In my extensive experience training IT forensics investigators about file systems and file systems artefacts, I have never found a tool that allows you to easily “explore” evidence, while still maintaining a byte-level view. To my knowledge, this tool does not exist. Therefore I had to develop it!
Tyrhex is based on the experience of file systems forensics practitioners. It can help users understand the main concepts of this practise, compare the results produced by other forensic software, investigate damaged devices and explain results in courtroom scenarios.
Core inovative concepts :
Ability to isolate certain byte strings, lock the offset you wish to use as reference, choose a particular unit and identify the value and possibly use this value to move by the value to a new position.
Historical bookmarking so that important data areas can be accessed later when referring to a particular stage of the analysis.
Ability to search for artefacts in damaged file systems and, by using the quick search features, create a virtual volume with estimated properties. The volume can alos be browsed as it is being repaired.
Automatic generation of colour coded combined with user defined bookmarks to support the explanation of findings and reverse engineering techniques
Provision of a detailled reporting system that can be used when comparing the results to the outputs of other forensic tools.
Strong objective-C classes used to analyse file systems and file system artefacts. These classes are not dependent of external algorithms, which is useful when crosschecking the results produced by other tools.
Used in a classroom, Tyrhex, provides visual support all logical structures that are embedded in file systems.
As reaction to latest terrorist attacks, and to support law enforcement efforts, Tyrhex becomes free.
- help now expanded, including all interface shortcuts and core concepts
- text reporting reviewed, including detailed report for data stream with allocation anomalies if any
- export text report to a text file using main menu
- exFAT "orphan" 32 bytes entries better handled
- blocks allocation checked when opening allocation details
- case file can now be open from the finder
- locked volume « Home » button allows to open straight root folder (NTFS, FAT, exFAT)
- enhanced file stream description in properties view
- MBR extended partition handled and Extend Boot Record automatically marked
- NTFS data runs color coded : compressed (red) and sparse (green)
- first FAT table location now automatically bookmarked for FAT16/32 and exFAT
- $Bitmap location now automatically bookmarked for exFAT and NTFS
- jump straight from one block to associated bitmap position and vice-versa
- FAT long file names now rebuild also for deleted entries
- exFAT fully implemented including bitmap allocation "file"
- exFAT deleted files can be recovered, including not overwritten fragmented ones
- enhanced exFAT entries detection on damaged volumes
- file system type detected or selected when analysing file entry shown in entry properties
- modification of allocated blocks for volumes « catalogs » file or file entries are now editable and stored. When modified, associated bookmark or volume entry is listed in red color
- when selecting an offset, existing bookmark and volume (if any) are automatically selected
Notes et avisTout afficher
Prend en charge
Jusqu’à six membres de la famille peuvent utiliser cette app lorsque le partage familial est activé.