V6.1 (Build 1005)
Latest release date:
28th November 2018
What's new for this release.
Professional edition: US$845.75
(15% off) $995.00
Professional Upgrade: US$497.50
Both editions includes 12 months of support and updates.
(See feature comparison for more information)
Windows Vista, Win 7, Win 8, Win 10, Server 2000, 2003, 2008, 2012. Available for both 32-bit and 64-bit platforms.
Minimum 1GB of RAM. (4GB+ recommended)
200MB of free disk space, or can be run from USB drive
OSForensics allows you to identify suspicious files and activity with hash matching, drive signature comparisons, e-mails, memory and binary data.
It lets you extract forensic evidence from computers quickly with advanced file searching and indexing and enables this data to be managed effectively.
Click the images to view screenshots.
New in V6
- Indexing is now 3x faster with a vastly improved indexing engine featuring multi-threading, RAM drive, and pre-scan bypass options
- OCR (Optical Character Recognition) allows you to search for text within photos and images *Win10 only
- Encrypted PDF reports
- Primary and Secondary Hash functions for Disk Imaging
- Jump to MFT record from the Raw Disk Viewer
- Disk Model and Serial Numbers saved in Disk Imaging
- Quick Hash Set feature
- Import Project VIC JSON files
- EFS (Encrypted File System) support
- Latest version of Volatility Workbench with Mac and Linux support
- Collect new Win10 Timeline database for Recent Activity artifacts
- Check for Skype Sqlite database files
- Recovery of BitLocker keys
- Extract videos in MP4 format from sites such as YouTube
- Improved Auto-Triage feature
Discover Forensic Evidence Faster
- Find files faster, search by filename, size and time
- Index and Search within the file contents of Office, Acrobat documents, image files and more
- Search through email archives from Outlook, ThunderBird, Mozilla and more
- Recover and search deleted files
- Uncover recent activity of website visits, downloads and logins
- Collect detailed system information
- Password recovery from web browsers, decryption of office documents
- Discover and reveal hidden areas in your hard disk
- Browse Volume Shadow copies to see past versions of files
Identify Suspicious Files and Activity
- Verify and match files with MD5, SHA-1 and SHA-256 hashes
- Find misnamed files where the contents don't match their extension
- Create and compare drive signatures to identify differences
- Timeline viewer provides a visual representation of system activity over time
- File viewer that can display streams, hex, text, images and meta data
- Email viewer that can display messages directly from the archive
- Registry viewer to allow easy access to Windows registry hive files
- File system browser for explorer-like navigation of supported file systems on physical drives, volumes and images
- Raw disk viewer to navigate and search through the raw disk bytes on physical drives, volumes and images
- Web browser to browse and capture online content for offline evidence management
- ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been in the system
- SQLite database browser to view the and analyze the contents of SQLite database files
- ESEDB viewer to view and analyze the contents of ESE DB (.edb) database files, a common storage format used by various Microsoft applications
- Prefetch viewer to identify the time and frequency of applications that been running on the system, and thus recorded by the O/S's Prefetcher
- Plist viewer to view the contents of Plist files commonly used by MacOS, OSX, and iOS to store settings
- $UsnJrnl viewer to view the entries stored in the USN Journal which is used by NTFS to track changes to the volume
Manage Your Digital Investigation
- Case management enables you to aggregate and organize results and case items
- HTML case reports provide a summary of all results and items you have associated with a case
- Centralized management of storage devices for convenient access across all OSForensics' functionality
- Drive imaging for creating/restoring an exact copy of a storage device
- Rebuild RAID arrays from individual disk images
- Install OSForensics on a USB flash drive for more portability
- Maintain a secure log of the exact activities carried out during the course of the investigation
Professional and Bootable Editions
The professional and bootable editions of OSForensics have many features not available in the free edition, including;
- Import and export of hash sets
- Customizable system information gathering
- No limits on the amount of cases being managed through OSForensics
- Restoration of multiple deleted files in one operation
- List and search for alternate file streams
- Sort image files by colour
- Disk indexing and searching not restricted to a fixed number of files
- No watermark on web captures
- Multi-core acceleration for file decryption
- Customizable System Information Gathering
- View NTFS directory $I30 entries to identify potential hidden/deleted files
The bootable edition contains all the professional features plus the ability to be run on systems without a valid operating system. See the full comparison list between the editions.
Volume & Site Licensing Pricing
We offer discounts for volume licensing and site licenses.
|Quantity||Price Per License|
|1-4 OSForensics Licenses||Request a Quote|
|5-10 OSForensics Licenses||Request a Quote|
|11+ OSForensics Licenses||Request a Quote|
|OSForensics Site License||Request a Quote|
For further information on multi-user licenses and site licenses, please read our FAQ.
Upgrading to Version 6
To upgrade any version of OSForensics to OSForensics V6, please visit our Upgrade order page for details.
Free upgrades are available for all existing users with active support. This includes users who purchased on or after 21st December 2017.