Interactive Digital Forensics Simulator

This page is designed as a step-by-step teaching presentation. You can switch between topics, start each process yourself, pause it, reset it, and inspect the evidence view while the animation runs. The goal is to show what the actual disk, filesystem structures, raw blocks, headers/footers, live memory capture, disk imaging, reconstruction, and password cracking workflow look like in one place.

MBR / partition start
Superblock / filesystem metadata
Inode table
Directory block
JPEG file data
Text / other file data
Deleted file remnants
Free / unknown blocks

1. Disk Structure: MBR → Filesystem → Directories → Inodes → Data Blocks

This view shows a simplified disk layout. At the beginning of the disk you see the partition/boot area, then the filesystem metadata, inode table, directory blocks, and finally blocks that hold actual file content. Click through the animation to follow how a path like /home/user/photo.jpg is resolved.

Disk block map

Directory traversal

/
├── home
│   └── user
│       └── photo.jpg → inode 42
Inode 42
size=1.8 MB, owner=user, direct pointers → blocks 12, 13, 14, 20
Directory entry
photo.jpg → inode 42

2. File Carving: Scan Raw Blocks for File Signatures

This animation shows a deleted JPEG whose directory entry is gone. The recovery tool ignores the broken filesystem links and scans raw blocks directly. It moves block-by-block until it sees a known header. For JPEG, the common start marker is FFD8 and the footer is FFD9.

Raw blocks for carving

Current logic

The scanner is idle. When started, it will inspect each block's bytes, compare against signature definitions, and continue until the footer is found.
Header
JPEG start marker = FFD8
Footer
JPEG end marker = FFD9
Stop rule
Stop when footer appears after an identified header, or stop at corruption / size limit.
Recovered file
No recovered file yet
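
The header, footer and stop rule above, as an added Python example that is not part of the simulator's own code. The block size, the size limit and the sample image bytes are constructed for illustration.

```python
# Added example (not the simulator's code): header/footer JPEG carving.
# BLOCK_SIZE, MAX_FILE_SIZE and SAMPLE_IMAGE are constructed for illustration.
BLOCK_SIZE = 16                  # toy block size; real filesystems use 512+ bytes
MAX_FILE_SIZE = 4 * BLOCK_SIZE   # size limit from the stop rule
JPEG_HEADER = b"\xff\xd8"
JPEG_FOOTER = b"\xff\xd9"


def block(data: bytes) -> bytes:
    """Pad data with zero bytes (slack) to one full block."""
    return data.ljust(BLOCK_SIZE, b"\x00")


def carve_jpegs(image: bytes, block_size: int = BLOCK_SIZE,
                max_size: int = MAX_FILE_SIZE):
    """Return (start_offset, data, status) for every header at a block start."""
    results = []
    offset = 0
    while offset < len(image):
        # Filesystem links are ignored: only the first bytes of each block count.
        if image[offset:offset + 2] != JPEG_HEADER:
            offset += block_size
            continue
        window = image[offset:offset + max_size]
        end = window.find(JPEG_FOOTER, len(JPEG_HEADER))
        if end == -1:
            # Stop rule: no footer inside the size limit (corrupt or overwritten).
            results.append((offset, window, "truncated"))
            offset += block_size
            continue
        data = window[:end + len(JPEG_FOOTER)]
        results.append((offset, data, "complete"))
        # Resume at the first block boundary after the carved file.
        offset += -(-len(data) // block_size) * block_size
    return results


SAMPLE_IMAGE = b"".join([
    block(b""), block(b"notes.txt data"),              # metadata / text blocks
    block(b"\xff\xd8\xff\xe0JFIF-pixels-"),            # deleted JPEG, first block
    block(b"more-pix\xff\xd9"),                        # last block: footer + slack
    block(b""),                                        # free block
    block(b"\xff\xd8\xff\xe0partial"),                 # header whose tail is gone
    block(b"overwritten"), block(b""), block(b""), block(b""),
])

if __name__ == "__main__":
    for start, data, status in carve_jpegs(SAMPLE_IMAGE):
        print(f"offset {start}: {len(data)} bytes, {status}")
```

A real JPEG with an embedded thumbnail contains an inner FFD8/FFD9 pair, so a first-footer rule like this one can end the file early; carvers used on casework also validate the internal segment structure.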

3. Live Forensics: Evidence from a Running System

Live forensics focuses on evidence that may disappear if the machine powers off. The animation below walks through memory capture, running process collection, network connection capture, and volatile artefact preservation.

1. Running machine

System is live. Volatile evidence still exists.

2. RAM capture

Acquire memory image before shutdown.

3. Processes & handles

Collect running tasks, DLLs, handles, command lines.

4. Network state

Open sockets, active sessions, ARP, routes.

5. Preserve & analyze

Export evidence and continue offline analysis.


4. Disk Imaging: Bit-for-Bit Forensic Copy with Hash Verification

Forensic imaging copies every readable sector, including deleted areas and slack space, to preserve evidence exactly. The animation shows sectors being copied into an image file and then verified with a cryptographic hash.

Original disk sectors

Forensic image sectors


5. Data Reconstruction: Reassemble Fragmented Data

When a file is fragmented, its content may be stored non-contiguously. Reconstruction uses metadata when available, and otherwise relies on signatures, internal structure, offsets, size assumptions, and content continuity.

Fragments discovered on disk

Rebuilt order

Reasoning
The tool will explain why each fragment belongs before or after another.

6. Password Cracking: Educational Brute-Force Demonstration

This animation demonstrates the defensive concept of brute-force password guessing against a toy target. It is intentionally simplified and does not provide real cracking capability. It shows the cycle: generate guess → hash guess → compare to target hash → stop on match.

Target password
demo