In my extensive experience training IT forensics investigators about file systems and file system artefacts, I have never found a tool that allows you to easily “explore” evidence while still maintaining a byte-level view. To my knowledge, this tool does not exist. Therefore I had to develop it!
Tyrhex is based on the experience of file system forensics practitioners. It can help users understand the main concepts of this practice, compare the results produced by other forensic software, investigate damaged devices and explain results in courtroom scenarios.
Core innovative concepts:
- Ability to isolate a particular byte string, lock the offset you wish to use as a reference, interpret the selected bytes as a chosen unit to obtain their value, and optionally move by that value to a new position.
- Historical bookmarking, so that important data areas can be revisited later when referring to a particular stage of the analysis.
- Ability to search for artefacts in damaged file systems and, using the quick search features, create a virtual volume with estimated properties. The volume can also be browsed while it is being repaired.
- Automatic generation of colour coding, combined with user-defined bookmarks, to support the explanation of findings and reverse-engineering techniques.
- Provision of a detailed reporting system that can be used when comparing the results to the output of other forensic tools.
- Robust Objective-C classes used to analyse file systems and file system artefacts. These classes do not depend on external algorithms or libraries, so when their results agree with another tool's the agreement comes from two independent implementations, which is what makes the cross-check meaningful.
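The offset-locking workflow from the first bullet (lock a reference, read a field as a unit, move by its value) and the bookmark history from the second, shown as an added Python example. This is not Tyrhex code; it walks a constructed MBR plus FAT32 boot sector built in memory, assumes a 512-byte sector, and the `HexCursor` class and its method names are hypothetical. The field offsets follow the published MBR and FAT32 on-disk layouts.

```python
"""Byte-level navigation of a constructed disk image.

Lock a reference offset, read a field as a chosen unit, move by that value
to the next structure, and keep a bookmark of every stop along the way.
"""
import struct
from typing import Optional

SECTOR = 512  # assumed sector size of the constructed image


def read_unit(data: bytes, offset: int, size: int) -> int:
    """Read an unsigned little-endian integer of 1, 2, 4 or 8 bytes at offset."""
    fmt = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}[size]
    return struct.unpack_from(fmt, data, offset)[0]


class HexCursor:
    """Cursor with a locked reference offset and a history of bookmarks (hypothetical helper)."""

    def __init__(self, data: bytes):
        self.data = data
        self.ref = 0
        self.history = []  # (label, absolute offset) in the order visited

    def lock(self, offset: int, label: str) -> int:
        """Make `offset` the reference for relative reads and bookmark it."""
        self.ref = offset
        self.history.append((label, offset))
        return offset

    def field(self, rel: int, size: int) -> int:
        """Value of the little-endian field `rel` bytes past the locked reference."""
        return read_unit(self.data, self.ref + rel, size)

    def jump_by(self, rel: int, size: int, unit: int, label: str,
                base: Optional[int] = None) -> int:
        """Read the field at `rel`, scale it by `unit` bytes and lock the result.

        `base` is what the field counts from: the current reference by default,
        or 0 for fields that count from the start of the device (e.g. an LBA).
        """
        origin = self.ref if base is None else base
        return self.lock(origin + self.field(rel, size) * unit, label)


def build_image() -> bytes:
    """Constructed sample: an MBR whose first entry points at a FAT32 volume at
    LBA 2048. Only the fields the walk below reads are populated."""
    img = bytearray(SECTOR * 2304)
    # Partition entry 1 at 446: status, CHS start, type 0x0C (FAT32 LBA), CHS end,
    # start LBA, sector count.
    struct.pack_into("<B3sB3sII", img, 446, 0x00, b"\0\0\0", 0x0C, b"\0\0\0", 2048, 65536)
    img[510:512] = b"\x55\xaa"
    vbr = 2048 * SECTOR
    # bytes/sector, sectors/cluster, reserved sectors, number of FATs
    struct.pack_into("<HBHB", img, vbr + 11, 512, 8, 32, 2)
    struct.pack_into("<I", img, vbr + 36, 100)  # sectors per FAT
    struct.pack_into("<I", img, vbr + 44, 2)    # first cluster of the root directory
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    return bytes(img)


def walk_fat32(image: bytes) -> dict:
    """Follow MBR -> VBR -> FAT #0 -> data region -> root directory by value."""
    cur = HexCursor(image)
    cur.lock(0, "MBR")
    if cur.field(510, 2) != 0xAA55:
        raise ValueError("MBR signature missing")
    ptype = cur.field(446 + 4, 1)
    # The start LBA counts from the start of the device, hence base=0.
    vbr = cur.jump_by(446 + 8, 4, SECTOR, "FAT32 VBR", base=0)
    if cur.field(510, 2) != 0xAA55:
        raise ValueError("VBR signature missing")
    bps = cur.field(11, 2)
    spc = cur.field(13, 1)
    nfats = cur.field(16, 1)
    fatsz = cur.field(36, 4)
    root_cluster = cur.field(44, 4)
    # Reserved sectors count from the volume start, in the volume's own sector size.
    fat0 = cur.jump_by(14, 2, bps, "FAT #0")
    data_start = cur.lock(fat0 + nfats * fatsz * bps, "data region (cluster 2)")
    root_dir = cur.lock(data_start + (root_cluster - 2) * spc * bps, "root directory")
    return {"partition_type": ptype, "vbr": vbr, "fat0": fat0,
            "data_start": data_start, "root_dir": root_dir, "history": cur.history}


if __name__ == "__main__":
    for label, off in walk_fat32(build_image())["history"]:
        print(f"{off:#010x}  {label}")
```

Every stop is derived from a value read off the image rather than from a tool's interpretation, which is the position you want to be in when a commercial tool's "root directory" offset has to be defended against the raw bytes.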
Used in a classroom, Tyrhex provides visual support for all the logical structures embedded in file systems.
Available for download here: https://itunes.apple.com/app/tyrhex/id933525733