OSForensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory, and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively. Discover Forensic Evidence Faster
|
|
Identify Suspicious Files and Activity
Manage Your Digital Investigation
Platforms
- Verify and match files with MD5, SHA-1 and SHA-256 hashes
- Find misnamed files where the contents don't match their extension
- Create and compare drive signatures to identify differences
- Timeline viewer provides a visual representation of system activity over time
- File viewer that can display streams, hex, text, images and meta data
- Email viewer that can display messages directly from the archive
- Registry viewer to allow easy access to Windows registry hive files
- File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
- Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
- Web browser to browse and capture online content for offline evidence management
- ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
- SQLite database browser to view the and analyze the contents of SQLite database files
- ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
- Prefetch viewer to identify the time and frequency of applications that been running on the system, and thus recorded by
the O/S's Prefetcher - Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
- $UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume
Manage Your Digital Investigation
- Case management enables you to aggregate and organize results and case items
- HTML case reports provide a summary of all results and items you have associated with a case
- Centralized management of storage devices for convenient access across all OSForensics' functionality
- Drive imaging for creating/restoring an exact copy of a storage device
- Rebuild RAID arrays from individual disk images
- Install OSForensics on a USB flash drive for more portability
- Maintain a secure log of the exact activities carried out during the course of the investigation
Platforms
- Windows XP SP3, Vista, Win 7, Win 8, Win 10, Server 2000, 2003, 2008, 2012
- Available for both 32-bit and 64-bit platforms
- Minimum 1GB of RAM (4GB+ recommended)
- 200MB of free disk space, or can be run from USB drive