<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>gHacks Technology News &#124; Latest Tech News, Software And Tutorials &#187; forensics</title> <atom:link href="http://www.ghacks.net/tag/forensics/feed/" rel="self" type="application/rss+xml" /><link>http://www.ghacks.net</link> <description>A technology news blog covering software, mobile phones, gadgets, security, the Internet and other relevant areas.</description> <lastBuildDate>Sat, 11 Feb 2012 09:52:46 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/> <item><title>OS Forensics, System Information Gathering Software</title><link>http://www.ghacks.net/2011/06/28/os-forensics-system-information-gathering-software/</link> <comments>http://www.ghacks.net/2011/06/28/os-forensics-system-information-gathering-software/#comments</comments> <pubDate>Mon, 27 Jun 2011 23:26:20 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[Windows]]></category> <category><![CDATA[forensic software]]></category> <category><![CDATA[forensics]]></category> <category><![CDATA[os forensics]]></category> <category><![CDATA[system information]]></category> <category><![CDATA[windows software]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=47041</guid> <description><![CDATA[I recently wrote about tools and options people had to analyze computer usage. OS Forensics is a program for Microsoft Windows systems that I would have included in the guide if it had been released back then. The program is a system information gathering software. It is currently offered as a beta version. The developers [...]]]></description> <content:encoded><![CDATA[<p>I recently wrote about tools and options people had to <a
href="http://www.ghacks.net/2011/06/20/3-options-to-analyze-past-computer-usage/">analyze computer usage</a>. OS Forensics is a program for Microsoft Windows systems that I would have included in the guide if it had been released back then.</p><p>The program is system information gathering software. It is currently offered as a beta version. The developer, Passmark Software, will release free and commercial versions once the final version is released. The free version comes with several limitations: for instance a disk indexing limit of 200k files, no searching for alternate file streams, no multi-core acceleration for file decryption, and support that is limited to the company&#8217;s public forum. The beta version on the other hand comes without restrictions.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/os-forensics.png" alt="os forensics" title="os forensics" width="600" height="584" class="alignnone size-full wp-image-47043" /></p><p>The tool has been designed by its developers to aid analysts with the discovery of relevant forensic data, the identification of suspicious files and activities, and the management of the information.</p><p>When you start the program for the first time, you see a list of available options on the left side, and a selection of those tools in the larger area on the right.</p><p>It is possible to run a specific tool right away, or use the case management module to create a case for the analysis first. A case consists of a name and save location, an investigator, organization and optional contact details.</p><p>Once you have created the case you can use the tools on the left to search, gather and analyze information. You could start by creating an index of a hard drive&#8217;s or folder&#8217;s contents. It is possible to search for specific types of data, like emails, zip files, office documents or web files, or specify custom files during the advanced configuration step. The advanced options basically allow you to specify file extensions that you want included in the scan. OS Forensics will not only index existing files on the drive, but also traces of deleted files on unallocated sectors of the hard drive.</p><p>The data indexing may take some time depending on the size of the selected folder or drive and the performance of the computer. Once you have created the index you can use the search to find specific files that have been indexed previously.</p><p>But that is only one of the options available to search for information on a computer. Recent Activity for instance displays information about a user&#8217;s recently opened files, opened websites, cookies and event records.</p><p><img
src="http://www.ghacks.net/wp-content/uploads/2011/06/recent-activity.png" alt="recent activity" title="recent activity" width="600" height="590" class="alignnone size-full wp-image-47045" /></p><p>Here is an overview of some of the other tools:</p><ul><li>Search: Search within files and emails.</li><li>Drive Image: Create an image of a hard drive or partition to mount the drive and work with the image instead of the physical drive.</li><li>Forensic Copy: Copy files from a folder to another one. The destination files maintain the time stamps of the original files. Faster than creating and working with a drive image.</li><li>Hash Sets: Load hash sets to identify safe files to reduce the time it takes to analyze files.</li><li>Raw Disk Viewer: Analyze the raw data sectors of all physical drives.</li><li>Memory Viewer: View memory details of all processes currently in memory.</li><li>Deleted File Search: Search for traces of deleted files on any hard drive.</li><li>Mismatch File Search: Search for files with contents that do not match the file type, e.g. with hidden containers or false extensions.</li><li>Signatures: Create signatures to compare directory structures.</li><li>Password Recovery: Find browser passwords, use rainbow tables to look up password hashes and automatic file decryption for specific file types.</li><li>File Viewer: OS Forensics includes an image, hex, string, text, file and metadata viewer.</li><li>Install to USB: Install the application to a USB drive.</li></ul><p>OS Forensics is very sophisticated system information gathering software with an incredible set of features. Users who are interested in the program can download the latest version <a
href="http://www.osforensics.com/index.html">from the</a> developer website. The program is compatible with 32-bit and 64-bit editions of recent Microsoft Windows client and server systems. The developers offer hash sets for download to identify and ignore safe operating system files. The download page offers some rainbow table downloads as well. (<a
href="http://www.addictivetips.com/windows-tips/extract-forensic-data-from-computers-with-osforensics/?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+Addictivetips+%28AddictiveTips%29">via</a>)</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/06/28/os-forensics-system-information-gathering-software/feed/</wfw:commentRss> <slash:comments>7</slash:comments> </item> <item><title>OSFClone, Self-Booting Tool To Create Hard Drive Copies</title><link>http://www.ghacks.net/2011/04/19/osfclone-self-booting-tool-to-create-hard-drive-copies/</link> <comments>http://www.ghacks.net/2011/04/19/osfclone-self-booting-tool-to-create-hard-drive-copies/#comments</comments> <pubDate>Tue, 19 Apr 2011 17:04:24 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Software]]></category> <category><![CDATA[clone disks]]></category> <category><![CDATA[forensics]]></category> <category><![CDATA[osfclone]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=44113</guid> <description><![CDATA[Disk cloning or copying serves several purposes. It can be helpful for users who want to migrate to a larger hard drive for instance, or used for forensic or file recovery purposes as it is usually advised not to work with the original source. You find plenty of disk imaging tools on the Internet, some [...]]]></description> <content:encoded><![CDATA[<p>Disk cloning or copying serves several purposes. It can be helpful for users who want to migrate to a larger hard drive for instance, or used for forensic or file recovery purposes as it is usually advised not to work with the original source. You find plenty of disk imaging tools on the Internet, some free, and many commercial.</p><p>OSFClone is currently offered as a free solution, which is likely to change after the current beta test. The program is offered as an ISO image that can be burned to CD or DVD, and as a version for removable storage devices like Flash storage.</p><p>The software is self-booting, which means that it is independent of the operating systems installed on the system. It is based on Tiny Core Linux and boots into a command line interface and not a graphical user interface.</p><p>Your first task is to burn the ISO image to DVD, or to copy the contents of the zip file to a USB drive. The USB installation requires additional steps, like launching ImageUSB.exe once you have copied the files to the drive. The steps are explained in detail on the developer homepage.</p><p>You end up with a self-booting image that you can start instead of the installed operating systems. This can also be handy if the operating systems are not starting anymore.</p><p><a
href="http://www.ghacks.net/wp-content/uploads/2011/04/osfclone.jpg"><img
src="http://www.ghacks.net/wp-content/uploads/2011/04/osfclone-550x440.jpg" alt="osfclone" title="osfclone" width="550" height="440" class="alignnone size-medium wp-image-44114" /></a></p><p>The program loads its basic interface and displays the available options in a text menu. You can use the keyboard to select an entry from the available options.</p><p>OSFClone can create raw images of a selected drive or partition, or disk images in the Advanced Forensic Format. You need to have enough free space available to create the disk image.</p><p>Another interesting option is the ability to verify that the cloned drive is identical to the source drive, which is done by comparing hashes between the clone and the source drive.</p><p>You can then mount the created image on the same or another computer to analyze, access or recover its contents.</p><p><a
href="http://osforensics.com/tools/create-disk-images.html">OSFClone</a> is easy to use. That, and the fact that it is OS independent, make it an interesting tool for users who want to copy or clone a hard disk on a computer system. The program is currently free of charge, and it remains to be seen if it stays this way, or if the developers have intentions to charge for it in the future.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2011/04/19/osfclone-self-booting-tool-to-create-hard-drive-copies/feed/</wfw:commentRss> <slash:comments>5</slash:comments> </item> <item><title>Securely delete files with secure-delete</title><link>http://www.ghacks.net/2010/08/26/securely-delete-files-with-secure-delete/</link> <comments>http://www.ghacks.net/2010/08/26/securely-delete-files-with-secure-delete/#comments</comments> <pubDate>Thu, 26 Aug 2010 11:17:49 +0000</pubDate> <dc:creator>Jack Wallen</dc:creator> <category><![CDATA[Advice]]></category> <category><![CDATA[Linux]]></category> <category><![CDATA[Open Source]]></category> <category><![CDATA[Security]]></category> <category><![CDATA[Software]]></category> <category><![CDATA[Tutorials Basic]]></category> <category><![CDATA[computer forensics]]></category> <category><![CDATA[deleting files]]></category> <category><![CDATA[forensics]]></category> <category><![CDATA[removing files]]></category> <category><![CDATA[wipe hard disk]]></category> <category><![CDATA[wiping hard drive]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=33602</guid> <description><![CDATA[There are times when you need to delete a file&#8230;REALLY need to delete a file. Anyone who has been in the business of PCs long enough knows that when you simply delete a file it can be recovered. If someone is clever enough, and has the means, they could recover a file that had been [...]]]></description> <content:encoded><![CDATA[<p>There are times when you need to delete a file&#8230;REALLY need to delete a file. Anyone who has been in the business of PCs long enough knows that when you simply delete a file it can be recovered. If someone is clever enough, and has the means, they could recover a file that had been written over even by re-installing an OS over the original file.</p><p>So&#8230;when you know you have to get rid of a file, so that it can never be recovered, what do you do? Well, in Linux you have a number of options. One of those options is secure-delete. This tool is quite handy in that it can securely remove files, folders, and even securely clean free space on your drive. In this article I am going to show you how to install and use secure-delete.</p><p><span
id="more-33602"></span><strong>Installation</strong></p><p>Installation of secure-delete is easy. Since this tool is a command-line-only tool, I will show you how to install it from the command line. Here are the steps.</p><ol><li>Open up a terminal window.</li><li>Issue the command <code>sudo apt-get install secure-delete</code>.</li><li>Type your sudo password (that&#8217;s your user password, in case you weren&#8217;t aware) and hit Enter.</li><li>Allow the installation to complete.</li></ol><p>You now have secure-delete installed on your machine and ready to start trashing those files and folders.</p><p><strong>Deleting a file</strong></p><p>Let&#8217;s say you have a file in your home directory (<strong>~/</strong>) called <strong>secret_stuff.txt</strong>. To delete this with secure-delete you would use the <em>srm</em> command (secure remove). To do that you would issue the command like so:</p><p><code>srm ~/secret_stuff.txt</code></p><p>That file is now VERY gone. Don&#8217;t expect the removal of the file to be as fast as it would with the <em>rm</em> command. Why does it take longer? When you issue the srm command on a file, secure-delete does the following:</p><ol><li>1 pass with 0xff.</li><li>5 random passes.</li><li>27 passes with special values defined by Peter Gutmann (a leading cryptographer).</li><li>Rename the file to a random value.</li><li>Truncate the new file.</li></ol><p>Between each pass the file is also opened in O_SYNC mode and then an fsync() call is made.</p><p><strong>Deleting a folder</strong></p><p>Deleting a folder is as simple as deleting a file. Let&#8217;s say you have the folder <strong>~/secret_stuff</strong> that needs to be deleted for good.
To do this with srm you would use the -r (recursive) switch like so:</p><p><code>srm -r ~/secret_stuff</code></p><p>Depending on the size and number of files in the directory, the deletion will take some time.</p><p><strong>Clearing free space</strong></p><p>If you have installed and re-installed OSes on your computer, you could very easily have residual files remaining in the free space of your current installation. You can ensure that space is free of any traces of files or folders with the command <em>sfill</em>. There are two things about this command you need to know: You have to have admin rights (so you have to use sudo) and you have to know the mount point of the drive whose free space you want to wipe. This command is very slow, so make sure you give it plenty of time to run. Let&#8217;s say you have a drive attached to your machine that has been used a number of times and is mounted to <strong>/media/external</strong>. To completely clean out the free space on this drive you would issue the command:</p><p><code>sudo sfill /media/external</code></p><p>After some time the free space on that particular drive would be completely free of any trace of directories or files.</p><p><strong>Final thoughts</strong></p><p>Using the secure-delete tools is a sure-fire way to permanently and irrevocably remove data from a drive. This tool is so powerful even forensics teams would have trouble extracting data from the drive.
Just make sure you use this tool with caution, so you do not securely delete files you actually want to keep!</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/08/26/securely-delete-files-with-secure-delete/feed/</wfw:commentRss> <slash:comments>2</slash:comments> </item> <item><title>Whitelist Hash Database Frontend</title><link>http://www.ghacks.net/2010/02/16/whitelist-hash-database-frontend/</link> <comments>http://www.ghacks.net/2010/02/16/whitelist-hash-database-frontend/#comments</comments> <pubDate>Tue, 16 Feb 2010 19:02:31 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[forensics]]></category> <category><![CDATA[hash database]]></category> <category><![CDATA[install media]]></category> <category><![CDATA[malicious software]]></category> <category><![CDATA[programs]]></category> <category><![CDATA[whitelist]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=23121</guid> <description><![CDATA[The National Software Reference Library was initially designed to aid computer forensics experts in the investigation of crimes that involve computers. It basically consists of a list of nearly 40 million files and hashes that are used to speed up the process of identifying evidence by excluding files from the investigation that are found [...]]]></description> <content:encoded><![CDATA[<p>The National Software Reference Library was initially designed to aid computer forensics experts in the investigation of crimes that involve computers. It basically consists of a list of nearly 40 million files and hashes that are used to speed up the process of identifying evidence by excluding files from the investigation that are found in the list.</p><p>The database was not initially accessible online. Only CDs containing the data sets were <a
href="http://www.nsrl.nist.gov/Downloads.htm">offered</a> on the project&#8217;s website which made it impracticable to use for everyone who wanted to look up a single file or hash.</p><p><span
id="more-23121"></span>The Internet Storm Center (ISC) has converted the full set of hashes into an online application that can be checked on the new <a
href="http://isc.sans.edu/tools/hashsearch.html">Find A Hash</a> beta testing website.</p><p>The database of non-malicious software programs and files consists of 39,944,023 samples. Searches by filename and by SHA1 or MD5 hash are supported.</p><blockquote><p>We are using version 2.27 (December 2009). You can search for SHA1 or MD5 hashes. There are no Windows 7 hashes yet. NIST offers a Knoppix bootable CD that can be used to collect hashes. We are interested in adding more sources of hashes and would be interested in your hash collection if you have one to offer. Note: The NIST NSRL database only includes hashes of files from original install media. Currently, no patched versions are included. As a result, your hash may differ if that particular file was patched after the original release.</p><p>In addition to the NIST database, we also run a test against the Team Cymru Hash Registry. It covers malware. If a match is found we will post a link to the respective page at Threatexpert.com (only for MD5 hashes right now).</p></blockquote><p>The concentration on original install media and only unpatched files makes the database impracticable for many uses, but the developers are asking for hash <a
href="http://isc.sans.edu/diary.html?storyid=8236">contributions</a> to improve the database.</p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2010/02/16/whitelist-hash-database-frontend/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>10 Best Security Live CD Distros (Pen-Test, Forensics &amp; Recovery)</title><link>http://www.ghacks.net/2006/03/15/10-best-security-live-cd-distros-pen-test-forensics-recovery/</link> <comments>http://www.ghacks.net/2006/03/15/10-best-security-live-cd-distros-pen-test-forensics-recovery/#comments</comments> <pubDate>Wed, 15 Mar 2006 15:01:19 +0000</pubDate> <dc:creator>Martin Brinkmann</dc:creator> <category><![CDATA[Security]]></category> <category><![CDATA[forensics]]></category> <category><![CDATA[live distro]]></category> <category><![CDATA[pen-test]]></category> <category><![CDATA[recovery]]></category> <category><![CDATA[security cd]]></category> <guid
isPermaLink="false">http://www.ghacks.net/?p=355</guid> <description><![CDATA[The guys of <a
href="http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/" target="_blank">darknet.org.uk</a> have posted a new article that lists the 10 best security live CD distros. Each distribution is introduced in a small paragraph and features links to the distribution&#8217;s homepage.]]></description> <content:encoded><![CDATA[<p>The guys of <a
href="http://www.darknet.org.uk/2006/03/10-best-security-live-cd-distros-pen-test-forensics-recovery/" target="_blank">darknet.org.uk</a> have posted a new article that lists the 10 best security live CD distros. Each distribution is introduced in a small paragraph and features links to the distribution&#8217;s homepage.</p><p><span
id="more-355"></span></p> ]]></content:encoded> <wfw:commentRss>http://www.ghacks.net/2006/03/15/10-best-security-live-cd-distros-pen-test-forensics-recovery/feed/</wfw:commentRss> <slash:comments>1</slash:comments> </item> </channel> </rss>
