File Explorer
AIR can be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in either the RAW (dd), EWF (E01/Ex01), VHD/X, or VMDK formats.
The forensic image can be added from your SMB, SFTP, Amazon S3 bucket, or Azure Blob storage to AIR as a new asset in a simple three-step process:
1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

2. Select your connected repository and then select the first segment of the RAW, EWF or VMDK file you wish to mount and explore:

3. Select ‘Create Asset’:

The image must be supplied to AIR from your SMB, SFTP, Amazon S3 bucket, or Azure Blob storage evidence repositories; segmented files are supported.

Next, select your new asset from the Assets table to launch the AIR File Explorer. The asset’s directory structure will appear in the secondary menu (highlighted below), allowing you to browse and select individual files for inspection in Hex, Text, or Metadata views.

A file can be selected with a right-click to download it locally or calculate its hash values.
Advanced filters can be applied to filter the files displayed.
File Explorer - Calculate Hash for disk images
Navigating to the root of the Device Name in the breadcrumb path opens the Asset Info page for the mounted disk image:

When a disk image is added as an asset to AIR, users can now calculate the hash value of that image file either through the Asset Actions button or from the Disk Image Details window.
MD5, SHA1, and SHA256 are all calculated simultaneously.
This hash function can be carried out at any time.
File Explorer - Recursive Search
Recursive searching is now possible in the AIR File Explorer via the Global Search box, where the File Explorer tab will display any hits found in the File Explorer.
This is just the beginning of our File Explorer project - many more features are planned, and your feedback is most welcome.
Last updated
Was this helpful?