File Explorer

AIR can be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in either the RAW (dd), EWF (E01/Ex01), VHD/X, or VMDK formats.

The forensic image can be added from your SMB, SFTP, Amazon S3 bucket, Azure Blob storage, or Google Cloud Storage to AIR as a new asset in a simple three-step process:

• 1. From the Main Menu, select Assets, then select Disk Images from the Secondary Menu. Click the '+ Add New' button:

• 2. Select your connected repository and then select the first segment of the RAW, EWF or VMDK file you wish to mount and explore:

• 3. Select ‘Create Asset’:

Next, select your new asset from the Assets table to launch the AIR File Explorer. The asset’s directory structure will appear in the secondary menu (highlighted below), allowing you to browse and select individual files for inspection in Hex, Text, or Metadata views.

A file can be selected with a right-click to download it locally or calculate its hash values.

Advanced filters can be applied to filter the files displayed.

File Explorer - Calculate Hash for disk images

Navigating to the root of the Device Name in the breadcrumb path opens the Asset Info page for the mounted disk image:

• When a disk image is added as an asset to AIR, users can now calculate the hash value of that image file either through the Asset Actions button or from the Disk Image Details window.

• MD5, SHA1, and SHA256 are all calculated simultaneously.

• This hash function can be carried out at any time.

File Explorer - Recursive Search

• Recursive searching is now possible in the AIR File Explorer via the Global Search box, where the File Explorer tab will display any hits found in the File Explorer.

This is just the beginning of our File Explorer project - many more features are planned, and your feedback is most welcome.