In my extensive experience training IT forensics investigators about file systems and file systems artefacts, I have never found a tool that allows you to easily “explore” evidence, while still maintaining a byte-level view. To my knowledge, this tool does not exist. Therefore I had to develop it!

Tyrhex is based on the experience of file systems forensics practitioners. It can help users understand the main concepts of this practice, compare the results produced by other forensic software, investigate damaged devices and explain results in courtroom scenarios.

Core innovative concepts:

  • The ability to isolate a byte string, lock the offset you wish to use as a reference, choose a particular unit, identify the value and, if needed, move by that value to a new position.
  • Bit-level accuracy, making it easy to resolve the allocation value associated with a selected block.
  • Historical bookmarking so that important data areas can be accessed later when referring to a particular stage of the analysis.
  • The ability to search for artefacts in damaged file systems and, by using the quick search features, create a virtual volume with estimated properties. The volume can also be browsed as it is being repaired.
  • The generation of colour-coded automatic and user-defined bookmarks to support the explanation of findings and reverse engineering techniques.
  • The provision of a detailed reporting system that can be used when comparing the results to the outputs of other forensic tools.
  • Strong Objective-C classes which are used to analyse file systems and file system artefacts. These classes do not depend on external algorithms, which is useful when cross-checking the results from other tools.

Used in a classroom, Tyrhex provides visual support for all logical structures that are embedded in file systems.

Used in front of a court during a trial, Tyrhex allows you to show the factual bytes while keeping everything clear and understandable.

tyrhex © Yves Vandermeer  2015-2017   #tyrhex