Difference between revisions of "Disk Explorer"

From ForensicsWiki
Jump to: navigation, search
Line 1: Line 1:
 
DiskExplorer is a forensic tool that can be used by investigators to analyze file systems. The file systems supported by DiskExplorer are: <br>
 
DiskExplorer is a forensic tool that can be used by investigators to analyze file systems. The file systems supported by DiskExplorer are: <br>
 +
[[Image:Example.jpg]]
 
<ul>
 
<ul>
 
<li>
 
<li>

Revision as of 13:56, 27 November 2006

DiskExplorer is a forensic tool that can be used by investigators to analyze file systems. The file systems supported by DiskExplorer are:
File:Example.jpg

  • FAT12
  • FAT16
  • FAT32
  • NTFS

DiskExplorer for FAT file systems can accomplish the following tasks[1]:

  • Navigate through your drive by using browser-style back and forth arrows, by going directly to the partition table, boot record, FAT or root directory, by jumping to a certain sector etc.
  • Switch between several views, such as hex, text, directory, FAT, partition table and boot record view
  • Search your drive for text, boot records, partition tables and sub directories
  • Investigate the volume' s boot record by looking at the volume information
  • Edit your drive by using the direct read/write mode (not recommended) or the virtual write mode
  • View and recover even deleted files
  • Create a virtual volume when your boot record is lost or corrupted
  • Conduct your own data recovery by taking advantage of all these features

DiskExplorer for NTFS file systems can accomplish the following tasks[2]:

  • Navigate through your NTFS drive by jumping to the partition table, boot record, Master file table or the root directory
  • Choose between views such as hex, text, index allocation, MFT, boot record, partition table
  • Inspect the file entry details, NT attributes etc.
  • Search your drive for text, partition tables, boot records, MFT entries, index buffers
  • View files
  • Save files or whole directories from anywhere on the drive
  • Identify the file a certain cluster belongs to
  • Create a virtual volume when the boot record is lost or corrupt
  • Edit your drive by using the direct read/write mode (not recommended) or the virtual write mode
  • Conduct your own data recovery by taking advantage of all these features