Complete suite for forensic investigation

Search files fast
Extensive file type support
Recover deleted evidence
Uncover user activity
Password recovery
Reveal hidden areas on a hard disk
Browse Volume Shadow copies
card-img

OSF provides one of the fastest and most powerful ways to locate files on a Windows computer or Forensic image.
Learn more

Search within the contents of files with the use of our acclaimed indexing engine providing industry leading relevance ranking, date range searching, exact phrase matching, “Google-like” context results and more.

card-img

Investigate and search within hundreds of file types including Office and Acrobat documents, image files (with OCR), e-mails (Outlook, Thunderbird, Mozilla and more), attachments, ZIP files, and even binary files and unallocated clusters.
Learn more

card-img

Search and recover files that a user may have attempted to destroy or have been removed from the Recycle Bin.
Learn more

card-img

Scan the computer for evidence of recent activity, including accessed websites, USB drives that have been connected, wireless networks, recent downloads, website logins and website passwords.
Learn more

card-img

OSF provide powerful tools to uncover and crack passwords on a live system or forensic image.
These include:

  • Web site logins and passwords (used in Chrome, Edge, IE, Firefox and Opera)
  • Outlook and Windows Live passwords
  • Saved Wifi passwords
  • Windows autologon password
  • Windows and other Microsoft product keys
  • Ports (Serial/Parallel)
  • Network adapters
  • Physical and optical drives
  • Bitlocker detection

OSF also provide tools to crack hashes with the use of rainbow tables, and dictionary attacks.
Learn more.

card-img

OSF can expose the HPA and DCO hidden areas of a hard disk which can be used for malicious intent, including hiding illegal data.
Learn more

card-img

Use OSF to access Volume Shadow Copies. This allows you to look at how a disk appeared at a point of in time in the past and see what has changed. Discover changes to files and even view deleted files.
Learn more

Identify suspicious files and activity

Verify and match files
Identify changes
Timeline viewer
File analysis tools

Use OSF to confirm that files have not been corrupted or tampered with by comparing hash values or identify whether an unknown file belongs to a known set of files. Verify and match files with MD5, SHA-1 and SHA-256 hashes. Find misnamed files where the contents don't match their extension.
Learn more

card-img

Create and compare drive signatures to identify differences and changes made on a system. OSF lets you create a forensic signature of a hard disk drive, preserving information about file and directory structures present on the system at the time of signature creation.
Learn more

card-img

OSF features a Timeline Viewer that provides a visual representation of file and system activity over time, helping you to identify date ranges where significant activity has occurred, or build up a pattern of behavior over years, months or days.
Learn more

card-img

OSF provides a comprehensive suite of tools to analyze files, emails, and system information including:

  • File viewer that can display streams, hex, text, images and meta data
  • Email viewer that can display messages directly from the archive
  • Registry viewer to allow easy access to Windows registry hive files
  • File system browserFile system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
  • Raw disk viewerRaw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
  • Web browserWeb browser to browse and capture online content for offline evidence management
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
  • SQLite database browser to view the and analyze the contents of SQLite database files
  • ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
  • Prefetch viewer to identify the time and frequency of applications that been running on the system, and thus recorded by the O/S's Prefetcher
  • Plist viewe to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
  • $UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume

Manage your digital investigation

Create case
Generate Report
Storage device management
Drive and system imaging
Audit trace
Take OSF with you
card-img

Organize all the evidence you have discovered into a single, cryptographically secure case file.
Learn more

card-img

Export your case file as an accessible and customizable report showing all evidence associated with the case. Deliver a readable summary of forensic findings to clients or law enforcement agents at any point in your investigation.
Learn more

card-img

Manage your storage devices in a centralized manner for convenient access throughout OSF.
Learn more

card-img

Create and restore disk images of evidence disks, to support forensics analysis without risking the integrity of the original data.
Learn more

Rebuild a complete RAID image from a set of RAID member disk images.
Learn more

Make exact copies of the partitions or drives of an active system. Useful for live acquisitions while running OSF from your USB drive.
Learn more

card-img

OSF can automatically maintain a secure audit trail of the exact activities carried out during the course of the investigation.
Learn more

card-img

OSForensics can be installed and run from a portable USB drive. Take the investigation straight to the target computer without risking the contamination of valuable forensic information.
Learn more

Subscription, Perpetual and Bootable Editions

The Subscription, Perpetual and Bootable editions of OSForensics have many features not available in the Free edition, including;

  • Import and export of hash sets
  • Customizable system information gathering
  • No limits on the amount of cases being managed through OSForensics
  • Restoration of multiple deleted files in one operation
  • List and search for alternate file streams
  • Sort image files by colour
  • Disk indexing and searching not restricted to a fixed number of files
  • No watermark on web captures
  • Multi-core acceleration for file decryption
  • Customizable System Information Gathering
  • View NTFS directory $I30 entries to identify potential hidden/deleted files
  • Memory viewer and dumper - Kernel mode acquisition to bypass anti-dump tools

The bootable edition contains all the features plus the ability to be run on systems without a valid operating system. See the full comparison list between the editions.

card-img

Free Tools

The following collection of tools are provided as free downloads for use with OSForensics™.


OSFMount

OSFMount allows you to mount local disk image files in Windows as a physical disk or a logical drive letter.

OSFClone

OSFClone enables you to create or clone exact raw disk images quickly and independent of the installed operating system.

Volatility Workbench

Volatility Workbench is a graphical user interface (GUI) for the Volatility tool.

ImageUSB

ImageUSB is a free utility which lets you write an image concurrently to multiple USB Flash Drives.