dfirOS

A modern digital forensics platform.

A digital forensics platform for examining disk images and mobile device backups. Built for forensic examiners, incident responders, and cybersecurity professionals.

macOS · Windows
dfirOS — MFT record parsing with hex view, structure breakdown, and NTFS file browser
dfirOS — Analysis tab with 180+ artifact scanners, MFT Timeline, Event Logs, and file activity
dfirOS — iOS artifact analysis with KnowledgeC App Usage, communication, location, and media scanners
180+
Artifact Scanners
30+
Format Previews
6
File Systems
4
Report Templates

Open Any Evidence

E01, AFF4, raw disks, mobile backups, and more.

Disk Images

EnCase E01, AFF4, raw/dd, DMG, and ISO disk images with automatic file system detection.

Mobile Evidence

iTunes backups, tar.gz archives, zip files, and folder structures. iOS and Android evidence.

File Systems

NTFS, APFS, HFS+, ext4, FAT32, and exFAT with MBR, GPT, and Apple Partition Map support.

Encryption

BitLocker, FileVault, and encrypted iTunes backup decryption built in.

Browse and Search

Navigate evidence at scale.

Virtual-Scrolled Browser

File browser supporting 500,000+ files with instant scrolling and navigation.

Full-Text Search

Search across all files in an image. Find what you need without manual browsing.

Deleted File Recovery

Recover deleted files and detect alternate data streams hidden in the evidence.

Hex Viewer

Paginated hex view with instant navigation and click-to-highlight offset linking.

30+ Format Previews

Parse and render forensic formats natively.

Windows

Registry hives, EVTX event logs, Prefetch, ESE databases, OLE/CFB documents, LNK shortcuts, MFT records, PE executables, and certificates.

Databases

SQLite with blob drill-down. Automatic plist, protobuf, and JSON detection inside blobs.

macOS & Mobile

Plist files, FSEvents, EXIF metadata, EML emails, and more.

180+ Forensic Artifact Scanners

Automated extraction across Windows, macOS, iOS, and Android.

Windows

Registry, Event Logs, Prefetch, USN Journal, BAM, Services, Scheduled Tasks, Jump Lists, Recycle Bin, BITS, UserAssist, Thumbcache, WMI, ETL.

macOS

Safari, Notes, Call History, iCloud Drive, QuickLook, Launchpad, Screen Time, FSEvents, KnowledgeC, Notifications.

iOS & Android

SMS, Contacts, Call Logs, Photos, Location, Apps, Telegram, WhatsApp, Signal.

Cross-Platform

Chrome, Firefox, Edge history and downloads. Shell history and other shared artifacts.

AI-Assisted Analysis

Ask questions about your evidence.

Multi-Provider

Built-in support for Anthropic, OpenAI, Google, and local Ollama models.

Context-Aware

Queries with file content, artifact data, and forensic knowledge. "Explain with AI" on any artifact row or timeline event.

Professional Reports

Document findings. Export anywhere.

Report Builder

Drag-and-drop builder with markdown editing. In-app screenshots and GIF recording.

Export Formats

HTML, PDF, DOCX, and JSON. Four templates: Standard, Incident Response, Malware, Mobile.

How It Works

1

Open

Load an E01, raw image, mobile backup, or folder.

2

Analyze

Browse files, scan artifacts, parse formats, ask AI.

3

Report

Export findings to HTML, PDF, DOCX, or JSON.

Stay in the loop

New features, formats, and updates to dfirOS.

You're on the list. We'll be in touch.

Pricing

$49.99
per year