Main Screen

This screen shows a forensic data recovery in progress.  To start, the forensic investigator simply selects the Data Source, Output Folder and which file types he/she wishes to recover. 

Further options allow the Block Size to be set and the number of files to be written out per folder.  With image files where the block size has been set prior to the evidential capture, the block size will be automatically set by Blade.  It is recommended that with physical/logical devices or flat file dd images, the Block Size is set to at least 512 sectors.  This ensures a fast recovery.

With Professional Module recovery, only one type can be selected at a time.  There is no restriction with normal forensic data recovery.

Personal Signature Database

The Personal Signature Database is where the forensic investigator will store his/her custom settings for bespoke data recovery.

The forensic investigator can set custom file header information using powerful regular expression syntax for fast/accurate data recovery.

Blade ships with many of the standard data types already pre-programmed ready for performing forensic data recovery out of the box.

AOL (PFC) Email Recovery This screen shows an email which has been extracted and reconstructed.  One of the issues faced by a forensic investigator when dealing with AOL email is the fact that the body and much of the text of the email may be compressed.  Searching across a hard disk for keywords contained within AOL email messages will fail because of this.  With the AOL Professional Module, any live or deleted individual email messages are recovered, decompressed and reconstructed and presented in a similar format to the original email message.  These messages can then be searched using traditional methods. This module will also recover additional data which is not recovered by the current tools on the market (such as hidden/embedded date/time stamps).  It is the only software available today which can recover AOL email messages directly from an Encase® image. The output from the software also allows the forensic investigator to identify the exact physical sector and sector offset of the evidence on the original disk.

E01 Image Converter This screen shows the module properties for the E01 Image Converter.  This Professional Recovery Module is FREE with the purchase of any Blade Professional Module.  The E01 Image Converter will take any Expert Witness source image and convert it into a single or segmented flat file image.  The module also has the option to MD5/SHA1 the output and compare it with the hashes embedded within the original image file.  The converter will work with e01 images from Encase® v1-6, SMART (s01) or FTK Imager. Additional settings allow the user to select a single flat file image with whatever extension is required; or, a segmented image type with the segment length set to whatever length suits the current purpose. If MD5 / SHA1 hashing is selected, the data is hashed as it is output and then compared against the embedded hashes within the original image. Embedded metadata from the original image is output to the audit log during the conversion.

    

Link File Deconstructor This screen shows the module properties for the Link File Extractor and Deconstructor.  From this screen, the user can select the output format to review the evidence.  The variety of export formats allow the data to easily be imported into a number of different applications for review and analysis. The user can also decide whether he/she wishes the link files from the original source to be written out.  The output contains a full audit trail allowing the forensic examiner to identify exactly where the link evidence was found in the source data.