Disk Explorer

From ForensicsWiki
Revision as of 12:57, 27 November 2006 by CeleryGod (Talk | contribs)

Jump to: navigation, search

DiskExplorer is a forensic tool that can be used by investigators to analyze file systems. The file systems supported by DiskExplorer are:

  • FAT12
  • FAT16
  • FAT32
  • NTFS

DiskExplorer for FAT file systems can accomplish the following tasks[1]:

  • Navigate through your drive by using browser-style back and forth arrows, by going directly to the partition table, boot record, FAT or root directory, by jumping to a certain sector etc.
  • Switch between several views, such as hex, text, directory, FAT, partition table and boot record view
  • Search your drive for text, boot records, partition tables and sub directories
  • Investigate the volume' s boot record by looking at the volume information
  • Edit your drive by using the direct read/write mode (not recommended) or the virtual write mode
  • View and recover even deleted files
  • Create a virtual volume when your boot record is lost or corrupted
  • Conduct your own data recovery by taking advantage of all these features

DiskExplorer for NTFS file systems can accomplish the following tasks[2]:

  • Navigate through your NTFS drive by jumping to the partition table, boot record, Master file table or the root directory
  • Choose between views such as hex, text, index allocation, MFT, boot record, partition table
  • Inspect the file entry details, NT attributes etc.
  • Search your drive for text, partition tables, boot records, MFT entries, index buffers
  • View files
  • Save files or whole directories from anywhere on the drive
  • Identify the file a certain cluster belongs to
  • Create a virtual volume when the boot record is lost or corrupt
  • Edit your drive by using the direct read/write mode (not recommended) or the virtual write mode
  • Conduct your own data recovery by taking advantage of all these features