maurermj08 edited this page Nov 16, 2018 · 31 revisions

Welcome to the Evidence Fetcher (Efetch) wiki!

Evidence Fetcher (efetch) is a web-based file explorer, viewer, and analyzer. Efetch supports viewing hundreds of file types, including office documents, registry hives, PST mailboxes, images, and SQLite databases. Efetch can navigate RAW, E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, and BZ2 containers, all thanks to dfVFS. Additionally, it supports Apple Partition Map (APM), GPT, LVM, MBR, Volume Shadow Snapshots (VSS), ext2, ext3, ext4, FAT, HFS, HFS+, HFSX, NTFS, and UFS.
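Before handing an evidence file to efetch it is worth confirming what container you are actually dealing with and recording its hash, since a mislabelled or truncated file is a common reason a mount fails. The following is an added example, not code from the efetch project or from dfVFS: it classifies a file by the well-known magic bytes of the container formats listed above (E01, ZIP, GZ, TAR, VMDK, VHD, QCOW, BZ2), falls back to looking for an MBR or GPT signature when there is no container header (a RAW image), and hashes the file. The function names `identify_container` and `inspect_file` are this example's own.

```python
import hashlib
from pathlib import Path

# Leading signatures at offset 0 (magic bytes of each format); first match wins.
_LEADING = [
    (b"EVF\x09\x0d\x0a\xff\x00", "E01"),     # Expert Witness Format segment header
    (b"QFI\xfb", "QCOW"),                   # QEMU copy-on-write image (qcow/qcow2)
    (b"KDMV", "VMDK"),                      # VMware sparse extent
    (b"# Disk DescriptorFile", "VMDK"),     # VMware descriptor-only VMDK
    (b"PK\x03\x04", "ZIP"),
    (b"PK\x05\x06", "ZIP"),                 # empty ZIP archive
    (b"\x1f\x8b", "GZ"),
    (b"BZh", "BZ2"),
]


def identify_container(head: bytes, tail: bytes = b"") -> str:
    """Classify an evidence file from its first 1024 bytes and, optionally, its last 512 bytes.

    Returns one of the container names from the page's list, "RAW (MBR)" / "RAW (GPT)"
    for a bare disk image with a partition table, or "UNKNOWN".
    """
    for magic, name in _LEADING:
        if head.startswith(magic):
            return name
    # POSIX tar has no leading magic; "ustar" sits at offset 257 of the first header block.
    if len(head) >= 262 and head[257:262] == b"ustar":
        return "TAR"
    # VHD keeps its "conectix" footer in the last 512 bytes; dynamic and differencing
    # disks also carry a copy of that footer at offset 0.
    if head.startswith(b"conectix") or tail[-512:].startswith(b"conectix"):
        return "VHD"
    # No container signature: treat as RAW and look for a partition table.
    if len(head) >= 520 and head[512:520] == b"EFI PART":   # GPT header in LBA 1
        return "RAW (GPT)"
    if len(head) >= 512 and head[510:512] == b"\x55\xaa":   # MBR boot signature
        return "RAW (MBR)"
    return "UNKNOWN"


def inspect_file(path) -> dict:
    """Read the head and tail of a file, classify it, and compute its SHA-256."""
    p = Path(path)
    size = p.stat().st_size
    with p.open("rb") as f:
        head = f.read(1024)
        f.seek(max(0, size - 512))
        tail = f.read(512)
    digest = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return {
        "path": str(p),
        "size": size,
        "type": identify_container(head, tail),
        "sha256": digest.hexdigest(),
    }


if __name__ == "__main__":
    import sys
    for arg in sys.argv[1:]:
        print(inspect_file(arg))
```

Run it as `python inspect_evidence.py disk.E01 memory.vmdk` before opening the files in efetch; a result of `UNKNOWN` on something that is supposed to be a disk image usually means the file is truncated, still compressed, or not the format its extension claims.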

Why should I use efetch?

Efetch is a great tool for performing quick triage on a wide range of evidence files. No need to Google how to mount a VMDK or VHD: simply navigate to the file and open it, then navigate to any file you want to view inside that image. Need to run a bash command or a Python script on a specific file in that evidence? Just add it to the YAML plugin file and refresh the page.

Beta 0.5.0 is coming soon!

This version includes an updated user interface, additional YAML plugin features, file upload support, and an Ubuntu 16.04 Docker image. Plugins are now categorized and searchable.

Beta 0.4.0 is here!

The newest version of efetch focuses on ease of use and user experience. The biggest difference is that efetch can now navigate directly to an evidence file, so there is no need to enter a dfVFS pathspec manually.

To get started, please check out the Install and Quick Start guides.

Navigating evidence with efetch is very simple (see the efetch_pathspec_viewer screenshot).