OS Forensics

OSForensics lets you extract forensic evidence from computers quickly with high-performance file searches and indexing. Identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data. Manage your digital investigation and create reports from collected forensic data. Phone, e-mail and forum support, plus free upgrades, are included for 12 months after purchase.

Discover Forensic Evidence Faster

  • Find files faster, search by filename, size and time
  • Index and Search within the file contents of Office, Acrobat documents, image files and more
  • Search through email archives from Outlook, Thunderbird, Mozilla and more
  • Recover and search deleted files
  • Uncover recent activity of website visits, downloads and logins
  • Collect detailed system information
  • Password recovery from web browsers, decryption of office documents
  • Discover and reveal hidden areas in your hard disk
  • Browse Volume Shadow copies to see past versions of files

Identify Suspicious Files and Activity

  • Verify and match files with MD5, SHA-1 and SHA-256 hashes
  • Find misnamed files where the contents don't match their extension
  • Create and compare drive signatures to identify differences
  • Timeline viewer provides a visual representation of system activity over time
  • File viewer that can display streams, hex, text, images and metadata
  • Email viewer that can display messages directly from the archive
  • Registry viewer to allow easy access to Windows registry hive files
  • File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
  • Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
  • Web browser to browse and capture online content for offline evidence management
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
  • SQLite database browser to view and analyze the contents of SQLite database files
  • ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
  • Prefetch viewer to identify the time and frequency of applications that have been running on the system, and thus recorded by the O/S's Prefetcher
  • Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
  • $UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume

Manage Your Digital Investigation

  • Case management enables you to aggregate and organize results and case items
  • HTML case reports provide a summary of all results and items you have associated with a case
  • Centralized management of storage devices for convenient access across all OSForensics' functionality
  • Drive imaging for creating/restoring an exact copy of a storage device
  • Rebuild RAID arrays from individual disk images
  • Install OSForensics on a USB flash drive for more portability
  • Maintain a secure log of the exact activities carried out during the course of the investigation
