// evidence type

disk image / e01 / pagefile

E01/EWF segment set · raw dd · pagefile.sys · hiberfil.sys adjunct. mount metadata, hash verification, pagefile string timeline — full-disk workflows.

tools: 12
priority: L
processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. e01 image reader: drop .E01/.E02 segments · parse EWF sections · disk params · chunk table · MBR hex · sample MD5 · metadata export · runs locally
  2. disk image browser: drop a .img · .iso · .dd · read partition table · browse FAT32 · ext2 filesystems · extract files · no mounting needed · runs locally
  3. disk image hasher: drop any disk image · compute MD5 · SHA1 · SHA256 · SHA512 · sector-by-sector hash log · forensic chain of custody report · export PDF · runs locally
  4. pagefile extractor: drop Windows pagefile.sys or hiberfil.sys · extract strings · URLs · file paths · credentials artifacts · runs locally
  5. pagefile timeline reconstructor: paste strings output · 30-min sessions · urls credentials paths · timeline tabs · csv export · runs locally
  6. hiberfil analyzer: drop hiberfil.sys · urls paths processes keys · hibr header · category tabs · csv export · runs locally
  7. mft parser: drop a raw $MFT file · parse every file record · timestamps · attributes · flags · resident vs non-resident data · export CSV · runs locally
  8. file carver: scan any binary for embedded files · JPEG · PNG · PDF · ZIP · MP4 · SQLite · 30+ signatures · extract all · download zip · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. volume shadow copy deletion detector: drop system or security evtx csv · detect vss deletion commands · identify shadow copy destruction patterns · correlate with ransomware or anti-forensic activity · surface which deletion method was used · runs locally
  2. volume shadow differ: drop two disk images · diff the file systems · what was added · deleted · modified between snapshots · export change report · runs locally
  3. ntfs file born-time consensus engine: drop mft csv · usn journal csv · logfile operation export · indx csv · correlate all four timestamp sources for every file · produce consensus born-time with confidence score · expose disagreements that prove tampering · runs locally
  4. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally