Tags: , , , , , , , ,

Download Disk Drill data recovery app for Windows  for Mac

Disk Drill Enterprise (or Expert version) has the ability to export forensic data from a disk in the DFXML format. This allows for forensic analysis of data storage devices for the purposes of identifying, preserving and retrieving sensitive data.

To take advantage of this feature, you must have the Enterprise version of Disk Drill (or Expert if available at that time). This version can be purchased from the CleverFiles website. If you already have the PRO version, contact us about upgrading to Enterprise.

How to Export Forensic Data

  1. Launch Disk Drill and perform a scan of the volume in question, as directed in our How to Recover Lost Files with Disk Drill PRO tutorial. 
  2. Once the scan is complete, select File > Export Forensic Data from the top menu bar.Screen Shot 2013-05-20 at 11.21.19 AM
  3. When the Save window pops up, select the location you wish to save the file to (do not save it to the disk you just scanned or you risk data loss), select the file format (the default is XML, but you also have the option of saving as a DB (sqlite) or CSV format as well), and then click Save.Screen Shot 2013-05-20 at 11.16.26 AM
  4. You can then import the forensic data file into the program of your choice for further analysis.


The exported DFXML file (in XML format) will have the following format: XML sample #1, and XML sample #2.

If you choose DB (sqlite) as your export format, the database will consist of two tables, which are the SQL-representations for Digital Forensic XML. The structure of the tables looks like this:

create table fileobject(
    fileid integer primary key,
    filename text,
    family text,
    filesize integer,
    mtime integer

create table run(
    fileid integer references fileobject(fileid),
    file_offset integer,
    img_offset integer,
    len integer

If you export forensic data into CSV, the data fields will be stored in this sequence:

filename, family, filesize, mtime, file_offset1, img_offset1, len1, …,
file_offset8, img_offset8, len8

Here are two samples of the CSV files generated by Disk Drill: CSV sample #1, and CSV sample #2.

Still have questions?  Contact us  or visit our  Public forum