Portable Passmark OSForensics Professional v5.2.1000

OSForensics portable is a new digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of unique features which make the discovery of relevant forensic data even faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching, and the ability to analyze recent system activity and active memory. OSForensics can build and let you view an events timeline which shows you the context and time of activities. You can even recover data and files that have been deleted by users. OSForensics comes with a built-in file viewer which lets you examine a file's contents, properties and meta-data, as well as an e-mail viewer which is compatible with most popular mail client formats.

Discover Forensic Evidence Faster

Find files faster, search by filename, size and time
Search within file contents using the Zoom search engine
Search through email archives from Outlook, ThunderBird, Mozilla and more
Recover and search deleted files
Uncover recent activity of website visits, downloads and logins
Collect detailed system information
Password recovery from web browsers, decryption of office documents
Discover and reveal hidden areas in your hard disk
Browse Volume Shadow copies to see past versions of files

Identify Suspicious Files and Activity

Verify and match files with MD5, SHA-1 and SHA-256 hashes
Find misnamed files where the contents don’t match their extension
Create and compare drive signatures to identify differences
Timeline viewer provides a visual representation of system activity over time
File viewer that can display streams, hex, text, images and meta data
Email viewer that can display messages directly from the archive
Registry viewer to allow easy access to Windows registry hive files
File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
Web browser to browse and capture online content for offline evidence management
ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
SQLite database browser to view and analyze the contents of SQLite database files
ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
Prefetch viewer to identify the time and frequency of applications that have been running on the system, and thus recorded by the O/S’s Prefetcher
Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
$UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume

Manage Your Digital Investigation

Case management enables you to aggregate and organize results and case items
HTML case reports provide a summary of all results and items you have associated with a case
Centralized management of storage devices for convenient access across all OSForensics’ functionality
Drive imaging for creating/restoring an exact copy of a storage device
Rebuild RAID arrays from individual disk images
Install OSForensics on a USB flash drive for more portability
Maintain a secure log of the exact activities carried out during the course of the investigation

Professional and Bootable Editions
The professional and bootable editions of OSForensics have many features not available in the free edition, including:
Import and export of hash sets
Customizable system information gathering
No limits on the amount of cases being managed through OSForensics
Restoration of multiple deleted files in one operation
List and search for alternate file streams
Sort image files by colour
Disk indexing and searching not restricted to a fixed number of files
No watermark on web captures
Multi-core acceleration for file decryption
View NTFS directory $I30 entries to identify potential hidden/deleted files


V5.2.1000 – 10th of October 2017

  • NEW Triage wizard
    • Wizard launch icon on the Start page. A huge amount of data can now be rapidly collected by inexperienced users with a single click.
  • Customize workflow
    • Now also removes icons from the Start page (and the menu)
    • It is possible to lock down the workflow with a password so inexperienced users can’t re-enable all the features so easily.
  • Case Manager
    • Items added to a case can now be categorized into a type of Crime, this list can be customised by editing the “Categories.txt” file in the ProgramData folder.
    • On the “add to case” dialog when using the “Use same details for all” option if the title has not been changed by the user a special <Use item name> flag will be displayed. This will then be replaced by each item’s name when added to the case.
    • PDF reporting bug fix.
    • Fixed sorting by clicking on title in Case Management window.
    • Added new tag <!--OSF_CASE_CASEINFOTABLE--> to customisable reports for generating the Case Info table. Only non-blank fields are output.
  • File Index
    • Fixed a buffer overflow bug due to illegally long filenames in ZIP files
  • Recent Activity
    • Started sanitising the HTML output for some items when exporting to HTML so that HTML special characters (e.g. <>&) are safely encoded.
  • Thumbnail Viewer
    • Now has a faster option to switch between the various thumbnail files found on drive via a drop down list.
  • Drive preparation
    • 1 click drive preparation function. Can wipe, verify, format drive with 1 click. A log file is also now written to the drive recording the preparation steps.
  • Hash Set Lookup
    • Added check if SHA256 hash is stored in the hash set. If not, SHA256 is not calculated. This saves a small amount of CPU time.
  • Email viewer
    • A bug fix for parsing some rare corrupted PST files
  • Misc
    • Correction of various multi-threading bugs, which came to light when running a large number of tasks simultaneously.
      • Registry access code wasn’t thread safe & could crash if multiple tasks were reading registry entries at same time, especially password recovery.
      • Caching of a disk’s MFT into RAM didn’t work well with multiple threads. The solution was to enlarge the cache slightly and unify it into a shared cache. Multiple threads should run significantly faster than before.
      • Some handles to various internal resources were not being freed, resulting in memory leaks and possible crashes.
    • Even larger cache sizes and a more advanced cache lookup algorithm to speed up various operations that involve reading the MFT (a RAM usage / speed trade-off). Slightly more RAM is used, but disk operations are faster. For example, file name searches are now 33% faster.
    • Some help file updates
    • Fixed up the opening of the Help file to get the navigation menu showing again. The Edge browser in Win10 unexpectedly broke some of the help functions.
    • Fixed a crash in the 32bit version when trying to start a filename search