OSForensics

OSForensics lets you extract forensic evidence from computers quickly with high-performance file searches and indexing. Identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory, and binary data. Manage your digital investigation and create reports from collected forensic data. Enjoy!

OSForensics can index the content of a huge variety of file formats. This includes: DOC, DOCX, PDF, PPT, XLS, RTF, WPD, SWF, DJVU, JPG, GIF, PNG, TIFF, MP3, DWF, DOCX, PPTX, XLSX, MHT, ZIP, PST, MBOX, MSG, DBX, ZIP, ZIPX, RAR, ISO, TAR, 7z and more. Recursive containers are also supported. So it is possible to correctly index a DOCX file attached to an E-mail in a PST file which is in turn compressed in a ZIPX file.

It provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.

The first stage in being able to search emails is to create an index of the archives in question. This can take some time but it is what allows for repeated fast searches later on. OS Forensics allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express, and more.

OSForensics allows you to recover and search deleted files, even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy. Each deleted file found is displayed with a corresponding Quality indicator between 0-100. A value towards 100 means that the deleted file is largely intact, with only a few missing clusters of data.

OSForensics scans your system for evidence of recent activity, such as accessed websites, USB drives, wireless networks, recent downloads, website logins, and website passwords. This is especially useful for identifying trends and patterns of the user, and any material or accounts that have been accessed recently.

With the program, you can recover browser passwords from Chrome, Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered include, the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site & the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.

It can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are features for hiding sectors of a hard disk from being accessible to the end-user.

The app includes built-in support for accessing Volume Shadow Copies. Shadow copies provide a glimpse of the volume at a point in time in the past. This will allow for the discovery of changes to files and even view possible deleted files.

It provides a basic web viewer with the ability to load web pages from the web and save screen captures of web pages to the case.
The Web Browser can be optionally configured to capture the webpages from a user-specified list of URLs. In addition, the Web Browser can capture all or a subset of linked pages (up to a single level)

Features and Highlights

• Import and export of hash sets
• Customizable system information gathering
• No limits on the number of cases being managed through OSForensics
• Restoration of multiple deleted files in one operation
• List and search for alternate file streams
• Sort image files by color
• Disk indexing and searching not restricted to a fixed number of files
• No watermark on web captures
• Multi-core acceleration for file decryption
• Customizable System Information Gathering
• Find files faster, search by filename, size and time
• Search within file contents using the Zoom search engine
• Search through email archives from Outlook, ThunderBird, Mozilla and more
• Recover and search deleted files
• Uncover recent activity of website visits, downloads, and logins
• Collect detailed system information
• Password recovery from web browsers, decryption of office documents
• Discover and reveal hidden areas in your hard disk
• Browse Volume Shadow copies to see past versions of files

Note: 30 days trial version. Limited functionality.