 _____ _    _   ___  __
|  ___| |  | | | \ \/ /
| |_  | |  | | | |\  /
|  _| | |__| |_| |/  \
|_|   |_____\___//_/\_\

Flux Forensics

A high-performance digital forensic CLI tool built in C++17. Analyze disk images, recover deleted files, search raw bytes, carve artifacts, and reconstruct timelines — all from a single binary.

C++17 Windows & Linux Streaming I/O Zero External Dependencies

Commands

Image Formats

Filesystems

50+

Carve Signatures

flux-forensics

forensic> open D:\evidence\server.vmdk ✓ Opening disk image (1.50 TB) - 0.001s ✓ Detecting partitions (5 partition(s) found) - 0.016s
forensic> rawsearch "password" --all-partitions Search target: All partitions Mode: Full partition search ✓ Search completed - 4.28s (892.1 MB/s avg) Found 37 matches across 5 partitions
forensic> timeline --from=2026-01-01 --to=2026-02-12 Generating MACB timeline... 12,847 events

Image Formats

13 Disk Image Formats Supported

From raw dumps to enterprise virtual disks, open any image format natively without external libraries.

💾

RAW / DD

.dd .img .bin .raw

🔎

E01

EnCase, multi-segment, FTK compatible

⚙

VMDK

VMware sparse, flat, split

🖧

VHD

Hyper-V Virtual Hard Disk

🖧

VHDX

Hyper-V v2 format

📦

VDI

VirtualBox disk image

📦

QCOW2

QEMU COW v2/v3, zlib

🔒

AD1

AccessData logical image

🍎

DMG

Apple UDIF, zlib compressed

📦

OVA

Open Virtual Appliance

📦

XVA

Citrix XenServer

💫

Physical Drive

\\.\PhysicalDriveN, /dev/sdX

📁

Nested Image

Images inside parsed filesystems

Filesystem Parsers

13 Filesystems, Full Traversal

Navigate directories, recover deleted files, detect slack space, and reconstruct file trees on every major filesystem.

NTFS Windows

MFT parsing, data runs, $LogFile analysis, deleted file recovery, slack space detection

FAT32 Cross-platform

Boot sector, FAT chain traversal, directory browsing

exFAT Cross-platform

Boot sector parsing, bitmap analysis, directory entries

EXT4 Linux

Superblock, inode, extent-based allocation, bitmap parsing

XFS Linux

Allocation groups, B-tree navigation, extent reader

Btrfs Linux

Chunk tree, root tree, FS tree, logical-to-physical address mapping

ZFS Linux / BSD

Block reader, object reader, ZAP parser, file tree reconstruction

APFS macOS / iOS

NX Superblock, checkpoint ring, OMAP resolution, B-tree reader

HFS+ macOS

B-tree catalog reader, extent parsing

ISO9660 Cross-platform

CD/DVD image, boot sector parsing

AD1 Windows

AccessData logical image format with item tree

Partition: MBR / GPT / LVM

Master Boot Record, GUID Partition Table, Linux LVM2 with logical volume expansion

Capabilities

Built for Real-World Forensics

Every feature is designed for streaming I/O — constant memory usage regardless of image size.

🔍

Raw Byte Search

Search across entire disks, partitions, or unallocated space with ASCII, hex, and binary wildcard patterns.

Background execution with progress tracking
Batch search from pattern files
Auto-fallback to disk-wide search
CSV / JSON export

🕐

MACB Timeline

Reconstruct file activity with Modified, Accessed, Changed, and Born timestamps.

Date range & name pattern filtering
Multi-partition analysis
Bodyfile & CSV export
Activity hotspot statistics

🔧

File Carving

Recover files from unallocated and slack space using 50+ built-in file signatures.

JPEG, PNG, PDF, ZIP, EXE, DOC, and more
Min/max size filters
Confidence scoring & validation
Export with ZIP encryption

📁

Full File Navigation

Unix-style file browsing: ls, cd, tree, find, grep, cat, hex, strings — all inside the disk image.

ls with 15+ options (-l, -R, -t, -S, etc.)
find with -name, -size, -type, -newer
grep with -i, -r, -n, -c, -v, context
less-style paginated viewer

🔓

Deleted File Recovery

Detect and recover deleted files from NTFS MFT records, EXT4 inodes, and more.

MFT record enumeration (NTFS)
Inode scanning (Linux FS)
Data run / extent reconstruction
Export recovered files to disk

📊

Log Analysis

Parse system logs directly from disk images without mounting.

Linux wtmp/utmp login records
Windows RDP EVTX events (21-25, 39-40)
NTFS $LogFile transaction parsing
Timezone-aware display

🔑

Hash Verification

Calculate and verify file integrity with industry-standard algorithms.

MD5, SHA-1, SHA-256
Streaming calculation (constant memory)
Per-file and bulk hashing
OpenSSL EVP backend

📂

Nested Image Analysis

Open disk images found inside parsed filesystems for recursive analysis with context stacking.

open-image to dive into nested images
back to return to parent context
Full analysis at every level
Works with all 13 image formats

💾

Session Management

Save and restore entire analysis sessions, background jobs, and search results.

Session save / load
Auto-backup on job completion
Job result persistence (.job, .json)
Backup cleanup by age

Command Reference

57 Commands at Your Fingertips

A complete interactive shell with tab-completion, command history, and pipe support.

Disk Image / Device 6

open	Open disk image, physical drive, or logical drive (C:, #N notation)
info	Display disk image metadata
list-devices	List available physical and logical drives
list-partitions	List detected partitions with type, size, and filesystem
select-partition	Select a partition for filesystem operations
dump	Create dd image from disk or partition

File Navigation 8

ls	List directory (-a -l -R -t -S -X -h -F -i -s --group-directories-first)
cd	Change directory (relative, absolute, ..)
pwd	Print working directory
tree	Directory tree view (-L depth, -d dirs, --deleted)
find	Search files (-name, -type, -size, -newercm, --deleted)
grep	Search file contents (-i -r -n -l -c -v -A -B -C)
list-files	List files with wildcard pattern matching
stat	Detailed file metadata (size, timestamps, record number)

File Viewing 6

cat	Display entire file content as text
more	Paginated file viewing
less	Advanced viewer with search and navigation
hex	Hexadecimal dump (--offset, --size, --hex/--utf-8/--unicode)
strings	Extract printable strings (-n length, -e encoding)
file	Detect file type using magic bytes and hashes

Search & Carving 5

rawsearch	Pattern search: ASCII, hex, binary wildcards, background execution
rawsearch-batch	Batch search from pattern file (--combine, --separate)
carve	File carving from unallocated space (50+ signatures)
carve-list	List carved files with confidence scores
carve-export	Export carved files (--zip, --password)

Recovery & Export 5

export	Extract file to disk (--zip with optional password encryption)
undelete	Recover deleted files by path or record number
md5sum	Calculate MD5 hash
sha1sum	Calculate SHA-1 hash
sha256sum	Calculate SHA-256 hash

Analysis 6

timeline	MACB timeline with date range, name, and event type filtering
timeline-export	Export to bodyfile or CSV format
timeline-stats	Activity statistics and hotspot analysis
last	Parse Linux wtmp/utmp login records
rdplog	Analyze Windows RDP EVTX logs
ntfs-logfile	Parse NTFS $LogFile transactions

Tasks & Sessions 12

tasks	List background jobs with progress
task-result	View detailed results (--limit, --head, --tail)
task-cancel	Cancel running background job
task-export	Export results to CSV or JSON
task-save	Save job results to file
task-load	Load saved job
task-save-all	Save all jobs to directory
task-clear	Clear completed jobs
task-list-saved	List saved jobs
task-clean-backups	Remove old backups (--older-than=N)
session-save	Save entire analysis session
session-load	Restore saved session

Containers & Utilities 9

container-add	Create file group for targeted rawsearch
container-list	List containers or files within
container-remove	Remove files from container
container-delete	Delete container
open-image	Open nested disk image inside filesystem
back	Return to parent analysis context
timezone	Show/change display timezone
clear	Clear the terminal screen
help	Show available commands