OSForensics, System Information Gathering Software
OSForensics is a commercial computer forensics package for the Windows operating system that reveals a plethora of information about the underlying PC.
Update: OSForensics is no longer available as a free version. Passmark Software replaced the free version with a 30-day free trial with the release of version 4.0 on November 10, 2016. End
I recently wrote about tools and options people had to analyze computer usage. OSForensics is a program for Microsoft Windows systems that I would have included in the guide if it had been released back then.
The program is system information gathering software. It is currently offered as a beta version. The developer, Passmark Software, will release a free and a commercial version once the final version is released.
The free version comes with several limitations: disk indexing is limited to 200k files, there is no searching for alternate file streams and no multi-core acceleration for file decryption, and support is limited to the company's public forum. The beta version on the other hand comes without restrictions.
The tool has been designed by its developers to aid forensic specialists with the discovery of relevant forensic data, the identification of suspicious files and activities, and the management of the information.
When you start the program for the first time, you see a list of available options on the left side, and a selection of those tools in the larger area on the right.
It is possible to run a specific tool right away, or use the case management module to create a case for the analysis first. A case consists of a name and save location, an investigator, organization and optional contact details.
Once you have created the case you can use the tools on the left to search, gather and analyze information. You could start by creating an index of a hard drive's or folder's contents. It is possible to search for specific types of data, like emails, zip files, office documents or web files, or specify custom file types during the advanced configuration step.
The advanced options allow you to specify file extensions that you want included in the scan. OSForensics will not only index existing files on the drive, but also traces of deleted files on unallocated sectors of the hard drive.
The data indexing may take some time depending on the size of the selected folder or drive and the performance of the computer. Once you have created the index you can use the search to find specific files that have been indexed previously.
But that is only one of the options available to search for information on a computer. Recent Activity for instance displays information about a user's recently opened files, opened websites, cookies and event records.
Here is an overview of some of the other tools:
- Search within files, emails
- Drive Image: Create an image of a hard drive or partition to mount the drive and work with the image instead of the physical drive.
- Forensic Copy: Copy files from a folder to another one. The destination files maintain the time stamps of the original files. Faster than creating and working with a drive image.
- Hash Sets: Load hash sets to identify safe files to reduce the time it takes to analyze files.
- Raw Disk Viewer: Analyze the raw data sectors of all physical drives.
- Memory Viewer: View memory details of all processes currently in memory.
- Deleted File Search: Search for traces of deleted files on any hard drive.
- Mismatch File Search: Search for files with contents that do not match the file type, e.g. with hidden containers or false extensions.
- Signatures: Create signatures to compare directory structures.
- Password Recovery: Find browser passwords, use rainbow tables to look up password hashes, and automatically decrypt specific file types.
- File Viewer: OSForensics includes an image, hex, string, text, file and metadata viewer.
- Install to USB: Install the application to a USB drive.
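How a mismatch file search like the one in the list above can work in principle, as an added example that is not OSForensics code and not from the original article: compare each file's leading magic bytes with the format its extension implies. The signature table, the function names and the sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Well-known leading "magic" bytes for a few common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n", "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-", "zip": b"PK\x03\x04", "exe": b"MZ",
}
# Extension -> format expected on disk (OOXML documents are ZIP archives).
EXPECTED = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".exe": "exe",
}

def sniff(path):
    """Return the format whose signature starts the file, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((n for n, m in SIGNATURES.items() if head.startswith(m)), None)

def find_mismatches(root):
    """List (relative path, expected, found) where extension and header disagree."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        expected, found = EXPECTED.get(p.suffix.lower()), sniff(p)
        # Wrong header for a known extension, or a known format under another one.
        if (expected and found != expected) or (not expected and found):
            hits.append((p.relative_to(root).as_posix(), expected, found))
    return hits

def demo():
    """Build a constructed sample tree and return its mismatches."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,  # genuine PNG header
        "report.docx": b"PK\x03\x04" + b"\0" * 8,       # OOXML is a ZIP: consistent
        "holiday.jpg": b"MZ\x90\x00" + b"\0" * 8,       # executable header
        "notes.txt": b"PK\x03\x04" + b"\0" * 8,         # archive named as text
        "empty.pdf": b"",                               # zero-byte file
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            Path(root, name).write_bytes(data)
        return find_mismatches(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Short signatures such as the two-byte `MZ` can match ordinary text by chance, so a hit is a reason to open the file in a hex or file viewer, not a verdict.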
OSForensics is very sophisticated system information gathering software with an incredible set of features. Users who are interested in the program can download the latest version from the developer website.
The program is compatible with 32-bit and 64-bit editions of recent Microsoft Windows client and server systems. The developers offer hash sets for download to identify and ignore safe operating system files. The download page offers some rainbow table downloads as well.