The program is a system information gathering software. It is currently offered as a beta version. The developers Passmark Software will release a free and commercial version once the final version is released. The free version comes with several limitations, a disk indexing limit of 200k files for instance, no searching for alternate file streams, multi-core acceleration for file decryption or support that is limited to the company’s public forum. The beta version on the other hand comes without restrictions.

The tool has been designed by its developers to aid analyzers with the discovery of relevant forensic data, the identification of suspicious files and activities and the management of the information.

When you start the program for the first time, you see a list of available options on the left side, and a selection of those tools in the larger area on the right.

It is possible to run a specific tool right away, or use the case management module to create a case for the analysis first. A case consists of a name and save location, an investigator, organization and optional contact details.

Once you have created the case you can use the tools on the left to search, gather and analyze information. You could start by creating an index of a hard drive’s or folder’s contents. It is possible to search for specific type of data, like emails, zip files, office documents or web files, or specify custom files during the advanced configuration step. The advanced options basically allow you to specify file extensions that you want included in the scan. OS Forensics will not only index existing files on the drive, but also traces of deleted files on unallocated sectors of the hard drive.

The data indexing may take some time depending on the size of the selected folder or drive and the performance of the computer. Once you have created the index you can use the search to find specific files that have been indexed previously.

But that is only one of the options available to search for information on a computer. Recent Activity for instance displays information about a user’s recently opened files, opened websites, cookies and event records.

Here is an overview of some of the other tools:

• Search within files, emails
• Drive Image: Create an image of a hard drive or partition to mount the drive and work with the image instead of the physical drive.
• Forensic Copy: Copy files from a folder to another one. The destination files maintain the time stamps of the original files. Faster than creating and working with a drive image.
• Hash Sets: Load hash sets to identify safe files to reduce the time it takes to analyze files.
• Raw Disk Viewer: Analyze the raw data sectors of all physical drives.
• Memory Viewer: View memory details of all processes currently in memory.
• Deleted File Search: Search for traces of deleted files on any hard drive.
• Mismatch file search: Search for files with contents that do not match the file type, e.g. with hidden containers or false extensions.
• Signatures: Create signatures to compare directory structures.
• Password Recovery: Find browser passwords, use rainbow tables to look up password hashes and automatic file decryption for specific file types.
• File Viewer: Os Forensics includes an image, hex, string, text, file and meta data viewer.
• Install to USB: Install the application to an USB drive

OS Forensics is a very sophisticated system information gathering software with an incredible set of features. Users who are interested in the program can download the latest version from the developer website. The program is compatible with 32-bit and 64-bit editions of recent Microsoft Windows client and server systems. The developers offer hash sets for download to identify and ignore safe operating system files. The download page offers some rainbow table downloads as well. (via)

Firefox 3 History Recovery helps in all other cases. It is a command line tool that can analyse uncompressed disk images to discover traces of the four SQLite tables moz_places, moz_historyvisits, moz_formhistory and moz_downloads. What the recovery tool can return are therefor the visited urls, the form history and the downloads.

Firefox 3 History Recovery is a forensic tool and therefor not designed with usability in mind. It can only be executed from the command line and the biggest problem that users face is that they need to create a disk image for this process. The developer mentioned a few tools that can be used to create those disk images: winhex, ftk imager and dcfldd.

The program itself is easy to use in comparison. All the user needs to do is to enter the command

ff3hr -i


to start the recovery process. The command line tool will create four new text documents in its directory that will contain the information found on the disk image. Firefox 3 History Recovery is an Open Source software program that is available at the Sourceforge website.

Registry hives can be loaded into the software program by clicking on File > Open Registry Files.

A click on File > Create Report or pressing CTRL R will create the report of the selected Registry hive. The report will display various information about the hive which can be summed up as various system settings. Depending on the hives that are loaded in the software information such as Windows accounts and users, Windows services, printers, firewalls, network settings and various other information.

The Ntuser.dat file is probably the most interesting hive that can be loaded in the Registry software as it displays recently opened documents, recently opened applications and last typed applications. The settings can be used to add or remove data from the report. Various modules are not enabled by default. Enabling them can increase the depth of the report. Registry Report can be downloaded from the developer’s website.

The main interface of Windows File Analyzer is driven by five buttons in the top toolbar that each open up a file browser window. The file analysis software can be used to analyse the following five files: index.dat, prefetch, thumbs.db , shortcuts and recycle bins. Not every Windows system makes use of all of those files as some functions like the thumbnail generation can be deactivated.

Windows File Analyzer will analyse the contents of the selected file and display the results in a table. The table will contain various information depending on the file that has been analyzed. Analyzing a thumbs.db file will for example display all the thumbnails that it contains while the analysis of the prefetch data will display information about the applications that are prefetched, the time the entry has been created and last used on the computer system.

Windows File Analyzer combines various tools that can be used to analyse a computer system and reveal information about its users. Multiple file analysis’ can be open at the same time. Each report can be printed in user friendly form for further analysis. Some knowledge is required to start a file analysis which might require research on the Internet to find out where the files that can be analyses are located on the computer system.

Drive Look is a free forensic disk investigation tool from the developers of Drive Image XML. The forensic data recovery software is free to use and runs on many Microsoft operating systems like Windows 2000 or Windows XP but not Windows Vista. Registration data has been posted on the download page that needs to be entered into the software.

The forensic software will scan a selected hard drive, partition, logical drives, network drives or images and index all words that meet specific criteria. The user can select the minimum and maximum word length and chars during setup. There is also the possibility to specify words that should be included in the scan.

Drive Look will list all words that it has found during scan in a searchable interface in the end. It is possible to scroll through the words on the left side or enter a search term to find out if a word or phrase has been discovered in the specified location. The forensic data software will display the locations on the storage device in either Ascii or Hex mode and list the sector and offset information of each hit. It is possible to read the text that is surrounding the discovered phrase to get a better understanding.

An alternative to Drive Look is The hard drive data retrieval tool Disk Investigator which makes use of a realtime search.

It’s a standalone tool which means it can be run from external devices connected to the computer which is definitely a prerequisite for all forensic tools. It analyses the user level at startup and displays information like the local IP and hostname. A click on Start Collecting processes 14 sequences, some with subsequences, that collect data and write that data into logfiles in the Evidence Collector directory.

The software did write 25 different log files into the log directory including a list of opened files, installed applications and processes. Evidence Collector concentrates on hardware and software only while law enforcement agencies would definitely scan the computer for files as well, probably using a software like Locate to find information in filenames and contents.

A detailed list of what is analysed:

• Shares and policies applied on shares
• Started and stopped services
• Installed software
• Installed Hotfixes
• Enumerated Processes
• Events logs
• TCP / UDP mapping endpoints
• Process handles tracking
• List start-up programs
• Suspected modules
• Users policies
• USB history

Evidence Collector is a free software currently in beta. There is no information on the homepage about compatibility, it runs fine on my Windows XP Service Pack 3 system.