Wreckage

Wreckage: Open-Source Digital Forensics Tool

Scan for deleted files, extract artifacts, and carve out data from unallocated space to help investigate cyber incidents.

What is Wreckage?

Wreckage is an open-source digital forensics and incident response tool for analyzing disk images. It is designed to help security analysts and forensic investigators efficiently scan disk images to uncover indicators of compromise after a cyberattack.

Some of the key features of Wreckage include:

• File scanning - Scans disk images for deleted files and extracts them for analysis. Supports both existing files and carved files from unallocated space.
• Artifact parsing - Extracts browser, application, and system artifacts like browser history, downloads, chat logs, email, etc. Useful for reconstructing user and application activity.
• Data carving - Carves and reconstructs files from unallocated space using header/footer signatures. Allows recovering deleted files.
• Custom modules - Extensible modules allow creating customized scans tailored to an investigation.
• Command line interface - Command line operation allows scripting complex forensic workflows.

With its extensive artifact parsing and data carving capabilities optimized for speed, Wreckage can save significant analyst time during cyber investigations. The modular extensible design makes it adaptable for multiple investigation scenarios.

Wreckage Features

Official Links