Forensic Explorer

Live Boot virtualization, Shadow Copy, Meta extraction, Carving, Hash Sets, Index and Keyword search, Bookmarking and more…

Forensic Explorer is a tool for the analysis of electronic evidence. Primary users of this software are law enforcement, corporate investigations agencies and law firms. Forensic Explorer has the features you expect from the very latest in forensic software. Inclusive with Mount Image Pro, Forensic Explorer will quickly become an important part of your forensic software toolkit.

Forensic Explorer – Facts Sheet

Forensic Explorer is a tool for the preservation, analysis and presentation of electronic evidence. Primary users of this software are law enforcement, government, military and corporate investigations agencies.

Forensic Explorer Facts sheet Download PDF

Forensic Explorer combines a flexible graphic user interface (GUI) with advanced sorting, filtering, keyword searching, previewing and scripting technology. It enables investigators to:

• Manage the analysis of large volumes of information from multiple sources in a case file structure;
• Access and examine all available data, including hidden and system files, deleted files, file and disk slack and unallocated clusters;
• Automate complex investigation tasks;
• Produce detailed reports; and,
• Provide non forensic investigators a platform to easily review evidence.

Recommended Requirements:

• Forensic Explorer and Mount Image Pro are optimized for an Intel® Core i7 with 16GB RAM.
• Forensic Explorer is 64bit application (32bit is available on request).
• Supported Host Operating Systems are Windows 7, 8, 8.1 or 10.
• Forensic Explorer should be run with local administrator permissions where possible.

Supported File Formats

Forensics Explorer supports the analysis of the following file formats:

• Apple DMG
• DD or RAW;
• EnCase® (.E01, .L01, Ex01);
• Forensic File Format .AFF
• FTK® (.E01, .AD1 formats);
• ISO (CD and DVD image files);
• Microsoft VHD
• NUIX File Safe MFS01
• ProDiscover®
• SMART®
• VMWare®
• XWays E01 and CTR

Supported File Systems

Forensic Explorer supports analysis of:

• Windows FAT12/16/32, exFAT, NTFS,
• Macintosh HFS, HFS+
• EXT 2/3/4
• Hardware and Software RAID: JBOD, RAID 0, RAID 5

Email Analysis Formats

Email module supports the analysis of .PST files.

The Index Search module (DTSearch) supports the index and keyword search of .PST files.

Key Features:

Live Boot: Boot forensic image files, including Windows (all versions) and MAC. Learn more about Live Boot.

Shadow Copy analysis: Easily add and analyze shadow copy files. Learn more about Forensic Explorer Shadow Copy Volumes.

Customizable Interface: The forensic explorer interface has been designed for flexibility. Simply drag, drop and detach windows for a customized workspace. Save and load your own workspace configurations to suit investigative needs.

International Language Support: Forensic Explorer is Unicode compliant. Investigators can search and view data in native language format such as Dutch or Arabic.

Complete Data Access: Access all areas of physical or imaged media at a file, text, or hex level. View and analyze system files, file and disk slack, swap files, print files, boot records, partitions, file allocation tables, unallocated clusters, etc.

Fully Threaded Application: Run multiple functions and scripts in threads.

Multiple Core Processing: Maximize PC processors for intensive functions like keyword searching, data carving, hashing, signature analysis.

Powerful Pascal Scripting language: Automate analysis using a provided script library, or write your own analysis scripts. Automate tasks such as:

• Run skin tone analysis on graphics files;
• Extract user, hardware system information from the registry;
• Locate and analyze transcripts from Internet chats; etc.

Data Views: Powerful data views including:

• File List: Sort and multiple sort files by attribute, including, extension, signature, hash, path and created, accessed and modified dates.
• Disk: Navigate a disk and its structure via a graphical view. Zoom in and out to graphically map disk usage.
• Gallery: Thumbnail photos and image files.
• Display: Display more than 300 file types. Zoom, rotate, copy, search. Play video and music.
• Filesystem Record: Easily access and interpret FAT and NTFS records.
• Text and Hexadecimal: Access and analyze data at a text or hexadecimal. Automatically decode values with the data inspector.
• File Extent: Quickly locate the location of files on disk with start and end sector runs.
• Byte Plot and Character Distribution: Examine individual files using Byte Plot graphs and ASCII character distribution.

Categorize and Custom Filter:

• Filter any list view to show folders and files that match a set criteria. Script your own filters.
• Display files in Categories view where files are grouped by extension, signature, attribute, etc.
• Quickly flag files of interest.

RAID Support: Work with physical or forensically imaged RAID media, including software and hardware RAID, JBOD, RAID 0 and RAID 5.

Hashing: Apply hash sets to a case to identify or exclude known files. Hash individual files for analysis.

Keyword search: Sector level keyword search of entire media using RegEx expressions.

Keyword index: Built in multi-threaded DTSearch index and keyword search technology.

Bookmarks and Reporting: Add case notes to identify evidence and include case notes in a custom report builder.

Data Recovery and Carving: Recover folders, files and partitions. Use an inbuilt data carving tool to carve more than 300 known file types or script your own. Learn more about Forensic Explorer data carving.

File Signature Analysis: Forensic Explorer can automatically verify the signature of every file in a case and identify those mismatching file extensions.

Registry analysis: Open and examine Windows registry hives. Filter, categorize and keyword search registry keys. Automate registry analysis with RegEx scripts.