Uncover Recent Activity
OSForensics™ scans your system for evidence of recent activity, such as accessed websites, USB drives, wireless networks, recent downloads, website logins and website passwords. This is especially useful for identifying trends and patterns of the user, and any material or accounts which which have been accessed recently.
OSForensics helps you uncover web browser activity from users such as browsing history, cookies and stored usernames from web browsers. The table below shows which items can be retrieved from commonly used web browsers using OSForensics' Recent Activity module:
|Browser Name||Browsing History||Cookies||Download History||Usernames and Passwords|
|Microsoft Internet Explorer|
|Microsoft Internet Explorer|
|Yes, supported for all users||Yes, for current user only||Unsupported|
Most Recently Used (MRU) Lists
OSForensics can retrieve data about recently accessed applications, documents, media and network shares by scanning locations in the registry which store a user's Most Recently Used (MRU) lists. The data which can be tracked by OSForensics includes (but isn't limited to) files accessed in Microsoft Office applications, Microsoft Wordpad, Microsoft Paint, Microsoft Media Player, Windows Search, Connected Network Drives and the Windows Run command.
Connected USB Devices
OSForensics can display the details of USB devices which have been recently connected to the computer, providing information about the last connection date and device information such as Manufacturer Name, Product ID and Serial Number. The types of devices which can be detected include USB Flash Drives (UFDs), Portable Hard Disk Drives and external USB-connected devices such as DVD-ROM drives.
Wireless Network Connections
OSForensics can list the MAC address of wireless networks connected using the Windows Zero Config Service. This feature is available on machines running Windows XP only.
OSForensics will scan the Windows logs for system activity such as the following events:
- Security Log Events such as account login attempts, logouts and password changes
- System Log Events such as Windows update attempts, system boot/shutdown, and driver installations
- Application Log Events such as application installation attempts
- Microsoft Office user interaction events (OAlerts)
OSForensics is capable of scanning for jumps lists, which is a feature introduced in Windows 7 that allows for fast access to programs and favorites. Because it functions as a most recently used list for some programs, it can provide hints of possible recent behaviour.
OSForensics is able to scan the Windows Search index for recent file activity. Windows Search is a desktop indexer that has been integrated and enabled by default in Windows operating systems since Vista. During its normal operating, Windows Search runs in the background, creating a full-text index of the files on the computer. This index allows for fast searching of filenames and file contents matching the specified search term.
In a forensics point of view, the index database can contain valuable artifacts that can be useful for mapping user activity during any given time frame.
Because Windows Search is enabled by default, the index database acts as a digital footprint of the system activity. The typical user is likely to be unaware of the indexing operation taking place in the background.
As with many of OSForensics' features, you can use the Timeline View to identify patterns in the system activity.
Read more about Timeline View »
OS X Artifacts
OSForensics uncovers the following OS X artefacts on Mac drives:
- Safari history, bookmarks, downloads, and cookies
- Most Recently Used (MRU) items, network locations, documents, multimedia
- Installed Programs
- USB connected iOS devices
- Mounted Volumes
- Mobile backups for iOS devices