Forensic analysis of a PC is a time-consuming process, as there is a ton of data that has to be assimilated, dissected and analyzed. Not to mention that organizing the information in the first place is a lot of hassle. Yes, there are applications that aid you, but the best ones are always expensive. Luckily, with OSForensics you might just have found a solution to your “investigation woes”.
OSForensics is a PC forensic analysis tool that lets you extract and analyze hidden information from a computer and manage all your forensic data. Though a number of similar open source tools exist, few are loaded with as many features or work as efficiently as this app.
OSForensics is available as freeware. There is also a pro version with a few extra options, and a bootable version that lets you run the software without the need for a valid operating system.
What OSForensics Does
When it comes to file recovery, OSForensics has an equivalent of the freeware Undelete. It provides a host of options and filters that allow you to search for and recover deleted files with ease.
You can specify search criteria such as the file quality and the size limit. To do this, go to Deleted Files Search -> Config and specify the search criteria. Once you’ve customized the search criteria, OSForensics will go around unearthing all the deleted files that match them. The search results are shown along with a percentage value indicating the quality of each file.
On opening a file you are presented with additional information such as its metadata, hex string, date of creation of the file, etc.
This is good for recovering files that have just been deleted and are hence easily retrievable. But to dig deeper, you might want to look at other file recovery software.
File Search Utility
The file search utility of OSForensics is faster and more efficient than the default search utility of Windows. You can search by filename, size, creation and modified dates, and other criteria.
The search results are presented as a list, as thumbnails and as a timeline. The timeline view is a graph showing you the number of files modified over the course of time. Initially shown as the number of files per year, it can be narrowed down to the files modified on a particular day. I found the timeline view more interesting than the usually dreary list view.
Right-click on the graph and click “Show These Files” to view the files modified in that particular year, month or day. You can also export the search results to HTML, text or CSV formats.
The search utility can be made to perform even faster by creating search indexes in OSForensics.
With OSForensics you can recover browser passwords from Internet Explorer, Firefox and Chrome. Blacklisted URLs are also listed, along with information on whether the user has opted not to store passwords in the browser for such sites. The data recovered includes the website URL, the username and password used for login, the browser used and the Windows user name.
You can also gain access to encrypted office documents using OSForensics. The password retrieval method currently used is meant only for older documents, such as xls, doc and pdf files that use 40-bit encryption, and is not meant to crack open office documents of the current era.
With OSForensics you can scan for and analyze the history of a person’s recent activity on his computer, such as the websites he accessed, the USB drives that were recently connected to his computer, wireless networks, recent downloads, etc.
This app also shows you information about recently accessed applications, documents and media by scanning locations in the registry which store a user’s Most Recently Used lists.
The Recent Activity tool, coupled with the Timeline view for the files, helps you identify the trends and patterns of a user.
Identify Mismatched Files
Changing the extension of a file is a simple, mostly effective and often-used method to hide the nature of a file. OSForensics can identify such concealed files using its Mismatch File Search tool.
You can configure the filter criteria by choosing from the presets, or you can specify a custom preset by clicking the Config button, where you can add or delete presets. You can view and analyze mismatched or inaccessible files via the File List view or the Thumbnails view.
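The idea behind a mismatch search, sketched as an added example (this is not OSForensics code, and its actual detection logic is not described here): read each file's leading bytes and compare the type they indicate with the extension the file claims. The signature table, function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Constructed signature table: leading magic bytes -> extensions that normally carry them.
SIGNATURES = [
    (b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    (b"%PDF-", {".pdf"}),
    (b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"MZ", {".exe", ".dll", ".sys"}),
]

def expected_extensions(header):
    # Extensions matching the header's magic bytes, or None for an unknown type.
    return next((exts for magic, exts in SIGNATURES if header.startswith(magic)), None)

def find_mismatches(root):
    """List (relative path, claimed extension, expected extensions) per mismatched file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(16)
            except OSError:
                findings.append((rel, "<inaccessible>", []))  # report it, never skip silently
                continue
            claimed = os.path.splitext(name)[1].lower()
            expected = expected_extensions(header)
            if expected is not None and claimed not in expected:
                findings.append((rel, claimed, sorted(expected)))
    return sorted(findings)

def demo():
    samples = {  # constructed sample files, written to a temporary directory
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header
        "notes.txt": b"MZ\x90\x00" + b"\x00" * 12,          # executable renamed to .txt
        "report.pdf": b"PK\x03\x04" + b"\x00" * 12,         # ZIP container renamed to .pdf
        "readme.txt": b"plain text, no known signature",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return find_mismatches(root)

if __name__ == "__main__":
    print(demo())
```

Files with no recognised signature, such as plain text, are not flagged, so the result lists only content that positively contradicts its extension.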
Compare Drive Signatures
With the signature creation utility of OSForensics you can take snapshots of a hard disk, which comes in handy when you want to keep track of any modifications that might be made to the directories and files on it.
The Compare Signature tool lets you quickly identify changes to files or directory structures by comparing newer signatures with the previous ones. As usual you have several options to filter the comparison results. You can also export the results for future reference.
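The snapshot-and-compare workflow above, as an added example that is not OSForensics code: it assumes a signature records each file's size and SHA-256 digest, which is an illustrative choice rather than the tool's documented format. All names and sample files are constructed.

```python
import hashlib
import os
import tempfile

def create_signature(root):
    """Snapshot a tree as {relative path: (size in bytes, SHA-256 hex digest)}."""
    signature = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # hash in 1 MiB chunks
                    digest.update(chunk)
            signature[os.path.relpath(path, root)] = (os.path.getsize(path), digest.hexdigest())
    return signature

def compare_signatures(old, new):
    """Report paths created, deleted or modified between two snapshots."""
    return {
        "created": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }

def write(root, name, content):
    with open(os.path.join(root, name), "wb") as fh:
        fh.write(content)

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        write(root, "ledger.csv", b"amount=1000")
        write(root, "notes.txt", b"unchanged")
        write(root, "old.log", b"to be removed")
        before = create_signature(root)
        write(root, "ledger.csv", b"amount=9000")  # same size: only the hash reveals it
        os.remove(os.path.join(root, "old.log"))
        write(root, "new.bin", b"\x00\x01")
        after = create_signature(root)
    return compare_signatures(before, after)

if __name__ == "__main__":
    print(demo())
```

The edited ledger keeps its original length, which is why the comparison relies on the content hash rather than on size alone.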
In a real-life investigation, all the evidence and other documents pertaining to a particular case are put in a case folder for better organization. OSForensics replicates this concept digitally via virtual briefcases. A case is used to group together all your findings from within OSForensics into a single location.
You can also export your case file as a customizable report. OSForensics comes with five pre-defined and customizable report templates.
In short, this app has a ton of features, all working to perfection.
You can install your copy of OSForensics along with all your settings to a USB disk using the Install to USB feature and take it with you wherever you go.
None that I can think of. If I were nitpicking, I would go on rambling about the look and feel of the app which feels a bit dated.
With its overwhelming list of tools, each having a multitude of options, and the fact that it is freeware, I would say that OSForensics is a “must have” or at least a “must try” software for anyone with a computer.