Supported Formats

The information below is based of version 1.5.0

Storage Media Image File Formats

Storage Media Image File Format support is provided by dfvfs.

Volume System Formats

Volume System Format support is provided by dfvfs.

File System Formats

File System Format support is provided by dfvfs.

File formats

• Apple System Log (ASL)

• Android usage-history (app usage)

• Basic Security Module (BSM)

• Bencode files

• Chrome Disk Cache Format

• Chrome preferences

• CUPS IPP

• Extensible Storage Engine (ESE) Database File (EDB) format using libesedb

• Firefox Cache

• Java WebStart IDX

• Jump Lists .customDestinations-ms files

• MacOS Application firewall

• MacOS Keychain

• MacOS Securityd

• MacOS Wifi

• mactime logs

• McAfee Anti-Virus Logs

• Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf

• Microsoft IIS log files

• NTFS $MFT and $UsnJrnl:$J using libfsntfs

• OLE Compound File using libolecf

• Opera Browser history

• OpenXML

• Pcap files

• Portable Executable (PE) files using pefile

• PL SQL cache file (PL-SQL developer recall files)

• Popularity Contest log

• Property list (plist) format using plistlib

• Restore Point logs (rp.log)

• Safari Binary Cookies

• SCCM client logs

• SELinux audit logs

• SkyDrive log and error log files

• SQLite database format using SQLite

• Symantec AV Corporate Edition and Endpoint Protection log

• Syslog

• utmp, utmpx

• Windows Event Log (EVT) using libevt

• Windows Firewall

• Windows Job files (also known as “at jobs”)

• Windows Prefetch files

• Windows Recycle bin (INFO2 and $I/$R)

• Windows NT Registry File (REGF) using libregf

• Windows Shortcut File (LNK) format using liblnk (including shell item support)

• Windows XML Event Log (EVTX) using libevtx

• Xchat and Xchat scrollback files

• Zsh history files

Bencode file formats

• Transmission

• uTorrent

ESE database file formats

• Internet Explorer WebCache format

• Windows 8 File History

OLE Compound File formats

• Document summary information

• Summary information (top-level only)

• Jump Lists .automaticDestinations-ms files

Property list (plist) formats

• Airport

• Apple Account

• Bluetooth

• Install History

• iPod/iPhone

• Mac User

• Safari history

• Software Update

• Spotlight

• Spotlight Volume Information

• Timemachine

SQLite database file formats

• Android call logs

• Android SMS

• Chrome cookies

• Chrome browsing and downloads history

• Chrome Extension activity

• Firefox cookies

• Firefox browsing and downloads history

• Google Drive

• iMessage (iOS and MacOS)

• Kik (iOS)

• Launch services quarantine events

• MacKeeper cache

• MacOS document versions

• Skype text conversations

• Twitter (iOS)

• Zeitgeist activity database

Windows Registry formats

• AppCompatCache

• BagMRU (or ShellBags)

• CCleaner

• Explorer ProgramsCache

• Less Frequently Used (LFU)

• MountPoints2

• Most Recently Used (MRU) MRUList and MRUListEx (including shell item support)

• MSIE Zones

• Office MRU

• Outlook Search

• Run and RunOnce keys

• SAM

• Services

• Shutdown

• Task Scheduler Cache (Task Cache)

• Terminal Server MRU

• Timezones

• Typed URLS

• USB

• USBStor

• UserAssist

• WinRar

• Windows version information

Hashers Supported

• MD5

• SHA1

• SHA256