Digler: A Developer-Friendly Tool for Disk Forensics and File Recovery

Sometimes the most useful tools are the ones you hope you never need. You know the scenario: you accidentally rm the wrong directory, a crucial file vanishes from a USB drive, or you're just curious about what data is really sitting on a disk. While there are heavy-duty forensic suites out there, they often feel overkill for a quick, scriptable investigation. That's where Digler comes in.

It's an open-source command-line tool built in Go, designed to give developers a straightforward way to peek into disk structures, analyze filesystems, and even recover deleted files. Think of it as your lightweight, programmatic Swiss Army knife for storage media.

What It Does

Digler is a forensic analysis tool that lets you scan storage devices (like raw disk images or physical drives) to uncover their contents. Its core job is to parse filesystem metadata—the data about data—to build a map of what exists, what's been deleted, and what spaces are empty. It currently supports the FAT32 and exFAT filesystems, with more likely on the way.

You can use it to list all files and directories (including hidden ones), search for specific file types or patterns, and crucially, to carve out and recover files that have been marked as deleted but whose contents may still be lingering on the disk.

Why It's Cool

The clever part of Digler is its focus on being both accessible and automatable. It's a single binary with a clean CLI, so you can easily pipe its output into other tools or integrate its logic into your own scripts. This makes it perfect for automated recovery tasks or for building custom analysis pipelines.

Instead of navigating complex GUI menus, you run commands like digler list /dev/sdb1 to see everything, or digler search /path/to/image.img --pattern "*.pdf" to hunt for specific files. Its "carve" function is the star for recovery, attempting to reconstruct deleted files by following the breadcrumbs left in the filesystem tables.

For developers, it's also a great learning tool. Running it against a disk image you create can be a fantastic way to understand how filesystems actually manage and track data at a low level.

How to Try It

Getting started is straightforward. Since it's written in Go, you can install it directly with go install:

go install github.com/ostafen/digler@latest

You can also grab a pre-built binary for your platform from the GitHub Releases page.

Once installed, you can point it at a disk image file or a block device (be careful with the latter!). A safe first test is to create a FAT32 USB drive, copy a few files onto it, delete one, and then use Digler to inspect it.

# List all entries on a disk image
digler list ./test_disk.img

# Recover deleted files to a local directory
digler carve ./test_disk.img --output ./recovered_files/

Check the project's README for the full command reference and examples.

Final Thoughts

Digler fills a nice niche. It's not trying to be an all-encompassing forensic suite, but rather a sharp, focused tool that respects a developer's workflow. Whether you're building a custom recovery utility, performing a post-mortem on a corrupted device, or just satisfying your curiosity about disk forensics, it provides a clean and scriptable interface to do so. It's the kind of tool you tuck away in your /usr/local/bin and are genuinely glad to have when the need arises.

If you've ever wanted to pull back the curtain on your storage, Digler is a great place to start.

Follow us for more cool projects: @githubprojects