Load history from a forensic image

BHE does not directly support parsing forensic image files, so you will need to mount the forensic image first:

  • To make Windows Volume Shadow Copies accessible, we recommend using Arsenal Image Mounter, which can be licensed or used in "Free Mode".
  • For mounting macOS APFS images on Windows, we recommend Mount Image Pro.

Once the image is mounted, go to File > Capture History, select Capture history from logical drive, and choose the relevant operating system (Windows or macOS).

You can then enter the path to the Windows/macOS user folder within the mounted drive, and the path where the captured data should be saved.

Once the capture is complete, you will be prompted to load the history automatically into BHE.