Forensic Internals website
Welcome to the Forensic Internals website.
Forensic Internals is a suite of low-level disk and file-system tools for use in Digital Forensics. It supports a variety of common image file formats, remote acquisition, volume shadow copies and BitLocker.
The software is currently a work-in-progress. It is functional but missing some desired features. The software is only available to bona fide forensic practitioners and researchers.
If you would like to try the software or find out more please use the contact form below.
Forensic Internals Components
Forensic Internals currently includes the following software tools:
Tool | Function
DiskMAN | A general disk / hex editor with advanced data and file system dissection and plug-in support (UI)
IMAGER | High-performance imaging tool for creation, restoration, conversion and hashing of industry standard E01/Raw/VHD(X) image files, with support for remote acquisition and adaptive compression (UI)
DMIMAGE | Command line build of the Imager tool with additional support for volume shadow copies and BitLocker (command-line)
DMDIFF | File / forensic image differencing tool (command-line)
DMDUMP | Dump common disk / file system structures including FAT and NTFS file system metadata (command-line)
DMSERVER | Serve local physical disks, file systems and disk images for remote acquisition (command-line)
DMWIPE | Utility to secure erase physical disks, file systems and files using a variety of industry standard methods (command-line)
DMMOUNT | Mount file / forensic image as emulated physical disk or volume with support for delta/write access and simulated bad sectors, and support for E01/Ex01/AFF/VHD(x)/Raw, Volume Shadow Copies and BitLocker. Drag and drop for quick mount (command-line)
ATATOOL | Dump and configure HPA / DCO features and bad sectors on (S)ATA disks (command-line)
DISKID | Wipe / write identity information to disk sectors for file system / RAID research (command-line)
HASHMAN | File / folder / forensic image hashing tool with support for > 20 different hash methods (command-line)
DISKINFO | Report disk properties including vendor, unique serial number and connection type (command-line)
DMBOOTSECT | Export/import MBR and Microsoft file system VBR executable code (command-line)
DMPART | Partitioning tool to initialize disks as MBR/GPT and manipulate partition properties (command-line)
MOUNTISO | Mount ISO file using native Windows interface (command-line)
MOUNTVHD | Mount VHD(X) file using native Windows interface (command-line)
WIMTOOL | Extract Windows installation files from WIM archive format (command-line)
What is Forensic Internals?
The majority of the Forensic Internals tools are command-line based and have a self-explanatory function. For example, HashMAN is used to calculate file / directory / image hashes
and DMIMAGE is used to create/restore forensic images from the command-line. The centrepiece of the suite is a graphical disk / hex editor program called DiskMAN:
DiskMAN is extensible and supports a DLL based plug-in system. Plug-ins are currently supported for:
- Data interpretation e.g. via the "Data Dissector" feature
- Data manipulation e.g. via the "Tools" menu
The suite supports a variety of common image formats including: E01, Ex01, AFF4, raw, VMDK, VHD, VHDX and also remote image sources via the network or even the internet.
You can serve remote data using the DMSERVER tool or any other industry standard web server. Over time, I intend to develop new features as standalone command-line tools (like HashMAN)
and then, when they are reasonably mature, add them as a plug-in to DiskMAN. I haven’t written any of the documentation yet but would be happy to answer any questions or explain what is required to create a plug-in if you want to give it a try.
Plug-ins currently support:
- MBR and GPT partitions
- FAT and NTFS file systems (with analysis of $MFT file and non-resident indexes)
- NTFS USNJrnl change journal
- Windows Shell Link (shortcut) files
- Data hashing
- Data statistics e.g. byte frequency report
- Data heat map (not very functional)
- Data conversion (upper case, lower case, ANSI <-> Unicode etc.)
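As an added illustration of what a partition-table dissector does (example code written for this page, not DiskMAN's plug-in code or its plug-in API, which the page does not describe), the following Python parses the classic MBR layout from a constructed 512-byte sector, lists the unallocated sector ranges a practitioner would want to examine, and flags overlapping entries. The field offsets are the standard MBR ones; the partition-type name table, the disk signature and the two sample partitions are assumptions made for the example.

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

# Well-known MBR partition type codes (assumed subset for the example).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS / exFAT / HPFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR with two partitions (sample input, not real evidence)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[440:444] = struct.pack("<I", 0xDEADBEEF)  # disk signature, arbitrary value
    no_chs = b"\x00\x00\x00"                       # CHS fields are irrelevant for LBA parsing
    entries = [
        (0x80, 0x07, 2048, 204800),    # bootable NTFS partition, 100 MiB
        (0x00, 0x0C, 206848, 409600),  # FAT32 data partition, 200 MiB
    ]
    for i, (status, ptype, lba, count) in enumerate(entries):
        off = PARTITION_TABLE_OFFSET + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FORMAT, status, no_chs, ptype, no_chs, lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def dissect_mbr(sector: bytes, sector_size: int = SECTOR_SIZE) -> dict:
    """Parse the four primary partition entries of an MBR sector into a plain dict."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("boot signature 0x55AA missing; not a valid MBR")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FORMAT, sector[off:off + 16])
        if ptype == 0x00 and count == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "start_lba": lba,
            "sectors": count,
            "start_offset": lba * sector_size,
            "size_bytes": count * sector_size,
        })
    return {
        "disk_signature": struct.unpack("<I", sector[440:444])[0],
        "partitions": partitions,
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
    }


def unallocated_ranges(partitions, total_sectors: int):
    """Inclusive sector ranges no partition claims; sector 0 holds the MBR itself."""
    ranges = []
    cursor = 1
    for p in sorted(partitions, key=lambda p: p["start_lba"]):
        if p["start_lba"] > cursor:
            ranges.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["start_lba"] + p["sectors"])
    if cursor < total_sectors:
        ranges.append((cursor, total_sectors - 1))
    return ranges


def overlapping_partitions(partitions):
    """Index pairs of neighbouring entries whose sector ranges overlap (a damaged or edited table)."""
    ordered = sorted(partitions, key=lambda p: p["start_lba"])
    return [(a["index"], b["index"]) for a, b in zip(ordered, ordered[1:])
            if b["start_lba"] < a["start_lba"] + a["sectors"]]


if __name__ == "__main__":
    table = dissect_mbr(build_sample_mbr())
    for p in table["partitions"]:
        print(p)
    print("unallocated:", unallocated_ranges(table["partitions"], 1_000_000))
    print("overlaps:", overlapping_partitions(table["partitions"]))
```

A real dissector would follow a 0xEE entry on to the GPT header and walk extended partitions; the gap list is the part worth keeping, since space outside every partition is exactly where a hex editor pass should start.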
Who created Forensic Internals?
Forensic Internals was created by James Clark. It is based on an older project called "Binary Markup Toolkit" that was created for a Master’s degree in Forensic Computing at the Cyber Technology Institute of De Montfort University, Leicester, UK.
Currently, Forensic Internals is a side project. However, it isn't the first forensic tool I have worked on! In my day job, I am the technical architect for a well known commercial forensic suite and have written various other
commercial forensic utilities, XWF X-Tensions and Encase EnScripts. My first forensic project was a non-commercial MS-DOS project called Diskman (1999-2004).
Diskman is no longer under development. The historic website is available here.
I also maintain several related tools:
Forensic Internals Technical Requirements
The suite has the following technical requirements:
- Standard PC running Microsoft Windows 7 SP1 or later (currently 64-bit only)
- 1024x768 display or larger
- 2GB RAM minimum (more recommended)
- Admin permissions for disk / file system access
Usage Examples
To list the available local devices and file systems use the /LIST command:
DMDUMP /LIST
To list the volumes present on a partitioned device or image, use the /LISTVOLUMES command:
DMDUMP /LISTVOLUMES "example.e01"
Similarly, to target a specific volume, use the /VOLUME argument:
DMDUMP /VOLUME:1 \\.\PhysicalDrive3
To list the volume shadow copies present on a specific volume, combine the /VOLUME and /LISTVSS arguments:
DMDUMP /VOLUME:1 /LISTVSS \\.\PhysicalDrive0
Similarly, to target a specific volume shadow copy, combine the /VOLUME and /VSS arguments:
DMDUMP /VOLUME:1 /VSS:2 \\.\PhysicalDrive0
To dump the $MFT for a specific volume shadow copy, combine the /DUMPMFT, /VOLUME and /VSS arguments:
DMDUMP /DUMPMFT /ALL /VOLUME:1 /VSS:2 \\.\PhysicalDrive0
To target a BitLocker protected volume, use the /BLPW or /BLRK arguments to specify either the password or recovery key:
DMDUMP /BLPW:Password123 "bitlocker.E01"
Similarly, if the image contains multiple volumes, combine either the /BLPW or /BLRK argument with the /VOLUME argument:
DMDUMP /VOLUME:0 /BLPW:Password123 "bitlocker.E01"
To serve a local device, file system or image to a remote host use the DMSERVER tool:
DMSERVER /PORT:8080 \\.\PhysicalDrive3
Similarly, to open a remote resource served by DMSERVER or another web server, prefix the name with http:// or https://. For example:
DMIMAGE /CREATE:example.e01 http://somehost:8080
To install the DMMOUNT emulation driver or check current status:
DMMOUNT /INSTALL
DMMOUNT /STATUS
To mount a forensic image read-only:
DMMOUNT "example.e01"
Similarly, to mount a forensic image with simulated write access via a delta file:
DMMOUNT /DELTA "example.e01"
To mount a specific BitLocker protected volume in a forensic image and decrypt the contents:
DMMOUNT /VOLUME:0 /BLPW:Password123 "bitlocker.e01"
Similarly, to mount a specific volume shadow copy on a BitLocker protected volume in a forensic image and decrypt the contents:
DMMOUNT /VOLUME:0 /VSS:2 /BLPW:Password123 "bitlockerwithvss.e01"
Or, to compare two different volume shadow copies on the same volume (between time points), including those protected by BitLocker, mount both volumes and compare the two file systems with
Beyond Compare or another similar tool:
DMMOUNT /VOLUME:1 /VSS:2 [/BLPW:Password123] "image.e01"
DMMOUNT /VOLUME:1 /VSS:0 [/BLPW:Password123] "image.e01"
To mount an image with simulated bad sectors (for testing):
DMMOUNT /BADSECTORS:0x1-0x2,0x5-0x10 "example.e01"
To mount a specific local Volume Shadow Copy:
DMMOUNT /MOUNT "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5"
Finally, to mount an ISO file or VHD(X) file using the native Windows interface:
MOUNTISO "example.iso"
MOUNTVHD "demo.vhd"
NB: The DMMOUNT tool does not currently support ISO mount.
Remote Acquisition Demo
For demonstration, a remote NTFS image is available from the following URL. This can be opened directly by most of the tools including DiskMAN (via the "Open Special" feature):
https://www.datasynergy.co.uk/forensicinternals/demo/NTFS.bin
Raw images can be served using most standard web servers. Target devices can be served directly with the DMSERVER tool.
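As an added example (written for this page; it is not DMSERVER's implementation, whose wire protocol the page does not describe), the Python below serves a constructed raw image over HTTP with byte-range support and reads it back sector by sector, which is what a standard web server must offer for an http:// source to be imaged without first downloading the whole file. The Range / Content-Range handling follows HTTP/1.1; the loopback port, the path NTFS.bin and the 64-sector sample image are assumptions for the example.

```python
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

SECTOR_SIZE = 512
# Constructed raw "image": 64 sectors, sector n filled with byte value n (sample data, not evidence).
SAMPLE_IMAGE = b"".join(bytes([n]) * SECTOR_SIZE for n in range(64))


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class RangeImageHandler(BaseHTTPRequestHandler):
    """Serves one in-memory raw image and honours HTTP byte-range requests."""
    image = SAMPLE_IMAGE

    def log_message(self, fmt, *args):  # keep the demo quiet
        pass

    def _common_headers(self, length):
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Accept-Ranges", "bytes")
        self.send_header("Content-Length", str(length))

    def do_HEAD(self):
        self.send_response(200)
        self._common_headers(len(self.image))
        self.end_headers()

    def do_GET(self):
        size = len(self.image)
        rng = self.headers.get("Range")
        if rng is None or not rng.startswith("bytes="):
            self.send_response(200)          # no range: whole image
            self._common_headers(size)
            self.end_headers()
            self.wfile.write(self.image)
            return
        first, _, last = rng[len("bytes="):].partition("-")
        if not first:                         # suffix form "bytes=-N": last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
        if start >= size or start > end:
            self.send_response(416)
            self.send_header("Content-Range", "bytes */%d" % size)
            self.end_headers()
            return
        body = self.image[start:end + 1]
        self.send_response(206)
        self._common_headers(len(body))
        self.send_header("Content-Range", "bytes %d-%d/%d" % (start, end, size))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind an ephemeral loopback port, serve in a background thread, return (server, url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), RangeImageHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/NTFS.bin" % server.server_address[1]


class RemoteImage:
    """Sector-addressed reader over HTTP, the way an imager opens an http:// source."""

    def __init__(self, url):
        self.url = url
        with urlopen(Request(url, method="HEAD")) as resp:
            self.size = int(resp.headers["Content-Length"])
            if resp.headers.get("Accept-Ranges") != "bytes":
                raise RuntimeError("server does not advertise byte ranges; only a full download is possible")
        self.total_sectors = self.size // SECTOR_SIZE

    def read_sectors(self, first: int, count: int) -> bytes:
        start = first * SECTOR_SIZE
        end = start + count * SECTOR_SIZE - 1
        with urlopen(Request(self.url, headers={"Range": "bytes=%d-%d" % (start, end)})) as resp:
            if resp.status != 206:
                raise RuntimeError("server ignored the Range header and sent the whole object")
            return resp.read()

    def sha256(self, sectors_per_request: int = 16) -> str:
        """Hash the whole remote image using fixed-size range requests."""
        h = hashlib.sha256()
        for first in range(0, self.total_sectors, sectors_per_request):
            count = min(sectors_per_request, self.total_sectors - first)
            h.update(self.read_sectors(first, count))
        return h.hexdigest()


if __name__ == "__main__":
    server, url = start_server()
    remote = RemoteImage(url)
    print("remote size:", remote.size, "sha256:", remote.sha256())
    server.shutdown()
```

The HEAD check is the useful part for a practitioner: a server that does not answer `Accept-Ranges: bytes` (or returns 200 instead of 206 to a Range request) will make every sector read re-fetch the whole image, so verify that before pointing an imager at a remote URL. The page lists https:// as an accepted prefix; the same reads work unchanged over TLS.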
ATATool Tips
The following tips may be useful when using ATATool:
- Ensure the (S)ATA drive is connected directly to a "real" (S)ATA controller. ATATool probably won’t work if connected via a USB bridge or a forensic write blocker.
- Remember that reducing the drive size via a DCO is a fundamental change. It is best done on a drive that is empty. If the drive contains a file system, applying a DCO will likely corrupt it.
- Double check you are applying the DCO/HPA to the correct drive. Creating a DCO/HPA on the wrong drive may lead to data loss.
- If the /SETDCO command fails, it may be because a DCO is already present or it is frozen. Try removing it (*):
/RESTOREDCO
* Some motherboard BIOS freeze the DCO on start-up. If this happens, subsequent DCO commands will fail. A quick workaround (for a non-system drive) is to disconnect the SATA power connector and then reconnect it after a few seconds.
Notes on Bad Sectors
You can also use the tools to create "bad" sectors. This may be useful for testing procedures or other tools. You can do this with either a real physical disk (= danger!!!) using ATATOOL or with simulated bad sectors using the DMMOUNT tool. Regardless of the technique, the result should essentially be the same.
To create bad sectors on a physical disk with ATATool:
1. Confirm the target drive is attached to a physical / motherboard controller, i.e. not a USB/forensic bridge
2. List the available drives:
ATATOOL /LIST
The available drives are named \\.\PhysicalDriveN where N is a number, e.g. \\.\PhysicalDrive1
3. Confirm you *really* want to trash the drive (there may be no going back!)
4. Confirm the drive contains no bad sectors. You could do this as follows:
HASHMAN \\.\physicaldrive3
5. Make sector #10 bad:
ATATOOL /BADECC:10 \\.\physicaldrive3
NB: /BADECC requires the drive to support the WRITE UNCORRECTABLE EXT command set. If an error is reported, you may need to try the alternative method below.
6. If no error is reported, repeat step [4] to verify the bad sector. You should see an error similar to this:
Error #23. Data error (cyclic redundancy check) \\.\physicaldrive3
7. If the /BADECC command worked OK, try fixing the sector with:
ATATOOL /FIXECC:10 \\.\physicaldrive3
and repeat step [4] to verify the bad sector is now fixed.
8. If the /BADECC command failed (because the WRITE UNCORRECTABLE EXT command set isn't supported), you could try the older /BADECCLONG command. This may not work on all drives (and especially not on modern drives):
ATATOOL /BADECCLONG:10 \\.\physicaldrive3
HASHMAN \\.\physicaldrive3
ATATOOL /FIXECCLONG:10 \\.\physicaldrive3
9. If you cannot get /BADECC or /BADECCLONG to work with the physical drive, try a different physical drive. Anecdotally, older drives are less likely to support the WRITE UNCORRECTABLE EXT command and more likely to support the /BADECCLONG approach. No drive has been seen that supports both methods.
10. Finally, you can always simulate the same bad sector with DMMOUNT:
DMMOUNT /BADSECTORS:10 /WRITE /RAM:1GB
HASHMAN /LIST (in a different command window)
HASHMAN \\.\physicaldrive3 (in a different command window)
11. Alternatively, to mount an image with simulated bad sectors (overlaid onto the image):
DMMOUNT /BADSECTORS:0x1-0x2,0x5-0x10 "example.e01"
or, to make a 4GB RAM disk with some bad sectors:
DMMOUNT /BADSECTORS:0x10-0x20 /WRITE /RAM:4GB
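The following added Python example (written for this page, not part of Forensic Internals) emulates the /BADSECTORS overlay described above in memory: it parses the same comma-separated decimal / 0x range syntax the commands use, raises a read error on the configured sectors, and contrasts a plain hash run, which aborts at the first unreadable sector much like the CRC error shown above, with an imager that zero-fills and logs unreadable sectors so the acquisition completes with a known-bad list. The error wording, the zero-fill policy and the 32-sector sample image are assumptions for the example, not a description of how HASHMAN or DMIMAGE behave internally.

```python
import hashlib

SECTOR_SIZE = 512


def parse_bad_sectors(spec: str) -> set:
    """Parse the /BADSECTORS syntax: comma-separated sectors or ranges, decimal or 0x-prefixed hex."""
    bad = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        first, _, last = part.partition("-")
        start = int(first, 0)                       # base 0 accepts "10" and "0x10"
        end = int(last, 0) if last else start
        if end < start:
            raise ValueError("range end before start: %s" % part)
        bad.update(range(start, end + 1))
    return bad


class BadSectorError(IOError):
    pass


class EmulatedDisk:
    """RAM-backed disk whose reads fail on the configured sectors, like an overlay on a mounted image."""

    def __init__(self, data: bytes, bad_sectors):
        if len(data) % SECTOR_SIZE:
            raise ValueError("image size must be a whole number of sectors")
        self.data = data
        self.bad = set(bad_sectors)
        self.total_sectors = len(data) // SECTOR_SIZE

    def read_sector(self, n: int) -> bytes:
        if not 0 <= n < self.total_sectors:
            raise ValueError("sector %d out of range" % n)
        if n in self.bad:
            # Wording modelled on the CRC error shown on the page (assumption).
            raise BadSectorError("Data error (cyclic redundancy check) at sector %d" % n)
        return self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]


def naive_hash(disk: EmulatedDisk) -> str:
    """Hash the device as one stream; aborts on the first unreadable sector."""
    h = hashlib.sha256()
    for n in range(disk.total_sectors):
        h.update(disk.read_sector(n))
    return h.hexdigest()


def image_with_zero_fill(disk: EmulatedDisk):
    """Imager policy (assumed): unreadable sectors are zero-filled and logged; the hash covers the output."""
    out = bytearray()
    log = []
    for n in range(disk.total_sectors):
        try:
            out += disk.read_sector(n)
        except BadSectorError as err:
            out += bytes(SECTOR_SIZE)
            log.append((n, str(err)))
    return bytes(out), hashlib.sha256(out).hexdigest(), log


def build_sample_image(sectors: int = 32) -> bytes:
    """Constructed raw image: sector n is filled with byte value n (sample data, not evidence)."""
    return b"".join(bytes([n]) * SECTOR_SIZE for n in range(sectors))


if __name__ == "__main__":
    disk = EmulatedDisk(build_sample_image(), parse_bad_sectors("0x1-0x2,0x5-0x10"))
    try:
        naive_hash(disk)
    except BadSectorError as err:
        print("plain hash aborted:", err)
    _, digest, log = image_with_zero_fill(disk)
    print("acquired with %d unreadable sectors, sha256 %s" % (len(log), digest))
```

The point of the contrast is the one the test procedure above exercises: the acquisition hash of an image with zero-filled sectors differs from the hash of the original medium, so a verification pass must be run against the produced image together with its bad-sector log, not against the source.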
Screenshots
Start DiskMAN data dissector:
Dissect NTFS $MFT record:
View Windows Shell Link (LNK) file properties:
Who can use Forensic Internals? What's the catch?
Forensic Internals is a work-in-progress. It is only available to bona fide forensic practitioners working in law enforcement, academia or similar.
You are free to use the software for any purpose. I would welcome bug reports or suggestions for new features. Please contact me if you think the software is useful or useless. I won’t be offended!
Download / Ask Question
If you would like to use the software, report a bug, make a suggestion or just ask a question please use the form below: