💽 Extract evidence media before the review begins
MediaExtractor is a cross-platform forensic acquisition tool built to recover images and videos from complex evidence sources: folders, disk images, E01/Ex01, archives, office documents, PDFs, email containers, SQLite databases and Project VIC exports.
It preserves the original relative structure where possible, calculates SHA256 during copy, and produces a clean CSV manifest ready for review, reporting, triage or import into analysis workflows such as Media Insight.
MediaExtractor does not mount disks, does not require OSFMount, does not call external conversion tools and does not convert full EWF images to temporary RAW first. It reads supported evidence directly and continues across non-fatal container errors.
Download
Choose the package that fits your lab, field or triage workflow.
Version 1.0.3 · Updated 16/05/2026
Windows x64 ZIP Linux x64 TAR.GZ macOS Apple Silicon ZIP macOS Intel ZIP
macOS first launch note
If macOS reports that MediaExtractor is damaged, it is usually Gatekeeper quarantine.
Open Terminal, copy the command for your Mac, and replace
/path/to/ with the folder where the app was downloaded or extracted.
Apple Silicon Macs
xattr -dr com.apple.quarantine "/path/to/MediaExtractor-osx-arm64.app"Intel Macs
xattr -dr com.apple.quarantine "/path/to/MediaExtractor-osx-x64.app"After running the command, open MediaExtractor again.
Supported Evidence Sources
Folders & file systems
Recursive folder scans on Windows, Linux and macOS, with extension and signature-based detection for common image and video formats.
Disk images
Processes raw and virtual disks such as .img, .dd, .raw, .vhd, .vhdx, .vmdk, .vdi and .iso.
EWF / EnCase images
Reads .e01 and .ex01 through native libewf, including segmented evidence files such as case.E01, case.E02 and case.E03.
Project VIC exports
Uses Project VIC 2 JSON metadata to reconstruct the original filesystem path in the output and preserve timestamps when available.
Embedded containers
Extracts supported media from ZIP-like containers, archives, CAB, legacy Office OLE files, modern Office documents, OpenDocument files, APK/JAR files and more.
PDF, email & SQLite
Recovers images from PDFs, media payloads from .eml, .msg and .oft, and image/video BLOBs from SQLite databases opened read-only.
Forensic Workflow
Select the evidence source
Choose a normal folder, a forensic image, an EWF/E01 set, a Project VIC JSON export, or a supported embedded container.
Choose a clean output folder
MediaExtractor writes copied media and carved embedded media under a structured output root, avoiding path traversal and output overwrites.
Review the manifest
Every extracted item is recorded with source path, output path, type, internal path, timestamps, file size and SHA256.
Built for triage and case preparation
MediaExtractor is especially useful before visual analysis: it turns messy evidence sources into a clean media output tree plus a traceable manifest. That output can then be reviewed manually, archived, hashed, imported into Media Insight, or processed by another forensic workflow.
Traceable Output & Manifest
Output layout
Folder sources keep their original relative paths. Disk images are written under <output>/<image-name>.disk/volume_XX/<filesystem>/.... Embedded containers are written under a .media folder next to the container path.
Source: D:\Evidence\Users\Mario\Pictures\photo.jpg
Output: D:\ExtractedMedia\Users\Mario\Pictures\photo.jpg
Disk output:
D:\ExtractedMedia\Volume_C.E01.disk\volume_00\NTFS\Users\Mario\Pictures\photo.jpgManifest columns
The generated media_manifest.csv records the key facts needed to trace each output file back to its source.
original_source
output_path
type
internal_path
source_created_utc
source_modified_utc
output_size_bytes
sha256Quick Start
Console
Use the CLI when you want repeatable acquisition commands, scripted runs or integration into a lab pipeline.
MediaExtractor <source path> <output path> [options]
MediaExtractor.exe "D:\Evidence" "D:\ExtractedMedia"
MediaExtractor.exe "D:\Evidence\Volume_C.E01" "D:\ExtractedMedia"
MediaExtractor.exe "D:\Evidence" "D:\ExtractedMedia" --max-parallel 12
MediaExtractor.exe "D:\Evidence" "D:\ExtractedMedia" --no-embeddedDesktop launcher
Open MediaExtractor.Gui, choose a source file or folder, choose an output folder, then start extraction. The GUI launches the same extraction engine from the same folder.
Linux / macOS examples:
./MediaExtractor "/mnt/evidence" "/mnt/extracted"
./MediaExtractor "/cases/Volume_C.E01" "/cases/extracted" --quiet-errorsCommand Line Options
| Option | Use it when |
|---|---|
--max-parallel N | You are scanning normal folder sources and want to control parallel workers. Default is min(CPU count, 8). |
--no-embedded | You only want direct image/video files and want to skip archives, PDFs, emails and documents. |
--quiet-errors | You want compact one-line warnings and errors for cleaner logs. |
--help | You want the full command help from the executable. |
Signature-Based Recovery
MediaExtractor checks both extensions and media file signatures. This helps recover common images and videos even when they are stored with generic names such as .bin, .dat, cache files or no extension. ZIP-compatible containers are also detected by header, so mobile and forensic exports with custom outer extensions can still be opened when the internal format is ZIP-compatible.
From Acquisition to Analysis
Use MediaExtractor to normalize evidence into an extracted media tree, then move into review and analysis with your preferred tools. For visual triage, semantic search, EXIF/GPS review, face search and similarity workflows, you can import the output into Media Insight.
Download MediaExtractor Open Media Insight