Portable Passmark OSForensics Professional v6.1.10056 (x64)
OSForensics portable is a new digital investigation tool which lets you extract forensic data or uncover hidden information from computers. OSForensics has a number of unique features which make the discovery of relevant forensic data even faster, such as high-performance deep file searching and indexing, e-mail and e-mail archive searching, and the ability to analyze recent system activity and active memory. OSForensics can build and let you view an events timeline which shows you the context and time of activities. You can even recover data and files that have been deleted by users. OSForensics comes with a built-in file viewer which lets you examine a file's contents, properties and meta-data, as well as an e-mail viewer which is compatible with most popular mail client formats.
Discover Forensic Evidence Faster
Find files faster, search by filename, size and time
Search within file contents using the Zoom search engine
Search through email archives from Outlook, ThunderBird, Mozilla and more
Recover and search deleted files
Uncover recent activity of website visits, downloads and logins
Collect detailed system information
Password recovery from web browsers, decryption of office documents
Discover and reveal hidden areas in your hard disk
Browse Volume Shadow copies to see past versions of files
Identify Suspicious Files and Activity
Verify and match files with MD5, SHA-1 and SHA-256 hashes
Find misnamed files where the contents don’t match their extension
Create and compare drive signatures to identify differences
Timeline viewer provides a visual representation of system activity over time
File viewer that can display streams, hex, text, images and meta data
Email viewer that can display messages directly from the archive
Registry viewer to allow easy access to Windows registry hive files
File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
Web browser to browse and capture online content for offline evidence management
ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
SQLite database browser to view and analyze the contents of SQLite database files
ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
Prefetch viewer to identify the time and frequency of applications that have been running on the system, and thus been recorded by the O/S’s Prefetcher
Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
$UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume
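Two of the checks listed above, hash-set matching and detecting files whose contents don't match their extension, are simple enough to show end to end. The following Python is an added example written for this page, not OSForensics code: the sample "files" and the hash set are constructed inline, and the magic-number table covers only a handful of formats with fixed signatures (text formats have no signature and are reported as "unknown" rather than guessed).

```python
import hashlib
from typing import Dict, List, Optional, Set

# Constructed sample files for the demo: name -> contents. Not real evidence.
SAMPLE_FILES: Dict[str, bytes] = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,       # genuine JPEG header
    "report.pdf": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,    # PNG bytes misnamed as .pdf
    "notes.txt": b"plain text, no magic number",
    "archive.zip": b"PK\x03\x04" + b"\x00" * 16,          # genuine ZIP local header
}

# Extension -> acceptable leading byte sequences. Only formats with a fixed
# signature belong here; anything else cannot be judged by magic alone.
MAGIC: Dict[str, List[bytes]] = {
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04", b"PK\x05\x06"],
}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Return lowercase hex MD5, SHA-1 and SHA-256 digests of the data."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def identify_by_magic(data: bytes) -> Optional[str]:
    """Return the first extension whose signature the data starts with, or None."""
    for ext, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return ext
    return None


def check_extension(name: str, data: bytes) -> Dict[str, Optional[str]]:
    """Compare the claimed extension against the content signature.

    verdict is "match", "mismatch", or "unknown" (no signature known for the
    claimed extension, so the file is neither cleared nor flagged).
    """
    claimed = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    detected = identify_by_magic(data)
    if claimed not in MAGIC:
        verdict = "unknown"
    elif any(data.startswith(sig) for sig in MAGIC[claimed]):
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"name": name, "claimed": claimed, "detected": detected, "verdict": verdict}


def scan(files: Dict[str, bytes], known_hashes: Set[str], algo: str = "sha256") -> List[dict]:
    """Hash every file, look it up in the hash set and run the extension check."""
    results = []
    for name, data in files.items():
        digest = hash_bytes(data)[algo]
        ext = check_extension(name, data)
        results.append({
            "name": name,
            algo: digest,
            "known": digest in known_hashes,       # hash-set hit
            "verdict": ext["verdict"],
            "detected": ext["detected"],
        })
    return results


def flagged(results: List[dict]) -> List[str]:
    """Names that either hit the hash set or carry a misleading extension."""
    return [r["name"] for r in results if r["known"] or r["verdict"] == "mismatch"]


if __name__ == "__main__":
    # Constructed hash set: pretend archive.zip is a known file of interest.
    known = {hash_bytes(SAMPLE_FILES["archive.zip"])["sha256"]}
    for row in scan(SAMPLE_FILES, known):
        print(row)
    print("flagged:", flagged(scan(SAMPLE_FILES, known)))
```

In practice the hash set would be loaded from an imported list (the professional edition's hash-set import, or a NSRL-style export) and the scan would iterate a mounted image rather than an in-memory dict; the comparison logic is unchanged.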
Manage Your Digital Investigation
Case management enables you to aggregate and organize results and case items
HTML case reports provide a summary of all results and items you have associated with a case
Centralized management of storage devices for convenient access across all OSForensics’ functionality
Drive imaging for creating/restoring an exact copy of a storage device
Rebuild RAID arrays from individual disk images
Install OSForensics on a USB flash drive for more portability
Maintain a secure log of the exact activities carried out during the course of the investigation
Professional and Bootable Editions
The professional and bootable editions of OSForensics have many features not available in the free edition, including:
Import and export of hash sets
Customizable system information gathering
No limits on the amount of cases being managed through OSForensics
Restoration of multiple deleted files in one operation
List and search for alternate file streams
Sort image files by colour
Disk indexing and searching not restricted to a fixed number of files
No watermark on web captures
Multi-core acceleration for file decryption
Customizable System Information Gathering
View NTFS directory $I30 entries to identify potential hidden/deleted files
- Case Manager
- New feature: Paste Clipboard to Case. Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This provides an additional method of capturing web pages.
- Added support for mounting an image file as a “group” device. Partitions are listed as a folder of the top device.
- When displaying the volume shadow info to add to case, the creation time now includes the GMT offset
- Create Index
- Updates to handle indexing Apple’s APFS file system (indexing encrypted volumes is not supported, but coming soon).
- Fixed multi-threaded indexing problems with some image filesystems such as EXT2
- Improved memory estimation (was previously not including some offline buffers)
- New “broad numeric matching” feature. Allows for better searching of currency values and part numbers with hashes in the number.
- Added Precognitive Search feature, return matches for trigger keywords during the “Create Index” process. So you don’t need to wait for the indexing process to be completed before seeing the search results. It is also possible to use pre-made word lists with the Precog search.
- The concept of a template has been removed, instead you can now save and load previously used configurations. Some of the advanced template options, like extreme binary string extraction and stemming are now on Step 2 of the create index process.
- Deleted Files
- Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module.
- Partial support for scanning “group” devices for deleted files
- Fixed buffer overrun crash when parsing slack space for $I30 record
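The MFT record size mentioned in the fix above comes from the NTFS boot sector, and the field that carries it has an encoding quirk that parsers regularly get wrong: "clusters per MFT record" at offset 0x40 is a signed byte, and a negative value means the record size is 2 to the power of its absolute value in bytes rather than a cluster count (the common Windows value 0xF6 means 1024-byte records on 4 KiB clusters). The page does not say what OSForensics' bug was; the following Python is an added example of a correct decode, not OSForensics code, with a constructed boot sector so it runs offline.

```python
import struct
from typing import Dict

NTFS_OEM_ID = b"NTFS    "


def _record_size(encoded: int, cluster_size: int) -> int:
    """Decode a 'clusters per record' byte.

    Positive values are a cluster count; negative values mean 2**(-value) bytes.
    Reading the byte as unsigned (0xF6 -> 246 clusters) is the classic mistake.
    """
    if encoded < 0:
        return 1 << (-encoded)
    return encoded * cluster_size


def parse_ntfs_boot_sector(sector: bytes) -> Dict[str, int]:
    """Decode the BPB fields needed to locate the MFT and size its records.

    Offsets: 0x03 OEM ID, 0x0B bytes/sector (u16), 0x0D sectors/cluster (u8,
    plain count for cluster sizes up to 64 KiB), 0x30 MFT start LCN (u64),
    0x40 clusters per MFT record (s8), 0x44 clusters per index record (s8).
    """
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != NTFS_OEM_ID:
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    mft_lcn = struct.unpack_from("<Q", sector, 0x30)[0]
    cpr_mft = struct.unpack_from("<b", sector, 0x40)[0]   # signed!
    cpr_idx = struct.unpack_from("<b", sector, 0x44)[0]   # signed!
    cluster_size = bytes_per_sector * sectors_per_cluster
    return {
        "bytes_per_sector": bytes_per_sector,
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,
        "mft_record_size": _record_size(cpr_mft, cluster_size),
        "index_record_size": _record_size(cpr_idx, cluster_size),
    }


def make_sample_boot_sector(bytes_per_sector: int = 512, sectors_per_cluster: int = 8,
                            mft_lcn: int = 786432, cpr_mft: int = -10,
                            cpr_idx: int = 1) -> bytes:
    """Build a constructed (not captured) NTFS boot sector with only the fields used above."""
    sector = bytearray(512)
    sector[0:3] = b"\xeb\x52\x90"            # jump instruction, as on real volumes
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", sector, 0x0B, bytes_per_sector)
    sector[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", sector, 0x30, mft_lcn)
    struct.pack_into("<b", sector, 0x40, cpr_mft)
    struct.pack_into("<b", sector, 0x44, cpr_idx)
    sector[510:512] = b"\x55\xaa"            # boot signature
    return bytes(sector)


if __name__ == "__main__":
    info = parse_ntfs_boot_sector(make_sample_boot_sector())
    for key, value in info.items():
        print(f"{key}: {value}")
```

Checking the decoded record size against the actual distance between the "FILE" signatures of consecutive MFT records is a cheap sanity test when a raw disk viewer's MFT parsing looks off.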
- Email Viewer
- Single Email Viewer can view Gmail email stored within Android email@example.com.
- File Name Search
- Fixed a bug when searching for deleted files
- File System Browser
- Fixed crash with internal viewer when clicking prev/next after file system browser is closed
- File system support
- Apple’s APFS file system is now supported. Including support for compression (zlib & lzvn) and encryption. So you can browse and search files from a Mac machine in Windows.
- Forensic Imaging
- Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in images larger than 100GB in size and more than 64 files being unreadable.
- Added copy Logical Android Image. Will obtain files off Android device using ‘adb pull’ command over a USB connection. To use this with a device connected over USB, you must enable USB debugging in the Android device system settings, under Developer options. So the device needs to be unlocked to do this.
- Fixed image type not displaying correctly for unicode filenames
- Hash lookup
- Fixed hang when error occurs while attempting to read from deleted files
- Install to USB
- Updated WinPEBuilder used for self boot USB, added option under Program Tab to allow selection of Storage Area Network (SAN) Policy. The recommended setting for OSForensics is 3 (Doesn’t mount storage devices), to prevent introduction of artifacts. However, if you need access to disks, e.g. an external disk drive to image to, you can change it accordingly
- Internal Viewers
- Started saving viewer x,y positions (previously was just size) in config file and will restore them to the last position on next open
- Internal Viewer – File Info
- When viewing compressed archives (e.g. .7z or .ab), added right-click option to save file to disk.
- Show the total/used/free space for “partition” folders. Show the disk size for devices/partitions
- Fixed multithreading issues with sharing a handle to a video file, which could potentially cause a crash.
- Added checkbox to link the selected file in the list (file name search, mismatch search, etc…), and the current file in the internal viewer. This allows for faster selecting and previewing of pictures.
- Android Artifacts
- Addition of new module to scan for Android mobile device information. A limited number of artifacts are supported in this release. Additional data will be extracted in future releases.
- Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)
- Initial support for password encrypted Android backups. When opening the file in the File Viewer, OSF will prompt for a password and attempt to decrypt the backup.
- Password Recovery
- Fixed crash when running Windows login / password search simultaneously due to a shared global variable
- Fixed bug with list view column widths not being saved correctly, could cause URL column to be incorrectly hidden and column widths to be reset each time OSF was started.
- Now displays available dictionaries before a file is selected, and will display an info message when a 40-bit encrypted file is selected (which doesn’t use the dictionaries).
- Added an “Add Dictionary” button that will copy a selected text file to the OSF dictionaries folder and create a simple default definition file to use the dictionary
- Renamed folder where pre-installed and user dictionaries are stored (from PDF to Dictionaries)
- Raw disk viewer
- Regular expression searching: made a change to prevent an infinite loop when a partial match was found
- Added clickable link for File Rec#
- Fixed bug with jumping to an LBA from the MBR/GPT
- Added option to jump to MFT record
- Added decoding of $FILE_NAME attribute
- Added decoding of NTFS attribute common header
- Added support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
- APFS GPT partition GUID now detected and displayed in Data Decode window
- APFS file system string now properly displayed in Disk Info window
- Fixed excessive quotes for ‘Context’ field in exported CSV
- Replace unprintable characters with ‘.’ when displaying context
- Recent Activity
- Now collects more information from LNK files (Windows Explorer – Recent Items) such as volume name, volume serial and link target create/access/modified dates
- Fixed a bug where subitem counts in the tree view were not reflecting the actual filtered counts.
- Made a change so Windows timeline entries always display the same number of lines in the file list tab for consistency
- Report Templates
- Updated report templates to include Mobile Artifacts
- SQLite Browser
- Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).
- Fixed bug that prevented additional SQLite viewers from being opened even after previously opened SQLite viewers were closed.
- Fixed bug with “View Cell with internal viewer” returning “Not an Error” message.
- Added “Add to case” action on start screen and left hand menu button to allow quick access to add a device to a case
- File and Hex Viewer will now open the File Preview tab by default.
- Reordered the left side buttons. Removed Android Artifact and About buttons from the Navigation Menu, but they are still accessible from the Start page. The User Workflow configuration setting will be reset to defaults when V6.1.1000 is first started.
- System Information
- Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry
- Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module
- UsnJrnl Viewer
- Fixed incorrect filenames due to incorrect length truncation
- Web Browser
- Export Webpage Dialog can be resized vertically to fit smaller screens.
- Added support for mounting “group” devices such as entire physical disks. Contained partitions are mounted as “subdevices” and appear as folders under the parent device
- Changed timezone drop down for GMT/UTC 0 from “GMT +0:00” to “GMT 0:00” to visually stand out more in list
- Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space