Browse E01 images, raw disks, GrayKey extractions, and iTunes backups natively. No command line. No Windows VM. Just open and explore.
Native app for Mac, iPhone & iPad.
dfirOS is written entirely in Swift — no Electron wrappers, no ported code, no web views. A true native app that feels at home on macOS, iPhone, and iPad. Fast launch, low memory, and every pixel right where Apple intended.
You need to review a forensic image — an E01, a raw disk, a GrayKey extraction. Your options are FTK Imager on Windows, command-line tools, or spinning up a VM.
You just want to open the evidence, browse the filesystem, and get to work.
Sound familiar?
Open what matters. Disk images, mobile extractions, and archives.
E01/EWF (EnCase), raw images (.dd, .raw, .img, .bin, .dmg, .iso), and zipped disk images.
GrayKey full file system extractions and iTunes backups auto-detected by structure.
TAR, TAR.GZ, ZIP, and any local folder. Drop it in, browse it immediately.
FAT12/16/32, NTFS, APFS, HFS+, EXT2/3/4, and exFAT. MBR, GPT, and Apple Partition Map.
Inspect evidence with native tools built for speed.
Browse complete directory trees. Navigate large evidence sets fluidly.
Preview images, documents, PDFs, plists, SQLite databases, and text files inline.
Synchronized offset, hex, and ASCII columns. Examine raw data at the byte level.
Automatic file type detection and detailed metadata display for every file.
Built native for every Apple device. Review evidence anywhere.
Professional multi-panel desktop layout built for deep investigation work.
Full-screen tree navigation with file detail sheets. Evidence review on the go.
Large-screen support for field work. Review evidence on your iPad in the lab, in the field, or in the courtroom.
One subscription. Full access on all your devices.