Comparing Interface Types in Cyber Forensics

In digital and cyber forensics, forensic tooling falls into three main categories of interface:

  • Graphical User Interfaces (GUIs)
  • Interactive Text-based Consoles
  • Command-line interfaces (CLIs)

Of these, the main competitors are really just GUIs and CLIs, as they differ the most from one another.

Both have their strengths and reasons to be used, and neither should be discounted.

Many people like to use the GUI version of an application, as it allows them to focus on the task at hand, which may span a range of activities, without having to remember command-line arguments and other such distractions. Essentially, it lets them get straight to the point and focus on retrieving the evidence needed for the report that completes the investigation.

The CLI version, conversely, while usually less intuitive, tends to focus on a single problem domain or task and resolves that very well (Garling, 2012).

If you know exactly what you are looking for and how to achieve it, CLIs definitely dig straight to the core of the challenge on the first attempt and help you to resolve problems very succinctly.

CLIs are also commonly associated with how hackers or expert users operate computers (Campagnano, 2016). This is because tasks can be accomplished very swiftly if you know exactly how the inner workings function and can work with the core of the undertaking to piece together your own solutions.

GUI applications tend to be better for most operations and usually come with very simple and useful export features (, 2017), allowing the end user, or forensic investigator in this case, to export reports as PDFs or HTML documents which they can use directly to build cases and as court evidence.

However, the real advantage that CLIs have over GUI applications is when you need that extra level of control or when something goes wrong with a GUI application feature, such as where a GUI does not complete a task or where there is a missing piece of output.

This is when knowing how to operate a relevant CLI comes in extremely handy. Sometimes being able to manually trigger a command or swap out for a better alternative at that point can help complete the evidence report as opposed to waiting for the GUI’s software vendor to push out a new version or resolve a known bug that is stopping you from progressing.

It is also not terribly difficult to create your own GUI on top of a CLI to automate scripts, tasks or groups of commands. This can be done by means of creating a web application, bash/shell script or implementing the CLI directly using Qt (, 2018) or an alternative.
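As an illustration of wrapping a group of commands in a shell script, the added example below (not from the original article) combines `find`, `sha256sum` and `wc` into a single step that exports an HTML hash report of an evidence directory. The function names and paths are hypothetical, and it assumes GNU coreutils and file names without embedded newlines.

```shell
#!/bin/sh
# Added example: one shell function that drives several CLI tools and
# exports the result as HTML. Names and paths are hypothetical.

# Escape HTML metacharacters so a hostile file name cannot alter the report.
html_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
        -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# evidence_report DIR OUT.html
# Hashes every regular file under DIR and writes an HTML table to OUT.
# Returns 2 if DIR is missing and 1 if any file could not be hashed, so a
# partial report is never mistaken for a complete one.
# OUT should live outside DIR, otherwise the report would list itself.
evidence_report() {
    dir=$1; out=$2; status=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    {
        printf '<html><body><h1>Evidence hashes</h1>\n'
        printf '<p>Source: %s</p>\n' "$(html_escape "$dir")"
        printf '<table border="1">\n'
        printf '<tr><th>File</th><th>Bytes</th><th>SHA-256</th></tr>\n'
    } > "$out"
    # Sort the listing so two runs over the same evidence produce the same report.
    find "$dir" -type f -print | LC_ALL=C sort > "$out.list"
    while IFS= read -r f; do
        # Hash via stdin so the output is always "<hash>  -".
        if hash=$(sha256sum < "$f" 2>/dev/null); then
            hash=${hash%% *}
        else
            hash="UNREADABLE"; status=1
        fi
        size=$(wc -c < "$f" 2>/dev/null | tr -d ' ')
        printf '<tr><td>%s</td><td>%s</td><td>%s</td></tr>\n' \
            "$(html_escape "$f")" "$size" "$hash" >> "$out"
    done < "$out.list"
    rm -f "$out.list"
    printf '</table></body></html>\n' >> "$out"
    return "$status"
}

# Stand-alone use: sh report.sh /path/to/evidence /path/to/report.html
if [ "$#" -eq 2 ]; then
    evidence_report "$1" "$2"
fi
```

The non-zero return code for unreadable files is the part a GUI often hides: the script makes a missing piece of output explicit instead of silently omitting it.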

CLIs are at the heart of problem solving and should definitely be seen as the most powerful and controllable option when doing a comparison between forensic tooling types.



Garling, C. (2012) Why the GUI will never kill the sacred command line [Online], Available from: (Accessed on 2nd September 2018)

Campagnano, M. (2016) Why do most developers, hackers and computer system professionals use the command line in Windows for their work? Why don’t they use GUI applications? [Online], Available from: (Accessed on 2nd September 2018)

(2017) Difference Between CLI and GUI [Online], Available from: (Accessed on 2nd September 2018)

(2018) How to Learn Qt [Online], Available from: (Accessed on 2nd September 2018)

