Investigate Or Troubleshoot Computer Systems With OSForensics [Windows]

Ryan Dube 11-11-2010

computer forensics softwareWhether it’s the FBI digging into a computer owned by a hacker, a company doing an internal computer audit, or a network administrator trying to figure out why a virus originated from a particular PC – the bottom line is that a thorough PC forensics analysis requires software that can dig deeply and do the job right.


In my own experiences, it’s rare that you can find free software that does a good job with this. Most police agencies across the world purchase expensive software for their computer forensics unit.

However, there are free computer troubleshoot and repair tools out there, such as the data recovery apps 3 Remarkable File Recovery Tools Read More Guy covered and Net Tools 2008, an admin tool that Karl covered. One more free tool that is just as powerful and capable as many paid computer forensics software packages is known as OSForensics.

Conducting A Forensics Analysis

The best way to go about analyzing and troubleshooting a computer system from top to bottom is in a slow and methodical way.  The great thing about OSForensics is that it’s like a virtual briefcase where you can store all of the work you’re doing. If you have several computers that you’re working on, you can set this software up on your work PC and then map the hard drive of the remote PC for analysis. The software will let you store a “case” for each computer you’re working on.

computer forensics software

As you can see from the picture above, all of the tools are lined down the left menu bar. All you have to do is work your way down them if you’re not really sure where to start. If you have a more focused goal in mind, then skip ahead to the area of the PC you want to investigate more closely. One of the best tools for any support staff looking to identify a virus or trojan file are “hash sets.”


Investigate Or Troubleshoot Computer Systems With OSForensics [Windows] forensics2

This area lets you analyze specific applications that you define, not only files. Each application has a set of files that you can review when you double click on the app. The Hash Set Viewer displays all have calculations for each file.

The next available tool is the ability to create a “signature.” This is useful for a long-term study, when it’s suspected that certain activities are taking place at a specific location on the computer.

advanced computer forensics


You can create a signature which will take a snapshot of files and directories. Then you can use the “compare signature” tool to check whether changes were made a few weeks or a month down the road. The software also comes with a file search utility, where you can filter results by images, office documents or compressed files.

advanced computer forensics

Even better, you can use the unique and very useful “Mismatch File Search” tool to sift through suspect directories and identify any files that the PC owner might have renamed simply to cover-up the true identify of the file. For example, renaming an image file with a “txt” extension, or a classified document with a “.jpg” extension.

Investigate Or Troubleshoot Computer Systems With OSForensics [Windows] forensics5


Getting back to using the hash approach for file analysis, the “Verify/Create Hash” utility lets you compare a known hash value for a file (what the has value should be), and the calculated hash value for the file on this computer.

advanced computer forensics

Another area where this software really excels in forensic analysis is the ability to sift through thousands of files very quickly in order to identify specific text keywords. The first step to speed up the process is to create an index for any directory on the computer. When it’s done, it will report the number of unique words found within all of the files.

computer forensics


When it’s done, just use the “Search Index” tool to dig through files, images and emails to track down whatever specific occurrence or content that you’re looking for.

Another computer forensics tool that most Windows users will recognize is the “Recent Activity” tool. While it looks similar to the “Recent Documents” tool, this utility actually digs quite a bit deeper, searching MRU records, USB records, cookies, downloads and more. The owner might have tried cleaning up the PC already, but many people don’t understand all of the places that activity is logged – so this tool can find any remaining trace of that activity.

computer forensics

Another very cool feature is the “Deleted File Search” tool that lets you sift through the records for any indication of questionable recently deleted files. I noticed that this particular feature isn’t fool-proof. It’ll try to identify trace elements of any deleted files, but it isn’t always successful.

computer forensics

Finally, when you’re really desperate to find some remaining shred of evidence for a crime, you may need to take the “memory viewer” for a ride. This computer forensics app displays all of the hard memory addresses and how much information is stored. You can dump the contents of memory to a CSV file so you can poke around for any clues or a smoking gun.

computer forensics software

As you can see, OSForensics is pretty powerful software for anyone that has the sometimes unfortunate task of having to investigate the computer system of someone who is accused of doing something wrong. Sometimes, a proper, thorough forensics investigation of the computer can turn up compelling evidence that can make or break a case.

Have you ever used OSForensics? What do you think? Do you know of any other similar apps that are just as good or better? Share your thoughts in the comments section below.

Image credit: Peter Hostermann

Related topics: Computer Maintenance, Tech Support.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. acmz123
    December 14, 2010 at 2:52 am

    Oh, it's easy. Many people have such problem. You can try the software "tuneup360". My friends and I all use it.

  2. Anonymous
    November 12, 2010 at 1:07 pm

    Thanks for this review, i tried it and while indexing my drive c, the process interrupted and i submitted a ticket to them.

  3. Mauley
    November 11, 2010 at 9:16 pm

    This would be useful for me seeing as I am studying Digital Forensics and Ethical Hacking, i had not known this existed until now. Will definately be giving this a try.

  4. Frank Merlott
    November 11, 2010 at 9:14 pm

    You can also use Caine ( Computer Aided INvestigative Environment. A free Linux live CD for computer forensics.

  5. Frank Merlott
    November 11, 2010 at 8:14 pm

    You can also use Caine ( Computer Aided INvestigative Environment. A free Linux live CD for computer forensics.

    • Aibek
      November 15, 2010 at 8:45 am

      thanks for share