Skip to content

Supported Applications

Jump to bottom
Eduardo Aguiar edited this page Dec 30, 2025 · 3 revisions

Mobius Forensic Toolkit provides in-depth parsing for a wide range of popular applications through dedicated native C++ extensions. These extensions extract rich forensic artifacts such as user accounts, history, messages, shared/received files, and metadata. Most modern extensions integrate with case profiles via vfs_processor_impl for customizable processing scope.

Browsers

  • Chromium-based Browsers (app-chromium)
    Supports Google Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and other Chromium derivatives.

    • Decrypts and parses: Cookies, Login Data (passwords), History, Bookmarks, Web Data (autofill, credit cards), Preferences, Local State, Extension Cookies, Safe Browsing Cookies.
    • Extensive schema version support (e.g., Web Data v52–143, History up to v70+, Cookies v6/17).
    • Automatic decryption of DPAPI-protected data and v10/v20 blobs including cookies, passwords, credit cards, and autofill.

  • Gecko-based Browsers (app-gecko or integrated support)
    Supports Mozilla Firefox, GeckoFX and derivatives.

    • Parses places.sqlite (history, bookmarks), cookies.sqlite, logins.json (encrypted passwords), formhistory.sqlite, and other profile artifacts.

  • Internet Explorer
    Parses legacy IE artifacts including index.dat files, cached web content, cookies, and history.

Communication

  • Skype (app-skype)
    Native support for classic desktop versions 4 to 14.
    • Parses all SQLite formats: main.db (v4–7), main.db/skype.db (v8–14), and s4l-*.db.
    • Extracts: Contacts, calls, chat messages, file transfers, voicemails, remote party IP addresses, and rich metadata.

P2P File Sharing

  • Ares Galaxy (app-ares)
    Parses ShareH.dat, ShareL.dat, PHashIdx.dat, ARESTRA.dat, TempDL/UDPPHash_.dat, torrenth.dat.

    • Extracts: Autofill data, local/shared files, received/sent files, user accounts, remote party shared files.

  • DC++
    Parses DC++ configuration files, hash data, file lists, and transfer logs for shared files, connections, and user activity.

  • eMule / aMule / DreaMule (app-emule)
    Full support including aMule configurations.
    Parses AC_SearchStrings.dat, known.met, .part.met, preferences.dat, statistics.ini.

    • Extracts: Autofill data, local/shared files, received/sent files, search strings, user accounts, remote party shared files.

  • µTorrent / BitTorrent (app-utorrent)
    Includes support for µTorrent Web.
    Parses settings.dat, resume.dat, dht.dat.

    • Extracts: User accounts, IP addresses, local/received/sent/shared files, remote party shared files.

  • Shareaza (app-shareaza)
    Parses Profile.xml, Library.dat, Searches.dat, Shareaza.db3, *.sd files.

    • Extracts: Autofill data, local/received/sent files, searched texts, shared files, user accounts, remote party shared files.

  • eMule Torrent (app-emuletorrent)
    Parses eMule torrent control files and associated evidence.

Other Applications

  • iTubeGo (app-itubego)
    Extracts URL history, download history, and related artifacts.

Additional Extensions

  • Bitlocker Volumes (vfs.block.bitlocker)
    Detects, decodes, and retrieves metadata including protector information (e.g., recovery keys).

  • Bitlocker Viewer (vfs-block-view-bitlocker)
    Dedicated viewer for Bitlocker volume protectors.

Mobius Forensic Toolkit continues to expand its application coverage, with particular emphasis on browser, communication, and P2P forensics. Many extensions leverage the modern vfs_processor_impl architecture for efficient, profile-aware processing.

For the most up-to-date details, refer to the latest release notes on GitHub.

If a desired application is not yet supported, the toolkit’s extensible design makes it straightforward to Extension-Development in C++ or Python.

Clone this wiki locally