PassMark OSForensics Professional 1.1.1000 | 42 Mb
Extract forensic data from computers, quicker and easier than ever. Uncover everything hidden inside a PC.
Search within Files
If the basic file search functionality is not enough, OSForensics can also create an index of the files on a hard disk. This allows for lightning fast searches for text contained inside the documents. Powered by the technology behind Wrensoft's acclaimed Zoom Search Engine.
Search for Emails
An additional feature of being able to search within files is the ability to search email archives. The indexing process can open and read most popular email file formats (including pst) and identify the individual messages.
This allows for a fast text content search of any emails found on a system
Recover Deleted Files
After a file has been deleted, even once removed from the recycling bin, it often still exists until another new file takes its place on the hard drive. OSForensics can track down this ghost file data and attempt to restore it back to useable state on the hard drive.
Uncover Recent Activity
Find out what users have been up to. OSForensics can uncover the user actions performed recently on the system, including but not limited to:
Opened Documents
Web Browsing History
Connected USB Devices
Connected Network Shares
Collect System Information
Find out what's inside the computer. Detailed information about the hardware a system is running on:
CPU type and number of CPUs
Amount and type of RAM
Installed Hard Drives
Connected USB devices
and much more.
View Active Memory
Look directly at what is currently in the systems main memory. Attempt to uncover passwords and other sensitive information that would otherwise be inaccessible.
Select from a list of active processes on the system to inspect. OSF can also dump their memory to a file on disk for later inspection.
Extract Logins and Passwords
Recover usernames and passwords from recently accessed websites in common web browsers, including Internet Explorer, Firefox, Chrome and Opera.
What is new in v1.1.1000
Added ability to investigate raw NTFS image files directly from OSF without mounting them.
Images and physical drives can now be added to the case as devices.
All of OSF features have been updated to act on these devices.
Image files can now be given a short hand ‘display name’ handle. E.g. Case123:\
Completely by passes file system and file permissions.
Added File System Browser
View hidden NTFS files ($AttrDef, $MFT, $Boot, etc..)
View and copy locked files
Automatic calculation of directory size in a background thread.
Browse history location bar.
Integration into bookmark, hashing, indexing and file viewing functions
Can jump to file’s offset on the raw disk
Disk NTFS stream information (pro version only).
Display of cluster information and file fragmentation.
Added right-click functionality to jump to file's disk offset in raw disk viewer.
Registry Viewer
Improved speed of Registry Viewer.
Enabled the data/values/match whole options in the registry viewer search dialog.
Fixed a bug where the last search term in the registry viewer wasn't being cleared properly for a new search in some cases (leading to no results)
Various other crash bug fixes.
Added new warning when trying to import NSRL data into the existing example database.
Can now add notes to case without needing to add as an attachment.
Added From: and To: and Subject: fields for email exports from search results.
Can now attempt to crack passwords on encrypted 7zip files.
New right click option in case management to verify file hashes on case items.
Indexing now supports Email attachments with attachments being displayed on separate tab.
Improved image viewing quality in internal viewer.
Added option to use MD5 hashes when creating signatures, in addition to SHA1.
Can now set case acquisition mode. This will warn the user if they try to perform an acquisition task that does not make sense with their case setting. Some functions only make sense in the context of a live investigation.
Added timestamp fields to data decoder in raw disk viewer.
Fixed bug in displayed totals in signature comparison.
Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily at startup.
Fixed bug adding files with no extension to the case.
Fixed hash set creation freeze on certain locked files.
Added "Browse Index" tab to "Search Index" module. Loads currently selected index dictionary.
Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
Better support for long path names, up to 32,000 characters in a path.
MD5 is now calculated for items in the case (as well as SHA-1 & 256).
Signature/File listing may now include E-mails in PST, EML, MSG & MBOX. DBX is also possible but attachments are not listed at the moment.
Direct access to FAT16 and FAT32 image files.
Support for Win7 jump lists in recent activity.
Bug fixes and other minor changes.
PassMark OSForensics Professional | v1.1.1000 | 42 MB
