// industry vertical
file & filesystem artifact forensics
carving · NTFS logfile replay · sparse/hidden files · compound document extraction · registry hive recovery · entropy slicing — when the evidence is the bytes on disk, not a SaaS export.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this vertical.
- file carver: scan any binary for embedded files · JPEG · PNG · PDF · ZIP · MP4 · SQLite · 30+ signatures · extract all · download zip · runs locally
- file signature batch scanner: drop hundreds of files · detect extension mismatch · magic bytes vs declared extension · batch triage · export report · runs locally
- ntfs logfile transaction journal parser: drop a raw $logfile from ntfs · parse every metadata operation on the volume · file creates, modifies, deletes, renames · lower level than usn journal · reconstruct operations that were cleared from usn journal · runs locally
- ole2 compound document forensic carver: drop a raw disk image or binary · carve ole2 compound documents from raw bytes using directory structure signatures · recover word, excel, powerpoint old-format files · more reliable than header-only carving · reconstruct compound documents from fragments · runs locally
- registry hive carver from disk image: drop a raw disk image or memory dump · scan for registry hive fragments by regf signature · extract and reconstruct partial hives · identify additional registry hives beyond the standard locations · runs locally
- sparse file detector: drop any file · 4096-byte chunk classification · zero fill, pattern, data · unicode density map · stats · export chunk csv · runs locally
- file entropy slicer: drop any file · interactive entropy heatmap with zoom · click any block to inspect hex · detect encrypted regions · compressed sections · hidden data boundaries · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
also useful · secondary tools
cross-cutting tools that surface depending on the specific investigation.
- semantic structure-based file carver: drop a raw disk image or binary · carve files based on internal structure consistency rather than just magic bytes · find jpeg-shaped regions by dct statistics · sqlite-shaped regions by btree structure · pe-shaped regions by section validity · finds files that header-based carvers miss · runs locally
- file birth time deep analyzer: drop mft csv · compare si vs fn vs indx · detect birth time inconsistencies · copy vs create · export csv · runs locally
- deleted file timeline: drop a disk image · extract all file timestamps including deleted entries · render interactive timeline · filter by type · date range · export csv · runs locally
- sqlite record carver: drop a sqlite database · recover deleted records · parse free pages · unallocated space · extract surviving data · runs locally
- ntfs journal gap analyzer: drop usn journal csv or ntfs logfile csv · detect gaps in journal sequence numbers · identify windows where filesystem activity was not recorded · surface journal clearing or rollover events · runs locally
- sleuth kit filesystem artifact timeline extractor: drop tsk fls/ils csv export · parse inode timeline + deleted entries · runs locally
- ad1 logical evidence file forensic analyzer: drop accessdata ad1 logical export · parse segment table + file entries · runs locally
- encase ex01 evidence file forensic analyzer: drop encase ex01/e01 segment export · parse header + volume + compression map · runs locally
- evidence manifest generator: drop evidence files · compute md5, sha1, sha256 · chain of custody manifest · case number · analyst · export pdf and csv · runs locally
want deeper file artifacts coverage?
this vertical is intentionally sparse — deep-moat coverage grows over time. tracked in the forensics rollout.