// artifact family

disk & filesystem

46 browser-only forensics tools in this catalog group — browse by artifact family when you know the kind of evidence you are working with, not the investigation pattern.

tools: 46
catalog slugs: 46
processing: local · in browser

tools in this family

ordered as in the forensics catalog. every tool runs locally — no upload, no account.

  1. disk image browser: drop a .img · .iso · .dd · read partition table · browse FAT32 · ext2 filesystems · extract files · no mounting needed · runs locally
  2. disk image hasher: drop any disk image · compute MD5 · SHA1 · SHA256 · SHA512 · sector-by-sector hash log · forensic chain of custody report · export PDF · runs locally
  3. file integrity verifier: drop checksum manifests plus payload files · md5 sha1 sha256 sha512 · verified mismatch missing · certutil · chunked hashing · csv txt export · runs locally
  4. bootkit mbr vbr deep analyzer: drop a disk image or raw mbr vbr sector dump · deep parse mbr and vbr · compare against known-good templates · flag deviations · detect bootkits · identify infected bootstrap code · runs locally
  5. fat32 recovery: drop a FAT32 disk image · scan for deleted file entries · recover files marked deleted but not overwritten · export zip · runs locally
  6. ext4 recovery: drop an ext4 disk image · parse inode table · recover unlinked inodes · extract file content from surviving data blocks · runs locally
  7. ntfs recovery: drop an NTFS image · parse $MFT · recover deleted file records · extract $DATA attribute · rebuild directory tree · runs locally
  8. mft parser: drop a raw $MFT file · parse every file record · timestamps · attributes · flags · resident vs non-resident data · export CSV · runs locally
  9. filesystem journal reader: drop an ext3/ext4 image · parse the ext journal (JBD2) · list recent transactions · recover files from journal commits · runs locally
  10. ntfs journal reader: drop an NTFS image or raw $UsnJrnl · parse the update sequence number journal · list file create · modify · delete · rename events · export CSV · runs locally
  11. inode explorer: drop an ext2/3/4 image · browse the inode table interactively · view permissions · timestamps · block pointers · direct and indirect · runs locally
  12. partition recovery: drop a disk image with a damaged partition table · scan for partition signatures · recover lost partitions · rebuild MBR or GPT · runs locally
  13. gpt / mbr editor: drop a disk image · parse MBR or GPT in full · edit partition entries · fix CRC checksums · write corrected table back · export fixed image · runs locally
  14. deleted file timeline: drop a disk image · extract all file timestamps including deleted entries · render interactive timeline · filter by type · date range · export CSV · runs locally
  15. volume shadow differ: drop two disk images · diff the file systems · what was added · deleted · modified between snapshots · export change report · runs locally
  16. encrypted volume detector: drop a disk image · detect veracrypt truecrypt bitlocker luks · identify encrypted partitions · entropy analysis · header signatures · runs locally
  17. slack space analyzer: drop a disk image · identify slack space between end of file data and end of cluster · scan for data hidden in slack · visualize · runs locally
  18. unallocated space scanner: drop a disk image · scan sectors between partitions · find file signatures in unallocated space · extract fragments · runs locally
  19. bad sector mapper: drop a disk image · scan every sector for byte-pattern anomalies · zero-fills · repeating-fill sectors · visualize sector health map · export sector report CSV · runs locally
  20. s.m.a.r.t log parser: drop a raw S.M.A.R.T data export or smartctl output · parse all attributes · flag critical values · predict failure probability · runs locally
  21. lvm reader: drop Linux LVM physical volume images · parse PV metadata · reconstruct logical volumes · browse VGs and LVs · runs locally
  22. apfs reader: drop an APFS disk image · locate container and volume superblocks · parse block size · UUID · volume name · role · feature flags · runs locally
  23. vmdk / vhd / vhdx reader: drop a VMware or Hyper-V virtual disk · parse the container format · extract the raw disk image · browse partitions and filesystems inside · runs locally
  24. secure deletion detector: drop disk image · wipe patterns · zero ff aa55 fills · high entropy · sdelete eraser hints · heat map · chunked worker scan · runs locally
  25. raid reconstructor: drop 2-6 disk images · specify RAID level 0 · 1 · 5 · 6 · stripe size · disk order · XOR parity · reconstruct logical volume · export · runs locally
  26. shadow copy reader: drop a Windows VSS shadow copy image · browse previous versions of files · extract individual files from snapshots · runs locally
  27. filesystem diff: drop two file manifests (CSV from evidence-manifest-generator) · detect files added · deleted · modified · hash changed · size changed between snapshots · export diff · runs locally
  28. sparse file detector: drop any file · 4096-byte chunk classification · zero fill pattern data · unicode density map · stats · export chunk csv · runs locally
  29. sparse file forensic analyzer: drop mft csv or file listing · identify sparse files · map allocated vs unallocated regions within files · detect data hidden in sparse regions · identify wasted space used for hiding · runs locally
  30. ntfs alternate data stream deep analyzer: drop mft csv or file listing with ads entries · enumerate all alternate data streams · extract content where possible · detect zone identifier abuse · flag hidden executables · surface data concealment · runs locally
  31. ntfs reparse point and symlink forensics: drop mft csv or file listing · map all ntfs reparse points · symlinks · junctions · mount points · detect symlink attacks · data redirection · path traversal setups · runs locally
  32. ntfs hard link forensic analyzer: drop mft csv · detect files with multiple directory entries (hard links) · map all paths pointing to same inode · identify data sharing between paths · detect hard link based anti-forensics · runs locally
  33. linux extended attribute forensic analyzer: drop getfattr output or filesystem listing with xattr data · parse linux extended attributes · extract security labels · capabilities · custom metadata · detect data hiding in xattrs · capability escalation risks · runs locally
  34. forensic image integrity verifier: drop e01 or aff image files with accompanying hash manifests · verify hash chains · check internal segment hashes · detect any modification to forensic images · validate chain of custody integrity · runs locally
  35. e01 image reader: drop .E01/.E02 segments · parse EWF sections · disk params · chunk table · MBR hex · sample MD5 · metadata export · runs locally
  36. hfs+ parser: drop .img/.dd partition · volume header · catalog B-tree · file paths · deleted orphans · mac HFS time · csv json export · runs locally
  37. exfat recovery: drop .img/.dd image · parse exFAT boot sector · FAT walk · deleted entries · file tree · hex preview · recover download · csv · runs locally
  38. iso udf parser: drop iso img bin · ISO9660 PVD sector 16 · Joliet SVD · Rock Ridge NM TF · UDF AVDP sector 256 · file browser · hex · csv json export · runs locally
  39. virtual machine snapshot metadata analyzer: drop vmware vmsd vmx files or hyper-v xml config files · parse snapshot tree · reconstruct vm state history · identify when snapshots were taken · detect snapshot abuse · deleted snapshots · runs locally
  40. hypervisor log forensic analyzer: drop vmware esxi logs · hyper-v event logs · kvm libvirt logs · detect vm creation deletion · snapshot operations · unusual vm activity · escape attempts · network configuration changes · runs locally
  41. gis and gps track forensic analyzer: drop kml gpx geojson or csv files with coordinates · extract all location data · reconstruct movement timeline · identify locations · correlate timestamps with other artifacts · detect location spoofing · runs locally
  42. ntfs logfile transaction journal parser: drop a raw $logfile from ntfs · parse every metadata operation on the volume · file creates modifies deletes renames · lower level than usn journal · reconstruct operations that were cleared from usn journal · runs locally
  43. shadow copy differential forensics analyzer: drop two file system manifests or mft csvs from different shadow copies · compute exactly what changed between them · files added deleted modified · reconstruct what attacker changed · timeline of filesystem evolution · runs locally
  44. full disk entropy heatmap mapper: drop a raw disk image · compute shannon entropy for every 512-byte sector · render a full disk entropy heatmap · instantly visualize where encrypted compressed or random data lives vs normal filesystem content · locate hidden encrypted volumes · runs locally
  45. cluster allocation order timeline reconstructor: drop an mft csv and bitmap · reconstruct the approximate order in which disk clusters were allocated · builds a rough file creation timeline even when timestamps are unavailable or have been tampered · runs locally
  46. secure wipe completeness forensic scorer: drop a disk image · verify whether a secure wipe was actually complete · score overwrite pattern coverage per sector · identify sectors the wipe missed · identify sectors that were wiped but then reallocated and rewritten · prove the wipe was incomplete if evidence survives · runs locally