
OSForensics v5 Review by Jarno Baselier

By Jarno Baselier https://jarnobaselier.nl/osforensics-v5-review/

Page 1 of 23

I have been curious for quite some time about the forensic software “OSForensics” from Passmark Software. As befits every good forensic package, many tasks can be performed to retrieve files, content and events that can serve as evidence in a legal case. OSForensics costs $899 USD, which currently amounts to around €725. It’s certainly not inexpensive, but still less than competitors such as X-Ways, AccessData and EnCase. OSForensics has a clean graphical user interface (GUI) with many interesting options that I would like to examine further. Let's go!

After a friendly email exchange with personnel at Passmark Software, I received a full-featured license for OSForensics V5. Of course, this review remains completely impartial, but it is still very cool to get a full-featured license. My questions in my e-mails were answered promptly and completely, so in terms of pre-sales assistance, they seem to provide good customer service. The current version of OSForensics is V5.2, so that is what I will be using in this review. The software is Windows-based and easy to download from https://www.osforensics.com/osforensics.html.

The installation of OSForensics is straightforward, and after just a few clicks of the mouse we are asked whether we want to register or continue with the limited demo version. Of course we register the software, which unlocks all the functionality that the Professional package has to offer. The Start screen looks like this:

OSForensics distinguishes itself in a number of areas. The most important are:

Price: The price is clearly more affordable than that of its competitors. Passmark Software is able to offer its low price because it operates with minimal overhead. 100% of its employees are experienced programmers and/or forensic experts. The company does not have a traditional sales or marketing department and can therefore keep prices low and its service professional and customer-focused. In addition, OSForensics uses no dongles to register the software but instead uses a standard license key. This also helps keep costs down for the company, savings which they can then pass on to their customers. It is also beneficial because there is no physical hardware device to be lost.


Portability: Users can make a bootable USB drive with OSForensics from the licensed product. This USB drive offers full functionality and is not sold as a separate product. We will also look at this function in this post.

Speed: OSForensics is one of the faster forensic packages on the market.

Reports: The software provides the ability to create customized reports using a built-in HTML editor. Concise or extensive reports are all possible and fully customizable. Even reports from other vendors' tools can be inserted to generate a complete report, which makes OSForensics a complete case management solution.

Lab & Live analysis: OSForensics actively develops its software and recently released many "live analysis" tools for the analysis of live data, in particular the system's RAM. The demand for this is also increasing with the rise of ransomware. The software is therefore multi-purpose and useful for either offline (lab) analysis or live analysis in the field.

Respected in the community: OSForensics is a respected product and finished last year (2017) as a Top 3 finalist for the Forensic 4:cast’s "Computer Forensic Software of the Year" award at the SANS DFIR event in Austin, Texas. In addition, PassMark has created and distributes several free and open-source tools for the digital forensics community. Passmark Software currently has 4 free forensic tools, namely: Volatility Workbench, ImageUSB, OSFMount, and OSFClone.

OSForensics Interface: The OSForensics interface gives you access to the following parts of the main menu with 1 click:

- Triage Wizard - The Triage Wizard is a feature for non-forensic people who want to quickly and easily retrieve data. It is an automated wizard which quickly identifies system information, evidentiary files and more with a click or two of the mouse.
- Manage Case - With these options you can create new cases, open existing cases and delete cases. Through this item you can also create reports of your cases, view details and add reports.
- File Name Search - Searches the target media for specific file types and/or file names.
- Create Index - This module allows the investigator to create a searchable index. The index offers numerous customizable options that the user can choose when creating the index of a drive, drive image, or other target media.
- Search Index - Once created, the index can then be searched here using various methods.
- Recent Activity - This module can help an investigator gain more insight into the recent user activity of the device. Artifacts such as websites visited, wireless networks, removable media, recent downloads, and much more are discovered in this scan.
- Deleted Files Search - Searches for and restores files that have recently been deleted.
- Mismatch File Search - This module detects files whose content differs from what the extension suggests. Think of a JPG file which is actually a renamed text file.
- Memory Viewer - With the Memory Viewer, digital evidence can be collected and analyzed from the temporary (volatile) memory, i.e. the RAM. Due to the non-persistent nature of this memory, some digital data may only be available on the live system.


- Prefetch Viewer - Another service that collects interesting data is the Windows Prefetcher. This OSForensics module reads the Prefetch files, with which you can, for example, see how often and when a certain application was opened.
- Raw Disk Viewer - The Raw Disk Viewer is a viewer that analyzes the disk at the sector level. Data that is hidden in sectors outside the file system can be traced.
- Registry Viewer - The Registry Viewer module automatically locates and identifies all main registry hives (including the backup hives) on a system. This can be used on hives from within the case or with the hives of a live system.
- File System Browser - This browser allows you to browse through all file structures added to the project. You can search physical disks, forensic images, folders, the network, Volume Shadow Copies, BitLocker encrypted drives etc.
- SQLite DB Browser - This database browser displays the content of SQLite databases in a clear way and offers a powerful search function.
- Web Browser - This is a basic web browser with various forensic features such as creating screenshots that can be added directly to the project.
- Passwords - With this function you can automatically retrieve passwords from different sources and decrypt them. This module scans an entire system or forensic image for passwords, user accounts and more. The results show you where the passwords have been found and how strong the passwords are. You can also create rainbow tables in this module, which can then be used by OSForensics to recover stronger passwords that were not automatically decrypted.
- System Information - This tool helps you to collect all kinds of system information. Perform pre-programmed DOS commands or get all kinds of system information such as OS, volume information, hardware information, memory information etc.
- Verify / Create Hash - With this tool you can compute hashes of files, text or volumes with various algorithms such as MD5, SHA1, CRC32 and SHA-256.
- Hash Sets - This module allows you to create, import and manage various hash sets for file identification.
- Create Signature - A signature is a snapshot of the directory structure at a certain point in time. Use this function to create a signature of a live system, a forensic image, or even a particular folder or user directory.
- Compare Signature - Compares different signatures (directory structures) with each other and identifies differences (New, Deleted, and Modified).
- Drive Preparation - Perform a disk action such as testing a drive or fully formatting or overwriting (zeroing) the drive.
- Forensic Imaging - Create different types of forensic images, plus other tasks such as restoring an image to a disk, viewing hidden areas on the disk (HPA/DCO), or even rebuilding a RAID disk.
- Mount Drive Image - Mounts a drive image (IMG / DD / ISO / BIN / 000/001 / NRG / SDI / AFF / AFD / AFM / VMDK / E01 / S01 / VHD).
- Install to USB - Installs the software to a USB drive for live system analysis and also provides the option to create a bootable USB drive.
- About - Information about the software and the active license.
- Exit - Closes the application.
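The Create Signature and Compare Signature entries above work on a simple principle: record the directory tree once, record it again later, and diff the two. The Python below is an added example (not OSForensics code) of that principle: it builds a signature from the size, modification time and SHA-256 of every file under a root and classifies paths as New, Deleted or Modified; the sample tree is constructed in a temporary directory, and the extra "metadata_only" bucket is my own addition for files whose timestamp changed while the content did not.

```python
"""Directory signature snapshot and comparison. Added example in the spirit
of the Create Signature / Compare Signature modules; not Passmark code."""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    size: int
    mtime_ns: int
    sha256: str


def _hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1024 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def create_signature(root: str) -> dict[str, Entry]:
    """Walk `root` and record size, mtime and SHA-256 of every regular file,
    keyed by the path relative to `root` so two roots can be compared."""
    sig: dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            sig[rel] = Entry(st.st_size, st.st_mtime_ns, _hash_file(full))
    return sig


def compare_signatures(old: dict[str, Entry], new: dict[str, Entry]) -> dict[str, list[str]]:
    """Classify paths as new, deleted or modified. A file is 'modified' when
    its content hash changed; a timestamp change with identical content goes
    to 'metadata_only' so a touched-but-unchanged file is not mistaken for an edit."""
    old_paths, new_paths = set(old), set(new)
    result: dict[str, list[str]] = {
        "new": sorted(new_paths - old_paths),
        "deleted": sorted(old_paths - new_paths),
        "modified": [],
        "metadata_only": [],
    }
    for path in sorted(old_paths & new_paths):
        if old[path].sha256 != new[path].sha256:
            result["modified"].append(path)
        elif old[path] != new[path]:
            result["metadata_only"].append(path)
    return result


def demo() -> dict[str, list[str]]:
    """Constructed scenario: snapshot a small tree, change it, snapshot again."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Users", "alice", "Documents"))
        notes = os.path.join(root, "Users", "alice", "Documents", "notes.txt")
        ledger = os.path.join(root, "Users", "alice", "ledger.xlsx")
        temp = os.path.join(root, "Users", "alice", "old.tmp")
        for path, data in ((notes, b"meeting at 10"), (ledger, b"XLSX"), (temp, b"x")):
            with open(path, "wb") as fh:
                fh.write(data)
        before = create_signature(root)

        with open(notes, "ab") as fh:                 # content change -> modified
            fh.write(b"\nwire transfer done")
        os.remove(temp)                               # -> deleted
        with open(os.path.join(root, "Users", "alice", "cleaner.exe"), "wb") as fh:
            fh.write(b"MZ")                           # -> new
        os.utime(ledger, ns=(1, 1))                   # timestamp only -> metadata_only
        after = create_signature(root)
        return compare_signatures(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:14s} {paths}")
```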


So, OSForensics offers a huge package of tools to search, retrieve and build a case. The interface consists of 1 large main menu. The absence of the submenus found in many other solutions makes everything very clear. Navigating through the menus is smooth and fast, and the purpose of each item is clearly shown. However, there are still a number of other applications to start via the "Start" link, in particular a number of viewers such as the e-mail viewer, thumbnail cache viewer, ESE DB viewer, Plist viewer and $UsnJrnl viewer (which is useful for detecting files that are no longer present on the OS).

Triage Wizard

One of OSForensics' newest features is the Triage Wizard. This wizard is designed to easily create a case and collect system and user information automatically and quickly. The wizard is ideal for law enforcement officers or system administrators who may lack forensic experience or training, by allowing them to quickly collect data automatically on-site. The Triage Wizard is for live systems and performs certain functions that make no sense on a forensic image, such as a RAM dump, process list etc. In this example we will run the Triage Wizard on our live system.


When the correct drive is selected, we start the scan. Unfortunately, this is the moment that I ran into a problem. The following pop-up appeared and the application was aborted.

A second attempt gave the same result. Within 6 hours I had received a message from PassMark support that the problem was probably a printer returning a null description. PassMark Software immediately sent a new build of the software which fixed the bug, and the Triage Wizard scan completed successfully.


After the Triage Wizard completes (which is really fast, as it took less than 5 minutes on my system), a new case is created which contains all the reports that we have checked. So after running the Triage Wizard, a complete memory dump, recent activity, deleted file cache, stored passwords, screenshot and a directory file list are available for review. Of course you can perform additional actions yourself, such as creating and searching an index or creating a forensic image. (These actions are not available from the initial Triage Wizard scan.)

Create a Case: The basis of every investigation is of course your case. Your case is where you keep all important information and files found. A case also forms the basis for your reports. The Triage Wizard automatically created a case with interesting data from a live system, but what if we want to analyze data from a forensic image? For this we can manually create a case.

We have already made a forensic image for this demo. We can analyze this image file without mounting it. By mounting an image, the NTFS permissions also take effect, and that can be a disadvantage. The only reason to mount an image is if you want to give other applications access to the image. (So be careful with this approach.) Let's mount the image for this example. We mount the image via "Mount Drive Image".

After we have mounted the image (consisting of 4 partitions), click on "Manage Case" to create a new case. When we create a new case, we get the following fields to provide the case with initial data.


After filling in the desired data (and remember, the more information the better) the case can be started via "Load Case".

In order to be able to perform indexed searching for content contained in files or anywhere within the disk image, a so-called "index" must be created. Use the "Create Index" module to first create an index that we can use later.


Indexing this 453 GB drive (including unallocated space) took about 5 hours. That is pretty fast. OSForensics uses Passmark's own “Zoom” search engine for indexing and other search tasks.

After the index has been created we can search through all indexed items (including the content of each item). Through "Search Index" we can easily perform various search tasks. For example, we can search the indexed items with a predefined word list and with wildcards to keep our search area as wide as possible. We can also narrow searches by date range:

Now let's add an extra drive. Via Manage Case we select the "Add Device" button.


The screen below appears, and here we are going to add the Q partition (of course we can also choose an image file, physical drive or a specific folder or file). The following file systems are supported here: NTFS (Windows 10 CompactOS is also supported, for both the XPRESS and the LZX format), FAT32/FAT16, exFAT, Ext2/Ext3/Ext4, and HFS+/HFSX.

Support for the Mac-based file systems is an especially nice addition, because most packages do not support these formats.

The following partition formats are supported: MBR - Master Boot Record, GPT - GUID Partition Table, APM - Apple Partition Map.

In this example, we add the Q partition in forensic mode.


Now that this partition has been added, we can also have a search index made for it. Once we have indexed all the media that we want to search, we can make use of a predefined word list. OSForensics comes with a number of predefined word lists, but you can of course easily create them yourself.

Old search results can easily be viewed and retrieved with the "History" tab.


In the same way, you can also search for file names or types in the "File Name Search" module. Again you can use certain presets such as searching for images or video files, and you can narrow your search by enabling certain search options.

Detecting deleted files is also a breeze with the "Deleted Files Search" option. This module searches for files that have been deleted but whose sectors have not yet been overwritten, so these files can be retrieved by the program.


With deleted files you can do various things. You can of course open or view them. But you can also add them to the case, which makes them easy to find later. For further analysis, the file can be analyzed with the OSForensics Internal Viewer or saved to the hard disk. You could even add all the results of the search to the case.

The above properties are characteristic of the software and actually apply to all files. So files found in the "Search Index" or the "File Name Search" can easily be added to the case or analyzed later.

OSForensics makes case building very easy. It is also a breeze to gain insight into which files have a different format than their extension suggests. The "Mismatch File Search" module does this for you.
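An added example (not OSForensics code) of what a mismatch file search does: compare the leading bytes of a file against known magic numbers and check whether the detected format is one the extension permits, so that a text file renamed to .jpg, or an executable renamed to .pdf, is flagged. The sample files are constructed in-line and the signature table is a small hand-built subset; a real scanner uses a far larger table and also checks structure beyond the first bytes.

```python
"""Content-versus-extension check, the principle behind a mismatch file
search. Added example; the signature table is a small hand-built subset of
publicly documented magic numbers, not Passmark's."""
from __future__ import annotations

# (leading bytes at offset 0, format name)
MAGIC: list[tuple[bytes, str]] = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"MZ", "pe"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
]

# Formats that are legitimate for an extension. Office documents and JARs are
# ZIP containers, so a ZIP signature is expected there. An empty set means
# "plain text: no binary signature should be present at all".
EXPECTED: dict[str, set[str]] = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "gif": {"gif"},
    "pdf": {"pdf"}, "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"},
    "jar": {"zip"}, "exe": {"pe"}, "dll": {"pe"}, "7z": {"7z"}, "gz": {"gzip"},
    "txt": set(), "csv": set(), "log": set(),
}


def detect_type(header: bytes) -> str | None:
    """Return the format whose magic number starts `header`, else None."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    return None


def classify(name: str, header: bytes) -> str:
    """'match', 'mismatch' or 'unverified' for one file name and its first bytes.

    unverified: no rule exists for the extension, so nothing can be proven.
    A .jpg holding plain text is a mismatch (JPEG signature expected, none
    found); a .txt holding a ZIP or PE header is a mismatch too."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = EXPECTED.get(ext)
    found = detect_type(header)
    if expected is None:
        return "unverified"
    if found is None:
        return "match" if not expected else "mismatch"
    return "match" if found in expected else "mismatch"


def scan(files: dict[str, bytes]) -> list[tuple[str, str | None, str]]:
    """(name, detected format, verdict) for every file, mismatches first."""
    rows = [(n, detect_type(h), classify(n, h)) for n, h in files.items()]
    return sorted(rows, key=lambda r: r[2] != "mismatch")  # stable sort


# Constructed sample: file name -> first bytes, as a scanner would read them.
SAMPLE_FILES: dict[str, bytes] = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF",   # genuine JPEG
    "photo.jpg": b"Dear diary, nothing to see here",  # text renamed to .jpg
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # executable posing as PDF
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",     # Office file: ZIP is fine
    "readme.txt": b"Plain text, no magic at all",     # genuine text
    "backup.txt": b"PK\x03\x04\x14\x00\x00\x00",      # archive hidden as .txt
    "unknown.bin": b"\x00\x01\x02",                   # no rule for .bin
}


def mismatches(files: dict[str, bytes] = SAMPLE_FILES) -> list[str]:
    """Names of files whose content contradicts their extension."""
    return [name for name, _, verdict in scan(files) if verdict == "mismatch"]


if __name__ == "__main__":
    for name, found, verdict in scan(SAMPLE_FILES):
        print(f"{verdict:10s} {name:14s} detected={found}")
```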


Another valuable module is the "Prefetch Viewer". This module allows the investigator to view potentially valuable forensic information stored by the Prefetcher in the Windows operating system. The Prefetcher is a special component that improves the performance of the OS by pre-caching applications in RAM, which reduces disk access. To pre-cache, the Prefetcher uses application usage information, such as the number of times the application was run, the last time it was executed, and all files that the application uses when it is started. With this information forensic investigators can discover certain (suspicious) usage patterns, such as a recently used cleaner.

The "Raw Disk Viewer" shows the raw data from the disk (or image). This makes it easy to view and analyze the content per sector. With the Raw Disk Viewer it is thus possible to examine all sectors and to search for data outside the directories and files of the operating system. Users can manually analyze free clusters and file slack space. The viewer is clearly organized with colors and subdivided into sectors. Sectors and data can of course also be exported or added to the case.


The Registry Viewer makes it possible to view and analyze the registry of the OS. The Registry Viewer is well-organized, searches can be made and keys can be added to the case. What is striking is that the search queries are fast and accurate.

The "Passwords" module is a very useful feature of OSForensics. It allows searching for certain types of passwords, usernames, hashes and license keys. If the passwords cannot be automatically decrypted by OSForensics, you can create or import a rainbow table here and then recover the password. Even encrypted files can be tested here against different passwords.


Live Analysis

The above features can be used during both live analysis and offline analysis. However, there are also tools in the OSForensics suite that are specific to the analysis of live systems. These tools are primarily used for live acquisition, when a forensic investigator processes a compromised system that is still powered on. These tools can also be used while running the Triage Wizard. There are 2 indispensable live-acquisition tools:

#1 - The "Recent Activity" module. This module provides insight into which tasks were recently performed on the OS. Think of USB sticks used, downloads, Windows Run commands etc. The Recent Activity module can also be executed on a forensic image (i.e., offline media), but may discover fewer artifacts because less data is accessible.

#2 - The "Memory Viewer" module. This module can be used in "live analysis" mode to examine the memory of the running system. Each process has 47 columns of metadata and can be investigated further with the built-in viewer. A memory dump can also be investigated by clicking on the Static Analysis tab.


Create Case Report

We generate a report of a case from the Case Manager by clicking the "Generate Report" button. There are several report templates to choose from.


If we opt for a default report, OSForensics generates an HTML report that looks like this:


However, we can fully customize the report with our own logos, a different layout and additional information.

Via the buttons "Add Attachment", "Add External Report", "Add Note" and "Add Evidence Photo" we can add extra information. As a test I added a photo and a note.

If I then use the report generator, I use the "Custom Logos" button to add my own logos. Now the report looks a lot nicer:


To further fine-tune the reports, some HTML knowledge is required. The templates can be found in the "C:\ProgramData\PassMark\OSForensics\ReportTemplates" folder.

To create a report template yourself, you can copy a basic template and edit the files you want to modify. A template consists of several HTML files as well as CSS and JavaScript files.

Reports can be saved as HTML, PDF, or both. In short: OSForensics gives you the freedom to generate reports with exactly the right information in the desired layout.

Make Bootable OSForensics USB Drive

The last feature that I would like to test is making a bootable OSForensics USB drive. Let's insert an empty USB stick into the OSForensics machine and click on "Install to USB". Then we are asked for the location of the USB drive and the license key for OSForensics. Please note, the license key shown is for illustrative purposes only and is fake (this saves a lot of retyping work).


Within 2 minutes the following message appears and the copying of the OSForensics files is complete.

WinPE then starts to make the USB drive bootable. We chose WinPE for Win10 and must first install the ADK (Assessment and Deployment Kit) for Windows 10. Once that is done, we choose the first 3 options (default):


All subsequent steps are left at their defaults. In the last step (create) select your USB drive and click “Create”.

After the USB drive is fully operational it can be used to boot a computer. If the computer is booted from USB, we will see the same familiar environment that we are used to. All options are available and ready for use!


Conclusion

OSForensics seriously surprised me on a number of fronts. OSForensics offers a complete suite of tools (which they themselves call modules) for both live-acquisition and non-live acquisition forensics. There are many viewers present and the case structure is unique. From any position, adding data to your case is as easy as a simple push of a button. The reports are also very extensive and can be arranged entirely according to your own insights. If you want fast search results, OSForensics is a very good choice. The price and the ability to make a full-featured USB drive are fantastic extras. There are actually no tools that I am missing in this suite. Viewers, registry tools, mounting possibilities and the many automated discovery tools make OSForensics a dignified, complete and very clear forensic solution.

My experience with their support was very pleasant and fast. There was always a friendly and helpful email reply within 12 hours.

Finally, I’ll finish this review with the only 2 minus points of the application. The first is that the tool crashed a few times during my tests. Obviously there was a reason (as outlined earlier in this review) and support was extremely helpful and resolved the problem quickly and professionally. It is always a bit annoying when an application crashes, but fortunately with OSForensics your cases and all gathered information remain intact, and the application can easily be restarted after a crash.

The second point is the Triage Wizard itself. I miss the ability to create an index in the Wizard. It would be ideal to complete the case with this function after the Triage Wizard has finished. Support staff could already create a complete case in the time before the forensic investigator arrives on site. This can save a lot of time, and the expression "the sooner the better" also applies here.

OSForensics is a fantastic package which surprised me with all the modules, functions and fine-tuning that are present in this powerful toolkit. OSForensics can compete with the “big boys” among the forensic applications, and its price tag and technical abilities make this an absolute must for the digital forensics professional.

Review by:

Jarno Baselier, CEH, MCSE, CCNA, and IINS

https://jarnobaselier.nl/

(Review translated from Dutch to English)