Computer Forensics
Software Case

DRIVESPY is a forensic DOS shell. It is designed to emulate and extend the capabilities of DOS to meet forensic needs.

About DriveSpy

Whenever appropriate, DRIVESPY will use familiar DOS commands (CD, DIR, etc.) to navigate the system under investigation. When beneficial, DRIVESPY will extend the capabilities of the associated DOS commands, or add new commands as necessary. DRIVESPY provides a familiar DOS-like prompt during system navigation. DRIVESPY does not use drive letters in the prompt, but rather a Drive/Partition combination (e.g. "D0P1:\WINDOWS\SYSTEM"), to eliminate confusion where the resident operating system has not assigned a drive letter to the drive being processed (e.g. examining a FAT32 partition under DOS 6.22).

SC Magazine Recommends DriveSpy

SC Magazine's testing of forensic software identified DRIVESPY as the ONLY product reviewed which found ALL the hidden information in their test suite. This included forensic software products costing almost 10 times as much as DRIVESPY!

DriveSpy Processes
  • Large Hard Drives (Greater than 8.4 Gb)
  • Floppy Disks and Removable media
  • FAT12/16/16x/32/32x Partitions
  • Hard Drives without Partitions (removable media)
  • Hidden DOS Partitions (full functionality)
  • Non-DOS partitions (physically)
  • Long File Names (Fully Decoded and Listed)
  • File Creation (Win95/98), Modification (DOS), and Access Dates (Win95/98)
  • Erased files (With their companion Long File Name if one exists)
  • Slack Space
  • Unallocated Space

DriveSpy Includes

  • A built-in Sector (and Cluster) Hex Viewer which can be used to examine DOS and Non-DOS partitions.
  • Configurable logging capabilities to document the investigation (keystroke-by-keystroke if desired).
  • The ability to create and restore compressed forensic images of drive partitions
  • Full Scripting Capabilities to Automate Processing Activities

DRIVESPY accesses physical drives using pure Int13 or Int13x (extended Int13) calls. It does not flip file access dates or involve operating system calls in any way. This also makes it possible to achieve full functionality (i.e. FAT32 processing) even when booted under older versions of DOS such as 3.3!

What DriveSpy Does
  • Record all activities to a log file (keystroke-by-keystroke if desired)
  • Enable and Disable logging of activities on demand
  • Display extensive architectural information for entire Hard Drives and individual Partitions
  • Examine DOS and Non-DOS partitions using a built-in Sector (and Cluster) Hex Viewer
  • Create direct disk-to-disk forensic duplicates
  • Copy a range of sectors within, or between, drives
  • Process duplicate drives regardless of physical drive geometry or sector translation differences
  • Select files based on their name and extension
  • Select files based on their attributes
  • Recurse subdirectories during the selection of files
  • Select files of a specific type or group based on internal header information
  • Maintain custom file type header information and group information in a user extensible initialization file
  • Process or list files based on a specified sort order
  • List directory entry information for selected files including Long File Names and Creation (Win95/98), Modification (DOS), and Access (Win95/98) dates
  • Create a Database export file containing directory entry information for a selected partition (Including information specific to FAT-32, Win9X (creation and access dates), and erased file information)
  • Copy selected files to a designated work area (without tripping file access/modification dates)
  • Unerase selected files to a designated work area (without tripping file access/modification dates).
  • Search a drive, partition, or specified file(s) for one or more text strings or data sequences (without tripping file access/modification dates). Accuracy values can be individually specified for each string to find partial matches.
  • Collect all the Slack Space in an entire partition to a file (RAM Slack, Residual Slack, or Both)
  • Collect all the unallocated space in a partition to a file
  • Save and Restore one or more contiguous sectors to/from a file
  • Query the FAT of a partition to obtain individual cluster allocation information and follow cluster chains
  • Wipe an entire Drive, individual Partition, unallocated space, or slack space
  • Generate an MD5 hash of an entire Drive, individual Partition, or selected Files
  • Save and Restore compressed forensic images of a partition
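As an added illustration (not DriveSpy's own code) of two items in the list above, collecting slack space split into RAM slack and residual slack, and querying the FAT to follow cluster chains, here is a small Python model run over a constructed FAT16 table. The 512-byte sector, 4-sector cluster geometry and the data-area start sector are assumptions chosen for the example.

```python
import struct

# Geometry assumed for this example (a typical small FAT16 volume).
BYTES_PER_SECTOR = 512
SECTORS_PER_CLUSTER = 4
FAT16_EOC = 0xFFF8      # entries >= this value mark end of chain
FAT16_BAD = 0xFFF7

def follow_chain(fat: bytes, first_cluster: int, max_len: int = 65536) -> list:
    """Walk a FAT16 table from first_cluster to its end-of-chain mark and
    return the ordered cluster list. Loops, free or bad entries raise, so a
    damaged chain is reported rather than walked forever."""
    chain, seen, cur = [], set(), first_cluster
    while True:
        if cur < 2 or cur in seen or len(chain) >= max_len:
            raise ValueError(f"bad or looping chain at cluster {cur}")
        if cur * 2 + 2 > len(fat):
            raise ValueError(f"cluster {cur} is outside the FAT")
        seen.add(cur)
        chain.append(cur)
        nxt = struct.unpack_from("<H", fat, cur * 2)[0]
        if nxt >= FAT16_EOC:
            return chain
        if nxt == 0 or nxt == FAT16_BAD:
            raise ValueError(f"chain broken at cluster {cur} -> {nxt:#06x}")
        cur = nxt

def chain_to_sectors(chain: list, data_start_sector: int) -> list:
    """Map each cluster of a chain to its first LBA sector (cluster 2 is the
    first data cluster); this is where a sector viewer would be pointed."""
    return [data_start_sector + (c - 2) * SECTORS_PER_CLUSTER for c in chain]

def slack_bytes(file_size: int) -> tuple:
    """Split a file's slack into RAM slack (end of data to end of the last
    written sector) and residual slack (whole unused sectors in the last
    cluster). Returns (ram_slack, residual_slack) in bytes."""
    cluster_bytes = BYTES_PER_SECTOR * SECTORS_PER_CLUSTER
    used = file_size % cluster_bytes
    if used == 0:            # empty file or exact cluster boundary: no slack
        return 0, 0
    ram_slack = (-used) % BYTES_PER_SECTOR
    return ram_slack, cluster_bytes - used - ram_slack

def sample_fat() -> bytes:
    """Constructed FAT16 table: clusters 2->3->4->EOC, 5 free, 6 a single-
    cluster file, 7->8->7 a deliberately corrupt loop."""
    entries = [0xFFF8, 0xFFFF, 3, 4, 0xFFFF, 0, 0xFFFF, 8, 7] + [0] * 7
    return b"".join(struct.pack("<H", e) for e in entries)
```

For a 1000-byte file on this geometry, slack_bytes reports 24 bytes of RAM slack and 1024 bytes of residual slack, the two regions DriveSpy lets you collect separately.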

Download DRIVESPY v1.70
Download DRIVESPY Help File (Required for v1.50+)
Download DRIVESPY Documentation for Additional Information (PDF)

Here is the current collection of file headers and file group definitions for inclusion in your DRIVESPY.INI file. (Be sure not to make any changes to the "License" section of DRIVESPY.INI when merging this information into the file.)

File Type and File Group Information for DRIVESPY.INI (Updated 05/21/00)