File Explorer

AIR can be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in RAW (dd), EWF (E01/Ex01), VHD/X, or VMDK format.

A forensic image held on your SMB, SFTP, Amazon S3 bucket, or Azure Blob storage can be added to AIR as a new asset in a simple three-step process:

  1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

File Explorer: Add a Disk Image

  2. Select your connected repository and then select the first segment of the RAW, EWF or VMDK file you wish to mount and explore:

File Explorer: Select the first segment of an image file from the evidence list

  3. Select ‘Create Asset’:

File Explorer: Create Asset

File Explorer: Compatibility chart

Tool Tip for File Explorer users:

  • Ex01 and E01 Images: These are accessible immediately in File Explorer. Using AIR to generate Ex01 files avoids the need to unzip files in the Evidence Repository.

  • DD Images: Generated in a zip file by AIR. To access, connect to the Evidence Repository, unzip the zip file, and then mount or explore the image in File Explorer.

Next, select your new asset from the Assets table to launch the AIR File Explorer. The asset’s directory structure will appear in the secondary menu (highlighted below), allowing you to browse and select individual files for inspection in Hex, Text, or Metadata views.

File Explorer: Directory Tree displayed in Secondary Menu

Right-click a file to download it locally or calculate its hash values.

Advanced filters can be applied to narrow the files displayed.

File Explorer: Calculate Hash for disk images

Navigating to the root of the Device Name in the breadcrumb path opens the Asset Info page for the mounted disk image:

File Explorer: Asset Info
  • When a disk image is added as an asset to AIR, users can now calculate the hash value of that image file either through the Asset Actions button or from the Disk Image Details window.

  • MD5, SHA1, and SHA256 are all calculated simultaneously.

  • The hash calculation can be run at any time.

File Explorer: Hash Calculation
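
To check independently that an image file in the Evidence Repository still matches the MD5, SHA1, and SHA256 values recorded for it, all three digests can be computed in a single read pass outside AIR. The Python below is an added example, not Binalyze code; the function names and the three-byte sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

def hash_image(path, chunk_size=4 * 1024 * 1024):
    """Read the image once and feed every chunk to all three digests."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        # Chunked reads keep memory flat even for multi-terabyte images.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}

def mismatched(computed, recorded):
    """Return the algorithms whose recorded value differs from the computed one."""
    bad = []
    for name, value in recorded.items():
        expected = value.strip().lower()  # tolerate upper case and stray spaces
        if name not in computed or not hmac.compare_digest(computed[name], expected):
            bad.append(name)
    return bad

def demo():
    """Hash a constructed 3-byte stand-in for an image (not real evidence)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dd") as tmp:
        tmp.write(b"abc")
        path = tmp.name
    try:
        # A tiny chunk size forces several reads, exercising the streaming path.
        return hash_image(path, chunk_size=2)
    finally:
        os.remove(path)

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A non-empty list from `mismatched` means the file differs from what was recorded and should be re-acquired or investigated before analysis continues.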
  • Recursive searching is now possible in the AIR File Explorer via the Global Search box; any hits found in the File Explorer are displayed on the File Explorer tab.

File Explorer: Recursive Search

This is just the beginning of our File Explorer project - many more features are planned, and your feedback is most welcome.
