The CSI TV franchise is great entertainment – but that’s what it is – entertainment. Nevertheless, the investigative techniques, despite being, in the main, pure science fiction, are pretty convincing.
One area where television productions like this, and movies for that matter, generally get it right is computer forensic investigation. While this type of investigation, with the investigator’s fingers flying across the keyboard, appears to be complex, in fact the process is generally driven by software that is well organized and logically constructed.
If you would like to try your hand at being a computer “Sherlock Holmes”, then check out OSForensics Beta (latest release February 4, 2011), a menu-driven forensic application that will allow you to identify, extract, document, and interpret data on your computer.
The GUI is laid out in a functional and logical step by step process – easy to understand and navigate.
I won’t cover all of the capabilities of OSForensics (I don’t want to spoil all your investigative fun), but as an example, the application can scan a system for evidence of recent activity, including accessed websites, USB drives, wireless networks, recent downloads, website logins and website passwords.
Just one example – in the screen shot below, you can see that the application has captured my login password (blacked out for privacy) for my Hotmail account.
The deleted file recovery function is particularly powerful and the application provides a graphical view of the allocation of the deleted file clusters on the physical disk.
Fast facts:
Search for Emails – An additional feature of being able to search within files is the ability to search email archives. The indexing process can open and read most popular email file formats (including pst) and identify the individual messages.
Recover Deleted Files – After a file has been deleted, even once removed from the Recycle Bin, its data often still exists on the hard drive until another new file takes its place. OSForensics can track down this ghost file data and attempt to restore it to a usable state on the hard drive.
Uncover Recent Activity – Find out what users have been up to. OSForensics can uncover the user actions performed recently on the system, including but not limited to:
Opened Documents
Web Browsing History
Connected USB Devices
Connected Network Shares
Collect System Information – Find out what’s inside the computer. Detailed information about the hardware a system is running on:
CPU type and number of CPUs
Amount and type of RAM
Installed Hard Drives
Connected USB devices, and much more.
View Active Memory – Look directly at what is currently in the system’s main memory. Attempt to uncover passwords and other sensitive information that would otherwise be inaccessible. Select from a list of active processes on the system to inspect. OSF can also dump their memory to a file on disk for later inspection.
Extract Logins and Passwords – Recover usernames and passwords from recently accessed websites in common web browsers, including Internet Explorer, Firefox, Chrome and Opera.
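The Recover Deleted Files fact above rests on data remanence: deleting a file clears its directory entry but leaves its clusters in place until something reuses them. The following added example (my own illustration, not OSForensics code) models that on a constructed toy disk and shows a signature carver still finding the file after deletion, but not after its cluster is overwritten; the cluster size, directory format and file signatures are all assumed for the demonstration.

```python
import struct

CLUSTER = 64  # assumed toy cluster size in bytes
DIR_ENTRY = struct.Struct("<II")  # assumed directory entry: (start cluster, length); zeros = free
HEADER = b"\x89PNG\r\n\x1a\n"  # constructed signature, modelled on the PNG file header
FOOTER = b"IEND\xaeB`\x82"  # constructed signature, modelled on the PNG IEND footer

def make_disk(payload: bytes, clusters: int = 8) -> bytearray:
    """Toy disk: cluster 0 holds the directory table, the file's data starts at cluster 2."""
    disk = bytearray(CLUSTER * clusters)
    disk[0:DIR_ENTRY.size] = DIR_ENTRY.pack(2, len(payload))  # one live directory entry
    disk[2 * CLUSTER:2 * CLUSTER + len(payload)] = payload
    return disk

def list_files(disk: bytearray) -> list:
    """What a normal directory listing sees: only entries still present in the table."""
    start, length = DIR_ENTRY.unpack_from(disk, 0)
    return [] if start == 0 else [bytes(disk[start * CLUSTER:start * CLUSTER + length])]

def delete_file(disk: bytearray) -> None:
    """Ordinary deletion: clear the directory entry, leave the data clusters untouched."""
    disk[0:DIR_ENTRY.size] = bytes(DIR_ENTRY.size)

def overwrite_cluster(disk: bytearray, cluster: int) -> None:
    """A new file reusing the space: this is what finally destroys the ghost data."""
    disk[cluster * CLUSTER:(cluster + 1) * CLUSTER] = bytes(CLUSTER)

def carve(disk: bytearray) -> list:
    """Signature carver: recover every header..footer run, ignoring the directory table."""
    found, pos = [], 0
    while (h := disk.find(HEADER, pos)) >= 0:
        f = disk.find(FOOTER, h + len(HEADER))
        if f < 0:
            break
        found.append(bytes(disk[h:f + len(FOOTER)]))
        pos = f + len(FOOTER)
    return found

def demo() -> tuple:
    """(listed, carved) file counts at each stage: live, deleted, cluster overwritten."""
    disk = make_disk(HEADER + b"constructed sample image data" + FOOTER)
    live = (len(list_files(disk)), len(carve(disk)))
    delete_file(disk)
    deleted = (len(list_files(disk)), len(carve(disk)))
    overwrite_cluster(disk, 2)
    gone = (len(list_files(disk)), len(carve(disk)))
    return live, deleted, gone  # ((1, 1), (0, 1), (0, 0))
```

The middle stage is the one a recovery tool exploits: the listing is empty, yet the bytes are still there for a carver to find.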
While the application is designed as a forensic recovery tool, I can think of a number of uses for this application (since it can be run from a USB drive) over and above its express purpose. I’m sure you can too.
System requirements: Windows XP, Vista, Win 7, Server 2000, 2003, 2008 (32-bit and 64-bit support – 64-bit recommended). Minimum 1GB of RAM (4GB+ recommended), 30MB of free disk space – can be run from a USB drive.
Download the beta at: PassMark Software
There are a number of worthwhile additional free tools which can be used in conjunction with OSForensics. Check out the developer’s site here.