You Can Be A Computer Detective Too, With OSForensics Beta

imageThe CSI TV franchise is great entertainment – but that’s what it is – entertainment. Nevertheless, the investigative techniques, despite the fact they are, in the main, pure science fiction – are pretty convincing.

One area where television productions, like this, and movies for that matter, generally get it right is – computer forensic investigation. While this type of investigation, with the investigators fingers flying across the keyboard, appears to be complex, in fact – the process is generally driven by software that is well organized, and logically constructed.

If you would like to try your hand at being a computer “Sherlock Holmes”, then checkout OSForensics Beta (latest release February 4, 2011), a menu driven forensic application that will allow you to identify, extract, document, and interpret data, on your computer.

The GUI is laid out in a functional and logical step by step process – easy to understand and navigate.


I won’t cover all of the capabilities of OSForensics ( I don’t want to spoil all your investigative fun), but as an example, the application can scan a system for evidence of recent activity, including accessed websites, USB drives, wireless networks, recent downloads, website logins and website passwords.


Just one example – in the screen shot below, you can see that the application has captured my login password (blacked out for privacy), for my Hotmail account.


The deleted file recovery function is particularly powerful and the application provides a graphical view of the allocation of the deleted file clusters on the physical disk.


Fast facts:

Search for Emails – An additional feature of being able to search within files is the ability to search email archives. The indexing process can open and read most popular email file formats (including pst) and identify the individual messages.

Recover Deleted Files – After a file has been deleted, even once removed from the recycling bin, it often still exists until another new file takes its place on the hard drive. OSForensics can track down this ghost file data and attempt to restore it back to useable state on the hard drive.

Uncover Recent Activity – Find out what users have been up to. OSForensics can uncover the user actions performed recently on the system, including but not limited to:

Opened Documents

Web Browsing History

Connected USB Devices

Connected Network Shares

Collect System Information – Find out what’s inside the computer. Detailed information about the hardware a system is running on:

CPU type and number of CPUs

Amount and type of RAM

Installed Hard Drives

Connected USB devices, and much more.

View Active Memory – Look directly at what is currently in the systems main memory. Attempt to uncover passwords and other sensitive information that would otherwise be inaccessible. Select from a list of active processes on the system to inspect. OSF can also dump their memory to a file on disk for later inspection.

Extract Logins and Passwords – Recover usernames and passwords from recently accessed websites in common web browsers, including Internet Explorer, Firefox, Chrome and Opera.

While the application is designed as a forensic recovery tool, I can think of a number of uses for this application (since it can be run from USB drive), over and above its expressed purpose. I’m sure you can too.

System requirements: Windows XP, Vista, Win 7, Server 2000, 2003, 2008 (32bit and 64bit support – 64bit recommended). Minimum 1GB of RAM. (4GB+ recommended), 30MB of free disk space – can be run from USB drive.

Download the beta at: PassMark Software

There are a number of worthwhile additional free tools which can be used in conjunction with OSForensics. Checkout the developer’s site here.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Beta Software, Computer Audit Applications, Computer Forensic Tools, Computer Tools, Deleted File Recovery, Freeware, Geek Software and Tools, Software, System Utilities

8 responses to “You Can Be A Computer Detective Too, With OSForensics Beta

  1. Mal

    Hey Bill,
    Looks pretty cool. I guess it could be handy from a security perspective, to see what is being recorded as we go about our daily computer activity. Worth a download and a tryout I think.

    • Hey Mal,

      Yes, you’re right. As well, there are a number of functions, including the “Verify/Create Hash” utility, that can be used to identify an infection/s which antimalware applications either cannot, or have not, picked up. The application “Help” file on this item is very instructive.



  2. I might actually get this just for the file recovery feature. It will definitely come in handy on those days when my head is floating and distracted.

  3. g

    Looks like fun!! Thanks Bill.

    • Hey G,

      I know you just love to get under the hood and get right in there, so you’ll have loads of fun with this one.

      Hope all is well in the Great Northwest. 🙂



  4. John Bent

    Hi Bill,

    Gave this a whirl and found it interesting. Only problem is I appear to have upwards of 3,500 mismatched files. As they all come from known and trusted software I assume I can leave well alone.

    Could be a case of a little knowledge being a dangerous thing? Unfortunately I can’t resist having a go. Fortunately I’m more than aware of my limitations.

    Kind regards

    • Hi John,

      This is the type of app where guys like you and I can really dig into things. I knew you’d take this for a spin.

      I found a high number of mismatched files as well – ran system file checker and no obvious issues were found.