Quick Reference Guide

The Forensic Explorer User Manual is available here: PDF User Manual

Quick reference guide:

» Activation

Activation - 30 day trial
The 30 day evaluation version is activated by a software key. Request a key here.
The evaluation version cannot be activated on a virtual machine.
PDF See Chapter 2 of the PDF user guide for step by step activation instructions.

Activation - Full Version
The full version of Forensic Explorer is activated by a USB hardware activation dongle only.
PDF See Chapter 5 of the PDF user guide for dongle activation instructions.

» Cancel a Process

Cancel a Process
Processes are tracked in the task processes list, accessed from any Forensic Explorer module in the bottom right hand corner of the main program screen.

Processes Window

To cancel a running process, click the cancel button. The cancel button terminates the running thread gracefully. If a thread cannot be canceled gracefully, the drop down arrow provides access to the terminate button, which kills the thread.

PDF See Chapter 7.4 of the PDF user guide for more information about canceling a process.

» Date and Time

Adjusting date and time when adding evidence
Date and time settings can be adjusted for each piece of evidence as it is added to a case. In the Evidence Module, as a device or image is added to the case, use the "Adjust Time Zone Settings" in the bottom section of the "Evidence Processor" window shown below:

Date and Time

Adjusting evidence date and time during a case
The time zone setting of evidence in a case is displayed in the Folders view of the File System module, next to the device or image.

To adjust date and time settings during a case, in the File System Folders view, right click on a device or a partition and select “Modify Time Setting…” from the drop down menu, as shown below:

Date and Time

Synchronizing time zones in a case
In a case involving multiple computers from different geographic locations, it may be advantageous for the investigator to synchronize time zones.

To synchronize time zones:

  1. In the File System module, right click on the case icon;
  2. Select modify time setting from the drop down menu, and apply the time to the case.

A case time setting has precedence over evidence time settings.

PDF See Chapter 19 of the PDF user guide for more information on date and time.

» Disk View

Disk View
Disk view is a graphical display of the sectors which make up the examined device. Use the right click "Goto" command to move the view to a specific sector.

Disk View

Disk View Key

PDF See Chapter 8.4 of the PDF user guide for more information about Disk view.

» Download

Download 30 day trial

A 30 day trial of Forensic Explorer is available here. The 30 day version has the following limitations:

  • Does not allow the saving of case files
  • Cannot export files from a case
  • Will expire after 30 days

Download Full Version
The Forensic Explorer full version, dongle activation only, is available for download here.

Download Mount Image Pro
Mount Image Pro is available for download as a separate application at www.mountimage.com.

» Export Files

Export Files
Files and folders can be exported from the File System module by using the right click "Export To" menu function. This operation can be performed on highlighted or checked files.

Export Files to L01
Files and folders can be exported from the File System module to an L01 evidence file using the right-click "Export To > Logical Evidence File" menu function. This operation can be performed on highlighted or checked files.

Export Files with a Script
The "Export File Types.pas" script enables the export of files based on extension. The script can be run either from the Scripts module or from the "Analysis Scripts" button in the File System module. It can easily be edited to add additional file types.

PDF See Chapter 9.7 of the PDF user guide for more information about exporting files.

» File Carve

File Carve
File carving is the identification and extraction of file types from unallocated clusters using file signatures.

Forensic Explorer has an inbuilt file carving engine capable of carving more than 300 file types. File carving is performed in the File System module. Click the "File Carve" button in the toolbar.

File Carve

Carving can be performed at three different levels:

  1. Cluster: Files will be carved if they are found on cluster boundaries.
  2. Sector: Files will be carved if they are sector aligned. This is the recommended search.
  3. Byte: This is a byte by byte search. Byte carving is only necessary for non cluster/sector devices such as mobile/cell phone image files.

Carve results are placed in the default folder "File Carve x" in the Folders view of the File System module.

File types can only be added to the supported file type list by GetData. If the required file type is not in the list, contact us to determine if it is possible to add it, or create your own carving script in the Scripts module.
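The three carve levels above differ only in the step size at which the engine looks for a file signature. The following is an added example, not Forensic Explorer's carving engine: a minimal signature carver for one file type (JPEG, using its real start and end markers) run over a constructed 16 KiB buffer in which the same small JPEG is placed at a cluster-aligned, a sector-aligned and an unaligned offset. The 4096-byte cluster size and the 64 KiB maximum carve length are assumptions for the example.

```python
"""Added example (not Forensic Explorer code): a minimal signature carver that
scans a raw buffer at cluster, sector and byte granularity, to show why the
three carve levels find different sets of files."""

SECTOR_SIZE = 512
CLUSTER_SIZE = 4096          # assumed cluster size for the constructed image
MAX_CARVE_LEN = 64 * 1024    # assumed upper bound on a carved file's length

# JPEG start-of-image / end-of-image markers (the one file type carved here)
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def build_sample_image() -> bytes:
    """Constructed 'unallocated space' holding three identical 46-byte JPEGs:
    one cluster aligned, one sector aligned only, one at an arbitrary offset."""
    jpeg = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER
    image = bytearray(4 * CLUSTER_SIZE)
    for offset in (0, CLUSTER_SIZE + 3 * SECTOR_SIZE, 2 * CLUSTER_SIZE + 100):
        image[offset:offset + len(jpeg)] = jpeg
    return bytes(image)


def carve(data: bytes, level: str) -> list:
    """Return (offset, length) for every header found at the chosen alignment.

    level: "cluster" tests only cluster boundaries, "sector" only sector
    boundaries, "byte" every offset (slowest, needed for non-sector devices).
    """
    step = {"cluster": CLUSTER_SIZE, "sector": SECTOR_SIZE, "byte": 1}[level]
    hits = []
    for offset in range(0, len(data) - len(JPEG_HEADER) + 1, step):
        if data[offset:offset + len(JPEG_HEADER)] != JPEG_HEADER:
            continue
        # Look for the footer within the allowed window after the header.
        window_end = min(len(data), offset + MAX_CARVE_LEN)
        end = data.find(JPEG_FOOTER, offset + len(JPEG_HEADER), window_end)
        if end == -1:
            continue   # header with no footer in range: not carved
        hits.append((offset, end + len(JPEG_FOOTER) - offset))
    return hits


def carve_offsets(level: str) -> list:
    """Offsets of the files each carve level recovers from the sample image."""
    return [offset for offset, _ in carve(build_sample_image(), level)]


if __name__ == "__main__":
    for level in ("cluster", "sector", "byte"):
        print(f"{level:8s}: {carve_offsets(level)}")
```

On the sample image the cluster pass recovers only the file at offset 0, the sector pass adds the file at 5632 (sector 11, which is not a cluster boundary), and only the byte pass finds the file at 8292. The same logic explains why byte carving is reserved for devices with no sector structure: it costs 512 times as many comparisons as the sector pass for the same data.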

PDF See Chapter 22.4 of the PDF user guide for more information about file carving.

» Filters

Folders Filter

A "Folders Filter" is a fast method to display folders and files that meet specified criteria. These filters are created in the Scripts module and saved in the Filters folder, in a sub-folder named for the module in which they are used. They are applied in a Folder Tree view, e.g. the Folders view in the File System module and the Registry Tree view in the Registry module. Use the drop down menu to select the desired filter.

Filter

PDF See Chapter 18 of the PDF user guide for more information about creating filters.

Text Filter Tool

The text filter tool is applied in a list view and allows instant text filtering on column data. To access the text filter tool, right click on a List view window and select "Text Filter Tool" from the drop down menu.

Text Filter

Date Filter Tool
The Date filter tool is applied to the items displayed in a list view and allows filtering by Created, Modified, and Accessed dates. To access the date filter tool, right click on a List view window and select "Date Filter Tool" from the drop down menu.

Date Filter Tool

PDF See Chapter 9.13-15 of the PDF user guide for more information about the Text and Date Filter tools.

» Gallery View

Gallery View
The default location of the Gallery view is in the right hand top window of the File System module. Gallery view provides a thumbnail view of graphics files that are contained within the currently selected folder. If the "branch plate" option in the Folders view is used, Gallery view is a fast way to examine all the graphics files in a case.

Gallery View

The default setting in Gallery view is to render 1 page of thumbnails either side of the currently displayed page. When a graphic is displayed, it is written to a cache file held in the case folder. To cache all graphics at once, right click in the gallery view window and select “Cache All Images”.

PDF See Chapter 8.5 of the PDF user guide for more information about Gallery view.

» GUI Customization

Customizing Screen Layouts
The Forensic Explorer interface can be customized by detaching modules or data views from the main program screen (for example, separating the Gallery View from the File System module). This is particularly useful when running a forensic workstation with two or more monitors. Custom layouts are saved by selecting the drop down menu arrow in the right hand corner of any data view, and selecting "Save Layout" from the following menu:

Customize Layout

Custom layouts are stored as .XML files in the "\[User Profile]\Documents\Forensic Explorer\Startup\" folder. PDF See Chapter 7 of the PDF user guide for more information about the Forensic Explorer GUI.

Reset to Default
To quickly return any screen layout to the default, access the drop down menu arrow in the right hand corner of any data view, and select the "Default Layout" option.

Tool-bars
Forensic Explorer tool-bars are created using scripts. Tool-bars are added to Forensic Explorer at start-up by the Start Up script ("\[User Profile]\Documents\Forensic Explorer\Startup\startup.pas"). The Start Up script provided with Forensic Explorer creates the default toolbars by calling other scripts in the "Common" script folder. Toolbar buttons can be customized by editing these scripts, or by scripting your own.

PDF See Chapter 18 of the PDF user guide for more information about scripting toolbars.

» Index Search

Forensic Explorer utilizes dtSearch technology (www.dtsearch.com) to index a case and enable real time keyword searching.

To create an index, switch to the Index Search module and click the New Index button. An index can be created on the entire case, or on checked files. The index is cached under the case folder. Please ensure sufficient disk space is available to create the index.

Boolean Search

The following operators can be used:

  • apple and pear - both words must be present
  • apple or pear - either word can be present
  • apple w/5 pear - apple must occur within 5 words of pear
  • apple not w/12 pear - apple must occur, but not within 12 words of pear
  • apple and not pear - only apple must be present
  • apple w/5 xfirstword - apple must occur in the first five words
  • apple w/5 xlastword - apple must occur in the last five words

Wildcards

The following wildcards may be used:

? matches any character
= matches any single digit
* matches any number of characters
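To make the proximity operators and wildcards concrete, here is an added example that is not dtSearch or Forensic Explorer code: a toy evaluator that tokenizes a constructed sentence, expands the three wildcards into a regular expression matched against whole words, and evaluates "w/N", "not w/N", "w/N xfirstword" and "w/N xlastword" on word positions. Treating "within N words" as a distance of at most N positions is an assumption of the example; the real engine's exact counting may differ.

```python
"""Added example (not dtSearch/Forensic Explorer code): a toy evaluator for the
index search proximity operators and wildcards, run over a constructed document."""
import re
from typing import List

# Constructed sample text; word positions are counted from 0 after tokenizing.
DOC = "The apple fell near the old pear tree while invoice 2023 was filed"


def tokenize(text: str) -> List[str]:
    """Lower-case word tokens, the unit the proximity operators count in."""
    return re.findall(r"\w+", text.lower())


def wildcard_to_regex(term: str):
    """'?' -> any one character, '=' -> any one digit, '*' -> any run of characters.
    The pattern is anchored so it must match a whole word."""
    parts = []
    for ch in term.lower():
        if ch == "?":
            parts.append(".")
        elif ch == "=":
            parts.append(r"\d")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def positions(tokens: List[str], term: str) -> List[int]:
    """Word positions at which the (possibly wildcarded) term occurs."""
    pattern = wildcard_to_regex(term)
    return [i for i, tok in enumerate(tokens) if pattern.match(tok)]


def within(tokens: List[str], a: str, b: str, n: int) -> bool:
    """a w/n b: some occurrence of a lies within n words of some occurrence of b."""
    pa, pb = positions(tokens, a), positions(tokens, b)
    return any(abs(i - j) <= n for i in pa for j in pb)


def not_within(tokens: List[str], a: str, b: str, n: int) -> bool:
    """a not w/n b: a occurs, and no occurrence of a lies within n words of b."""
    return bool(positions(tokens, a)) and not within(tokens, a, b, n)


def in_first_words(tokens: List[str], a: str, n: int) -> bool:
    """a w/n xfirstword: a occurs among the first n words."""
    return any(i < n for i in positions(tokens, a))


def in_last_words(tokens: List[str], a: str, n: int) -> bool:
    """a w/n xlastword: a occurs among the last n words."""
    return any(i >= len(tokens) - n for i in positions(tokens, a))


if __name__ == "__main__":
    toks = tokenize(DOC)
    print("apple w/5 pear      ->", within(toks, "apple", "pear", 5))
    print("apple not w/12 pear ->", not_within(toks, "apple", "pear", 12))
    print("apple w/5 xfirstword->", in_first_words(toks, "apple", 5))
    print("inv* / ==== / app?e ->", positions(toks, "inv*"),
          positions(toks, "===="), positions(toks, "app?e"))
```

In the sample sentence "apple" is at position 1 and "pear" at position 6, so "apple w/5 pear" is true while "apple w/4 pear" is not, and "apple not w/12 pear" is false because the two words are only five apart. The "=" wildcard is what lets a single term such as "====" pick out any four-digit number, which is why it is worth keeping separate from "?" when hunting for years, PINs or account fragments in an index.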

PDF See Chapter 13 of the PDF user guide for more information about Index Search.

» Investigator Database

Investigator Database
Forensic Explorer records activity in a case by assigning an investigator when a case is created or opened. This is primarily used for case logging purposes.

Investigators are identified by a unique investigator ID (GUID). Investigator details are stored in the case file and will be transferred with the case file if it is moved from one analysis computer to another.

Investigators details are also saved into a local database to ensure that they are automatically available in a drop down list for future cases. The default location for this database is: C:\Users\[profile]\Documents\Forensic Explorer\DataBases\LocalInvestigator.rsv.

To edit the local investigators database click on the Forensic Explorer drop down menu and select the "Investigators..." menu option, shown below:

Investigators

» Keyword Search

A keyword is a user created search expression. A keyword can be a simple text, a regular expression (RegEx), or hexadecimal. A keyword search is a search for that data.

The Keyword Search module is broken down into the following four areas:

Keyword Search

  1. Keyword Management: Used to create and manage keywords and keyword groups;
  2. Keyword Tree: Lists the search results for each keyword, including the number of keyword hits;
  3. Keyword Result List: Lists the files containing the keyword hits and previews the text around the keyword;
  4. Data Views: Displays the file in which the keyword hit/s was found.

To add a keyword

  • Click on the “Add Keyword” icon in the “Keyword Management” window (if the Keyword icon is inactive, highlight the “Keywords” folder in the “Keyword Name” window); or,
  • Right-click in the Keyword Management window and select “Add Keyword”; or,
  • A keyword can be added from any module by pressing the “CTRL” and “N” keys.

To import a keyword list

A simple keyword list is created in the following format:

;This is a comment that is not imported
[Keyword Group Folder Name]
keyword1
keyword2
keyword3
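The list format above is simple enough to generate from other tooling (for example, a list of indicators exported from a case management system) before it is imported. The following is an added example, not Forensic Explorer code, that parses the format into groups and writes it back out; the rule that keywords appearing before any "[group]" line go into a default "Keywords" group is an assumption of the example, as is the sample list itself.

```python
"""Added example (not Forensic Explorer code): parse and write the simple
keyword-list import format (';' comment lines, '[group]' headers, one keyword
per line)."""
from typing import Dict, List, Optional

# Constructed sample in the format described on the page.
SAMPLE_LIST = """\
;Example list (comment lines are not imported)
[Financial]
invoice
wire transfer
[Email Addresses]
john.doe@example.com
;surrounding whitespace is trimmed from each keyword
  jane.roe@example.com
"""


def parse_keyword_list(text: str, default_group: str = "Keywords") -> Dict[str, List[str]]:
    """Return {group folder name: [keywords...]} in file order.

    Keywords that appear before the first '[group]' line are placed in
    default_group (an assumption of this example, not documented behaviour).
    """
    groups: Dict[str, List[str]] = {}
    current = default_group
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment: not imported
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new keyword group folder
            groups.setdefault(current, [])
            continue
        groups.setdefault(current, []).append(line)
    return groups


def write_keyword_list(groups: Dict[str, List[str]], comment: Optional[str] = None) -> str:
    """Serialize groups back into the import format, optionally with a leading comment."""
    lines: List[str] = []
    if comment:
        lines.append(";" + comment)
    for name, keywords in groups.items():
        lines.append(f"[{name}]")
        lines.extend(kw.strip() for kw in keywords if kw.strip())
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_keyword_list(SAMPLE_LIST)
    print(parsed)
    print(write_keyword_list(parsed, comment="generated keyword list"))
```

Because the import format has no per-keyword type marker, a list produced this way is imported as plain keywords; regular expressions or hex keywords entered this way should be checked in the Keyword Management window after import.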

Writing RegEx Expressions

The following are basic syntax options for RegEx expressions:

\wFFFF Unicode character
\xFF Hex character
. Any character
# Any number [0-9]
? Repeat zero or one time
+ Repeat at least once
[A-Z] A through Z
* Repeat zero+ times
[XYZ] Either X, Y, or Z
[^XYZ] Neither X nor Y nor Z
\[ Literal character
(ab) Group ab together for ?, +, *, |
{m,n} Repeat m to n times
a|b Either a or b


PDF See Chapter 12 of the PDF user guide for more information about keyword searching.

» Live Boot

Live Boot
Live Boot is a feature introduced in Forensic Explorer v3. Live Boot utilizes Mount Image Pro (included with a Forensic Explorer purchase) and VMware or VirtualBox to boot a forensic image file for fast and reliable access to the virtual environment of a suspect's computer. It is also possible to create a deployable Live Boot session that does not require FEX or MIP on an examination computer.

PDF Click here for more information, or see Chapter 27, Live Boot, of the PDF user guide.

» Maintenance

Maintenance Guarantee
Current maintenance provides access to the latest version (no major version release fees!).

Initial 12 Months
Your purchase includes 12 months Forensic Explorer maintenance and support from the date of purchase. When the maintenance for a dongle has expired, Forensic Explorer will continue to work, however you may only use the latest available version prior to the expiration of your maintenance period.

Additional Maintenance
Additional maintenance can be added in the shopping cart at the time of purchase, or purchased here.

Apply Maintenance
Follow the guide here, or PDF see Chapter 5.2 of the PDF user guide.

» Mount Image Pro

Your purchase of Forensic Explorer includes Mount Image Pro. Mount Image Pro is software that mounts a drive or forensic image file as a drive letter under Windows.

Mount Image Pro is available for download as a separate application at www.mountimage.com. More information on its use is available at that website.

» Multiple Core Priority

Setting Processing Priority

Forensic Explorer is designed to use multiple CPU cores to process resource intensive tasks. This includes data carving, keyword searching and file hashing.

Multiple core use is set using the "Priority" drop down menu, shown below. Priority "Low" is single core processing.

Multiple Core Priority

The speed of multiple-core processing is influenced by computer hardware. Multiple-core processing on some hardware configurations may lead to a data bottleneck and as a result be slower than single core processing. It is recommended that users test the speed of their hardware to ensure maximum processing speed.

» Orphaned

Orphaned Folders

The "Orphaned" folder appears in the Folders view of the File System module. Orphans are deleted folders and files for which the original parent folder is unknown. From the investigator's perspective, an orphaned file can be treated in an investigation the same way as any other deleted file. The only difference is that it is no longer possible to determine the location of the file or folder within the directory structure prior to deletion.

Orphaned

» Preview

The preview button in the Evidence module allows the investigator to quickly preview a device, image or registry file without first creating a case.

Preview

The investigator can choose to save the preview at any time and create the case at that point.

PDF See Chapter 10.1 of the PDF user guide for more information about previewing.

» Purchase Questions

When you purchase Forensic Explorer you receive:

  • A Wibu Codemeter USB hardware activation dongle that activates Forensic Explorer and Mount Image Pro;
  • 12 months maintenance and support.

Shipping of the dongle is by courier (destination taxes, customs duties or tariffs are the responsibility of the purchaser). Courier tracking details are provided. If you prefer to use your own courier service please contact us at the time of your purchase with the details.

A purchase can be made through a reseller. Contact us for a list of authorized re-sellers.

» Recover Folders

Recover Folders
“Recover Folders” is a method of searching unallocated clusters to find deleted or missing folders and their content. Recover Folders will often locate multilevel folder and sub folder structures and make them visible to the investigator within the File System module. For this reason it is recommended that a Recover Folders search be one of the first tasks undertaken by an investigator in a new case.

A Recover Folders search is a search of unallocated clusters for fragments of file and folder structure.

To run a Recover Folders search, click the Recover Folders button in the File System module. A search can only be conducted on an existing partition. Select the partition from the drop down menu and the type of file system folders for which to search.

Recover Folders

The results of a Recover Folders search are added to the File System module Folders view in the “Folder Carve X” folder.

PDF See Chapter 22 - Data Recovery, of the PDF user guide for more information about Recover Folders.

» RegEx

Writing RegEx Expressions

Regular expressions are used in keyword and registry searching. The following are basic syntax options for RegEx expressions:

\wFFFF Unicode character
\xFF Hex character
. Any character
# Any number [0-9]
? Repeat zero or one time
+ Repeat at least once
[A-Z] A through Z
* Repeat zero+ times
[XYZ] Either X, Y, or Z
[^XYZ] Neither X nor Y nor Z
\[ Literal character
(ab) Group ab together for ?, +, *, |
{m,n} Repeat m to n times
a|b Either a or b

» Registry Analysis

The Forensic Explorer Registry Module is used to examine registry files and parse registry keys.

Add Registry Files
Stand alone registry files are added to a case using the "Add File" button in the Evidence module. Alternatively, a registry file can be added directly from the File System module by right clicking on the file and using the "Send to Module" option.

Parse Registry Keys
The default Registry Module toolbar buttons utilize the "Registry Key Processor" script to extract and process key data. The script uses a RegEx search command to locate relevant keys. It can easily be customized if required.

PDF See Chapter 15 of the PDF user guide for more information about examining registry files.

» Reports

The Reports module enables the automatic generation of reports using the data stored within a case.

PDF See Chapter 17 of the PDF user guide for more information about Reports.

» Save a Case

There are two methods to save a case:

1. Use the SAVE button in the Evidence module;

Save Case

2. Use the "Save Case" option in the Forensic Explorer drop down menu;

Forensic Explorer Menu

Case files are stored in the following path: ..\User\Documents\Forensic Explorer\Cases\[Case Name]\

PDF See Chapter 10 of the PDF user guide for more information about working with cases.

» Shadow Copy

The ability of Forensic Explorer to easily access and explore Volume Shadow Copies (VSCs) offers the forensic investigator fast access to previous versions of files and volumes in an investigation.

To locate shadow copies, click the "Shadow Mount" icon in the File System module toolbar.

Shadow Mount Button

The Volume Snapshot Mount window will open showing the available shadow copies.

Shadow Mount

Select the required shadow copy and click OK to add the content to the File System module. Once processed, the mounted volume appears in the file system with a shadow copy icon, as shown below:

Shadow Mount

PDF See Chapter 24 of the PDF user guide for more information about working with shadow copies.

» Verify a Hash

To verify a device or image hash:

  1. In the Evidence module, start a new case or preview. Click the Add Device, Add Image, or Add File button to add evidence. In the Evidence Processor window, check the option to "Verify Device Hashes". The hash is then calculated as part of the add process.

  2. When the hash is calculated, the hash value is written to the Evidence tab of the Evidence module (shown below), as well as to the "Hash" column of the File System module as metadata for the device.

Hash Values

PDF See Chapter 20 of the PDF user guide for more information about hashing.
