In my own experiences, it’s rare that you can find free software that does a good job with this. Most police agencies across the world purchase expensive software for their computer forensics unit.
However, there are free computer troubleshoot and repair tools out there, such as the data recovery apps Guy covered and Net Tools 2008, an admin tool that Karl covered. One more free tool that is just as powerful and capable as many paid computer forensics software packages is known as OSForensics.
Conducting A Forensics Analysis
The best way to go about analyzing and troubleshooting a computer system from top to bottom is in a slow and methodical way. The great thing about OSForensics is that it’s like a virtual briefcase where you can store all of the work you’re doing. If you have several computers that you’re working on, you can set this software up on your work PC and then map the hard drive of the remote PC for analysis. The software will let you store a “case” for each computer you’re working on.
As you can see from the picture above, all of the tools are lined down the left menu bar. All you have to do is work your way down them if you’re not really sure where to start. If you have a more focused goal in mind, then skip ahead to the area of the PC you want to investigate more closely. One of the best tools for any support staff looking to identify a virus or trojan file are “hash sets.”
This area lets you analyze specific applications that you define, not only files. Each application has a set of files that you can review when you double click on the app. The Hash Set Viewer displays all have calculations for each file.
The next available tool is the ability to create a “signature.” This is useful for a long-term study, when it’s suspected that certain activities are taking place at a specific location on the computer.
You can create a signature which will take a snapshot of files and directories. Then you can use the “compare signature” tool to check whether changes were made a few weeks or a month down the road. The software also comes with a file search utility, where you can filter results by images, office documents or compressed files.
Even better, you can use the unique and very useful “Mismatch File Search” tool to sift through suspect directories and identify any files that the PC owner might have renamed simply to cover-up the true identify of the file. For example, renaming an image file with a “txt” extension, or a classified document with a “.jpg” extension.
Getting back to using the hash approach for file analysis, the “Verify/Create Hash” utility lets you compare a known hash value for a file (what the has value should be), and the calculated hash value for the file on this computer.
Another area where this software really excels in forensic analysis is the ability to sift through thousands of files very quickly in order to identify specific text keywords. The first step to speed up the process is to create an index for any directory on the computer. When it’s done, it will report the number of unique words found within all of the files.
When it’s done, just use the “Search Index” tool to dig through files, images and emails to track down whatever specific occurrence or content that you’re looking for.
Another computer forensics tool that most Windows users will recognize is the “Recent Activity” tool. While it looks similar to the “Recent Documents” tool, this utility actually digs quite a bit deeper, searching MRU records, USB records, cookies, downloads and more. The owner might have tried cleaning up the PC already, but many people don’t understand all of the places that activity is logged – so this tool can find any remaining trace of that activity.
Another very cool feature is the “Deleted File Search” tool that lets you sift through the records for any indication of questionable recently deleted files. I noticed that this particular feature isn’t fool-proof. It’ll try to identify trace elements of any deleted files, but it isn’t always successful.
Finally, when you’re really desperate to find some remaining shred of evidence for a crime, you may need to take the “memory viewer” for a ride. This computer forensics app displays all of the hard memory addresses and how much information is stored. You can dump the contents of memory to a CSV file so you can poke around for any clues or a smoking gun.
As you can see, OSForensics is pretty powerful software for anyone that has the sometimes unfortunate task of having to investigate the computer system of someone who is accused of doing something wrong. Sometimes, a proper, thorough forensics investigation of the computer can turn up compelling evidence that can make or break a case.
Have you ever used OSForensics? What do you think? Do you know of any other similar apps that are just as good or better? Share your thoughts in the comments section below.
Image credit: Peter Hostermann