
OSForensics

A tool for tracing illegal activity on computers

  • Publisher: PassMark Software
  • License: Trial
  • Capacity: 43,9 MB
  • Saved: 44
  • Update:
  • System: Windows XP/Server 2003/Vista/Server 2008/7/8/Server 2012

OSForensics allows users to identify malicious files and actions that are harmful to the system through features such as hash value comparison (a hash is a value smaller than the original data), finding and matching drive signatures, and examining binary data, email and memory.

The program is able to extract 'evidence' from your computer quickly, along with advanced file indexing and searching, and helps you manage data effectively.


Function:

Search files faster

OSForensics provides one of the fastest and most powerful methods for locating files on a Windows computer. You can search by file name, size, creation and modification dates, etc.

The results can be displayed in a variety of ways. Among them, Timeline View lets you sift through the results on a timeline, making the pattern of user activity on the machine clear.

OSForensics is capable of searching files many times faster than the built-in search engine in Windows. Unlike Windows, which often misses files, you can be sure that OSForensics will find every file on your drive.

Search for file content

OSForensics can also search file contents and display results immediately after indexing. With the powerful Zoom Search Engine, it is capable of searching inside most common file formats.

Timeline Viewer

The built-in Timeline Viewer in OSForensics visually displays system and file activity over time, helping you determine the date range during which important activity took place, or build up patterns of behavior by year, month or day.

This viewer is an interactive bar chart that displays system activity such as file creation dates, web browser history, cookies, USB and MRU profiles, etc.

The level of detail of the time period in the Timeline Viewer can be adjusted from year to month to day by clicking on the corresponding bar in the viewer. As you move the cursor over the timeline, you can see the total number of events in that time period.

Thumbnail View

Thumbnail View is quite useful when searching media files, allowing you to quickly browse through thumbnail images and resize them by adjusting the slider.

Search within the file

OSForensics offers you the Wrensoft Zoom Search Engine - one of the fastest and most powerful ways to search within the contents of all files on a hard drive.

With the ability to search the indexed text of hundreds of file formats, OSForensics provides:

  • Search results ranked by relevance.
  • Date sorting and date range searches.
  • Wildcard searches.
  • Exact phrase matching.
  • 'Google-like' context results.
  • Highlighting.
  • Exclusion searches.

File format

OSForensics can index the content of many different file formats including DOC, PDF, PPT, XLS, RTF, WPD, SWF, DJVU, JPG, GIF, PNG, TIFF, MP3, DWF, DOCX, PPTX, XLSX, MHT, ZIP, etc.

In addition, the program has a file analysis function that determines a file's type when its extension is missing.

Search for an email

OSForensics allows you to perform a text search inside email archives used by many popular email programs such as Microsoft Outlook, Mozilla Thunderbird, Outlook Express, etc.

Indexing

The first step to being able to search emails is to create an index of the archives. This can take a long time but makes subsequent searches faster. An average computer can index about 10,000 moderate sized emails within 2 minutes.

Supported email file formats

  • .pst (Outlook);
  • .mbox (Thunderbird, Eudora, Unix mail, and more);
  • .msg (Outlook);
  • .eml (Outlook Express);
  • .dbx (Outlook Express).

Note that OSForensics can index these formats without the corresponding email program being installed. In addition, indexing is not limited to emails; it also covers many other files such as Word documents and PDFs so that their content can be searched.

Advanced search criteria

Once the index is created, you can start searching. Typically, the program searches for any specific keyword contained in the email. However, it is also possible to search emails based on the date, To, From or CC fields.

Performance

An indexed search is very fast, covering about 20,000 emails in just 1 second. Moreover, the index only needs to be created once and can then be reused for further searches.

See results

Once an email of interest is found, it can be opened and viewed directly within OSForensics via the integrated mail viewer, without needing the corresponding mail program.

Recover deleted files

OSForensics allows you to recover and search for deleted files, even after they are removed from the Recycle Bin. This helps you review the files the user tried to delete.

Each deleted file found is displayed with a corresponding quality indicator between 0 and 100. A value close to 100 means that the deleted file is largely intact, with only a few data clusters missing.

View deleted file clusters

OSForensics also provides a graphical viewer for the distribution of deleted file clusters on physical drives. This view shows fragmentation information for deleted files. Smaller deleted files may reside in the MFT (NTFS only).

The map visually displays the locations of the fragments on the physical drive containing them.

Discover recent activity

OSForensics scans your system for evidence of recent activity such as visited websites, USB drives, wireless networks, downloads, website logins and web passwords. This is especially useful when identifying user trends and patterns and any documents or accounts that have been recently accessed.

Web browser activity

OSForensics helps you discover users' web browsing activity such as browsing history, cookies and usernames stored by web browsers. Its Recent Activity module displays the items that can be retrieved from commonly used web browsers.

Connected USB devices

OSForensics can display details of recently connected USB devices, providing information about the last connection date and device information such as Manufacturer Name, Product ID and Serial Number. Supported devices include USB Flash Drives (UFDs), Portable Hard Disk Drives and external USB-connected devices such as DVD-ROM drives.

Collect system information

The System Information module displays detailed information about the central components of the system including but not limited to:

  • CPU, motherboard and memory.
  • BIOS.
  • Video card / display device.
  • USB controllers and devices.
  • Ports (serial / parallel).
  • Adapters.
  • Optical drives and physical drives.

Decode and recover the password

Username and web browser password

With OSForensics, you can recover browser passwords from Internet Explorer, Firefox and Chrome. This can be done on a running computer or from a hard drive copy. The recovered data includes the website URL (usually HTTPS), the login username, the site's password, the browser used to access the page and the Windows username. Blacklisted URLs are also reported, indicating that the user visited the site but did not store the password in the browser.

Decode and recover passwords for office documents

OSForensics supports 2 ways to access encrypted office documents:

  • The first method is for older documents that use 40-bit encryption (XLS, DOC and older PDF files). For these documents, the program will try all possible keys to decrypt them and output an unencrypted file.
  • The second method is currently being researched and developed to provide more advanced decoding capabilities.

Drive signature

Create signature

Creating a signature takes a snapshot of the drive's directory structure at the time of creation. This information includes the directory path, size and file attributes. OSForensics can be configured to include or exclude different directories and drives when generating drive signatures, and can even calculate SHA1 hashes for each file on the system.

Signature analysis

OSForensics can compare new signatures with previously created signatures, allowing you to quickly identify changes to files or directory structure. Comparing the two signatures gives a summary of all file differences, which can be sorted by file name, difference type, file attribute, SHA1 hash, etc. The results can be filtered to show only files that have been changed, added or deleted. All comparison results can be easily exported to your local drive for later use.
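The create-then-compare workflow described above can be sketched in a few lines of Python. This is an added example, not OSForensics code or its signature file format; the function names and the sample files are assumptions constructed for illustration, and the record keeps only path, size and SHA1.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def create_signature(root, with_hash=True, exclude=()):
    """Snapshot every file under root: relative path -> (size, sha1 or None)."""
    sig = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in exclude]  # prune excluded dirs
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = None
            if with_hash:
                h = hashlib.sha1()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        h.update(chunk)
                digest = h.hexdigest()
            sig[rel] = (os.path.getsize(full), digest)
    return sig


def compare_signatures(old, new):
    """Return sorted lists of new, deleted and changed relative paths."""
    return {
        "new": sorted(new.keys() - old.keys()),
        "deleted": sorted(old.keys() - new.keys()),
        "changed": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed sample tree: alter it, then diff the two signatures."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "docs").mkdir()
        for rel, data in {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "c.bin": b"\x00\x01"}.items():
            Path(root, rel).write_bytes(data)
        before = create_signature(root)
        Path(root, "docs/a.txt").write_bytes(b"alphA")  # same size: only SHA1 reveals it
        Path(root, "c.bin").unlink()
        Path(root, "new.exe").write_bytes(b"MZ")
        after = create_signature(root)
        return compare_signatures(before, after)


if __name__ == "__main__":
    print(demo())
```

Calling `create_signature` with `with_hash=False` records sizes only, so an edit that keeps the file length the same goes unreported; that is the practical reason to enable per-file hashing when the baseline is meant to detect tampering.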

Case management (managing unauthorized access cases)

Cases allow you to aggregate and sort case results and entries from other OSForensics discovery and verification functions, such as File Search, File Mismatch Search, Recent Activity, Deleted Files, etc. Once a case is created or opened, case directories such as lists and files can be opened or deleted directly by the investigator for quick access.

The case directory property viewer also allows you to edit titles and notes that you have previously created for each folder.

Create a case report

The case report provides a summary of all the results and directories you have worked with, in an accessible HTML format. Case folders are organized in lists, and files can be sorted in the web browser by column title (for example, Item Title, Originating OSForensics Module, Export Filename and Investigator Notes). You can see more details on each case folder by clicking on its title.

OSForensics comes with 5 report templates, and you can also customize a template to suit individual needs.

Rebuild RAID

OSForensics can rebuild RAID images from a set of physical drive images belonging to the RAID array. Supported RAID levels include: RAID 0, RAID 1, RAID 3, RAID 4, RAID 5, RAID 0 + 1, RAID 1 + 0.

Once you know the RAID parameters, you can use them to rebuild the logical RAID image.

System requirements:

  • RAM: 1 GB or more (4 GB or more recommended).
  • Hard drive space: 30 MB, or run from a USB drive.

Pactimza