Every organization is faced by cyber-crime this makes it not surprising that utilities for investigating incidents are rapidly developing. These tools are focused on reviewing temporary file browser that can tell a lot about user activity, search hard disk for text contained inside the documents, open and read most popular email file formats and identify the individual messages.
Here there is a new utility called OSForensics, currently it is freely available that I found very useful for conducting a computer forensics. OSForensics can retrieve data about recently accessed applications, documents, media and network shares by scanning locations in the registry which store a user’s Most Recently Used (MRU) lists. The data which can be tracked by OSForensics includes files accessed in Microsoft Office applications, Microsoft Wordpad, Microsoft Paint, Microsoft Media Player, Windows Search, Connected Network Drives and the Windows Run command.
By running the tool you will find a user friendly dashboard that is divided to several categories. On start menu you have:
- First categories for managing cases (create new case, Import case or generate reports).
- Second category for conducting Indexing and file searching (search by name, mismatched files search and search within files).
- Hashing files and identification (create new hash database, create a hash set on a database, calculate the hash for a file, and create a snapshot of a file for making it a baseline for later comparison or compare files snapshot).
- Viewers to open a file as text, hex or image. Dump the content of system memory or loaded processes and view a drive or a partition as RAW data.
- Final category in the system artifacts to search and recover deleted files, finding recent activities on the system, system information , finding all stored passwords on the system and crack or open encrypted files.
You can display the details of USB devices which have been recently connected to the computer, providing information about the last connection date and device information such as Manufacturer Name, Product ID and Serial Number. The types of devices which can be detected include USB Flash Drives (UFDs), Portable Hard Disk Drives and external USB-connected devices such as DVD-ROM drives.
After using the tool extracted data are presented in an easy way to browse and search but it is important to note that area of forensics are not only PCs and laptops but any device that may contain information such as mobile phone which require more sophisticated tools.