Forensic Internals website

Welcome to the Forensic Internals website.

Forensic Internals is a suite of low-level disk and file-system tools for use in Digital Forensics. It supports a variety of common image file formats, remote acquisition, volume shadow copies and BitLocker.

The software is currently a work-in-progress. It is functional but missing some desired features. The software is only available to bona fide forensic practitioners and researchers.

If you would like to try the software or find out more please use the contact form below.



Forensic Internals Components

Forensic Internals currently includes the following software tools:


Tool         Function
DiskMAN      A general disk / hex editor with advanced data and file system dissection and plug-in support (UI)
IMAGER       High-performance imaging tool for creation, restoration, conversion and hashing of industry standard E01/Raw/VHD(X) image files, with support for remote acquisition and adaptive compression (UI)
DMIMAGE      Command line build of the Imager tool with additional support for volume shadow copies and BitLocker (command-line)
DMDIFF       File / forensic image differencing tool (command-line)
DMDUMP       Dump common disk / file system structures including FAT and NTFS file system metadata (command-line)
DMSERVER     Serve local physical disks, file systems and disk images for remote acquisition (command-line)
DMWIPE       Utility to secure erase physical disks, file systems and files using a variety of industry standard methods (command-line)
DMMOUNT      Mount a file / forensic image as an emulated physical disk or volume, with support for delta/write access and simulated bad sectors, and support for E01/Ex01/AFF/VHD(X)/Raw, Volume Shadow Copies and BitLocker. Drag and drop for quick mount (command-line)
ATATOOL      Dump and configure HPA / DCO features and bad sectors on (S)ATA disks (command-line)
DISKID       Wipe / write identity information to disk sectors for file system / RAID research (command-line)
HASHMAN      File / folder / forensic image hashing tool with support for > 20 different hash methods (command-line)
DISKINFO     Report disk properties including vendor, unique serial number and connection type (command-line)
DMBOOTSECT   Export/import MBR and Microsoft file system VBR executable code (command-line)
DMPART       Partitioning tool to initialize disks as MBR/GPT and manipulate partition properties (command-line)
MOUNTISO     Mount an ISO file using the native Windows interface (command-line)
MOUNTVHD     Mount a VHD(X) file using the native Windows interface (command-line)
WIMTOOL      Extract Windows installation files from the WIM archive format (command-line)


What is Forensic Internals?

The majority of the Forensic Internals tools are command-line based and have a self-explanatory function. For example, HashMAN is used to calculate file / directory / image hashes and DMIMAGE is used to create/restore forensic images from the command-line. The centrepiece of the suite is a graphical disk / hex editor program called DiskMAN:


Diskman editor UI


DiskMAN is extensible and supports a DLL based plug-in system. Plug-ins are currently supported for:

The suite supports a variety of common image formats including: E01, Ex01, AFF4, raw, VMDK, VHD, VHDX and also remote image sources via the network or even the internet. You can serve remote data using the DMSERVER tool or any other industry standard web server. Over time, I intend to develop new features as standalone command-line tools (like HashMAN) and then, when they are reasonably mature, add them as a plug-in to DiskMAN. I haven’t written any of the documentation yet but would be happy to answer any questions or explain what is required to create a plug-in if you want to give it a try.

Plug-ins currently support:



Who created Forensic Internals?

Forensic Internals was created by James Clark. It is based on an older project called "Binary Markup Toolkit" that was created for a Master’s degree in Forensic Computing at the Cyber Technology Institute of De Montfort University, Leicester, UK.

Currently, Forensic Internals is a side project. However, it isn't the first forensic tool I have worked on! In my day job, I am the technical architect for a well known commercial forensic suite and have written various other commercial forensic utilities, XWF X-Tensions and Encase EnScripts. My first forensic project was a non-commercial MS-DOS project called Diskman (1999-2004). Diskman is no longer under development. The historic website is available here.

I also maintain several related tools:



Forensic Internals Technical Requirements

The suite has the following technical requirements:



Usage Examples

To list the available local devices and file systems use the /LIST command:

DMDUMP /LIST

To list the volumes present on a partitioned device or image, use the /LISTVOLUMES command:
DMDUMP /LISTVOLUMES "example.e01"

Similarly, to target a specific volume, use the /VOLUME argument:
DMDUMP /VOLUME:1 \\.\PhysicalDrive3

To list the volume shadow copies present on a specific volume, combine the /VOLUME and /LISTVSS arguments:
DMDUMP /VOLUME:1 /LISTVSS \\.\PhysicalDrive0

Similarly, to target a specific volume shadow copy, combine the /VOLUME and /VSS arguments:
DMDUMP /VOLUME:1 /VSS:2 \\.\PhysicalDrive0

To dump the $MFT for a specific volume shadow copy, combine the /DUMPMFT command with the /VOLUME and /VSS arguments:
DMDUMP /DUMPMFT /ALL /VOLUME:1 /VSS:2 \\.\PhysicalDrive0

To target a BitLocker protected volume, use the /BLPW or /BLRK arguments to specify either the password or recovery key:
DMDUMP /BLPW:Password123 "bitlocker.E01"

Similarly, if the image contains multiple volumes, combine either the /BLPW or /BLRK argument with the /VOLUME argument:
DMDUMP /VOLUME:0 /BLPW:Password123 "bitlocker.E01"

To serve a local device, file system or image to a remote host use the DMSERVER tool:
DMSERVER /PORT:8080 \\.\PhysicalDrive3

Similarly, to open a remote resource served by DMSERVER or another web server, prefix the name with http:// or https://. For example:
DMIMAGE /CREATE:example.e01 http://somehost:8080

To install the DMMOUNT emulation driver or check current status:
DMMOUNT /INSTALL
DMMOUNT /STATUS

To mount a forensic image read-only:
DMMOUNT "example.e01"

Similarly, to mount a forensic image with simulated write access via a delta file:
DMMOUNT /DELTA "example.e01"

To mount a specific BitLocker protected volume in a forensic image and decrypt the contents:
DMMOUNT /VOLUME:0 /BLPW:Password123 "bitlocker.e01"

Similarly, to mount a specific volume shadow copy on a BitLocker protected volume in a forensic image and decrypt the contents:
DMMOUNT /VOLUME:0 /VSS:2 /BLPW:Password123 "bitlockerwithvss.e01"

Or, to compare two different volume shadow copies on the same volume (between time points), including those protected by BitLocker, mount both volumes and compare the two file systems with Beyond Compare or another similar tool:
DMMOUNT /VOLUME:1 /VSS:2 [/BLPW:Password123] "image.e01"
DMMOUNT /VOLUME:1 /VSS:0 [/BLPW:Password123] "image.e01"

To mount an image with simulated bad sectors (for testing):
DMMOUNT /BADSECTORS:0x1-0x2,0x5-0x10 "example.e01"

To mount a specific local Volume Shadow Copy:
DMMOUNT /MOUNT "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5"

Finally, to mount an ISO file or VHD(X) file using the native Windows interface:
MOUNTISO "example.iso"
MOUNTVHD "demo.vhd"

NB: The DMMOUNT tool does not currently support ISO mount.




Remote Acquisition Demo

For demonstration, a remote NTFS image is available from the following URL. This can be opened directly by most of the tools including DiskMAN (via the "Open Special" feature):

https://www.datasynergy.co.uk/forensicinternals/demo/NTFS.bin

Raw images can be served using most standard web servers. Target devices can be served directly with the DMSERVER tool.




ATATool Tips

The following tips may be useful when using ATATool:




Notes on Bad Sectors

You can also use the tools to create "bad" sectors. This may be useful for testing procedures or other tools. You can do this either on a real physical disk (= danger!!!) using ATATOOL, or with simulated bad sectors using the DMMOUNT tool. Regardless of the technique, the result should essentially be the same.

To create bad sectors on a physical disk with ATATool:

  1. Confirm the target drive is attached to a physical / motherboard controller, i.e. not via a USB/forensic bridge

  2. List the available drives:
    ATATOOL /LIST
    The available drives are named \\.\PhysicalDriveN where N is a number, e.g. \\.\PhysicalDrive1

  3. Confirm you *really* want to trash the drive (there may be no going back!)

  4. Confirm the drive contains no bad sectors. You could do this as follows:
    HASHMAN \\.\physicaldrive3
  5. Make sector #10 bad:
    ATATOOL /BADECC:10 \\.\physicaldrive3
    NB: /BADECC requires the drive to support the WRITE UNCORRECTABLE EXT command set. If an error is reported, you may need to try the alternative method below.

  6. If no error is reported, repeat step [4] to verify the bad sector. You should see an error similar to this:
    Error #23. Data error (cyclic redundancy check) \\.\physicaldrive3
  7. If the /BADECC command worked ok, try fixing the sector with:
    ATATOOL /FIXECC:10 \\.\physicaldrive3
    and repeat step [4] to verify the bad sector is now fixed.

  8. If the /BADECC command failed (because the WRITE UNCORRECTABLE EXT command set isn’t supported), you could try the older /BADECCLONG command. This may not work on all drives (and especially modern drives):
    ATATOOL /BADECCLONG:10 \\.\physicaldrive3
    HASHMAN \\.\physicaldrive3
    ATATOOL /FIXECCLONG:10 \\.\physicaldrive3
  9. If you cannot get /BADECC or /BADECCLONG to work with the physical drive, try a different physical drive. Anecdotally, older drives are less likely to support the WRITE UNCORRECTABLE EXT command and support the /BADECCLONG approach. No drive has been seen that supports both methods.

  10. Finally, you can always simulate the same bad sector with DMMOUNT:
    DMMOUNT /BADSECTORS:10 /WRITE /RAM:1GB
    HASHMAN /LIST                             (in a different command window)
    HASHMAN \\.\physicaldrive3                (in a different command window)
  11. Alternatively, to mount an image with simulated bad sectors (overlaid onto the image):
    DMMOUNT /BADSECTORS:0x1-0x2,0x5-0x10 "example.e01"
    or, to make a 4GB RAM disk with some bad sectors:
    DMMOUNT /BADSECTORS:0x10-0x20 /WRITE /RAM:4GB
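The following is an added example, not part of Forensic Internals or its code, showing what the simulated bad-sector overlay described in steps 10 and 11 does: it parses a /BADSECTORS-style range list (decimal or 0x hex, single sectors or inclusive ranges), overlays the unreadable sectors on a constructed in-memory image, and runs a sector-by-sector hash that stops at the first read error in the way the procedure above describes for HASHMAN. It assumes 512-byte sectors and SHA-256; the Windows error number 23 (cyclic redundancy check) is the one shown in step 6.

```python
import hashlib
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors

def parse_bad_sectors(spec):
    """Parse a DMMOUNT-style range list such as "0x1-0x2,0x5-0x10" or "10".
    Each comma-separated item is one sector or an inclusive start-end range;
    numbers may be decimal or 0x-prefixed hex. Returns the set of sector numbers."""
    bad = set()
    for item in spec.split(","):
        m = re.fullmatch(r"\s*(0x[0-9a-fA-F]+|\d+)(?:\s*-\s*(0x[0-9a-fA-F]+|\d+))?\s*", item)
        if not m:
            raise ValueError(f"bad range item: {item!r}")
        start = int(m.group(1), 0)
        end = int(m.group(2), 0) if m.group(2) else start
        if end < start:
            raise ValueError(f"range end before start: {item!r}")
        bad.update(range(start, end + 1))
    return bad

class BadSectorOverlay:
    """Read-only sector device: a byte image with simulated unreadable sectors overlaid.
    Reading a bad sector raises OSError, as a drive with a bad ECC block would."""
    def __init__(self, image, bad_sectors):
        self.image = image
        self.bad = set(bad_sectors)
        self.sector_count = len(image) // SECTOR_SIZE
    def read_sector(self, n):
        if n in self.bad:
            raise OSError(23, "Data error (cyclic redundancy check)")
        return self.image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
    def fix_sector(self, n):
        # Analogue of ATATOOL /FIXECC: the sector becomes readable again.
        self.bad.discard(n)

def hash_device(dev):
    """Hash every sector in order; stop at the first unreadable sector and report it,
    which is the behaviour the procedure above describes for HASHMAN."""
    h = hashlib.sha256()
    for n in range(dev.sector_count):
        try:
            h.update(dev.read_sector(n))
        except OSError as e:
            return {"ok": False, "sector": n, "error": f"Error #{e.errno}. {e.strerror}"}
    return {"ok": True, "sha256": h.hexdigest()}

# Constructed sample image: 32 sectors, sector k filled with byte value k.
SAMPLE_IMAGE = b"".join(bytes([k]) * SECTOR_SIZE for k in range(32))
```

Marking sector 10 bad makes the hash run fail at sector 10 with the CRC error; clearing it with fix_sector restores the hash of the clean image.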


Screenshots

Start DiskMAN data dissector:



Dissect NTFS $MFT record:



View Windows Shell Link (LNK) file properties:





Who can use Forensic Internals? What's the catch?

Forensic Internals is a work-in-progress. It is only available to bona fide forensic practitioners working in law enforcement, academia or similar. You are free to use the software for any purpose. I would welcome bug reports or suggestions for new features. Please contact me if you think the software is useful or useless. I won’t be offended!



Download / Ask Question

If you would like to use the software, report a bug, make a suggestion or just ask a question please use the form below:
