OSForensics - Tool For Extracting Forensic Data From Computers


OSForensics is a forensic tool that allows you to identify suspicious files and activities by using hash matching and drive signature comparisons, and by examining e-mails, memory, and binary data. In other words, this tool allows you to discover exactly what someone has been doing on their computer.

OSForensics Main Window Screenshot

Let's take a look at the features...


  • Find files faster: search by filename, size and time.
  • Search within file contents using the Zoom search engine.
  • Search through email archives from Outlook, Thunderbird, Mozilla and more.
  • Recover and search deleted files.
  • Uncover recent activity of website visits, downloads, and logins.
  • Collect detailed system information.
  • Password recovery from web browsers, decryption of office documents.
  • Discover and reveal hidden areas on your hard disk.
  • Browse Volume Shadow copies to see past versions of files.
  • Verify and match files with MD5, SHA-1, and SHA-256 hashes.
  • Find misnamed files where the contents don't match their extension.
  • Create and compare drive signatures to identify differences.
  • Timeline viewer provides a visual representation of system activity over time.
  • File viewer that can display streams, hex, text, images and metadata.
  • Email viewer that can display messages directly from the archive.
  • Registry viewer to allow easy access to Windows registry hive files.
  • File system browser for explorer-like navigation of supported file systems on physical drives, volumes, and images.
  • Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes, and images.
  • Web browser to browse and capture online content for offline evidence management.
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system.
  • SQLite database browser to view and analyze the contents of SQLite database files.
  • ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications.
  • Prefetch viewer to identify the time and frequency of applications that have been running on the system, as recorded by the O/S's Prefetcher.
  • Case management enables you to aggregate and organize results and case items.
  • HTML case reports provide a summary of all results and items you have associated with a case.
  • Centralized management of storage devices for convenient access to all OSForensics' functionality.
  • Drive imaging for creating/restoring an exact copy of a storage device.
  • Rebuild RAID arrays from individual disk images.
  • Install OSForensics on a USB flash drive for more portability.
  • Maintain a secure log of the exact activities carried out during the course of the investigation.

OSForensics comes in 3 flavors: Free (30-day trial), Professional, and Bootable. The Professional and Bootable editions of OSForensics have many features that are not available in the Free edition, such as importing and exporting of hash sets, customizable system information gathering, unlimited case management, restoration of multiple deleted files in one operation, alternate file streams listing and searching, image file sorting, disk indexing and searching (not restricted to a fixed number of files), watermark-free web capture, multi-core acceleration for file decryption, and the ability to view NTFS directory $I30 entries to identify potential hidden/deleted files.

The Bootable edition contains all the Professional features, and it can be run on a computer without a valid operating system.
