Investigate Or Troubleshoot Computer Systems With OSForensics [Windows]

Whether it’s the FBI digging into a computer owned by a hacker, a company doing an internal computer audit, or a network administrator trying to figure out why a virus originated from a particular PC – the bottom line is that a thorough PC forensics analysis requires software that can dig deeply and do the job right.

In my own experiences, it’s rare that you can find free software that does a good job with this. Most police agencies across the world purchase expensive software for their computer forensics unit.


However, there are free computer troubleshooting and repair tools out there, such as the data recovery apps Guy covered and Net Tools 2008, an admin tool that Karl covered. One more free tool that is just as powerful and capable as many paid computer forensics software packages is known as OSForensics.

Conducting A Forensics Analysis

The best way to go about analyzing and troubleshooting a computer system from top to bottom is in a slow and methodical way. The great thing about OSForensics is that it’s like a virtual briefcase where you can store all of the work you’re doing. If you have several computers that you’re working on, you can set this software up on your work PC and then map the hard drive of the remote PC for analysis. The software will let you store a “case” for each computer you’re working on.

[Screenshot forensics1: OSForensics case overview]

As you can see from the picture above, all of the tools are lined down the left menu bar. All you have to do is work your way down them if you’re not really sure where to start. If you have a more focused goal in mind, then skip ahead to the area of the PC you want to investigate more closely. One of the best tools for any support staff looking to identify a virus or trojan file is “hash sets.”

[Screenshot forensics2: OSForensics hash sets]

This area lets you analyze specific applications that you define, not only individual files. Each application has a set of files that you can review when you double-click on the app. The Hash Set Viewer displays the hash calculations for each file.

The next available tool is the ability to create a “signature.” This is useful for a long-term study, when it’s suspected that certain activities are taking place at a specific location on the computer.

[Screenshot forensics3: OSForensics create signature]

You can create a signature which will take a snapshot of files and directories. Then you can use the “compare signature” tool to check whether changes were made a few weeks or a month down the road. The software also comes with a file search utility, where you can filter results by images, office documents or compressed files.

[Screenshot forensics4: OSForensics file search]

Even better, you can use the unique and very useful “Mismatch File Search” tool to sift through suspect directories and identify any files that the PC owner might have renamed simply to cover up the true identity of the file. For example, renaming an image file with a “.txt” extension, or a classified document with a “.jpg” extension.
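The check behind a mismatch search is simple: the first bytes of most binary formats carry a fixed signature, so an extension that disagrees with the signature is a rename. The following is an added example, not OSForensics code; the signature table is a deliberately short constructed subset, and the sample files (a real-looking JPEG saved as `.txt`, a PDF saved as `.jpg`) are written to a temporary directory:

```python
"""Mismatch file search: flag files whose extension disagrees with their
leading bytes. Added example, not OSForensics code; the signature table
and the sample files (written to a temporary directory) are constructed."""
import os
import tempfile

# Constructed, deliberately small signature table; real tools carry
# hundreds of entries.
MAGIC = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],   # also the container for docx/xlsx/pptx
}
# Extensions that legitimately share a container or a spelling.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def detect_type(head: bytes):
    """Return the format whose signature matches, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(head.startswith(s) for s in sigs):
            return kind
    return None


def check_file(path: str):
    """Return (claimed, detected) when the extension lies, else None.
    Files with no recognised signature (plain text, unknown binaries)
    cannot be judged, so they are also reported as None."""
    claimed = os.path.splitext(path)[1].lstrip(".").lower()
    claimed = ALIASES.get(claimed, claimed)
    with open(path, "rb") as fh:
        head = fh.read(16)
    detected = detect_type(head)
    if detected is None or detected == claimed:
        return None
    return (claimed, detected)


def find_mismatches(root: str) -> dict:
    """Walk root; map relative path -> (claimed, detected) for each mismatch."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result = check_file(full)
            if result:
                hits[os.path.relpath(full, root)] = result
    return hits


def build_sample_dir() -> str:
    """Constructed sample: two honest files and two renamed ones."""
    root = tempfile.mkdtemp(prefix="mismatch_")
    jpeg_head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
    samples = {
        "photo.jpg":  jpeg_head,                      # honest image
        "memo.docx":  b"PK\x03\x04" + b"\x00" * 32,   # honest Office file
        "notes.txt":  jpeg_head,                      # image hidden as text
        "report.jpg": b"%PDF-1.4\n" + b"\x00" * 32,   # document hidden as image
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, (claimed, detected) in sorted(find_mismatches(build_sample_dir()).items()):
        print(f"{path}: named .{claimed} but content is {detected}")
```

The limitation worth knowing before you rely on a tool like this: only formats with a signature can be caught. A document that was renamed to `.txt` is found because its PDF or ZIP header gives it away; a genuine text file renamed to `.jpg` has no signature and simply fails to open as an image, so the search reports nothing for it.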

[Screenshot forensics5: OSForensics mismatch file search]

Getting back to using the hash approach for file analysis, the “Verify/Create Hash” utility lets you compare a known hash value for a file (what the hash value should be) against the calculated hash value for the file on this computer.
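Hash sets, signatures and hash verification all rest on the same operation: digest every file, record the result, and compare later. The block below is an added example, not OSForensics code, that does all three over a constructed directory tree: `snapshot` builds the signature (path, size, SHA-256), `compare` reports what appeared, vanished or changed between two snapshots, and `verify_hash` checks one file against a known digest (here the SHA-256 of the bytes `hello`, standing in for a vendor-published value):

```python
"""Hash sets, signatures and hash verification over a directory.
Added example, not OSForensics code. Sample files are constructed in a
temporary directory; the 'known-good' digest is SHA-256 of b"hello"."""
import hashlib
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so large evidence files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Signature / hash set: relative path -> (size, sha256) for every file."""
    sig = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            sig[os.path.relpath(full, root)] = (os.path.getsize(full), sha256_file(full))
    return sig


def compare(before: dict, after: dict) -> dict:
    """Compare signatures: what appeared, disappeared or changed content."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


def verify_hash(path: str, expected_hex: str) -> bool:
    """Verify/Create Hash: does the file on disk match the known digest?"""
    return sha256_file(path).lower() == expected_hex.strip().lower()


# Known-good digest standing in for a published value: SHA-256 of b"hello".
KNOWN_README_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Snapshot a constructed tree, simulate a month of activity, re-snapshot."""
    root = tempfile.mkdtemp(prefix="sig_")
    _write(root, "app/readme.txt", b"hello")
    _write(root, "app/tool.exe", b"MZ" + b"\x00" * 64)
    _write(root, "app/old.log", b"nothing to see")
    before = snapshot(root)

    _write(root, "app/tool.exe", b"MZ" + b"\x90" * 64)   # binary replaced in place
    os.remove(os.path.join(root, "app", "old.log"))      # file deleted
    _write(root, "app/dropped.dll", b"MZ" + b"\x00" * 8)  # new file appeared
    after = snapshot(root)
    return root, compare(before, after)


if __name__ == "__main__":
    root, diff = demo()
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
    print("readme intact:", verify_hash(os.path.join(root, "app", "readme.txt"), KNOWN_README_SHA256))
```

Note that `compare` keys on content, not timestamps: a file whose modification time was reset to hide tampering still shows up as modified, while a file that was merely touched does not.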

[Screenshot forensics6: OSForensics verify/create hash]

Another area where this software really excels in forensic analysis is the ability to sift through thousands of files very quickly in order to identify specific text keywords. The first step to speed up the process is to create an index for any directory on the computer. When it’s done, it will report the number of unique words found within all of the files.

[Screenshot forensics7: OSForensics create index]

Once the index is built, just use the “Search Index” tool to dig through files, images and emails to track down whatever specific occurrence or content you’re looking for.
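The reason indexing first pays off is that every file is read once and every later search is a dictionary lookup. The block below is an added example, not OSForensics’ indexer: it builds an inverted index over a constructed directory, reports the unique-word count the way the tool does when it finishes, and answers multi-term searches ranked by hit count. Its tokeniser is a crude regex over bytes decoded with errors ignored; a real indexer extracts text from Office files, PDFs and mail stores before tokenising.

```python
"""Index a directory once, then search it repeatedly. Added example, not
OSForensics' indexer. Sample files are constructed in a temp directory."""
import os
import re
import tempfile
from collections import defaultdict

# Crude tokeniser: runs of two or more letters, digits or underscores.
WORD = re.compile(r"[A-Za-z0-9_]{2,}")


def build_index(root: str) -> dict:
    """Inverted index: word -> {relative path: occurrences}."""
    index = defaultdict(lambda: defaultdict(int))
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                # Binary files decode to mostly garbage; errors="ignore"
                # keeps the walk going instead of aborting on them.
                text = fh.read().decode("utf-8", errors="ignore")
            for word in WORD.findall(text):
                index[word.lower()][rel] += 1
    return {w: dict(files) for w, files in index.items()}


def unique_words(index: dict) -> int:
    """The figure the indexer reports when it finishes."""
    return len(index)


def search(index: dict, *terms: str) -> list:
    """Files containing every term, most hits first, then by path."""
    terms = [t.lower() for t in terms]
    if not terms or any(t not in index for t in terms):
        return []
    files = set(index[terms[0]])
    for t in terms[1:]:
        files &= set(index[t])
    return sorted(files, key=lambda f: (-sum(index[t][f] for t in terms), f))


def build_sample_dir() -> str:
    """Constructed evidence: one mail, two text notes, one binary image."""
    root = tempfile.mkdtemp(prefix="index_")
    samples = {
        "mail/offer.eml": b"Subject: invoice\n\nPlease wire the invoice amount to account 42.",
        "docs/notes.txt": b"Draft invoice for the client, amount to be confirmed.",
        "docs/todo.txt":  b"Buy milk. Call the bank about the wire.",
        "img/pic.jpg":    b"\xff\xd8\xff\xe0" + bytes(range(256)),
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    idx = build_index(build_sample_dir())
    print("unique words:", unique_words(idx))
    print("invoice:", search(idx, "invoice"))
    print("invoice + wire:", search(idx, "invoice", "wire"))
```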

Another computer forensics tool that most Windows users will recognize is the “Recent Activity” tool. While it looks similar to the “Recent Documents” list, this utility actually digs quite a bit deeper, searching MRU records, USB records, cookies, downloads and more. The owner might have tried cleaning up the PC already, but many people don’t understand all of the places that activity is logged – so this tool can find any remaining trace of that activity.

[Screenshot forensics8: OSForensics recent activity]

Another very cool feature is the “Deleted File Search” tool that lets you sift through the records for any indication of questionable recently deleted files. I noticed that this particular feature isn’t foolproof. It’ll try to identify trace elements of any deleted files, but it isn’t always successful.
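One reason deleted-file recovery is not foolproof is visible in the simplest recovery technique, header/footer carving: the tool scans raw sectors for a format’s start marker and takes everything up to the matching end marker, so once later writes have overwritten the tail of a deleted file there is nothing to recover. The following is an added example, not OSForensics’ deleted-file search; the “disk image” is a constructed byte string holding one intact deleted JPEG and one whose end was overwritten:

```python
"""Header/footer carving for JPEGs in a raw image. Added example, not
OSForensics' deleted-file search. The 'disk image' is constructed in
memory: two deleted pictures, the second one partly overwritten."""
import os
import tempfile

SOI = b"\xff\xd8\xff"   # JPEG start-of-image plus first marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image


def carve_jpegs(image: bytes, max_len: int = 8 * 1024 * 1024) -> list:
    """Return (offset, length) for each JPEG header found. length is None
    when no trailer follows within max_len: the file was truncated or
    overwritten, which is exactly where carving stops being reliable."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            return found
        end = image.find(EOI, start + len(SOI))
        if end < 0 or end - start > max_len:
            found.append((start, None))
            pos = start + 1
        else:
            found.append((start, end + len(EOI) - start))
            pos = end + len(EOI)


def save_carved(image: bytes, hits: list, out_dir: str) -> list:
    """Write each complete hit to out_dir as carved_<offset>.jpg."""
    written = []
    for offset, length in hits:
        if length is None:
            continue
        path = os.path.join(out_dir, f"carved_{offset:08x}.jpg")
        with open(path, "wb") as fh:
            fh.write(image[offset:offset + length])
        written.append(path)
    return written


# Constructed sample sectors: filler, a whole JPEG, filler, a JPEG whose
# tail was lost to later writes, filler.
FILLER = b"\x00" * 64
SAMPLE_JPEG = SOI + b"\xe0\x00\x10JFIF\x00" + b"A" * 20 + EOI
TRUNCATED_JPEG = SOI + b"\xe1\x00\x10Exif\x00" + b"B" * 10
SAMPLE_IMAGE = FILLER + SAMPLE_JPEG + FILLER + TRUNCATED_JPEG + FILLER


def demo():
    """Carve the constructed image and save what can be recovered."""
    hits = carve_jpegs(SAMPLE_IMAGE)
    out_dir = tempfile.mkdtemp(prefix="carved_")
    return hits, save_carved(SAMPLE_IMAGE, hits, out_dir)


if __name__ == "__main__":
    hits, files = demo()
    for offset, length in hits:
        print(f"header at 0x{offset:x}: " + ("truncated" if length is None else f"{length} bytes"))
    print("recovered:", files)
```

The other classic failure is the mirror image of the one shown: when a truncated header is followed on disk by a later intact file, a naive carver glues the two together because the next end marker it sees belongs to the second file. That is why a tool that relies on this technique reports trace elements it cannot always turn into a usable file.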

[Screenshot forensics9: OSForensics deleted file search]

Finally, when you’re really desperate to find some remaining shred of evidence for a crime, you may need to take the “memory viewer” for a ride. This computer forensics app displays all of the hard memory addresses and how much information is stored. You can dump the contents of memory to a CSV file so you can poke around for any clues or a smoking gun.

[Screenshot forensics10: OSForensics memory viewer]

As you can see, OSForensics is pretty powerful software for anyone who has the sometimes unfortunate task of investigating the computer system of someone who is accused of doing something wrong. Sometimes, a proper, thorough forensics investigation of the computer can turn up compelling evidence that can make or break a case.

Have you ever used OSForensics? What do you think? Do you know of any other similar apps that are just as good or better? Share your thoughts in the comments section below.

Image credit: Peter Hostermann


6 Comments -

Frank Merlott

You can also use Caine (http://www.caine-live.net/) Computer Aided INvestigative Environment. A free Linux live CD for computer forensics.

Aibek

Thanks for sharing.

Mauley

This would be useful for me seeing as I am studying Digital Forensics and Ethical Hacking; I had not known this existed until now. Will definitely be giving this a try.

Anonymous

Thanks for this review. I tried it and while indexing my drive C, the process was interrupted, and I submitted a ticket to them.

acmz123

Oh, it’s easy. Many people have such a problem. You can try the software “tuneup360”. My friends and I all use it.