OSForensics

OSForensics lets you extract forensic evidence from computers quickly with high-performance file searches and indexing. Identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory, and binary data.

Manage your digital investigation and create reports from collected forensic data. Enjoy!

OSForensics can index the content of a huge variety of file formats. This includes: DOC, DOCX, PDF, PPT, XLS, RTF, WPD, SWF, DJVU, JPG, GIF, PNG, TIFF, MP3, DWF, DOCX, PPTX, XLSX, MHT, ZIP, PST, MBOX, MSG, DBX, ZIP, ZIPX, RAR, ISO, TAR, 7z and more.

Recursive containers are also supported. So it is possible to correctly index a DOCX file attached to an E-mail in a PST file which is in turn compressed in a ZIPX file.

It provides one of the fastest and most powerful ways to locate files on a Windows computer. You can search by filename, size, creation and modified dates, and other criteria. Results are returned and made available in several different useful views. This includes the Timeline View which allows you to sift through the matches on a timeline, making evident the pattern of user activity on the machine.

The first stage in being able to search emails is to create an index of the archives in question. This can take some time but it is what allows for repeated fast searches later on. OS Forensics allows you to perform full-text searches within email archives used by many popular e-mail programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express, and more.

OSForensics allows you to recover and search deleted files, even after they have been removed from the Recycle Bin. This allows you to review the files that the user may have attempted to destroy. Each deleted file found is displayed with a corresponding Quality indicator between 0-100. A value towards 100 means that the deleted file is largely intact, with only a few missing clusters of data.

OSForensics scans your system for evidence of recent activity, such as accessed websites, USB drives, wireless networks, recent downloads, website logins, and website passwords. This is especially useful for identifying trends and patterns of the user, and any material or accounts that have been accessed recently.

With the program, you can recover browser passwords from Chrome, Edge, IE, Firefox, and Opera. This can be done on the live machine or from an image of a hard drive. Data recovered include, the URL of the website (usually HTTPS), the login username, the site's password, the browser used to access the site & the Windows user name. Blacklisted URLs are also reported, showing the user has visited the site but elected not to store a password in the browser.

It can discover and expose the HPA and DCO hidden areas of a hard disk, which can be used for malicious intent including hiding illegal data. The Host Protected Area (HPA) and Device Configuration Overlay (DCO) are features for hiding sectors of a hard disk from being accessible to the end-user.

The app includes built-in support for accessing Volume Shadow Copies. Shadow copies provide a glimpse of the volume at a point in time in the past. This will allow for the discovery of changes to files and even view possible deleted files.

It provides a basic web viewer with the ability to load web pages from the web and save screen captures of web pages to the case.
The Web Browser can be optionally configured to capture the webpages from a user-specified list of URLs. In addition, the Web Browser can capture all or a subset of linked pages (up to a single level)

Features and Highlights

• Import and export of hash sets
• Customizable system information gathering
• No limits on the number of cases being managed through OSForensics
• Restoration of multiple deleted files in one operation
• List and search for alternate file streams
• Sort image files by color
• Disk indexing and searching not restricted to a fixed number of files
• No watermark on web captures
• Multi-core acceleration for file decryption
• Customizable System Information Gathering
• Find files faster, search by filename, size and time
• Search within file contents using the Zoom search engine
• Search through email archives from Outlook, ThunderBird, Mozilla and more
• Recover and search deleted files
• Uncover recent activity of website visits, downloads, and logins
• Collect detailed system information
• Password recovery from web browsers, decryption of office documents
• Discover and reveal hidden areas in your hard disk
• Browse Volume Shadow copies to see past versions of files

What`s New

Email Viewer: Fixed crashes when using “Jump to message” and exporting PST to MSG.

Hash Sets: Fixed issues with saving active hash databases and displaying them properly; updated import behavior and database warnings; resolved problems with inactive states and disabled fields.

Manage Case: Now shows an error if an incorrect key/password is used when adding BDE volumes.

USB Write-Block: Restores settings on exit/case deletion, adds detailed status info, verifies write-block by writing log files, auto-hides results, and includes a new per-device verification button. Removed from customize workflow.

License Comparison

• Trial Edition offers a 30-day free trial with forum support only, no upgrades, and one install.
• Perpetual License never expires, includes major/minor upgrades during the support period, and provides support via phone, email, and forum.
• Subscription License is valid as long as the subscription is active and includes all upgrades and full support.
• Support for Perpetual and Subscription includes phone, email, and forum; Trial only includes forum.
• Installations for Perpetual and Subscription allow 2 machine installs (e.g., lab and laptop) + 1 USB install for the same user.
• Auto-Renewal is only available for Subscription plans via credit card.

Pricing

Trial: Free.

Perpetual: $1599 (12-month support) or $3499 (36-month support).

Subscription: $89/month or $899/year.

How to Use

• Launch the software and choose your desired workspace
• Use "Start" panel to access main forensic tools
• Perform file system scans using the "File Search" tab
• Capture memory and drive images for evidence
• Analyze emails, web history, and system artifacts
• Use hash matching to compare known file signatures
• Recover deleted files and view system activity
• Generate detailed reports from investigation results
• Save or export reports for legal documentation

System Requirements

• OS: Windows 11, 10, 8, 7
• CPU: 1 GHz or faster processor
• RAM: Minimum 2 GB (4 GB or more recommended)
• Disk Space: 500 MB free space (more for data analysis)
• Display: 1024x768 resolution or higher
• Other: Administrator rights required for full access

PROS

• Comprehensive forensic analysis toolkit
• Fast and powerful file search engine
• Live memory and drive imaging support
• Supports hash matching and signature analysis
• Portable version available for field use

CONS

• Interface may feel outdated to some users
• Learning curve for beginners
• Some features locked in free version
• Limited cloud or remote investigation tools
• Requires admin rights for full functionality

Note: 30 days trial version. Limited functionality.