Find files quickly
OSForensics™ allows you to search for files many times faster than the search functionality in Windows.
Results can be analyzed in the form of a file listing, a Thumbnail View, or a Timeline View which allows you to determine where significant file change activity has occurred.
Search within files
If the basic file search functionality is not enough, OSForensics can also create an index of the files on a hard disk. This allows for lightning-fast searches for text contained inside the documents. Powered by the technology behind Wrensoft’s acclaimed Zoom Search Engine.
Search for Emails
Searching within files also extends to email archives. The indexing process can open and read most popular email file formats (including pst) and identify the individual messages.
This allows for a fast text content search of any emails found on a system.
Recover Deleted Files
After a file has been deleted, even once removed from the recycling bin, it often still exists until another new file takes its place on the hard drive. OSForensics can track down this ghost file data and attempt to restore it to a usable state on the hard drive.
Uncover Recent Activity
Find out what users have been up to. OSForensics can uncover the user actions performed recently on the system, including but not limited to:
Web Browsing History
Connected USB Devices
Connected Network Shares
Collect System Information
Find out what’s inside the computer. Detailed information about the hardware a system is running on:
CPU type and number of CPUs
Amount and type of RAM
Installed Hard Drives
Connected USB devices
and much more. Powered by PassMark’s SysInfo DLL.
View Active Memory
Look directly at what is currently in the system’s main memory. Attempt to uncover passwords and other sensitive information that would otherwise be inaccessible.
Select from a list of active processes on the system to inspect. OSF can also dump their memory to a file on disk for later inspection.
Extract Logins and Passwords
Recover usernames and passwords from recently accessed websites in common web browsers, including Internet Explorer, Firefox, Chrome and Opera.
Detect Hidden Disk Areas
Discover hidden disk areas (HPA/DCO) of a hard disk. Attempt to expose sensitive information that would otherwise be inaccessible.
Remove or create an image of the hidden areas for further analysis.
Verify and Match Files
Using advanced hashing algorithms, OSForensics can create a digital identifier that can be used to identify a file.
This identifier can be used both to verify that a file has not been changed and to quickly find out if a file is part of a set of known files.
Find Misnamed Files
By looking at the contents of a file, OSForensics can identify what kind of file it is and then figure out if the file has an incorrect extension. This can help locate “Dark Data” that the user has tried to conceal.
Create & Compare Drive Signatures
By making a record of the details of the files on a hard drive, a comparison can then be done at a later date to find out what has been changed.
Many of the discovery features of OSF return data that has a time associated with it. Using this timeline viewer you can quickly see when activity has occurred.
Built-in File Viewer
Once you have found a file you are interested in, you can view it multiple ways from within OSF without needing to rely on one or more external applications. Files can be viewed as:
Images (where applicable)
Or you can view the file properties and metadata.
Binary String Extraction
Extract text strings from binary data, allowing you to find text hidden in otherwise unreadable chunks of information. Do this either for files found on the hard drive or directly from the active memory of processes running on the system.
Open emails from most popular formats directly inside OSForensics, with no need to install multiple mail clients in order to view emails from different sources.
Open registry files from within OSF, both offline files and live registry files currently locked by Windows, with navigation to known key locations and fast searching. Because it doesn’t use Windows API calls, more information can be seen, e.g. the time and date of a key’s last edit and registry entries that might be hidden by malicious software.
File System Browser
Explorer-like navigation of supported file systems tailored specifically for forensics analysis. Using OSForensics’ own file system implementations, forensics evidence can be quickly identified and recovered.
Raw Disk Viewer
View the raw, sector-by-sector contents of a disk. Data hidden in the sectors outside the file system can be identified and analyzed with this module.
Thumbnail Cache Viewer
Extracts the thumbnail images stored in Windows’ thumbnail cache files for viewing. Thumbnail cache files may contain evidence of images that have been deleted on the system.
SQLite Database Browser
Browse and uncover valuable forensics data stored in SQLite database files used in the iPhone, Firefox and Chrome.
ESE Database Viewer
View data containing potential forensics value stored by various Microsoft applications including Windows Search and Microsoft Exchange Server.
Identify when and how often an application is run by analyzing its prefetch data.
Create a Case
Group all gathered evidence together into an OSF Case file for later use. All data is cryptographically hashed to prevent tampering.
Generate a Report
Once created, case files can be exported into easily readable reports summarizing the evidence found.
Storage Device Management
Manage your storage devices in a centralized manner for convenient access throughout OSForensics.
Create and restore disk images of evidence disks, to support forensics analysis without risking the integrity of the original data.
Rebuild RAID Arrays
Rebuild a complete RAID image from a set of RAID member disk images.
Take OSForensics With You
OSForensics can be installed and run from a portable USB drive. Take the investigation straight to the target computer without risking the contamination of valuable forensic information.
Imaging live systems
Take exact copies of the partitions or drives of an active system. Useful for live acquisitions while running OSForensics from your USB drive. You can also image a drive from a non-live system using our tool, OSFClone.
Maintain an audit trail
OSForensics can automatically maintain a secure audit trail of the exact activities carried out during the course of the investigation.