About Mobius Forensic Toolkit
Advancing Digital Forensics through Open-Source Excellence
What is Mobius Forensic Toolkit?
Mobius Forensic Toolkit is a robust, open-source framework designed to empower forensic investigators, cybersecurity professionals, and researchers in analyzing digital evidence. Built with C++ and Python, it offers a modular, extensible platform for managing cases, processing diverse data sources, and uncovering critical insights. The toolkit leverages SQLite databases for efficient data storage, ensuring compatibility with other forensic tools. It supports a wide range of input sources, including forensic image files (raw, split, EWF, Talon, Solo, Dossier, MSR, VHD, VHDX) and physical devices, making it a versatile solution for complex investigations.
Since its inception in 2008, Mobius has specialized in peer-to-peer (P2P) network analysis, with advanced extensions for eMule, Shareaza, and Ares Galaxy artifacts. Its latest release, v2.14 (May 2025), introduces cutting-edge features like the `app-emule` extension and CMake-based builds, solidifying its position as a leader in open-source forensics. Whether investigating cybercrimes, recovering data, or researching new forensic techniques, Mobius delivers precision, flexibility, and community-driven innovation.
Project History
Mobius Forensic Toolkit was founded by Eduardo Aguiar in 2008 to provide an accessible, open-source tool for digital forensics. Over nearly two decades, it has evolved through continuous development, community feedback, and technological advancements. The 2.x series (2023–2025) marks significant milestones in its journey:
- Dec 2023 (v2.0): Introduced `mobius::vfs`, a modular C++ framework for recursive data block detection, replacing the legacy `item.datasource` structure.
- Feb 2024 (v2.1): Added BitLocker volume support, enhancing encryption analysis.
- May 2024 (v2.2–v2.3): Improved cryptography (e.g., ChaCha20, SM4) and added iTubeGo artifact support.
- Jul 2024 (v2.4–v2.5): Introduced Cellebrite UFDR report file support and Installed Programs evidence type.
- Aug–Oct 2024 (v2.6–v2.8): Added Wireless Network, Contacts, Passwords, and Crypto Wallet evidence types; enhanced UI widgets.
- Nov–Dec 2024 (v2.9–v2.10): Launched `app-ares` for Ares Galaxy, added Credit Card and P2P Remote Files evidence.
- Jan–Feb 2025 (v2.11–v2.12): Introduced `app-emuletorrent` and `app-shareaza` for eMule Torrent and Shareaza artifact analysis.
- Mar 2025 (v2.13): Added Processing View and KFF Alerts to Evidence Viewer, with `Event-Viewer` extension.
- May 2025 (v2.14): Migrated extensions to CMake, launched `app-emule` for deep eMule artifact analysis, and modernized codebase.
These advancements reflect Mobius’s commitment to addressing modern forensic challenges, particularly in P2P networks and mobile device analysis.
Key Features
Mobius Forensic Toolkit offers a rich set of features, driven by its 2.x releases:
- Virtual File System (vfs): A powerful C++ framework (v2.0) for detecting and decoding data blocks, supporting palimpsest structures (e.g., ISOHybrid disks) and multiblock systems (e.g., RAID, LVM).
- P2P Analysis Extensions:
  - app-emule (v2.14): Analyzes eMule artifacts (e.g., `AC_SearchStrings.dat`, `known.met`), retrieving search histories, file transfers, and user settings.
  - app-shareaza (v2.12): Decodes Shareaza control files (e.g., `Profile.xml`, `Library.dat`) for autofill data, shared files, and user accounts.
  - app-ares (v2.9–v2.10): Processes Ares Galaxy files (e.g., `ShareH.dat`, `PHashIdx.dat`) for local, received, and shared files.
  - app-emuletorrent (v2.11): Extracts evidence from eMule Torrent control files.
- UFDR Support (v2.5–v2.8): Processes Cellebrite UFDR report files, retrieving Contacts, Passwords, Crypto Wallets, and Credit Card info.
- Evidence Viewer (v2.13): Features Processing View, KFF Alerts, and Event-Viewer for streamlined evidence management.
- Encryption and Cryptography: Supports BitLocker (v2.1), advanced ciphers (v2.2), and cookie decryption (v2.3).
- Evidence Types: Includes Installed Programs (v2.4), Wireless Networks (v2.6), Credit Cards (v2.10), and more.
- Extensible Framework: Build custom C++ and Python extensions, with full Python API (e.g., `mobius.vfs`, `pymobius.ant.evidence`).
- Cross-Platform Builds: CMake migration (v2.14) enhances build efficiency on Linux, Windows, and macOS.
Use Cases
Mobius Forensic Toolkit excels in diverse forensic scenarios:
- Cybercrime Investigations: Analyze P2P networks (eMule, Shareaza, Ares) to uncover illegal file sharing or cyber fraud.
- Data Recovery: Extract data from forensic images or BitLocker volumes for legal evidence or system restoration.
- Mobile Forensics: Process UFDR files to retrieve contacts, passwords, or crypto wallet data from mobile devices.
- Network Forensics: Reconstruct user activities, such as search histories or file transfers, to build case timelines.
- Research and Training: Develop new forensic tools or train investigators using Mobius’s open-source framework.
License
Mobius Forensic Toolkit is licensed under the GNU General Public License (GPL) version 2 or later. This open-source license ensures that the software is free to use, modify, and distribute, fostering collaboration and innovation. Users are encouraged to contribute enhancements, ensuring Mobius remains a cutting-edge tool for the global forensic community.
Developers and Community
Led by Eduardo Aguiar (aguiar@protonmail.ch), Mobius Forensic Toolkit thrives on community contributions. Join us by:
- Contributing code via the GitHub Repository.
- Reporting issues on the Bug Tracker.
- Engaging on the Mailing List.
- Donating via Buy Me a Coffee or cryptocurrency (see sidebar).
Your support drives Mobius’s mission to advance digital forensics.
Get Started
Explore Mobius Forensic Toolkit v2.14 by downloading it from the sidebar. Visit the Support page for installation guides, documentation, and tutorials. Join the community to shape the future of open-source forensics!