These open-source utilities extract and reconstruct deleted files directly from raw disk images and storage media.
Etcher is a cross-platform utility designed for creating bootable media by flashing raw disk images onto USB drives and SD cards. It functions as a desktop application that provides a graphical interface for low-level storage device management, ensuring data integrity through built-in validation during the writing process. The application utilizes a unified interface layer to map high-level commands to native system utilities, allowing it to operate consistently across different operating systems. It employs a stream-based data pipeline to pipe image contents directly to storage media, which minimizes memory usage during large write operations. To maintain system security, the tool delegates administrative disk access tasks to a background process. Beyond image deployment, the software includes capabilities for storage device maintenance, such as clearing partition tables and reformatting corrupted or unusable drives. It is distributed through various native package managers and community repositories across Windows, macOS, and Linux environments.
Rufus is a disk imaging tool designed to create bootable USB drives by writing disk images directly to removable storage media. It functions as a standalone utility that formats drives and prepares installation media for operating systems, hardware deployment, and embedded system flashing. The application distinguishes itself through direct-access disk input and output, which bypasses high-level file system abstractions to perform low-level sector-based write operations. It utilizes specialized stream mapping to translate file system structures from disk images onto physical media, ensuring bootable integrity. Furthermore, the tool manages low-level drive partitioning and boot sector configuration, including support for both master boot records and GUID partition tables to maintain compatibility across various firmware environments. The software operates as a portable executable, packaging all necessary dependencies into a single binary that requires no formal installation or registry modifications. It interacts with hardware through native system calls to enumerate drives and manage exclusive access locks during the imaging process.
Etcher is a disk image writer and operating system flashing tool used to create bootable USB drives and SD cards. It transfers binary system images to physical external media, enabling computers or microcontrollers to boot from the prepared storage. The application includes system drive protection to prevent the accidental erasure of internal hard drives by filtering available storage devices based on metadata. It also performs data verification by comparing written bytes against the source image to ensure no corruption occurred during the flashing process.
Umbrel is a home server operating system designed to centralize the management of self-hosted applications and personal data services. It provides a unified, web-based graphical dashboard that abstracts complex system administration tasks, allowing users to deploy and maintain private cloud infrastructure, blockchain nodes, and media streaming services without requiring command-line interaction. The platform distinguishes itself through a modular application marketplace that automates the retrieval, configuration, and lifecycle management of containerized software. It integrates local artificial intelligence hosting and smart home automation coordination, enabling users to run language models and IoT routines directly on their own hardware. By utilizing disk-image-based provisioning, the system facilitates rapid deployment onto dedicated hardware while maintaining strict control over data sovereignty. Beyond its core hosting capabilities, the platform includes comprehensive tools for data resilience, including encrypted backups, external storage configuration, and automated disk redundancy. It also incorporates system-level network traffic filtering for ad-blocking and secure remote access, alongside real-time monitoring of hardware resource utilization. Access to the environment is protected through centralized authentication and security controls.
Ventoy is a cross-platform boot manager that enables users to launch multiple operating system installers and live environments from a single portable storage device. By intercepting the BIOS or UEFI startup sequence, it provides a unified menu that allows for the direct execution of disk image files without requiring file extraction or manual reformatting of the drive. The tool distinguishes itself through a modular, plugin-driven architecture that maps raw image files directly into system memory as block devices. Users can navigate local directories to select bootable files and utilize a web-based interface to generate configuration files, which manage custom scripts and environment variables during the boot process. This approach allows for the injection of drivers and parameters to support automated system provisioning and specialized maintenance tasks. The software supports a wide range of image formats, including ISO, WIM, IMG, VHD, and EFI files. It functions by traversing filesystem structures at runtime to locate and index these images, regardless of their physical placement on the storage media.
Excelize is a library for reading and writing spreadsheet files in the Office Open XML format. It provides a comprehensive suite of tools for programmatically creating, modifying, and analyzing workbooks, worksheets, and cell data, ensuring compatibility across various office software suites through structured XML serialization. The library distinguishes itself with a built-in formula calculation engine that evaluates complex mathematical and logical expressions directly against workbook data. It also features a memory-mapped streaming architecture, which allows for the efficient processing of massive spreadsheet files by handling data in chunks, thereby maintaining low memory usage during document manipulation. Beyond basic file operations, the project supports advanced document features including style-driven formatting, conditional rules, and the embedding of graphical elements like charts and pivot tables. It also provides security capabilities, allowing users to encrypt and decrypt protected spreadsheet files to manage sensitive information. The project is implemented in Go and is available for integration into applications requiring automated spreadsheet generation, data import and export, or complex document transformation.
dnSpy is a desktop application designed for the analysis, debugging, and modification of compiled .NET assemblies. It functions as an assembly analysis suite and decompiler, translating binary instruction streams back into readable source code to facilitate reverse engineering when original source files are unavailable. The tool distinguishes itself through an integrated binary patching engine and metadata editor, which allow for the direct modification of executable logic and internal metadata tables. It supports in-process debugging instrumentation, enabling users to inject runtime hooks, set breakpoints, and inspect memory state within compiled binaries to troubleshoot application behavior. Beyond core analysis and debugging, the platform provides an interactive scripting environment for automating repetitive tasks and manipulating assembly structures. It includes capabilities for abstract syntax tree manipulation and memory-mapped file inspection, allowing users to navigate between high-level code constructs and raw binary data.
This project is a command-line utility designed for secure, content-addressable data archiving. It functions as an encrypted backup tool that stores data as deduplicated chunks, ensuring that every piece of information is identified by a cryptographic hash to maintain integrity across all backups. By applying strong encryption and message authentication codes to both data and metadata, the software prevents unauthorized access and detects potential tampering. The tool distinguishes itself through a backend-agnostic storage abstraction that allows users to maintain repositories across diverse environments, including local filesystems, network-attached storage, and various cloud object storage providers. It optimizes storage efficiency and network performance by aggregating small data chunks into structured pack files and utilizing index-based metadata lookups. To further improve performance, the system maintains a local cache of repository indexes, which accelerates search operations and reduces latency during backup analysis. Beyond its core storage capabilities, the software supports automated backup orchestration and disaster recovery planning through versioned snapshots. It provides a comprehensive set of management tools for inspecting repository objects and configuring secure connections to remote backends via standard protocols. The software is distributed as a portable binary, with support for installation through native package managers, containerized execution, and cross-compilation from source.
Hachoir is a Python library to view and edit a binary stream field by field.
Mole is a terminal-based utility designed for comprehensive system maintenance, storage management, and real-time hardware monitoring. It provides a command-line interface for users to analyze disk usage, track system health metrics, and perform routine optimization tasks to maintain machine stability and performance. The project distinguishes itself through a declarative configuration model that uses structured data files to define custom cleanup logic, allowing for precise control over the removal of temporary files and project artifacts. It incorporates a safety-first execution layer that wraps destructive operations in validation checks, ensuring that user intent is verified before any files are modified or deleted. This approach extends to application lifecycle management, where the tool facilitates the complete removal of software binaries along with their associated configuration files and orphaned data. Beyond its core cleanup capabilities, the tool offers a broad suite of maintenance functions, including the clearing of system caches, the removal of redundant installer packages, and the optimization of background processes. It features a recursive file-system traversal engine to identify storage-consuming data and provides real-time visibility into hardware resources such as CPU, memory, and network status. Users can further extend the utility by integrating custom script directories to automate specific workflows directly from the command line.
Sample staging & detonation utility to be used in combination with Cuckoo Sandbox.
Jadx is a comprehensive Java decompilation suite designed to transform compiled binary application files into readable source code. It functions as a static analysis workbench, providing a graphical interface for navigating, searching, and inspecting the internal logic of complex software packages. By utilizing a bytecode-to-Java pipeline, the project reconstructs high-level logical structures from low-level binary instructions, making it a primary tool for Android application reverse engineering. The project distinguishes itself through a sophisticated control flow reconstruction engine and a symbolic deobfuscation engine that restores original code structure by renaming obfuscated identifiers. Beyond its graphical interface, Jadx offers a binary analysis library that allows developers to embed automated decompilation and source code extraction directly into custom security pipelines and software workflows. These capabilities enable detailed application security auditing and the investigation of mobile malware by tracing interactions across large, complex codebases. The platform includes extensive tooling for code navigation, such as cross-referencing class and method usage, jumping to declarations, and mapping dependencies within binary projects. To support the analysis of massive packages, it incorporates performance-oriented features like disk-backed caching, in-memory indexing, and configurable package exclusion to manage memory consumption and processing speed.
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
This project is a high-performance command-line utility designed for rapid filesystem navigation and file discovery. It enables users to locate files and directories within large project structures using recursive search, pattern matching, and metadata-aware filtering. By employing multi-threaded parallel traversal, it provides an efficient way to explore complex directory trees. What distinguishes this tool is its ability to integrate directly into terminal workflows and automate file management tasks. It automatically respects version control ignore files and hidden file settings, ensuring that search results remain focused on relevant project content. Beyond simple discovery, it features a built-in batch execution engine that allows users to run custom shell commands or scripts against search results, using dynamic placeholders to process file paths and metadata. The utility supports a wide range of interoperability features, including standard stream piping for safe data transfer to other command-line tools, text editors, and fuzzy finders. It provides granular control over search parameters, including full path matching, regex-based pattern evaluation, and configurable output formatting. Diagnostic utilities are also included to assist with pattern debugging and terminal readability.
Binwalk is a firmware analysis tool and binary data carver used to identify and extract embedded files and data segments from binary images. It functions as an embedded file extractor and data entropy analyzer to retrieve fragments from binary blobs when original file system structures are missing. The tool employs signature-based pattern matching and linear byte-stream scanning to detect known byte sequences and isolate hidden files. It uses sliding-window entropy analysis to locate regions of a file that are compressed or encrypted. The system supports recursive file carving, utilizing heuristic-based boundary detection and offset-based data extraction to slice nested content into standalone files.
ripgrep is a command-line utility designed for searching through large file trees and source code repositories. It functions as a recursive text processor that traverses directories to locate and display matching patterns, serving as a high-performance alternative to traditional search tools. The tool distinguishes itself through a focus on execution speed and intelligent file handling. It utilizes a finite automata-based regular expression engine to ensure linear time complexity and employs hardware-level acceleration for literal byte sequence scanning. By integrating with version control systems, it automatically respects ignore patterns to skip irrelevant files, while its parallel worker threading and memory-mapped file scanning techniques maximize throughput across large datasets. Beyond its core search capabilities, the utility supports complex text filtering and data stream manipulation within terminal environments. It is designed to optimize development workflows by reducing wait times during large-scale codebase analysis and log file inspection. The project provides precompiled, static binaries for Windows, macOS, and Linux, and is invoked via the command line using the binary name rg.
This project is a comprehensive, curated collection of software resources designed for the macOS ecosystem. It serves as a centralized directory for discovering applications across a wide range of functional domains, including professional development, system management, and personal productivity. The directory distinguishes itself by offering a highly granular classification of tools that cater to specific technical and creative workflows. It highlights specialized software for software engineering, such as terminal emulators, version control clients, and API development tools, alongside a broad selection of utilities for system security, virtualization, and network analysis. Beyond technical requirements, the collection includes extensive categories for design, writing, and daily task management, ensuring a diverse range of software needs are addressed. The repository covers a vast capability surface, spanning from communication and file-sharing utilities to advanced document processing, media management, and privacy-focused browsing tools. It also features specialized sections for artificial intelligence agents, data recovery, and financial tracking, providing a holistic view of the available software landscape for the platform.
RevokeMsgPatcher is a binary patching utility designed to modify the execution logic of desktop messaging applications. By applying low-level changes to compiled executable files and libraries, the tool enables functionality not natively supported by the original software, specifically focusing on message persistence and process management. The utility distinguishes itself through targeted binary instrumentation and control flow redirection. It identifies specific function patterns and memory offsets within proprietary software to inject custom assembly instructions. These modifications allow the software to suppress incoming message recall commands, ensuring that deleted content remains visible in chat histories. Additionally, the tool overrides application startup constraints by disabling synchronization primitives, which permits the simultaneous execution of multiple instances of the same messaging client. The project covers a range of binary modification techniques, including static instrumentation and dynamic library injection, to ensure that changes persist across application sessions. It provides automated mechanisms for locating and patching target code blocks, effectively bypassing built-in restrictions to customize the behavior of communication platforms.
Sandboxie is an operating system-level virtualization tool designed to run Windows applications in isolated, secure environments. By intercepting system calls and redirecting file system and registry modifications to a separate, discardable storage area, it prevents untrusted software from making permanent changes to the host system. This containment ensures that browser history, temporary files, and potential malware remain trapped within the sandbox, protecting the integrity and privacy of the underlying host. The software distinguishes itself through granular control over the isolation environment, including the ability to emulate administrative privileges for compatibility without granting actual elevated rights. It supports complex security policies such as per-sandbox network filtering, proxy redirection, and DNS control, alongside the ability to define specific breakout rules for documents or applications. Users can manage these environments through snapshots, encrypted storage, and volatile memory mapping, which allows for high-speed performance and automatic data clearing upon process termination. Beyond core isolation, the platform provides comprehensive lifecycle management for virtualized workspaces, including automated deployment for removable drives and programmatic configuration via a command-line interface. It enforces strict resource usage limits and access rules to maintain system stability while offering tools for data recovery and state management. The software is distributed as a utility for Windows environments, providing a centralized interface for monitoring and maintaining these isolated execution containers.
This project is a graphical Windows debugger designed for the analysis and manipulation of compiled binary applications. It functions as a comprehensive binary analysis suite, providing a real-time environment for inspecting CPU registers, monitoring memory states, and tracing instruction execution to investigate system-level software behavior. The tool distinguishes itself through an event-driven debugging loop that allows for precise process control and state modification during runtime. It supports advanced analysis techniques, including hardware-breakpoint injection for monitoring memory access and instruction-set-aware disassembly to translate machine code into readable assembly. These capabilities facilitate specialized tasks such as malware reverse engineering, software vulnerability research, and the analysis of complex system crashes. The platform includes a modular plugin architecture that enables the integration of external libraries for custom analysis and automation. It also features memory-mapped symbol resolution to correlate machine addresses with source code labels, assisting in the interpretation of internal application logic.