OSForensics

OSForensics™ provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.

OSForensics™ includes one of the fastest and most powerful ways to search within the contents of all the files on a hard disk, powered by the acclaimed Zoom Search Engine. With powerful pre-indexed searching capabilities offering full-text searching of hundreds of file formats,

OSForensics offers:

  • Relevance ranked search results
  • Date sorting and date range searching
  • Wildcard searches
  • OCR (Optical Character Recognition)
  • Exact phrase matching “Google-like” context results
  • Highlighting
  • Exclusion searches (aka negative searches).

It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.

  • Find files faster, search by filename, size and time
  • Index and Search within the file contents of Office, Acrobat documents, image files and more
  • Search through email archives from Outlook, ThunderBird, Mozilla and more
  • Recover and search deleted files
  • Uncover recent activity of website visits, downloads and logins
  • Collect detailed system information
  • Password recovery from web browsers, decryption of office documents
  • Discover and reveal hidden areas in your hard disk
  • Browse Volume Shadow copies to see past versions of files
  • Verify and match files with MD5, SHA-1 and SHA-256 hashes
  • Find misnamed files where the contents don’t match their extension
  • Create and compare drive signatures to identify differences
  • Timeline viewer provides a visual representation of system activity over time
  • File viewer that can display streams, hex, text, images and meta data
  • Email viewer that can display messages directly from the archive
  • Registry viewer to allow easy access to Windows registry hive files
  • File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
  • Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
  • Web browser to browse and capture online content for offline evidence management
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
  • SQLite database browser to view the and analyze the contents of SQLite database files
  • ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
  • Prefetch viewer to identify the time and frequency of applications that been running on the system, and thus recorded by the O/S’s Prefetcher
  • Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
  • $UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume
  • Case management enables you to aggregate and organize results and case items
  • HTML case reports provide a summary of all results and items you have associated with a case
  • Centralized management of storage devices for convenient access across all OSForensics’ functionality
  • Drive imaging for creating/restoring an exact copy of a storage device
  • Rebuild RAID arrays from individual disk images
  • Install OSForensics on a USB flash drive for more portability
  • Maintain a secure log of the exact activities carried out during the course of the investigation

File Formats

OSForensics can index the content of a huge variety of file formats. This includes: DOC, DOCX, PDF, PPT, XLS, RTF, WPD, SWF, DJVU, JPG, GIF, PNG, TIFF, MP3, DWF, DOCX, PPTX, XLSX, MHT, ZIP, PST, MBOX, MSG, DBX, ZIP, ZIPX, RAR, ISO, TAR, 7z and more. Recusive containers are also supported. So it is possible to correctly index a DOCX file attached to an E-mail in a PST file which is in turn compressed in a ZIPX file.