Tuesday, June 28, 2011

OSForensics: Windows Forensic Investigation Tool

OSForensics is a free forensic investigation tool created by Passmark Software for locating and analyzing digital evidence found on computer systems and digital storage devices.

The forensic suite contains a number of modules with specific functions: discovering and reading files, recovering deleted files, separating known-good from known-bad files using hash sets, searching within files, recovering passwords and much more. The modules can be run independently to perform a particular task, such as recovering passwords or recovering deleted files. You can also use the case management module to create a new case before analysis, which lets you analyze different hard disks or computers and save the data from each case separately.


Once you have created a case, you can use the different tools to perform an exhaustive search and data-gathering operation. This includes creating an index of all files on the hard drive, including deleted files; searching for emails from specific persons or containing specific keywords anywhere within the email; and scanning for evidence of recent activity, such as accessed websites, details of USB devices recently connected to the computer (manufacturer name, product ID and serial number), wireless networks, website logins and passwords, and a number of other things.

OSForensics has some pretty interesting tools. For instance, the program can create a signature of a hard disk drive, preserving information about the file and directory structure present on the system at the time the signature was created. You can then compare a newer signature with a previously generated one and quickly identify any changes to files or to the directory structure.
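To make the drive-signature idea concrete, here is an added example (written for this post, not OSForensics code) that snapshots a directory tree and diffs two snapshots. The signature layout (a JSON map of relative path to size, mtime and SHA-256) and the function names `build_signature`, `save_signature`, `load_signature` and `compare_signatures` are assumptions made for the example; the scratch tree in `demo()` is constructed inline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added illustration of the "drive signature" idea: snapshot a directory tree and
# later diff two snapshots. This is not OSForensics code; the signature format
# (a JSON map of relative path -> size/mtime/sha256) is an assumption made here.


def build_signature(root):
    """Record size, mtime (whole seconds) and SHA-256 for every regular file under root."""
    root = Path(root)
    signature = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue  # skip links and special files; only regular content is hashed
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            st = path.stat()
            signature[path.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mtime": int(st.st_mtime),
                "sha256": digest.hexdigest(),
            }
    return signature


def save_signature(signature, out_path):
    """Persist a signature as JSON so it can be compared against a later snapshot."""
    Path(out_path).write_text(json.dumps(signature, indent=2, sort_keys=True))


def load_signature(in_path):
    return json.loads(Path(in_path).read_text())


def compare_signatures(old, new):
    """Classify paths as added, removed or modified between two signatures.

    A file counts as modified when its content hash or size differs; a change in
    mtime alone (content identical) is reported separately as timestamp_only.
    """
    old_paths, new_paths = set(old), set(new)
    common = old_paths & new_paths
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in common
                           if old[p]["sha256"] != new[p]["sha256"]
                           or old[p]["size"] != new[p]["size"]),
        "timestamp_only": sorted(p for p in common
                                 if old[p]["sha256"] == new[p]["sha256"]
                                 and old[p]["mtime"] != new[p]["mtime"]),
    }


def demo():
    """Constructed end-to-end run on a scratch tree: snapshot, change files, diff."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"
        (evidence / "docs").mkdir(parents=True)
        (evidence / "docs" / "report.txt").write_bytes(b"quarterly numbers\n")
        (evidence / "notes.txt").write_bytes(b"todo\n")
        baseline = Path(tmp) / "baseline.json"  # kept outside the tree being signed
        save_signature(build_signature(evidence), baseline)

        # Simulate activity after the baseline: edit, delete, and add a file.
        (evidence / "docs" / "report.txt").write_bytes(b"quarterly numbers (edited)\n")
        (evidence / "notes.txt").unlink()
        (evidence / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0")

        return compare_signatures(load_signature(baseline), build_signature(evidence))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline file is deliberately written outside the tree being signed; storing it inside would make it show up as an "added" file on the next comparison. Hashing content rather than trusting timestamps matters because mtime is trivially altered, so the timestamp-only bucket is reported but never treated as a content change.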


Another interesting module is the Mismatch File Search tool. It identifies files whose contents do not match their file extension, for example a file named as a text file that is actually a JPEG. This can help uncover personal documents and files that a user is trying to hide by renaming the file extension.
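The mismatch check comes down to comparing a file's leading bytes against what its extension promises. The following is an added example of that logic, not OSForensics code: the magic-byte table, the extension expectations and the names `detect_type`, `check_file` and `find_mismatches` are assumptions made for this example and cover only a handful of common formats; the sample files in `demo()` are constructed inline.

```python
import os
import tempfile
from pathlib import Path

# Added illustration of extension/content mismatch detection. Not OSForensics code:
# the magic-byte table and the extension expectations below are assumptions made
# for this example and cover only a handful of common formats.

HEADER_LEN = 16  # longest magic below is 8 bytes

# (prefix, label) pairs; longer, more specific prefixes first so the 2-byte "MZ"
# check cannot shadow them.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"Rar!\x1a\x07", "rar"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x1f\x8b", "gzip"),
    (b"MZ", "pe"),
]

# Which detected labels are legitimate for a given extension (Office formats are ZIPs).
EXPECTED = {
    ".jpg": {"jpeg"}, ".jpeg": {"jpeg"}, ".png": {"png"}, ".gif": {"gif"},
    ".pdf": {"pdf"}, ".zip": {"zip"}, ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pptx": {"zip"}, ".jar": {"zip"}, ".exe": {"pe"}, ".dll": {"pe"},
    ".gz": {"gzip"}, ".rar": {"rar"}, ".7z": {"7z"},
    ".txt": {"text"}, ".log": {"text"}, ".csv": {"text"},
}

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def detect_type(header):
    """Label a file from its leading bytes; 'text' for plain ASCII, 'unknown' otherwise."""
    for prefix, label in MAGIC:
        if header.startswith(prefix):
            return label
    if header and all(b in PRINTABLE for b in header):
        return "text"
    return "unknown"


def check_file(name, header):
    """Return (name, extension, detected_label) when the content contradicts the
    extension, or None when it is consistent or no expectation exists for that extension."""
    ext = Path(name).suffix.lower()
    expected = EXPECTED.get(ext)
    if expected is None:
        return None
    detected = detect_type(header)
    if detected == "unknown" or detected in expected:
        return None  # unrecognised content is not evidence of renaming; don't over-report
    return (name, ext, detected)


def find_mismatches(root):
    """Walk a tree and return sorted mismatch tuples, paths relative to root."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            path = Path(dirpath) / fname
            if not path.is_file():
                continue
            with open(path, "rb") as fh:
                header = fh.read(HEADER_LEN)
            hit = check_file(path.relative_to(root).as_posix(), header)
            if hit:
                hits.append(hit)
    return sorted(hits)


def demo():
    """Constructed sample tree: two renamed files among legitimate ones."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"plain notes\n")                    # consistent
        (root / "report.pdf").write_bytes(b"%PDF-1.4\n%...")                    # consistent
        (root / "holiday.txt").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF")    # JPEG named .txt
        (root / "photo.jpg").write_bytes(b"MZ\x90\x00\x03\x00")                 # PE named .jpg
        return find_mismatches(root)


if __name__ == "__main__":
    for name, ext, detected in demo():
        print(f"{name}: extension {ext} but content looks like {detected}")
```

Two design choices are worth noting. A `.txt` file whose bytes are not plain ASCII (UTF-8 prose, for instance) is classified as `unknown` and not reported, which trades some recall for far fewer false positives on a real drive. And the short `MZ` prefix sits last in the table so that longer, more specific signatures win when they match.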

With OSForensics you can also recover browser passwords from IE, Firefox and Chrome, either on the live machine or from an image of the hard drive. The program also reports blacklisted URLs, which show that the user visited the site but elected not to store a password in the browser.

The program also gives you the option to recover passwords using rainbow tables for MD5, LM and SHA1 hashes; the tables can be either generated with OSForensics or downloaded from the website. OSForensics can also give users access to encrypted Office documents using a brute-force attack.

Other tools include a raw disk viewer, an active memory viewer, a file metadata viewer, and a detailed system information viewer.

OSForensics is surely a powerful package, and it is currently available for free during the beta stage. Passmark Software says that once the software is released, there will be two editions: a feature-restricted free version and a Pro edition that will cost $499. At the moment, the free beta contains all the features that will be found in the Pro edition, so get it while the beta lasts.

