simply drag, drop and detach windows for a
customized workspace. Save and load your own workspace configurations
to suit investigative needs.
International Language Support: Forensic Explorer is Unicode
compliant. Investigators can search and view data in native language
format such as Dutch or Arabic.
Complete Data Access: Access all areas of physical or imaged
media at a file, text, or hex level. View and analyze system files, file
and disk slack, swap files, print files, boot records, partitions, file
allocation tables, unallocated clusters, etc.
Fully Threaded Application: Run multiple functions and scripts in threads.
Multiple Core Processing: Maximize PC processors for intensive functions like keyword searching, data carving, hashing, signature analysis.
Powerful Pascal Scripting language: Automate analysis using a provided script library, or write your own analysis scripts. Automate tasks such as:
- Run skin tone analysis on graphics files;
- Extract user, hardware system information from the registry;
- Locate and analyze transcripts from Internet chats; etc.
Data Views: Powerful data views including:
- File List: Sort and multiple sort files by attribute,
including, extension, signature, hash, path and created, accessed and
- Disk: Navigate a disk and its structure via a graphical view. Zoom in and out to graphically map disk usage.
- Gallery: Thumbnail photos and image files.
- Display: Display more than 300 file types. Zoom, rotate, copy, search. Play video and music.
- Filesystem Record: Easily access and interpret FAT and NTFS records.
- Text and Hexadecimal: Access and analyze data at a text or hexadecimal. Automatically decode values with the data inspector.
- File Extent: Quickly locate the location of files on disk with start and end sector runs.
- Byte Plot and Character Distribution: Examine individual files using Byte Plot graphs and ASCII character distribution.
Categorize and Custom Filter:
- Filter any list view to show folders and files that match a set criteria. Script your own filters.
- Display files in Categories view where files are grouped by extension, signature, attribute, etc.
- Quickly flag files of interest.
RAID Support: Work with physical or forensically imaged RAID media, including software and hardware RAID, JBOD, RAID 0 and RAID 5.
Hashing: Apply hash sets to a case to identify or exclude known files. Hash individual files for analysis.
Keyword search: Sector level keyword search of entire media using RegEx expressions.
Keyword index: Built in DTSearch index and keyword search technology.
Bookmarks and Reporting: Add case notes to identify evidence and include case notes in a custom report builder.
Data Recovery and Carving: Recover folders, files and
partitions. Use an inbuilt data carving tool to carve more than 300
known file types or script your own. Learn more about Forensic Explorer data carving.
File Signature Analysis: Forensic Explorer can automatically
verify the signature of every file in a case and identify those
mismatching file extensions.
Registry analysis: Open and examine Windows registry hives.
Filter, categorize and keyword search registry keys. Automate registry
analysis with RegEx scripts.