Navigating the Digital Realm with Code and Security – Where Programming Insights Meet Cyber Vigilance. | The end is the beginning
IHA089
Toolkit: Forensics & Incident Analysis / File Carving Tools
Foremost

Foremost is the classic header-footer carver that hunts for known file signatures in raw disk images, pulling out JPEGs, PDFs, or Office docs from deleted clusters with configurable offsets. It's a lightweight CLI tool you compile and run on your evidence, tuning configs for speed or depth without GUI overhead. Open-source and battle-tested, it's the reliable rifle for examiners reclaiming lost files from the digital wilds.

Scalpel

Scalpel is the surgical file carver that slices through images using a scalpel.conf for precise signature matching, optimizing for fragmented or overwritten data with multi-threaded efficiency. Drop it on a drive dump via terminal, specifying file types like EXEs or ZIPs, and watch it rebuild structures from fragments. Open-source and performant, it's the scalpel for forensics pros carving with clinical accuracy.

PhotoRec

PhotoRec is the resilient multimedia rescuer that ignores file systems to carve photos, videos, and docs from any media, signature-based and forgiving of corruption for quick recoveries. Run it standalone or with TestDisk for a GUI nudge, selecting partitions and output dirs for automated pulls. Open-source and cross-platform, it's the forgiving fisherman for individuals netting lost media from stormy seas.

Bulk Extractor

Bulk Extractor is the feature hunter that streams through images for artifacts like emails or URLs without full carving, outputting stats and files for targeted forensics without parsing overhead. Fire it at a dump for parallel scans, tuning scanners for CCNs or base64 blobs in your hunt. Open-source and stream-smart, it's the selective sweeper for analysts panning gold from data rivers.

Binwalk

Binwalk is the embedded file detective that scans binaries and firmware for carved archives, images, or code, extracting nested structures with entropy analysis for firmware reverse engineering. Use its CLI on your image for signature scans or extraction, scripting for recursive dives into unpacked layers. Open-source and entropy-savvy, it's the unpacker for examiners unraveling hidden payloads in device dumps.

TestDisk

TestDisk is the partition revivalist with carving chops, recovering lost file systems and carving media from raw disks to restore structures or grab orphans directly. Boot it from live USB for non-destructive scans, selecting recovery modes for quick pulls of photos or partitions. Open-source and recovery-focused, it's the revival rod for solo techs fishing files from failed drives.

Fiwalk

Fiwalk is the Sleuth Kit walker that enumerates and carves files from images, generating body files for timelines while extracting metadata for artifact-rich outputs. Pipe it to mactime for super-timelines, focusing on allocated or unallocated spaces for comprehensive sweeps. Open-source and FS-aware, it's the methodical mapper for investigators cataloging evidence trails.

RevEnge

RevEnge is the GUI carver that visualizes disk sectors for manual or auto file recovery, highlighting signatures and letting you drag-select regions for targeted extracts. Load your image in the interface, tune profiles for media types, and export with previews for verification. Free and visual, it's the guided gardener for users pruning files from tangled disk undergrowth.

CarvFS

CarvFS is the virtual file system mounter that exposes carved files as a browsable FS, letting you navigate recovered artifacts like a live directory without extraction pauses. Mount your image via FUSE, drilling into virtual folders for selective copies or analysis. Open-source and mountable, it's the illusory index for examiners exploring carved landscapes as if they were intact.

Artifact Detector

Artifact Detector is the pattern matcher that scans images for specific carved artifacts like EXIF data or embedded scripts, using regex for custom hunts beyond standard files. Configure rules in its CLI for targeted pulls, outputting hits with contexts for quick validation. Open-source and rule-flexible, it's the bespoke beagle for forensics folks sniffing niche evidence in broad sweeps.
