Discover all relevant forensic evidence from a system, quickly and easily!



  -  277.2 MB  -  Trial
  • Latest Version

    OSForensics 11.0.1008 LATEST

  • Review by

    Michael Reynolds

  • Operating System

    Windows XP / Vista / Windows 7 / Windows 8 / Windows 10 / Windows 11

  • User Rating

    Click to vote
  • Author / Product

    PassMark Software / External Link

  • Filename


  • MD5 Checksum


OSForensics lets you extract forensic evidence from computers quickly with high-performance file searches and indexing. Identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory, and binary data. Manage your digital investigation and create reports from collected forensic data. Enjoy!

OSForensics can index the content of a huge variety of file formats. This includes: DOC, DOCX, PDF, PPT, XLS, RTF, WPD, SWF, DJVU, JPG, GIF, PNG, TIFF, MP3, DWF, DOCX, PPTX, XLSX, MHT, ZIP, PST, MBOX, MSG, DBX, ZIP, ZIPX, RAR, ISO, TAR, 7z and more. Recursive containers are also supported. So it is possible to correctly index a DOCX file attached to an E-mail in a PST file which is in turn compressed in a ZIPX file.

It provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.

The first stage in being able to search emails is to create an index of the archives in question. This can take some time but it is what allows for repeated fast searches later on. OS Forensics allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express, and more.

OSForensics allows you to recover and search deleted files, even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy. Each deleted file found is displayed with a corresponding Quality indicator between 0-100. A value towards 100 means that the deleted file is largely intact, with only a few missing clusters of data.

OSForensics scans your system for evidence of recent activity, such as accessed websites, USB drives, wireless networks, recent downloads, website logins, and website passwords. This is especially useful for identifying trends and patterns of the user, and any material or accounts that have been accessed recently.

With the program, you can recover browser passwords from Chrome, Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered include, the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site & the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.

It can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are features for hiding sectors of a hard disk from being accessible to the end-user.

The app includes built-in support for accessing Volume Shadow Copies. Shadow copies provide a glimpse of the volume at a point in time in the past. This will allow for the discovery of changes to files and even view possible deleted files.

It provides a basic web viewer with the ability to load web pages from the web and save screen captures of web pages to the case.
The Web Browser can be optionally configured to capture the webpages from a user-specified list of URLs. In addition, the Web Browser can capture all or a subset of linked pages (up to a single level)

Features and Highlights
  • Import and export of hash sets
  • Customizable system information gathering
  • No limits on the number of cases being managed through OSForensics
  • Restoration of multiple deleted files in one operation
  • List and search for alternate file streams
  • Sort image files by color
  • Disk indexing and searching not restricted to a fixed number of files
  • No watermark on web captures
  • Multi-core acceleration for file decryption
  • Customizable System Information Gathering
  • Find files faster, search by filename, size and time
  • Search within file contents using the Zoom search engine
  • Search through email archives from Outlook, ThunderBird, Mozilla and more
  • Recover and search deleted files
  • Uncover recent activity of website visits, downloads, and logins
  • Collect detailed system information
  • Password recovery from web browsers, decryption of office documents
  • Discover and reveal hidden areas in your hard disk
  • Browse Volume Shadow copies to see past versions of files
Note: 30 days trial version. Limited functionality.

  • OSForensics 11.0.1008 Screenshots

    The images below have been resized. Click on them to view the screenshots in full size.

    OSForensics 11.0.1008 Screenshot 1
  • OSForensics 11.0.1008 Screenshot 2
  • OSForensics 11.0.1008 Screenshot 3

What's new in this version:

Android Artifacts:
- Updated to allow double-clicking tagged items from Manage Case dialog to open Android Artifacts module, select the item on the tree-view and display on the tab view

Updated list-view:
- Added Tag Flag column
- Added Read column to the MMS/SMS Messages
- Added Read/Unread status to the preview
- Removed Read column from Conversations

- Updated right-click menu options

Deleted Files:
- Added additional sanity checks to JPG carving to prevent buffer out of bounds access

Disk Imaging:
- Display total time taken + avg speed

File Viewer:
- Fixed issue opening docx files with non-ASCII filenames

Hash Sets:
- Fixed issue where some Project VIC sets could not be imported
- Changed import button to resize after changing selection

Prefetch Viewer:
- Fix possible crash when prefetch artifact paths are too long

User Activity:
- Added evidence location column to the Windows Search category list-view
- Fixed possible crash when running Event Log option with Linux image

$UsnJrnl Viewer:
- Added line to indicate what the entries with the file name in read represent

- Added minimum size limits to SQLite Browser and Registry Selection windows
- Updated VolatilityWorkbench to V3.0.1007