Works on Mac and Windows. (Need a Linux version? Please contact us.)
Browse connected disks and image files to identify all partitions on them.
Write a Report file in CSV format listing all files and folders in an easy-to-browse manner.
Browse directories of every APFS partition.
Copy all files or select folders to a local disk.
Write an SQLite database containing all metadata (filename, path, dates, permissions, etc.) for detailed analysis.
The CSV Report file lets you search the metadata of every file in a spreadsheet program such as Microsoft Excel or Apple's Numbers.
The SQLite Report file gives you even more control over all APFS metadata because it's organized the same way as the on-disk APFS directory structures, giving you individual access to every named key, inode, xattr and extent record, including CNIDs and block numbers. This enables you to perform powerful searches for hardlinks, cloned file content and other relatioships the flat CSV file can't offer. You can even use this information to access every file extent on disk yourself, e.g. for integration into other forensic toolkits, such as TheSleuthKit.
A major goal is to unlock decrypted volumes (provided the recovery key or password is known, of course).
Many more options are possible: Search, file preview, scripting. Let us know what you require and we'll see what can be done.
firstname.lastname@example.org (Thomas Tempelmann)
Are you a blogger, journalist or other influential person in this field? Contact me for a free license.