Click to collapse/expand
Although already useful in specific forensic investigation scenarios, the project is still far from complete. The current version serves as a foundation for what will eventually become a much more powerful, versatile, and feature-rich forensic analysis tool.
DataDetective is a Python-based tool designed to extract, analyze, and interpret forensic evidence from EWF disk images and raw storage dumps. It aims to provide investigators with a reliable and efficient method to uncover critical data for forensic analysis.
- Linux (Tested on Debian GNU/Linux 12 Bookworm, but should work on other distributions).
- Python 3 (latest stable version recommended).
- The Sleuth Kit (TSK) - Essential for forensic disk analysis.
- RegRipper - Critical for extracting Windows registry artifacts.
curl -O https://github.com/franckferman/DataDetective/blob/stable/src/DataDetective/DataDetective.pygit clone https://github.com/franckferman/DataDetective.git- Go to GitHub repo.
- Click
<> Code→Download ZIP. - Extract the archive to your desired location.
Once installed, you can start using DataDetective with the following commands:
❔ Get Help:
python3 DataDetective.py -h⚖️ Check Image Integrity:
python3 DataDetective.py -i image.ewf --check-image📋 List Image Partitions:
python3 DataDetective.py -i image.ewf --show-partitions📁 List Partition Files:
python3 DataDetective.py -i image.ewf --show-files
python3 DataDetective.py -i image.ewf --show-files -r # Recursive listing🗂️ Show a Specific Directory:
python3 DataDetective.py -i image.ewf --show-dir /path/to/directory🔎 Extract Data:
python3 DataDetective.py -i image.ewf -e ALL -o /path/for/outputThis project is licensed under the GNU Affero General Public License, Version 3.0. For more details, please refer to the LICENSE file in the repository: Read the license on GitHub
