OSForensics v5 Review by Jarno Baselier

Size: px

Start display at page:

Download "OSForensics v5 Review by Jarno Baselier"

Ami Lloyd
5 years ago
Views:

OSForensics v5 Review by Jarno Baselier I have been curious for quite some time about the forensic software OSForensics from Passmark Software.

1 OSForensics v5 Review by Jarno Baselier I have been curious for quite some time about the forensic software OSForensics from Passmark Software. As befits every good forensic package, many tasks can be performed to retrieve files, content and events that can serve as evidence in a legal case. OSForensics costs $899 USD, which currently amounts to around 725 euros. It s certainly not inexpensive, but still less than competitors such as X- Ways, AccessData and EnCase. OSForensics has a clean graphical user interface (GUI) with many interesting options that I would like to examine further. Let's go! After a friendly exchange with personnel at Passmark Software, I received a full-featured license for OSForensics V5. Of course, this review remains completely impartial but it is still very cool to get a full-featured license. My questions in my s were answered promptly and completely, so in terms of pre-sales assistance, they seem to provide good customer service. The current version is OSForensics is V5.2, so that is what I will be using in this review. The software is Windows-based and simple and easy to download from The installation of OSForensics is straightforward and after just a few clicks of the mouse we are asked if we want to register or if we want to continue with the limited demo version. Of course we register the software after which unlocks access to all the functionalities that the Professional package has to offer us. The Start screen looks like this: OSForensics distinguishes itself in a number of areas. The most important are: Price: The price is absolutely more affordable than that of its competitors. Passmark Software is able to offer their low-price because they operate with minimal overhead. 100% of their employees are experienced programmers and/or forensic experts. The company does not have a traditional sales or marketing department and therefore they can keep prices low and their service professional and customer-focused as a result. In addition, OSForensics uses no dongles to register the software but instead uses a standard license key. This also helps keep costs down for the company, which they can then pass-on to their customers. This is also beneficial as there is no physical hardware device to be lost. Page 1 of 23

2 Portability: Users can make a bootable USB drive with OSForensics from the licensed product. This USB drive offers full functionality and is not sold as a separate product. We will also look at this function in this post. Speed: OSForensics is one of the faster forensic packages on the market. Reports: The software provides the ability to create customized reports using a built-in HTML editor. Concise or robust reports are all possible and fully customizable. Even reports from other vendors tools can be inserted to generate a complete report that makes OSForensics a complete Case Management solution. Lab & Live analysis: OSForensics actively develops their software and recently released many "live analysis" tools for the analysis of live data, in particular the internal memory. The demand for this is also increasing with all the increase of ransomware. The software is therefore multi-purpose and useful in either for either offline (lab) analysis, or for live analysis in the field. Respected in the community: OSForensics is a respected product and finished last year (2017) as a Top 3 finalist for the Forensic 4:cast s "Computer Forensic Software of the Year" award at the SANS DFIR event in Austin, Texas. In addition, PassMark has created and distributes several free and open-source tools for the digital forensics community. Passmark Software currently has 4 free forensic tools, namely: Volatility Workbench, ImageUSB, OSFMount, and OSFClone. OSForensics Interface: The OSForensics interface gives you access to the following parts of the main menu with 1 click: - Triage Wizard - The Triage Wizard is a feature for non-forensic people who want to quickly and easily retrieve data. The Triage Wizard is an automated wizard which easily and quickly identifies system information, evidentiary files and more with a click or two of the mouse. - Manage Case - With these options you can create new cases, open existing cases and delete cases. Through this item you can also create reports of your cases, view details and add reports. - File Name Search - Searches the target media for specific file types and/ or file names. - Create Index - This module allows the researcher to create a searchable index. This index consists of numerous customizable options that the user can choose when creating the index of a drive, drive image, or other target media. - Search Index Once created, the index can then be searched here using various methods. - Recent Activity - This module can help a researcher gain more insight into the recent user activity of the device. Artifacts such as websites visited, wireless networks, removable media, recent downloads, and much more are discovered in this scan. - Deleted Files Search - Searches and restores files that have recently been deleted. - Mismatch File Search - This module detects the files that have a different content than the extension suggests. Think of a JPG file which is actually a renamed text file. - Memory Viewer - With the Memory Viewer, digital evidence can be collected and analyzed from the temporary (volatile) memory such as the RAM. Due to the non-persistent nature of this memory, some digital data may only be available on the live system. Page 2 of 23

3 - Prefetch Viewer - A service that also collects interesting data is the Windows Prefetcher. This OSForensics module reads the Prefetch files with which you can, for example, see how often and when a certain application is opened. - Raw Disk Viewer - The Raw Disk Viewer is a viewer that analyzes the disk at the sector level. Data that is hidden in sectors outside the file system can be traced. - Registry Viewer The Registry Viewer module automatically locates and identifies all main registry hives (including the backup hives) on a system. This can be used on hives from within the case or with the hives of a live system. - File System Browser - This browser allows you to browse through all file structures added to the project. You can search physical disks, forensic images, folders, the network, Volume Shadow Copies, BitLocker encrypted drives etc. - SQLite DB Browser - This database browser lets the content of SQLite databases in a clear way and offers a powerful search function. - Web Browser - This is a basic web browser with various forensic features such as creating screenshots that can be added directly to the project. - Passwords - With this function you can automatically retrieve passwords from different sources and decrypt them. This module scans an entire system or forensic image for passwords, user accounts and more. The results show you where the passwords have been found and how strong the passwords are. You can also create rainbow tables in this module which can then be used by OSForensics to decrypt stronger passwords that weren t automatically decrypted. - System Information - This tool helps you to collect all kinds of system information. Perform preprogrammed DOS commands or get all kinds of system information such as OS, volume information, hardware information, memory information etc. - Verify / Create Hash - With this tool you can make hashes of files, text or volumes against various algorithms such as MD5, SHA1, CRC32 and SHA Hash Sets - This module allows you to create, import and manage various hash sets for file identification. - Create Signature - A signature is a snapshot of the directory structure over a certain period. Use this function to create a signature of a live system, a forensic image, or even a particular folder or user directory. - Compare Signature - Compares different signatures (directory structures) with each other and identifies differences (New, Deleted, and Modified). - Drive Preparation - Perform a disk action such as testing a drive or fully formatting or overwriting (zero) the drive. - Forensic Imaging Create different types of forensic images, plus other tasks such as restoring an image to a disk, viewing hidden areas on the disk (HPA/DCO), or even rebuilding a RAID disk. - Mount Drive Image - Mounts a drive image (IMG / DD / ISO / BIN / 000/001 / NRG / SDI / AFF / AFD / AFM / VMDK / E01 / S01 / VHD) - Install to USB - Installs the software to a USB for live system analysis and also provides the option to create a bootable USB drive. - About - Information about the software and the active license. - Exit - Closes the application. Page 3 of 23

4 So, OSForensics offers a huge package of tools to search, retrieve and build a case. The interface consists of 1 large main menu. The absence of submenus found in many other solutions makes everything very clear. Navigating through the menus is smooth and fast and each item clearly shows what the intention is. However, there are still a number of other applications to start via the "Start" link, especially a number of viewers such as the viewer, thumbnail cache viewer, ESE DB viewer, Plist viewer and $UsnJrnl viewer (which is useful to detect files that are no longer present on the OS.) Triage Wizard One of OSForensics' newest features is the Triage Wizard. This wizard is designed to easily create a case and collect system and user information automatically and quickly. The wizard is ideal for law enforcement officers or system administrators who may lack forensic experience or training, by allowing them to quickly collect data automatically on-site. The Triage Wizard is for live systems and performs certain functionalities that are not logical on a forensic image such as a RAM dump, process list etc. In this example we will run the Triage Wizard on our live system Page 4 of 23

When the correct drive is selected, we start the scan. Unfortunately, this is the moment that I ran into a problem. The following pop-up appeared and the application was aborted.

5 When the correct drive is selected, we start the scan. Unfortunately, this is the moment that I ran into a problem. The following pop-up appeared and the application was aborted. A second attempt received the same result. Within 6 hours I had received a message from PassMark support that the problem was probably a printer returning a null description. PassMark Software immediately sent a new build of the software which fixed the bug and the Triage Wizard scan completed successfully. Page 5 of 23

After the Triage Wizard completes (which is really fast as it took less than 5 minutes on my system), a new case is created which contains all the reports that we have checked.

6 After the Triage Wizard completes (which is really fast as it took less than 5 minutes on my system), a new case is created which contains all the reports that we have checked. So after running the Triage Wizard, a complete memory dump, recent activity, deleted file cache, stored passwords, screenshot and a directory file list are available for review. Of course you can perform additional actions yourself such as creating and searching an index or creating a forensic image. (These actions are not available from the initial Triage Wizard scan.) Create a Case: The basis of every research is of course your case. Your case is where you keep all important information and files found. A case also forms the basis for your reports. The Triage Wizard automatically created a case with interesting data from a live system but what if we want to analyze data from a forensic image? For this we can manually create a case. We have already made a forensic image for this demo. We can analyze this image file without mounting it. By mounting an image, the NTFS permissions also take effect and that can be a disadvantage. The only reason to mount an image is if you want to give other applications access to the image. (So be careful with this approach.) Let's mount the image for this example. We mount the image via "Mount Drive Image". After we have mounted the image (consisting of 4 partitions) click on "Manage Case" to create a new case. When we create a new case, we get the following fields to provide the case with initial data. Page 6 of 23

In order to be able to perform indexed searching for content contained in files or anywhere

7 After filling in the desired data (and remember, the more information the better) the case can be started via "Load Case". In order to be able to perform indexed searching for content contained in files or anywhere within the disk image, a so-called "index" must be created. Use the "Create Index" module to first create an index that we can use later. Page 7 of 23

After the index has been created we can search through all indexed items (also in the content of the item).

8 Indexing this 453 GB drive (including unallocated space) took about 5 hours. That is pretty fast. OSForensics uses their own Zoom search engine which they developed, for indexing and other search tasks. After the index has been created we can search through all indexed items (also in the content of the item). Through "Search Index" we can easily perform various search tasks. For example, we can search the indexed items with a predefined glossary and with wildcards to keep our search area as wide as possible. We can also reduce searches by date range: Now let's add an extra drive. Via the Manage Case we select the "Add Device" button. Page 8 of 23

The screen below appears and here we are going to add the Q partition (of course we can also choose an image file, physical drive or a specific folder or file).

FAT32 / FAT16, exfat, Ext2 / Ext3 / Ext4, HFS + / HFSX.

9 The screen below appears and here we are going to add the Q partition (of course we can also choose an image file, physical drive or a specific folder or file). The following file systems are supported here. NTFS (also Windows 10 CompactOS is supported for the XPRESS format and for the LZX format). FAT32 / FAT16, exfat, Ext2 / Ext3 / Ext4, HFS + / HFSX. The support of the Mac based file systems are especially a nice addition because most packages do not support these formats. The following partition formats are supported: MBR - Master Boot Record, GPT - GUID Partition Table, APM - Apple Partition Map In this example, we add the Q partition in forensic mode. Page 9 of 23

10 Now that this partition has been added, we can also have a search index made here. If we have indexed all the mediums that we want to search, we can make use of an advance defined word list. OSForensics comes with a number of predefined word lists, but you can of course easily create them yourself. Old search results can easily be viewed and retrieved with the "History" tab. Page 10 of 23

certain search options. Also detecting deleted files is a breeze with the "Deleted Files Search" option.

11 In the same way, you can also search for file names or types in the "File Name Search" module. Again you can use certain presets such as searching for images or video files and you can reduce your search by enabling certain search options. Also detecting deleted files is a breeze with the "Deleted Files Search" option. This module searches for files that have been deleted but whose sectors have not yet been overwritten. So these files can be retrieved by the program. Page 11 of 23

With deleted files you can do various things. You can of course open or view them. But you can also add it to the case which makes it easy to find later.

The above properties are characteristic of the software and actually apply to all files.

12 With deleted files you can do various things. You can of course open or view them. But you can also add it to the case which makes it easy to find later. For further analysis, the file can be analyzed with the OSForensics Internal Viewer or the file can be saved on the hard disk. You could even add all the results of the search to the case. The above properties are characteristic of the software and actually apply to all files. So files found in the "Search Index" or the "File Name Search" can easily be added to the case or analyzed later. OSForensics makes file building very easy. It is also a breeze to gain insight into which files have a different format than their extension suggests. This is looking for the "Mismatch File Search" module for you. Page 12 of 23

Another valuable module is the "Prefetch Viewer". This module allows the researcher to view potentially valuable forensic information stored by the Prefetcher in the Windows operating system.

13 Another valuable module is the "Prefetch Viewer". This module allows the researcher to view potentially valuable forensic information stored by the Prefetcher in the Windows operating system. The Prefetcher is a special component that improves the performance of the OS by pre-caching applications in RAM. This reduces access to the disk. To pre-cache, the prefetcher uses application usage information, such as the number of times the application was run, the last time it was executed, and all files that the application uses when it is started. With this information forensic researchers can discover certain (suspicious) usage patterns, such as a recently used cleaner. The "Raw Disk Viewer" shows the RAW data from the disk (or image). This makes it easy to view and analyze the content per sector. With the Raw Disk Viewer it is thus possible to examine all sectors and thus to search for data outside the directories and files of the operating system. Users can manually analyze free clusters and file slack space. The viewer is clearly organized with colors and subdivided into sectors. Sectors and data can of course also be exported or added to the case. Page 13 of 23

14 Page 14 of 23 By Jarno Baselier

What is striking is that the search queries are fast and accurate. The "Passwords" module is a very useful feature of OSForensics.

15 The Registry Viewer makes it possible to view and analyze the registry of the OS. The Registry Viewer is well-organized, searches can be made and keys can be added to the case. What is striking is that the search queries are fast and accurate. The "Passwords" module is a very useful feature of OSForensics. This allows searching for certain types of passwords, usernames, hashes and license keys. If the passwords cannot be automatically decrypted by OSForensics, you can create or import a rainbow table here and then retrieve the password. Even encrypted files can be tested here against different passwords. Page 15 of 23

These tools are primarily used for live acquisition, when a forensic investigator processes a malicious system that is still powered "on". These tools can also be used while running the Triage Wizard.

16 Live Analysis The above features can be used during both live analysis and offline analysis settings. However, there are also tools in the OSForensics suite that are specific to the analysis of live systems. These tools are primarily used for live acquisition, when a forensic investigator processes a malicious system that is still powered "on". These tools can also be used while running the Triage Wizard. There are 2 indispensable live-acquisition tools: #1 - The "Recent Activity" module. This module provides insight into which tasks were recently performed on the OS. Think of used USB sticks, downloads, Windows Run commands etc. The Recent Activity module can also be executed on a forensic image (i.e., offline media), but may discover less artifacts because less data is accessible. The "Memory Viewer" module can be used in "live analysis" mode to examine the memory of the running system. Each process has 47 columns of metadata and can be investigated further with the build-in viewer. A memory dump can also be investigated by clicking on the Static Analysis tab. Page 16 of 23

17 Create Case Report We generated a report of a case from the case manager. Here we click on the button "Generate Report" to make a report. There are several report templates to choose from. Page 17 of 23

18 If we opt for a default report, OSForensics generates an HTML report that looks like this: Page 18 of 23

19 However, we can fully customize the report with our own logos, different layout and additional information. Via the buttons "Add Attachment", "Add External Report", "Add Note" and "Add Evidence Photo" we can add extra information. As a test I added a photo and a note. If I then use the reporting generator, I use the "Custom Logos" button to add my own logos. Now the report looks a lot nicer: Page 19 of 23

$To further fine-tune the reports, some HTML knowledge is required. The templates can be found in the "C: \ ProgramData \ PassMark \ OSForensics \ ReportTemplates" folder.$ Reports can be saved as HTML, PDF and both. In short: OSForensics gives you the freedom to generate reports with exactly the right information in the desired layout.

Reports can be saved as HTML, PDF and both. In short: OSForensics gives you the freedom to generate reports with exactly the right information in the desired layout.

20 To further fine-tune the reports, some HTML knowledge is required. The templates can be found in the "C: \ ProgramData \ PassMark \ OSForensics \ ReportTemplates" folder. To create a report yourself, you can copy a basic template and edit the files you want to modify. A template consists of several HTML files as well as CSS and JavaScript files. Reports can be saved as HTML, PDF and both. In short: OSForensics gives you the freedom to generate reports with exactly the right information in the desired layout. Make Bootable OSForensics USB Drive The last feature that I would like to test is making a bootable OSForensics USB drive. Let's do an empty USB stick in the OSForensics machine and click on "Install to USB". Then we are asked for the location of the USB drive and the license key for OSForensics. Please note, the license key shown is for illustrative purposes only and is fake (saves a lot of retyping work). Page 20 of 23

We chose WinPE for Win10 and must first install the ADK (Assessment and

21 Within 2 minutes the following message appears and the copying of the OSForensic files is complete. WinPE then starts to make the USB drive bootable. We chose WinPE for Win10 and must first install the ADK (Assessment and Deployment Kit) for Windows 10. When that happens we chose the first 3 options (default): Page 21 of 23

After the USB drive is fully operational it can be used to boot a computer.

22 All follow-up steps are all default. In the last step (create) select your USB drive and click Create. After the USB drive is fully operational it can be used to boot a computer. If the computer is booted from USB, we will see the same familiar environment that we are used to. All options are available and ready for use! Page 22 of 23

23 Conclusion OSForensics seriously surprised me on a number of fronts. OSForensics offers a complete suite of tools (which they themselves call modules) for both live-acquisition and non-live acquisition forensics. There are many viewers present and the case structure is unique. From any position, adding data to your case is as easy as a simple push of a button. The reports are also very extensive and can be arranged entirely according to your own insights. If you want fast search results, OSForensics is a very good choice. The price and the ability to make a full-featured USB are fantastic extras. There are actually no tools that I am missing in this suite. Viewers, Registry tools, Mounting possibilities and the many automated discovery tools make OSForensics a dignified, complete and very clear forensic solution. My experience with their support was very pleasant and fast. There was always a friendly and helpful reply within 12 hours. Finally, I ll finish this review with the only 2 minus points of the application. The first is that the tool crashed a few times during my tests. Obviously there was a reason (as outlined earlier in this review) and support was extremely helpful and resolved the problem quickly and professionally. It is always a bit annoying when an application crashes, but fortunately with OSForensics, your cases and all gathered information remain intact and the application can easily be restarted after a crash. The second point is the Triage Wizard itself. I miss the ability to create an index in the Wizard. It would be ideal to complete the case with this function after the Triage Wizard has been completed. Support staff could already create a complete case in the time that the forensic investigator is not yet on site. This can save a lot of time and the expression "the sooner the better" also applies here. OSForensics is a fantastic package which surprised me with all the modules, functions and fine-tuning that are present in this powerful toolkit. OSForensics can compete with the big boys among the forensic applications and its price tag and technical abilities make this an absolute must for the digital forensics professional. Review by: Jarno Baselier, CEH, MCSE, CCNA, and IINS (Review translated from Dutch to English) Page 23 of 23

Contact Details and Technical Information

Contact Details and Technical Information GetData Forensic Pty Ltd GetData Forensics USA Suite 204 1007 North Sepulveda Blvd # 1543 13a Montgomery St Manhattan Beach, CA 90267 Kogarah NSW 2217 USA Australia