FileSystemAnalyzer: a tool that does what it says

Today I’m happy to release a tool for low-level analysis of file systems, which includes digging through file system structures that aren’t normally visible when exploring your disks, looking at metadata of files and folders that isn’t normally accessible, and even browsing file systems that aren’t supported by Windows or your PC.

Download FileSystemAnalyzer

This is actually the software that I use “internally” to test and experiment with new features for DiskDigger, but I thought that it might be useful enough to release this tool its own. It accesses the storage devices on your PC and reads them at the lowest level, bypassing the file system drivers of the OS.

On the surface, this software is very simple: it allows you to browse the files and folders on any storage device connected to your PC, and supports a number of file systems, including some that aren’t supported by Windows itself. However, the power of this tool comes from what else it shows you in addition to the files and folders:


The program supports FAT12, FAT16, and FAT32 partitions. When looking at FAT partitions, you can see the file and directory structure, and detailed metadata and previews of files that you select. When selecting a file or folder, you can also see its position in the FAT table. And indeed you can explore the entire FAT table independently of the directory structure, to see how the table is structured and how it relates to the files and directories:



Similarly to FAT, this lets you explore the exFAT file system, while also letting you look at the actual FAT table and see how each file corresponds to each FAT entry.


In addition to exploring the NTFS file and folder structure, you can also see the MFT table, and which MFT entry corresponds to which file or folder:



HFS+ is the default file system used in macOS (although it is slowly being superseded by APFS), and is fully supported in FileSystemAnalyzer. You can explore the folders and files in an HFS+ partition, and you can also see the actual B-Tree nodes and node contents that correspond to each file:



Ext4 partitions (used in Linux and other *nix operating systems) are also supported in FileSystemAnalyzer. In addition to exploring the folders and files, you can also see the actual inode table, and observe how the inodes correspond to the directory structure:



Support for APFS is still very rudimentary, since there isn’t yet any official documentation on its internal structure, and requires some reverse engineering. Nevertheless, support for APFS is planned for a near-future update.

Disk images

The program supports E01 (EWF) disk images, as well as VHD (Microsoft Virtual Hard Disk), VDI (from VirtualBox), VMDK (from VMware), and of course plain dd images.

Creating reports

Given the exhaustiveness of the information that this tool presents about the file system that it’s reading, there’s no end to the types of reports that it could generate. Before committing to specific type(s) of reports for the program to create, I’d like to get some feedback from other forensics specialists on what kind of information would be the most useful. If you have any suggestions on what to include in reports, please contact me.


For now, FileSystemAnalyzer is strictly a read-only tool: it lets you read files and folders from a multitude of partitions, but does not let you write new data to them. In some ways this can actually be beneficial (especially for forensics purposes), but is clearly a limitation for users who might want to use the tool to add or modify files in partitions that are not supported natively by the operating system.


I’d love to hear what you think of FileSystemAnalyzer so far, and any ideas that you might have for new features or improvements. If you have any suggestions, feel free to contact me!

Download FileSystemAnalyzer

Revisiting the Windows 10 thumbnail cache

When you look at a folder full of pictures, and enable the display of thumbnails in your folders, Windows will show a thumbnail that represents each of the pictures. Creating these thumbnails is an expensive operation — the system needs to open each file, render the image in memory, and resize it to the desired size of the thumbnail. Therefore, Windows maintains a cache of thumbnails, saved in the following location: [User folder]\AppData\Local\Microsoft\Windows\Explorer.

A few years ago I published a utility for examining the thumbnail cache in Windows Vista and Windows 7.  However, in Windows 8 and Windows 10, Microsoft seems to have made some slight modifications to the file format of the thumbnail cache which was preventing my utility from working properly.  So, I revisited the thumbnail cache on the most recent version of Windows, and made sure the utility works correctly with it, as well as with all previous versions of the cache.

My updated ThumbCacheViewer supports thumbnail cache files from all versions of Windows after XP.  It automatically detects cache files associated with the current user’s account, and it also allows you to explicitly open thumbnail cache files from any other location. Once the file is opened, the utility will show a simple list of all the images contained in the selected cache. If you select an individual image, it will also show some useful metadata about the image:


You can see that the cached images include thumbnails of individual photos, as well as thumbnail representations of folders that contain photos. Both of these can be forensically interesting, since the folder thumbnails still contain plenty of detail in the images. You can also see that there are separate caches for different resolutions of thumbnails, some of which are strikingly high-resolution (up to 2560 pixels wide, which almost defeats the purpose of a cache).

I’ll also point out that you can perform forensic analysis on thumbnail caches using DiskDigger, by opening the cache file as a disk image. You can do this by following these steps:

  • Launch DiskDigger, and go to the “Advanced” tab in the drive selection screen.
  • In the “Bytes per sector” field, enter “1”.
  • Click the “Scan disk image” button, and find the thumbnail cache file that you want to scan.
  • Select “Dig deeper” mode, and proceed with the scan.

Here is the same cache file as in the screenshot above, but viewed using DiskDigger (note the numerous .BMP images detected by the scan):


Either way, this is now a relatively complete solution for analyzing thumbnail cache files, whether you’re a professional forensics specialist, or a home user who’s interested in how Windows preserves thumbnails in more ways than you might think!

The dead dream of chatbots

A long time ago I wrote about the Loebner Prize, and how it seemed like this competition isn’t so much a test of machine intelligence, but rather a test of how well the programmers can fool the judges into thinking they’re talking to a human. Not that anyone has actually done this successfully — none of the judges have ever been convinced that any of the chatbots were really a human, and the annual “winner” of the Prize is decided by sympathy points awarded by some very charitable judges.

In that previous post, I remember being struck by how little has changed in the quality of the chatbots that are entered into this competition:  it hadn’t improved since the inception of the prize.  So, today I thought I’d randomly “check in” on how the chatbots are doing, and read the chat transcripts from the competition from more recent years. (I encourage you to read the transcripts for yourself, to get a taste of the “state of the art” of today’s chatbots.)

And can you guess how they’re doing? Of course you can:  they still haven’t improved by any margin, except perhaps a larger repertoire of cleverly crafted catch-all responses. Even the winner and close runner-up of the 2017 competition are comically robotic, and can be effortlessly pegged as artificial by a human judge.

My goal in this post, however, is not to bash the authors of these chatbots — I’m sure they’re competent developers doing the best they can. My goal is to discuss why chatbot technology hasn’t moved forward since the days of ELIZA. (Note: When I refer to chatbots, I’m not referring to today’s virtual assistants like Siri or Alexa, which have made big strides in a different way, but rather to human-approximating, Turing-test-passing machines, which these chatbots attempt to be.)

I think much of it has to do with a lack of corporate support. Chatbots have never really found a good business use case, so we haven’t seen any major companies devote significant resources to chatbot development. If someone like Google or Amazon had put their weight behind this technology, we might have seen an advancement or two by now.  Instead, the competitors in the Loebner Prize still consist of individual hobbyists and hackers with no corporate backing.

Interest in chatbots seems to have peaked around 2012, when the cool thing was to add a customized bot to your website and let it talk to your users, but thankfully this died down very shortly thereafter, because apparently people prefer to communicate with other people, not lame attempts at imitation. We can theorize that someday we may hit upon an “uncanny valley” effect with chatbots, where the conversation is eerily close to seeming human (but not quite), which will cause a different kind of revulsion, but we’re still very far from that point.

Another thing to note is the actual technology behind today’s (and yesterday’s) chatbots. Most of these bots, and indeed all the bots that have won the Loebner Prize in recent years, are constructed using a language called AIML, which is a markup language based on XML.  Now, there have been plenty of ways that people have abused and misused XML in our collective memory, but this has to be one of the worst!  AIML attempts to augment XML with variables, stacks, macros, conditional statements, and even loops. And the result is an unwieldy mess that is completely unreadable and unmaintainable. If chatbot technology is to move forward, this has to be the first thing to throw out and replace with something more modern.

And finally, building a chatbot is one of those endeavors that seems tantalizingly simple on the surface:  if you look at the past chat logs of the prize-winning bots, it’s easy to think to yourself, “I can build a better bot than that!”  But, once you actually start to think seriously about building a bot that approximates human conversation, you quickly come up against research-level problems like natural language processing, context awareness, and of course human psychology, behavior, and consciousness in general.  These are most definitely not problems that can be solved with XML markup.  They likely can’t even be solved with today’s neural networks and “deep learning” algorithms.  It will probably require a quantum leap in AI technology.  That is, it will require building a machine that is truly intelligent in a more general way, such that its conversations with humans are a by-product of its intelligence, instead of its primary goal.

For now, however, the dream of chatbots has been laid to rest in the mid-2010s, and will probably not come back until the technology allows it, and until they’re actually wanted or needed.


I’m a bit late to the party in starting to tinker with TensorFlow, but nevertheless I’ve been having some product ideas (some dumber than others) for real-world applications of machine learning, and here’s one of the stupider ones:

If you know me at all, you know that one of my hobbies is foraging for wild mushrooms. Going to the forest to forage for mushrooms is a time-honored tradition in Russia and many other Slavic countries.  I also derive great pleasure from sharing this hobby with other people, and telling them how fun, challenging, and rewarding this activity can be.

Therefore, I give you — MushroomHuntr: an Android app that can identify different varieties of mushrooms!  It uses a neural network to perform image recognition in real time, to tell you what kind of mushroom you’re looking at.

Huge legal disclaimer: Do not actually rely on this app to differentiate poisonous mushrooms from edible ones!  The app provides a rough guess of the identity of a mushroom, not a definitive identification.

Under the hood, the app uses the Inception v3 model developed by Google, with the top layer of the model re-trained on a large collection of mushroom images. Many of the training images were taken from Wikimedia Commons, and others came from my personal photos that I’ve taken over the years.

The app can distinguish between about twelve varieties of mushrooms, most of which are native to North America and Europe. All of the trained varieties are common enough to be found easily in parks and forests, to maximize the app’s usefulness for the novice mushroom hunter.

When the app is launched, it automatically enables your phone’s camera, and starts attempting to recognize anything it sees in the image.  Therefore, all you need to do is aim the camera at a mushroom, and see what it says!

To maximize the accuracy of the mushroom recognition, try looking at the mushroom from the side, and bring the camera close enough for the mushroom to fill up most of the frame, like this:


I won’t make this app available on the Google Play Store for the time being, while I continue to refine the model, but if you’d like to check it out, you can build it from source code, or contact me for a pre-built APK that you can install on your device.

VR needs several more generations to succeed

When considering today’s “VR” technology, the actual name “VR” is misleading: it’s not really “virtual reality.” A more accurate name for it would be “binocular display with motion tracking,” but that name is not nearly sexy enough to attract venture capital for your startup. I wanted to put all mentions of “VR” in this blog post in quotes, but that would be too on-the-nose even for me, so just imagine that the quotes are there.

I’ve played with many of the major VR headsets in an “enthusiast” capacity for a while now, and I’ve even developed a few applications for them. I really wanted to like VR. I tried really hard to suspend disbelief and make myself like it, but I just have to admit — I don’t see the appeal, and I don’t see the current generation of VR technology as anything more than a passing fad.

Coming soon to a landfill near you!

The only thing that the current VR experience delivers is novelty. It really is exciting to look into one of these headsets for the first time. However, the drop-off in novelty is very steep, on the order of minutes, not even hours.

There isn’t any one specific deal breaker for the current state of VR. It’s rather a combination of factors that, collectively, make it altogether unusable:

  • It’s very low-resolution. In order for a VR experience to be “believable,” it needs to have a resolution of at least 4K per eye. Otherwise, you can literally see the pixels when you look at the image in the headset.
  • It’s not nearly immersive enough. The field of view of the major VR headsets is about 100 degrees, which feels unnatural, and borders on claustrophobic. And the “depth” of the 3D content in the VR display can’t seem to match true natural proportions, either.
  • It’s nausea-inducing. The sensors that track the 3D position of the headset need to be an order of magnitude more sensitive and responsive.
  • The “headset” form factor is still too impractical to become mainstream. No matter how comfortable the headset becomes, if it still needs to cover your eyes and wrap around your head, you won’t want to use it for very long. Did you know that there’s a Netflix app for VR devices? If watching a two-hour movie while having a big plastic appliance strapped to your face is your idea of a good time, then I salute you, but I would still wager that you’re in the minority.

I don’t believe that VR technology can move forward by addressing any one of the above points. It would need to be a quantum leap of technological advancement.  And honestly, once the collective novelty of VR finally wears off, I’m not sure there will be enough interest among consumers for VR companies to work towards this next leap any time soon, except perhaps for very specific niche markets for which VR is better-suited.

I am, of course, looking forward to the final generation of VR, which will involve a Matrix-like interface that plugs directly into your brain stem. Until then, I’m afraid we can only look forward to landfills brimming with plastic contraptions thrown away shortly after purchase.