Frequently Asked Questions

What can I analyse using Tyrhex ?

in theory Tyrhex is dedicated to analyse forensic copies from devices like hard drives, ssd drives, memory cards or thumb drives. Whole device or only partitions (volumes) are automatically recognised by the tool. 

How can I produce forensic devices ?

Using the « dd » command line available on Mac OS and Linux, or other free or commercial tools. So far Tyrhex only works with full raw dd’s and is not able to handle compressed ones, like the ones produced by commercial forensic softwares. However, all commercial forensic softwares are able to generate full raw dd’s

How can I convert an .E01 or other compressed forensic copy ?

There is an excellent tool available for Linux : Xmount . The ewflib allows to convert to raw too. For Mac OS, I advice to install homebrew and then the needed tools like Xmount or ewflib

Why is it not possible to edit the file content ?

Tyrhex is mainly intended to be used for forensic examination and the file is open in read only mode. Using the volume manager features, it is anyway possible to create virtual volumes with specified properties, allowing to analyse the file system as it is repaired.

Is it possible to recover files from the forensic copy using Tyrhex ?

This version will allow to recover files from the forensic copy if the file is described within File System properties. For some file systems, deleted files could be recovered too. No « carving » for deleted file is included in this version.

I already use another expensive forensic software, do I need Tyrhex ?

You will need Tyrhex if :

  • you have to analyse some damaged file system 
  • you want to understand what or how data can be recovered and information gathered from file system artefact.
  • you have to show, explain or interpret some piece of evidence at court
  • you have to explain to students file system properties and why artefacts are useful 
  • you are working as IT forensics expert and you need, sometimes, search for the truth into the bytes
  • you have to crosscheck the results provided by another forensic software, as the algorithms in Tyrhex do not rely on other existing ones.

Otherwise, and if you are not curious at all, you probably don’t need it ;)

tyrhex © Yves Vandermeer  2015-2017   #tyrhex