Key Benefits

• 3,035 types of files supported
• Renames Files using their Metadata and File Type
• Fixes Wrong File Extensions
• Familiar DOS DIR user interface
• 109 Columns of file details for each file
• Supports MS Windows 98se/Me/NT/200x/XP/Vista
• Finds Files with Floating Headers
• Displays all NTFS Security File Usernames
• Displays all NTFS Alternate Data Streams
• Displays metadata extracted from many of the supported file types

The Summary/Syntax screen shows the usage syntax, versions of the included libraries as well as a list of the Legal Hash Databases that are loaded.  The screen shot on the left (click the image to enlarge) shows that we identify thousands of different file types (listed as the number of entrees in the Descriptions Database).  At the bottom of the screen, there is a list of the other help screens that are available.

The Display Options screen provides you with the commands available for controlling the output formatting of your search results.  You can control the size of each column individually, or use one of the preconfigured sets of columns (ex: /VD or /VM).  With the /RT command, File Investigator Directory for Windows creates a report containing the statistics of all the different file types and categories found.

The Filter Options screen has commands that provide the ability to filter your search results by File Type, Platform/OS, Storage Method, Content Type and Accuracy level that File Investigator is able to achieve on each file.  Using the /I command filters out all files with a file extension known to belong to their file type.

The Configuration Options screen has commands that calculate hash values, fix bad filenames and wrong file extensions as well as select the Identification Stages used.  Using the /NM command, you can rename files using metadata found inside them.  This is useful when recovering files from a damaged hard drive that resulted in a large number of files losing their original file names.

The Usage Examples screen list a number of example for how you can mix and match commands to produce the exact output that you need.  It includes everything from removing the header & footer text and adding comma delimiters between fields for importing into a spreadsheet to sorting the files by a select column.

Here's an example of what you will see when you simply run FIWDIR.EXE without any command line parameters other than the path and filespec.  Three columns are provided: Filename+Ext, Attributes and Description.  The Filename+Ext column shows the long filenames and any Alternate Data Streams (ADS) hiding behind them.  The Attributes column shows the usual Archive, Directory, Read-Only, Hidden & System file attributes as well as 'N' for NTFS ADS files.  The Description is a name for the true file type that File Investigator has identified each file as. 

Here's another example of using FIWDIR.EXE on a set of files, and adding the /VD command to show the Descriptions and Details columns.  The first column is the DOS Filename (which displays the shortened 8.3 filename) in order to limit the filename to 12 characters.  After that comes the same Description column as in the last example, then the Numbers Metadata Summary column.  This last column combines the individual numbers metadata columns into a single field for a quick summary.  Using the /Vn command, you can resize any of the 109 columns to customize the display to best fit your needs.

This is a Spreadsheet Export example using the following command line:

fiwdir.exe C:\test\*.* /C /VM >C:\fiwdir8.csv

/VM expands all columns to their maximum width and /C surrounds all fields with quotes and separates them with commas.  

Here's another Spreadsheet Export example with the addition of more commands: fiwdir.exe C:\test\*.* /C /VM /ST0 /HCC /HC4 >C:\fiwdir8a.csv

/ST0 instructs File Investigator to compare each file's hash codes to external legal hash databases before using the rest of our file analysis stages.  You will see some files identified as Legal Hash Database(s) Match rather than the detailed description that we typically provide.  The /HCC and /HC4 instruct File Investigator to calculate the CRC-32 and MD4 hash codes for every file.  Notice that most files had Checksum and Hash values calculated, because the loaded legal hash databases required those values for identification.  Three files were a match for these databases, and were given the description "Legal Hash Database(s) Match (Good)".  This means that they are known good files that belong to the software package listed as a "Source" in the extracted Text Metadata values.  Those same files did not get their Checksum & MD4 hash values calculated, because they weren't required to match with the legal databases that they were located in.

This is a Report on the statistics collected while analyzing a typical hard drive with MS Windows XP and a number of other applications installed.  When you want a preview of a hard drive, before you start your investigation, this report will give you an overview of the types of files and data you will be searching through.  The command line used was: fiwdir.exe c:\*.* /D /RTc:\fiwdir9.txt /S

/D instructs File Investigator to recursively scan directories for directory, file and size totals.  /RT is the report command, which is followed by the name of the file to create for the report.  /S is used to recurse through subdirectories when searching for files to analyze.

In this report, you will notice that 98% of the 183,793 files were identified with 90% or higher accuracy.  That is unprecedented in the Electronic Discovery industry.  The files being analyzed take up 73 GB, and the whole process completed in 2 hours and 23 minutes.

* Forensic Innovations does not guarantee that all of the file's metadata is extracted.