AIR File Explorer

AIR can be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in either the RAW (dd), EWF (E01/Ex01) or VMDK formats.

The forensic image can be added from your SMB, SFTP, or Amazon S3 bucket to AIR as a new asset in a simple three-step process:

• 1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

• 2. Select your connected repository and then select the first segment of the RAW, EWF or VMDK file you wish to mount and explore:

• 3. Select ‘Create Asset’:

The next step is to select your new asset and 'File Explorer' from the secondary menu:

Now you can browse the asset’s directory structure which is now expanded in the secondary menu (highlighted below) and then go on to select individual files for closer inspection:

A file can be selected with a right-click to download it locally or calculate its hash values.

Advanced filters can be applied to filter the files displayed.

File Explorer - Calculate Hash for disk images

• When a disk image is added as an asset to AIR, users can now calculate the hash value of that image file either through the Asset Actions button or from the Disk Image Details window.

• MD5, SHA1 and SHA256 are all calculated simultaneously.

• This hash function can be carried out at any time.

File Explorer - Recursive Search

• Recursive searching is now possible in the AIR File Explorer via the Global Search box where the File Explorer tab will display any hits found in the File Explorer.

This is just the beginning of our File Explorer project - many more features are planned and your feedback is most welcome.