computer forensics, computer forensics expert, mobile phone forensics, expert witness

Digital Evidence Experts.

Open source tools

In the course of his research Dr Schatz has produced a number of tools which have been contributed to the community.

Pasco2: Internet Explorer Cache Parser

Pasco2 is a forensic tool for decoding the web history and cache records produced by Microsoft's Internet Explorer. This was written as an alternative parser in response to finding bugs in the original (and "C" based Pasco) utility, and adds additional metadata fields not supported in the original. Today it can be found powering the the IE History capibilities in the Autopsy Forensic Browser.

Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It can be used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.


Dr Schatz helped pave the way to widespread adoption of the forensic analysis of the RAM of computers by, in 2010, contributing support to the Volatility framework enabling analysis of Windows Vista and Windows 7 memory images. Prior to this, analysis had been limited to Windows XP.

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.


dd2vmdk is an online Physical-to-Virtual (P2V) conversion tool, useful in converting images of physical hard disk drives to bootable VMWare virtual disks. This tool was born in 2004 due to address then limitations in converting forensic images into virtual machines.

Since this service was created, other more capable solutions have appeared. If you require a P2V conversion tool that works with raw forensic images and VMWare, we now recommend using OpenLV.