Identify suspicious files and activity.

Verify and Match Files

Using advanced hashing algorithms, OSForensics can create a digital identifier that can be used to identify a file.

This identifier can be used either to verify that a file has not been changed or to quickly find out if a file is part of a set of known files.

Find Misnamed Files

By looking at the contents of a file, OSForensics can identify what kind of file it is and then determine whether the file has an incorrect extension. This can help locate "Dark Data" that the user has tried to conceal.

Create & Compare Drive Signatures

By recording the details of the files on a hard drive, you can run a comparison at a later date to find out what has been changed.

Timeline Viewer

Many of the discovery features of OSF return data that has a time associated with it. Using this timeline viewer, you can quickly see when activity has occurred.

Built-in File Viewer

Once you have found a file you are interested in, you can view it in multiple ways from within OSF without needing to rely on one or more external applications. Files can be viewed as:

  • Images (where applicable)
  • Binary Data
  • Text Data

Or you can view the file properties and metadata.

Binary String Extraction

Extract text strings from binary data, allowing you to find text hidden in otherwise unreadable chunks of information. Do this either for files found on the hard drive or directly from the active memory of processes running on the system.

Email Viewer

Open emails from most popular formats directly inside OSForensics, without the need to install multiple mail clients in order to view emails from different sources.

Registry Viewer

Open registry files from within OSF, both offline files and live registry files currently locked by Windows, navigate to known key locations, and search quickly. As it doesn't use Windows API calls, more information can be seen, e.g. the time and date of a key's last edit and registry entries that might be hidden by malicious software.

File System Browser

Explorer-like navigation of supported file systems tailored specifically for forensics analysis. Using OSForensics' own file system implementations, forensics evidence can be quickly identified and recovered.

Raw Disk Viewer

View the raw, sector-by-sector contents of a disk. Data hidden in the sectors outside the file system can be identified and analyzed with this module.

Thumbnail Cache Viewer

Extracts the thumbnail images stored in Windows' thumbnail cache files for viewing. Thumbnail cache files may contain evidence of images that have been deleted on the system.

SQLite Database Browser

Browse and uncover valuable forensics data stored in SQLite database files used in the iPhone, Firefox and Chrome.

ESE Database Viewer

View data containing potential forensics value stored by various Microsoft applications including Windows Search and Microsoft Exchange Server.

Prefetch Viewer

Identify when and how often an application is run by analyzing its prefetch data.
