Introduction
Blade® is a Windows-based, advanced professional forensic data recovery solution designed by Digital Detective. It supports professional module plug-ins which give it advanced data recovery and analysis capabilities as well as Intelli-Carve® technology for accurate data recovery and validation. Blade supports all of the major forensic image formats and is more than just a data recovery tool. The professional modules have in-built validation and interpretation routines to assist with accurate data recovery. Some of the standard profiles also have Intelli-Carve® validated routines (such as the JPEG recovery module).
The software has been designed for extremely fast/accurate forensic data recovery. Not only is it highly effective in the pre-analysis stage of a forensic examination, it can be quickly configured to recover bespoke data formats. It has specifically been written for the field of Digital Forensics.
What does it do?
Blade can:
- Processes supported bit-stream for Browser artefacts
- Recover deleted records and files
- Native support for Expert Witness E01 image files
- Native support for Advanced Forensic Format (AFF)
- Native support for sector level processing of:
- Physical devices (such as hard disks)
- Logical devices (such as hard disk volumes or removable device)
- Memory dumps
- Export data in a format that can be imported into NetAnalysis for forensic review / analysis
Sources of Evidence
Blade can recover data from a number of different file system artefacts such as:
Blade supports a number of forensic image and output file formats. The following table presents a summary of the supported file types.
Supported Forensic Image Formats |
EnCase® v1 - 8 Image File (EVF / Expert Witness Format) | *.e01 |
EnCase® v7 - 8 Image File (ex01) | *.ex01 |
AccessData® FTK Image Files | *.e01, *.001, *.s01 |
Advanced Forensic Format (AFF®) | *.aff;*.afd,*.afm |
Logicube Forensic Dossier® E01 | *.e01 |
SMART/Expert Witness Image File | *.s01 |
X-Ways Forensics Image File | *.e01 |
VMWare Virtual Disk File | *.vmdk |
Virtual Hard Disk File | *.vhd |
Segmented Image Unix / Linux DD / Raw Image Files | *.000, *.001 |
Single Image Unix / Linux DD/Raw Image Files | *.dd; *.img; *.ima; *.raw |
Memory Dumps | *.dmp; *.dump; *.crash; *.mem; *.vmem; *.mdmp |
Binary Dumps | *.bin; *.dat; *.unallocated; *.rec; *.data; *.binary |
Micro Systemation Extraction File | *.xry |
Table 1
Sector Level Access to Physical / Logical Devices
Blade can search any binary file for supported recovery profiles and also supports direct sector level access to Physical and Logical devices. This allows the user to employ hardware / software write blockers and to recover data directly from a disk or external media.
Blade uses an overlap process when reading a source to ensure that data is recovered on block boundaries.