Name: Inforenz Forager (Group Test: Forensic tools)
Price: $604 for full standard version
- Quick searching and modular architecture.
- A limited set of modules.
- Looks promising but needs more modules.
SC Labs Reviews
Reviews from our expert team
This tool is designed to help search file systems during forensic examinations. It collects information and meta data associated with files, and offers strong searching and indexing capabilities, although limited to Windows file systems.
Forager is more of an architecture than a finished work. The software is modular: its concept of filestores is abstract, with “stores” being a filesystem, a zip file, an Exchange message store or anything else. File meta data is read by plug-in modules which understand the data buried in, say, a Word document or JPG file.
On paper, we like the concept, but it kept feeling like a work in progress. The documentation describes the architecture as an interface to these file stores, but the only data stores available are the local file system and Forager’s own indices created from searches.
The online help (the only documentation we received) is itself incomplete – some sections indicate they are in development, while others send you off to read separate PDFs. Modules for MP3, Word, Excel, OLE, and JPG files are available, as well as one retrieving the basic filesystem data.
From within a spartan but clean interface it is quick and easy to start a new case, scan file systems and build indices. Searching is oriented around file names and properties, and can restrict by any arbitrary complexity using regular expressions applied to either names or any known property.
It is very fast, with search results over thousands of files delivered in a few seconds (once the initial index is built). Searches and indices can be built on each other, so you can create custom sets of files quickly and easily. And with the search results, file data can be shown in a basic report, or more complex reports generated with combinations of meta data fields.
One important item to take into account is that the software, using the OS filesystem, changes the last access time stamp on the file, so it should only be used on a mirror of the files to be examined. And because it accesses files through the standard Windows filesystem, it can only access proper files, not deleted files or data concealed in slack space or fake bad sectors.
The architecture of Forager appears sound, and looks like a flexible, extensible system with real potential. But the limitations we found on the version tested here meant it showed its potential, rather than really delivered on it.