Supported Formats

The information below is based of version 20210213

Storage media image file formats

Storage media image file format support is provided by dfvfs.

Volume system formats

Volume system format support is provided by dfvfs.

File system formats

File System Format support is provided by dfvfs.

File formats

Amazon Web Services CloudTrail logs
Amazon Web Services Elastic Load Balancer access logs
Apple System Log (ASL)
Azure Activity logs
Android usage-history (app usage)
Basic Security Module (BSM)
Bencode files
Chrome Disk Cache Format
Chrome preferences
CUPS IPP
Extensible Storage Engine (ESE) Database File (EDB) format using libesedb
Firefox Cache
Java WebStart IDX
Jump Lists .customDestinations-ms files
MacOS Application firewall
MacOS Keychain
MacOS Securityd
MacOS Wifi
mactime logs
McAfee Anti-Virus Logs
Microsoft Internet Explorer History File Format (also known as MSIE 4 - 9 Cache Files or index.dat) using libmsiecf
Microsoft IIS log files
NTFS $MFT and $UsnJrnl:$J using libfsntfs
OLE Compound File using libolecf
Opera Browser history
OpenXML
Portable Executable (PE) files using pefile
PL SQL cache file (PL-SQL developer recall files)
Popularity Contest log
Property list (plist) format using plistlib
Restore Point logs (rp.log)
Santa logs
Safari Binary Cookies
SCCM client logs
SELinux audit logs
SkyDrive log and error log files
SQLite database format using SQLite
Symantec AV Corporate Edition and Endpoint Protection log
Syslog
utmp, utmpx
Windows Event Log (EVT) using libevt
Windows Firewall
Windows Job files (also known as “at jobs”)
Windows Prefetch files
Windows Recycle bin (INFO2 and $I/$R)
Windows NT Registry File (REGF) using libregf
Windows Shortcut File (LNK) format using liblnk (including shell item support)
Windows XML Event Log (EVTX) using libevtx
Xchat and Xchat scrollback files
Zsh history files

Bencode file formats

Transmission BitTorrent activity file
uTorrent active torrent file

Compound ZIP file formats

OpenXML (OXML) file

ESE database file formats

Internet Explorer WebCache ESE database (WebCacheV01.dat, WebCacheV24.dat) file
System Resource Usage Monitor (SRUM) ESE database file
Windows 8 File History ESE database file

OLE Compound File formats

Automatic destinations jump list OLE compound file (.automaticDestinations-ms)
Document summary information (\0x05DocumentSummaryInformation)
Summary information (\0x05SummaryInformation) (top-level only)

Property list (plist) formats

Airport plist file
Apple account information plist file
Bluetooth plist file
iPod, iPad and iPhone plist file
Launchd plist file
MacOS installation history plist file
MacOS software update plist file
MacOS user plist file
Safari history plist file
Spotlight plist file
Spotlight volume configuration plist file
TimeMachine plist file

SQLite database file formats

Android call history SQLite database (contacts2.db) file
Android text messages (SMS) SQLite database (mmssms.dbs) file
Android WebViewCache SQLite database file
Android WebView SQLite database file
Dropbox sync_history SQLite database file
Google Chrome 17 - 65 cookies SQLite database file
Google Chrome 27 and later history SQLite database file
Google Chrome 66 and later cookies SQLite database file
Google Chrome 8 - 25 history SQLite database file
Google Chrome autofill SQLite database (Web Data) file
Google Chrome extension activity SQLite database file
Google Drive snapshot SQLite database (snapshot.db) file
Google Hangouts conversations SQLite database (babel.db) file
iOS Kik messenger SQLite database (kik.sqlite) file
Kodi videos SQLite database (MyVideos.db) file
MacOS and iOS iMessage database (chat.db, sms.db) file
MacOS application usage SQLite database (application_usage.sqlite) file
MacOS document revisions SQLite database file
MacOS Duet / KnowledgeC SQLites database file
MacOS launch services quarantine events database SQLite database file
MacOS MacKeeper cache SQLite database file
MacOS Notes SQLite database (NotesV7.storedata) file
MacOS Notification Center SQLite database file
MacOS Transparency, Consent, Control (TCC) SQLite database (TCC.db) file
Mozilla Firefox cookies SQLite database file
Mozilla Firefox downloads SQLite database (downloads.sqlite) file
Mozilla Firefox history SQLite database (places.sqlite) file
Safari history SQLite database (History.db) file
Skype SQLite database (main.db) file
Tango on Android profile SQLite database file
Tango on Android TC SQLite database file
Twitter on Android SQLite database file
Twitter on iOS 8 and later SQLite database (twitter.db) file
Windows 10 Timeline SQLite database (ActivitiesCache.db) file
Zeitgeist activity SQLite database file

Syslog file formats

Cron syslog line
SSH syslog line

Windows Registry formats

Application Compatibility Cache Registry data
Background Activity Moderator (BAM) Registry data
BagMRU (or ShellBags) Registry data
Boot Execution Registry data
CCleaner Registry data
Microsoft Internet Explorer zone settings Registry data
Microsoft Office MRU Registry data
Microsoft Outlook search MRU Registry data
Most Recently Used (MRU) Registry data
Run and run once Registry data
Security Accounts Manager (SAM) users Registry data
Terminal Server Client Connection Registry data
Terminal Server Client Most Recently Used (MRU) Registry data
User Assist Registry data
Windows boot verification Registry data
Windows drivers and services Registry data
Windows Explorer mount points Registry data
Windows Explorer Programs Cache Registry data
Windows Explorer typed URLs Registry data
Windows last shutdown Registry data
Windows log-on Registry data
Windows network drives Registry data
Windows networks (NetworkList) Registry data
Windows Task Scheduler cache Registry data
Windows time zone Registry data
Windows USB device Registry data
Windows USB Plug And Play Manager USBStor Registry data
Windows version (product) Registry data
WinRAR History Registry data

Hashers Supported

MD5
SHA1
SHA256