FI TOOLS has been replaced by Dark Data Detective, which is a superset of features and usability. This page remains as a reference to this legacy product.
We’ve merged our File Investigator technology with the DOS Directory command, to search for files by their File Type, Contents, Operating System Platform, Data Storage Method, File Attributes, plus more. Forget using file extensions, now you can search for files intelligently and output the results to a spreadsheet for detailed review.
The Summary screen shows the usage syntax, versions of the included libraries as well as a list of the Legal Hash Databases that are loaded. The screen shot on the left (click the image to enlarge) shows that we identify thousands of different file types (listed as the number of entrees in the Descriptions Database). At the bottom of the screen, there is a list of the other help screens that are available.
The Display Options screen provides you with the commands available for controlling the output formatting of your search results. You can control the size of each column individually, or use one of the preconfigured sets of columns (ex: /VD or /VM). With the /RT command, File Investigator Directory for Windows creates a report containing the statistics of all the different file types and categories found.
The Filter Options screen has commands that provide the ability to filter your search results by File Type, Platform/OS, Storage Method, Content Type and Accuracy level that File Investigator is able to achieve on each file. Using the /I command filters out all files with a file extension known to belong to their file type.
The Configuration Options screen has commands that calculate hash values, fix bad filenames and wrong file extensions as well as select the Identification Stages used. Using the /NM command, you can rename files using metadata found inside them. This is useful when recovering files from a damaged hard drive that resulted in a large number of files losing their original file names.
The Usage Examples screen list a number of example for how you can mix and match commands to produce the exact output that you need. It includes everything from removing the header & footer text and adding comma delimiters between fields for importing into a spreadsheet to sorting the files by a select column.
Here’s an example of what you will see when you simply run FIWDIR.EXE without any command line parameters other than the path and filespec. Three columns are provided: Filename+Ext, Attributes and Description. The Filename+Ext column shows the long filenames and any Alternate Data Streams (ADS) hiding behind them. The Attributes column shows the usual Archive, Directory, Read-Only, Hidden & System file attributes as well as ‘N’ for NTFS ADS files. The Description is a name for the true file type that File Investigator has identified each file as.
Here’s another example of using FIWDIR.EXE on a set of files, and adding the /VD command to show the Descriptions and Details columns. The first column is the DOS Filename (which displays the shortened 8.3 filename) in order to limit the filename to 12 characters. After that comes the same Description column as in the last example, then the Numbers Metadata Summary column. This last column combines the individual numbers metadata columns into a single field for a quick summary. Using the /Vn command, you can resize any of the 109 columns to customize the display to best fit your needs.
fiwdir.exe C:\test\*.* /C /VM >C:\fiwdir8.csv
/VM expands all columns to their maximum width and /C surrounds all fields with quotes and separates them with commas.
fiwdir.exe C:\test\*.* /C /VM /ST0 /HCC /HC4 >C:\fiwdir8a.csv
/ST0 instructs File Investigator to compare each file’s hash codes to external legal hash databases before using the rest of our file analysis stages. You will see some files identified as Legal Hash Database(s) Match rather than the detailed description that we typically provide. The /HCC and /HC4 instruct File Investigator to calculate the CRC-32 and MD4 hash codes for every file. Notice that most files had Checksum and Hash values calculated, because the loaded legal hash databases required those values for identification. Three files were a match for these databases, and were given the description “Legal Hash Database(s) Match (Good)”. This means that they are known good files that belong to the software package listed as a “Source” in the extracted Text Metadata values. Those same files did not get their Checksum & MD4 hash values calculated, because they weren’t required to match with the legal databases that they were located in.
This is a Report on the statistics collected while analyzing a typical hard drive with MS Windows XP and a number of other applications installed. When you want a preview of a hard drive, before you start your investigation, this report will give you an overview of the types of files and data you will be searching through. The command line used was:
fiwdir.exe c:\*.* /D /RTc:\fiwdir9.txt /S
/D instructs File Investigator to recursively scan directories for directory, file and size totals. /RT is the report command, which is followed by the name of the file to create for the report. /S is used to recurse through subdirectories when searching for files to analyze.
In this report, you will notice that 98% of the 183,793 files were identified with 90% or higher accuracy. That is unprecedented in the Electronic Discovery industry. The files being analyzed take up 73 GB, and the whole process completed in 2 hours and 23 minutes.
Feel free to try this product before you buy it. A registration key is required for the trial period. Purchase a perpetual license and receive 1 year of quarterly updates and support. We are constantly adding more, and improving existing, file types in our products.
All of these features may also be added to your own product(s), with the File Investigator OEM API Kit.