By Jarno Baselier https://jarnobaselier.nl/osforensics-v5-review/
Page 1 of 23
OSForensics v5 Review by Jarno Baselier
I have been curious for quite some time about the forensic software "OSForensics" from Passmark Software. As befits every good forensic package, it can perform many tasks to retrieve files, content and events that can serve as evidence in a legal case. OSForensics costs $899 USD, which currently amounts to around €725. It is certainly not inexpensive, but still less than competitors such as X-Ways, AccessData and EnCase. OSForensics has a clean graphical user interface (GUI) with many interesting options that I would like to examine further. Let's go!
After a friendly email exchange with personnel at Passmark Software, I received a full-featured license for OSForensics V5. Of course, this review remains completely impartial, but it is still very cool to get a full-featured license. My questions in my e-mails were answered promptly and completely, so in terms of pre-sales assistance, they seem to provide good customer service. The current version of OSForensics is V5.2, so that is what I will be using in this review. The software is Windows-based and easy to download from https://www.osforensics.com/osforensics.html.
The installation of OSForensics is straightforward, and after just a few clicks of the mouse we are asked whether we want to register or continue with the limited demo version. We register the software, which unlocks access to all the functionality that the Professional package has to offer. The Start screen looks like this:
OSForensics distinguishes itself in a number of areas. The most important are:
Price: The price is considerably more affordable than that of its competitors. Passmark Software is able to offer this low price because it operates with minimal overhead: all of its employees are experienced programmers and/or forensic experts, and the company has no traditional sales or marketing department, so it can keep prices low and its service professional and customer-focused. In addition, OSForensics does not use dongles to license the software but a standard license key. This also keeps costs down for the company, savings which it can pass on to its customers, and there is no physical hardware device that can be lost.
Portability: Users can make a bootable USB drive with OSForensics from the licensed product. This USB
drive offers full functionality and is not sold as a separate product. We will also look at this function in
this post.
Speed: OSForensics is one of the faster forensic packages on the market.
Reports: The software provides the ability to create customized reports using a built-in HTML editor. Concise or extensive reports are both possible and fully customizable. Even reports from other vendors' tools can be inserted to generate a complete report, which makes OSForensics a complete case management solution.
Lab & Live analysis: OSForensics is actively developed, and recently many "live analysis" tools were released for analyzing live data, in particular the contents of RAM. Demand for this is growing with the rise of ransomware. The software is therefore multi-purpose and useful both for offline (lab) analysis and for live analysis in the field.
Respected in the community: OSForensics is a respected product and finished last year (2017) as a Top
3 finalist for the Forensic 4:cast’s "Computer Forensic Software of the Year" award at the SANS DFIR
event in Austin, Texas. In addition, PassMark has created and distributes several free and open-source
tools for the digital forensics community. Passmark Software currently has 4 free forensic tools, namely:
Volatility Workbench, ImageUSB, OSFMount, and OSFClone.
OSForensics Interface: The OSForensics interface gives you access to the following parts of the main
menu with 1 click:
- Triage Wizard - The Triage Wizard is a feature for non-forensic people who want to quickly and
easily retrieve data. The Triage Wizard is an automated wizard which easily and quickly identifies
system information, evidentiary files and more with a click or two of the mouse.
- Manage Case - With these options you can create new cases, open existing cases and delete
cases. Through this item you can also create reports of your cases, view details and add reports.
- File Name Search - Searches the target media for specific file types and/ or file names.
- Create Index - This module allows the researcher to create a searchable index. This index
consists of numerous customizable options that the user can choose when creating the index of
a drive, drive image, or other target media.
- Search Index – Once created, the index can then be searched here using various methods.
- Recent Activity - This module can help a researcher gain more insight into the recent user
activity of the device. Artifacts such as websites visited, wireless networks, removable media,
recent downloads, and much more are discovered in this scan.
- Deleted Files Search - Searches and restores files that have recently been deleted.
- Mismatch File Search - This module detects the files that have a different content than the
extension suggests. Think of a JPG file which is actually a renamed text file.
- Memory Viewer - With the Memory Viewer, digital evidence can be collected and analyzed from
the temporary (volatile) memory such as the RAM. Due to the non-persistent nature of this
memory, some digital data may only be available on the live system.
- Prefetch Viewer - The Windows Prefetcher also records useful data. This module parses the Prefetch files, which show, for example, how often and when a particular application was run.
- Raw Disk Viewer - The Raw Disk Viewer is a viewer that analyzes the disk at the sector level.
Data that is hidden in sectors outside the file system can be traced.
- Registry Viewer – The Registry Viewer module automatically locates and identifies all main
registry hives (including the backup hives) on a system. This can be used on hives from within
the case or with the hives of a live system.
- File System Browser - This browser allows you to browse through all file structures added to the
project. You can search physical disks, forensic images, folders, the network, Volume Shadow
Copies, BitLocker encrypted drives etc.
- SQLite DB Browser - This database browser displays the content of SQLite databases in a clear way and offers a powerful search function.
- Web Browser - This is a basic web browser with various forensic features such as creating
screenshots that can be added directly to the project.
- Passwords - With this function you can automatically retrieve stored passwords from different sources and decrypt them. This module scans an entire system or forensic image for passwords, user accounts and more. The results show where the passwords were found and how strong they are. You can also create rainbow tables in this module, which OSForensics can then use to recover hashed passwords that could not be decrypted automatically.
- System Information - This tool collects all kinds of system information. Run predefined command-line commands or retrieve information about the OS, volumes, hardware, memory, etc.
- Verify / Create Hash - With this tool you can compute hashes of files, text or volumes with various algorithms such as MD5, SHA-1, CRC32 and SHA-256, and verify a file against a known hash.
- Hash Sets - This module allows you to create, import and manage various hash sets for file
identification.
- Create Signature - A signature is a snapshot of a directory structure at a point in time. Use this function to create a signature of a live system, a forensic image, or even a particular folder or user directory.
- Compare Signature - Compares different signatures (directory structures) with each other and
identifies differences (New, Deleted, and Modified).
- Drive Preparation - Perform a disk action such as testing a drive or fully formatting or
overwriting (zero) the drive.
- Forensic Imaging – Create different types of forensic images, plus other tasks such as restoring
an image to a disk, viewing hidden areas on the disk (HPA/DCO), or even rebuilding a RAID disk.
- Mount Drive Image - Mounts a drive image (IMG / DD / ISO / BIN / 000/001 / NRG / SDI / AFF /
AFD / AFM / VMDK / E01 / S01 / VHD)
- Install to USB - Installs the software to a USB for live system analysis and also provides the
option to create a bootable USB drive.
- About - Information about the software and the active license.
- Exit - Closes the application.
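To make the "Verify / Create Hash" and "Hash Sets" items concrete, here is an added example (my own code, not OSForensics') of what a hash-set lookup does under the hood: every file is hashed with MD5, SHA-1, SHA-256 and CRC32 in a single pass over the data, and the digests are then looked up in a set of known-file hashes. The "digest,label" hash-set text format and the sample file contents are constructed for this example; real hash sets such as NSRL use their own formats.

```python
"""Multi-algorithm file hashing and hash-set lookup (added example)."""
import hashlib
import tempfile
import zlib
from pathlib import Path
from typing import Dict, Iterable, Optional, Tuple

ALGORITHMS = ("md5", "sha1", "sha256")
DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}   # hex length -> algorithm


def hash_stream(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed each chunk to every digest once, so a file is read from disk only once."""
    digests = {name: hashlib.new(name) for name in ALGORITHMS}
    crc = 0
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
        crc = zlib.crc32(chunk, crc)
    result = {name: d.hexdigest() for name, d in digests.items()}
    result["crc32"] = f"{crc & 0xFFFFFFFF:08x}"
    return result


def hash_file(path: Path, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Hash a file in 1 MiB chunks; memory stays flat for multi-GB evidence files."""
    with open(path, "rb") as fh:
        return hash_stream(iter(lambda: fh.read(chunk_size), b""))


HashSet = Dict[Tuple[str, str], str]     # (algorithm, hex digest) -> label


def load_hash_set(lines: Iterable[str]) -> HashSet:
    """Parse 'digest,label' lines (constructed format; algorithm inferred from digest length)."""
    table: HashSet = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(",")
        digest = digest.strip().lower()
        algorithm = DIGEST_LENGTHS.get(len(digest))
        if algorithm is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a recognised hex digest: {digest!r}")
        table[(algorithm, digest)] = label.strip()
    return table


def lookup(digests: Dict[str, str], hash_set: HashSet) -> Optional[str]:
    """Return the label of the first algorithm whose digest is in the set, else None."""
    for algorithm in ALGORITHMS:
        label = hash_set.get((algorithm, digests[algorithm]))
        if label is not None:
            return label
    return None


# Constructed sample hash set: MD5 and SHA-1 of the bytes b"hello world".
SAMPLE_HASH_SET = """
# digest,label
5eb63bbbe01eeed093cb22bb8f5acdc3,known-good: sample text
2aae6c35c94fcfb415dbe95f408b9ce91ee846ed,known-good: sample text
"""


def demo() -> Tuple[Dict[str, str], Optional[str]]:
    """Write a constructed sample file, hash it and look it up in the sample set."""
    hash_set = load_hash_set(SAMPLE_HASH_SET.splitlines())
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "note.txt"
        sample.write_bytes(b"hello world")
        digests = hash_file(sample)
    return digests, lookup(digests, hash_set)


if __name__ == "__main__":
    digests, label = demo()
    for name, value in digests.items():
        print(f"{name:7} {value}")
    print("hash set match:", label)
```

Computing all digests in one pass matters on evidence drives: the disk read, not the hashing, is the bottleneck, and a known-good set (to exclude OS files) and a known-bad set (to flag malware) can both be consulted from the same digests.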
So, OSForensics offers a huge package of tools to search, retrieve and build a case. The interface consists of one large main menu; the absence of the submenus found in many other solutions makes everything very clear. Navigating through the menus is smooth and fast, and each item makes its purpose clear. In addition, a number of other applications can be started via the "Start" link, in particular viewers such as the e-mail viewer, thumbnail cache viewer, ESE DB viewer, Plist viewer and $UsnJrnl viewer (useful for finding traces of files that no longer exist on the file system).
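As an added illustration of what the "Create Signature" and "Compare Signature" modules listed above do (example code written for this page, not part of OSForensics), the following snapshots a directory tree into a signature keyed by relative path and then diffs two signatures into New, Deleted and Modified. The sample tree is constructed in a temporary directory, and the size-plus-mtime entry format is an assumption of this example.

```python
"""Directory-structure signatures and their comparison (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

Entry = Tuple[int, int]            # (size in bytes, modification time in ns)
Signature = Dict[str, Entry]       # relative POSIX path -> Entry


def create_signature(root: Path) -> Signature:
    """Snapshot every file under `root` by size and mtime.

    Only metadata is recorded, so the snapshot is fast even on large trees.
    Add a per-file content hash if you need to catch same-size edits whose
    timestamps were reset (timestomping); this example deliberately does not.
    """
    root = Path(root)
    signature: Signature = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic traversal order
        for name in sorted(filenames):
            path = Path(dirpath) / name
            try:
                st = path.lstat()             # lstat: never follow symlinks out of the tree
            except OSError:
                continue                      # unreadable entries are skipped, not fatal
            signature[path.relative_to(root).as_posix()] = (st.st_size, st.st_mtime_ns)
    return signature


def compare_signatures(before: Signature, after: Signature) -> Dict[str, List[str]]:
    """Classify paths as new, deleted or modified between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "new": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: edit one file, delete one, drop a new binary in."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("draft")
        (root / "old.log").write_text("x")
        before = create_signature(root)

        (root / "docs" / "report.txt").write_text("final version")   # size changes: modified
        (root / "old.log").unlink()                                   # deleted
        (root / "evil.exe").write_bytes(b"MZ")                        # new
        after = create_signature(root)
        return compare_signatures(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

Taking a signature of a known-clean baseline (a gold image, or a system right after deployment) and comparing it against the same system later is a cheap way to spot dropped binaries and tampered configuration files before a full index is built.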
Triage Wizard
One of OSForensics' newest features is the Triage Wizard. This wizard is designed to create a case and collect system and user information automatically and quickly. It is ideal for law enforcement officers or system administrators who lack forensic experience or training, as it lets them collect data on-site with a few clicks. The Triage Wizard is meant for live systems and performs actions that make no sense on a forensic image, such as a RAM dump or a process list. In this example we run the Triage Wizard on our live system.
When the correct drive is selected, we start the scan. Unfortunately, this is the moment I ran into a problem. The following pop-up appeared and the application aborted.
A second attempt gave the same result. Within 6 hours I received a message from PassMark support that the problem was probably a printer returning a null description. PassMark Software immediately sent a new build of the software which fixed the bug, and the Triage Wizard scan completed successfully.
After the Triage Wizard completes (which is really fast: it took less than 5 minutes on my system), a new case is created containing all the reports we selected. So after running the Triage Wizard, a complete memory dump, recent activity, deleted file cache, stored passwords, a screenshot and a directory file list are available for review. You can of course perform additional actions yourself, such as creating and searching an index or creating a forensic image (these actions are not available from the initial Triage Wizard scan).
Create a Case: The basis of every investigation is of course your case. The case is where you keep all important information and files found, and it also forms the basis for your reports. The Triage Wizard automatically created a case with interesting data from a live system, but what if we want to analyze data from a forensic image? For this we create a case manually.
We have already made a forensic image for this demo. We can analyze this image file without mounting it, and that is usually preferable: once an image is mounted, the NTFS permissions of the mounted volume take effect, which can get in the way. The main reason to mount an image is to give other applications access to it; if you do, mount it read-only so the evidence cannot be altered. For this example we mount the image anyway, via "Mount Drive Image".
After we have mounted the image (consisting of 4 partitions) click on "Manage Case" to create a new
case. When we create a new case, we get the following fields to provide the case with initial data.
After filling in the desired data (and remember, the more information the better) the case can be started
via "Load Case".
In order to be able to perform indexed searching for content contained in files or anywhere within the
disk image, a so-called "index" must be created. Use the "Create Index" module to first create an index
that we can use later.
Indexing this 453 GB drive (including unallocated space) took about 5 hours, which is pretty fast. OSForensics uses its own "Zoom" search engine for indexing and other search tasks.
After the index has been created we can search through all indexed items, including their content. Through "Search Index" we can easily perform various search tasks. For example, we can search the indexed items with a predefined word list and with wildcards to keep the search as broad as possible, and we can narrow searches by date range:
Now let's add an extra drive. Via the Manage Case we select the "Add Device" button.
The screen below appears, and here we add the Q partition (we could also choose an image file, a physical drive, or a specific folder or file). The following file systems are supported: NTFS (including Windows 10 CompactOS files compressed with XPRESS or LZX), FAT16/FAT32, exFAT, Ext2/Ext3/Ext4, and HFS+/HFSX.
The support for the Mac file systems is an especially nice addition, because most packages do not support these formats.
The following partition schemes are supported: MBR (Master Boot Record), GPT (GUID Partition Table) and APM (Apple Partition Map).
In this example, we add the Q partition in forensic mode.
Now that this partition has been added, we can have a search index built for it as well. Once all the media we want to search have been indexed, we can search them with a predefined word list. OSForensics comes with a number of predefined word lists, but you can of course easily create your own.
Old search results can easily be viewed and retrieved with the "History" tab.
In the same way, you can search for file names or types in the "File Name Search" module. Again you can use presets such as searching for images or video files, and you can narrow the search by enabling certain search options.
Detecting deleted files is also a breeze with the "Deleted Files Search" option. This module looks for files that have been deleted but whose data sectors have not yet been overwritten, so their contents can still be recovered.
With deleted files you can do various things. You can of course open or view them, but you can also add them to the case, which makes them easy to find later. For further analysis, a file can be opened in the OSForensics internal viewer or saved to the hard disk. You can even add all the results of a search to the case.
These options are characteristic of the software and actually apply to all files: files found in "Search Index" or "File Name Search" can just as easily be added to the case or analyzed later. OSForensics makes building a case very easy. It is also a breeze to find files whose real format differs from what their extension suggests; the "Mismatch File Search" module does that for you.
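The check behind a mismatch search (described in the module list above and again here) compares a file's leading bytes against a table of known content signatures with what the extension claims. The following is an added example of that logic, not OSForensics' implementation: the signature table and the alias list are a small constructed subset, and the sample file headers are constructed, including the renamed-text-file case mentioned earlier.

```python
"""Flag files whose content signature contradicts their extension (added example)."""
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# (offset, magic bytes, detected type). A constructed subset; real tools carry hundreds of entries.
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\xFF\xD8\xFF", "jpg"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"MZ", "exe"),
    (0, b"\x7fELF", "elf"),
    (0, b"SQLite format 3\x00", "sqlite"),
    (4, b"ftyp", "mp4"),      # ISO base media: the magic follows a 4-byte box length
]

# Extensions that legitimately share a container format with the detected type.
ALIASES: Dict[str, str] = {
    "jpeg": "jpg", "jpe": "jpg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip", "apk": "zip",
    "dll": "exe", "sys": "exe", "scr": "exe",
    "m4a": "mp4", "mov": "mp4", "3gp": "mp4",
    "db": "sqlite", "sqlite3": "sqlite",
    "log": "txt", "csv": "txt", "ini": "txt",
}

HEADER_BYTES = 32


def detect_type(header: bytes) -> Optional[str]:
    """Identify content from its leading bytes; None if nothing is recognised."""
    for offset, magic, kind in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return kind
    # Heuristic for the classic case of a text file renamed to .jpg: printable ASCII only.
    if header and all(32 <= b < 127 or b in b"\r\n\t" for b in header):
        return "txt"
    return None


def claimed_type(name: str) -> str:
    """Normalise the extension so that e.g. .docx is judged as the zip it really is."""
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)


def check_file(name: str, header: bytes) -> Tuple[str, Optional[str], bool]:
    """Return (claimed, detected, is_mismatch) for one file."""
    claimed = claimed_type(name)
    detected = detect_type(header)
    # Unrecognised content or a missing extension is a gap in the table, not a mismatch.
    mismatch = detected is not None and claimed != "" and claimed != detected
    return claimed, detected, mismatch


def scan_headers(files: Dict[str, bytes]) -> List[Tuple[str, str, str]]:
    """Scan name -> header bytes; return (name, claimed, detected) for each mismatch."""
    hits = []
    for name, header in files.items():
        claimed, detected, mismatch = check_file(name, header[:HEADER_BYTES])
        if mismatch:
            hits.append((name, claimed, detected))
    return hits


def scan_directory(root: Path) -> List[Tuple[str, str, str]]:
    """Same check over real files; only the first HEADER_BYTES of each file are read."""
    files = {}
    for path in root.rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                files[path.relative_to(root).as_posix()] = fh.read(HEADER_BYTES)
    return scan_headers(files)


# Constructed sample headers (not taken from any real evidence).
SAMPLE_FILES: Dict[str, bytes] = {
    "holiday.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "notes.jpg": b"Dear diary, today I ",            # text renamed to .jpg
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",    # PE executable renamed to .pdf
    "report.docx": b"PK\x03\x04\x14\x00\x06\x00",    # OOXML is a zip: not a mismatch
    "clip.mp4": b"\x00\x00\x00\x18ftypmp42",
    "unknown.bin": b"\x00\x01\x02\x03",              # nothing recognised: not flagged
}


if __name__ == "__main__":
    for name, claimed, detected in scan_headers(SAMPLE_FILES):
        print(f"{name}: extension says {claimed}, content looks like {detected}")
```

The alias table is what keeps the false-positive rate down: Office documents, JARs and APKs are all zip containers, and a DLL is a PE image just like an EXE, so a naive "extension equals type" rule would flag every one of them.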
Another valuable module is the "Prefetch Viewer". This module lets the investigator view potentially valuable forensic information stored by the Prefetcher in the Windows operating system. The Prefetcher is a component that improves OS performance by pre-loading applications into RAM, which reduces disk access. To do so, it records application usage information, such as the number of times an application was run, the last time it was executed, and the files the application touches when it starts. With this information forensic investigators can discover certain (suspicious) usage patterns, such as a recently run disk-cleaning tool.
The "Raw Disk Viewer" shows the raw data of the disk (or image) sector by sector, which makes it easy to view and analyze content outside the directories and files of the operating system. Users can manually analyze free clusters and file slack space. The viewer is clearly organized with colors and subdivided into sectors. Sectors and data can of course also be exported or added to the case.
The Registry Viewer makes it possible to view and analyze the registry of the OS. The Registry Viewer is well organized, searches can be made and keys can be added to the case. What stands out is that searches are fast and accurate.
The "Passwords" module is a very useful feature of OSForensics. It searches for certain types of passwords, usernames, hashes and license keys. If passwords cannot be recovered automatically by OSForensics, you can create or import a rainbow table here and then recover the password from its hash. Encrypted files can also be tested here against different passwords.
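Because rainbow tables come up twice on this page (in the module list and here) without an explanation of how they work, here is a miniature one as an added example (my own code, not how OSForensics builds its tables). It targets unsalted MD5 over a toy space of four-digit PINs; the alphabet, chain length and start points are assumptions chosen to keep it fast. The time/memory trade-off is the point: only chain endpoints are stored, and a lookup replays the chain from each possible position.

```python
"""A miniature rainbow table for unsalted MD5 (added example)."""
import hashlib
import string
from typing import Dict, List, Optional

ALPHABET = string.digits
PW_LEN = 4                              # toy space of 10^4 PINs; real tables cover far more
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                          # hash/reduce steps per chain


def hash_password(password: str) -> bytes:
    return hashlib.md5(password.encode("ascii")).digest()


def reduce_to_password(digest: bytes, position: int) -> str:
    """Map a digest back into the password space.

    The reduction differs per chain position (hence "rainbow"); that is what
    keeps two chains from merging permanently after a single collision.
    """
    n = (int.from_bytes(digest[:8], "big") + position) % SPACE
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(starts: List[str]) -> Dict[str, str]:
    """Precompute chains; store only (end password -> start password)."""
    table: Dict[str, str] = {}
    for start in starts:
        pw = start
        for pos in range(CHAIN_LEN):
            pw = reduce_to_password(hash_password(pw), pos)
        table.setdefault(pw, start)     # keep the first chain reaching this endpoint
    return table


def lookup_hash(table: Dict[str, str], target: bytes) -> Optional[str]:
    """Recover a password for `target`, or None if no stored chain covers it."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: the preimage sits at position i of some chain. Replay the rest
        # of that chain and see whether it ends at a stored endpoint.
        candidate = reduce_to_password(target, i)
        for j in range(i + 1, CHAIN_LEN):
            candidate = reduce_to_password(hash_password(candidate), j)
        start = table.get(candidate)
        if start is None:
            continue
        # Endpoint matched; walk the chain from its start to find the actual preimage.
        # A merged chain can produce a false alarm, in which case we keep searching.
        pw = start
        for pos in range(CHAIN_LEN):
            if hash_password(pw) == target:
                return pw
            pw = reduce_to_password(hash_password(pw), pos)
    return None


def demo_table() -> Dict[str, str]:
    """Constructed table from 271 evenly spaced start points (covers only part of the space)."""
    return build_table([f"{i:04d}" for i in range(0, SPACE, 37)])


if __name__ == "__main__":
    table = demo_table()
    for secret in ("0000", "4242"):
        found = lookup_hash(table, hash_password(secret))
        print(f"md5({secret!r}) -> {found!r}")
```

Two practical consequences follow from the structure: coverage is probabilistic (a hash whose preimage lies on no stored chain simply returns None, as "4242" may above), and a per-password salt defeats the technique entirely, because every distinct salt would need its own precomputed table.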
Live Analysis
The above features can be used during both live analysis and offline analysis. However, there are also tools in the OSForensics suite that are specific to the analysis of live systems. These tools are primarily used for live acquisition, when a forensic investigator examines a suspect system that is still powered on. They can also be used while running the Triage Wizard. There are 2 indispensable live-acquisition tools:
#1 - The "Recent Activity" module. This module provides insight into which tasks were recently performed on the OS: used USB sticks, downloads, Windows Run commands, etc. The Recent Activity module can also be executed on a forensic image (i.e., offline media), but may discover fewer artifacts because less data is accessible.
#2 - The "Memory Viewer" module, which can be used in "live analysis" mode to examine the memory of the running system. Each process has 47 columns of metadata and can be investigated further with the built-in viewer. A memory dump can also be investigated by clicking on the Static Analysis tab.
Create Case Report
A report of a case is generated from the case manager by clicking the "Generate Report" button. There are several report templates to choose from.
If we opt for a default report, OSForensics generates an HTML report that looks like this:
However, we can fully customize the report with our own logos, different layout and additional
information.
Via the buttons "Add Attachment", "Add External Report", "Add Note" and "Add Evidence Photo" we
can add extra information. As a test I added a photo and a note.
If I then use the reporting generator, I use the "Custom Logos" button to add my own logos.
Now the report looks a lot nicer:
To fine-tune the reports further, some HTML knowledge is required. The templates can be found in the "C:\ProgramData\PassMark\OSForensics\ReportTemplates" folder.
To create a report template yourself, copy a basic template and edit the files you want to modify. A template consists of several HTML files as well as CSS and JavaScript files.
Reports can be saved as HTML, as PDF, or both. In short: OSForensics gives you the freedom to generate reports with exactly the right information in the desired layout.
Make Bootable OSForensics USB Drive
The last feature I would like to test is making a bootable OSForensics USB drive. We insert an empty USB stick into the OSForensics machine and click "Install to USB". We are then asked for the location of the USB drive and the license key for OSForensics. Please note that the license key shown is for illustrative purposes only and is fake (it saves a lot of retyping).
Within 2 minutes the following message appears and the copying of the OSForensics files is complete. WinPE is then used to make the USB drive bootable. We chose WinPE for Windows 10, which first requires installing the Windows 10 ADK (Assessment and Deployment Kit). During that installation we chose the first 3 (default) options:
All remaining steps are left at their defaults. In the last step (Create) select your USB drive and click "Create".
Once the USB drive is ready it can be used to boot a computer. When the computer is booted from USB, we see the same familiar environment we are used to. All options are available and ready for use!
Conclusion
OSForensics seriously surprised me on a number of fronts. OSForensics offers a complete suite of tools (which they themselves call modules) for both live and non-live acquisition and analysis. There are many viewers, and the case structure is unique: from any position, adding data to your case is as easy as a push of a button. The reports are also very extensive and can be arranged entirely according to your own insights. If you want fast search results, OSForensics is a very good choice. The price and the ability to make a full-featured USB are fantastic extras. There are actually no tools that I am missing in this suite. The viewers, registry tools, mounting possibilities and the many automated discovery tools make OSForensics a worthy, complete and very clear forensic solution.
My experience with their support was very pleasant and fast. There was always a friendly and helpful
email reply within 12 hours.
Finally, I'll finish this review with the only 2 minus points of the application. The first is that the tool crashed a few times during my tests. Obviously there was a reason (as outlined earlier in this review), and support was extremely helpful and resolved the problem quickly and professionally. It is always a bit annoying when an application crashes, but fortunately with OSForensics your cases and all gathered information remain intact, and the application can easily be restarted after a crash.
The second point is the Triage Wizard itself. I miss the ability to create an index in the Wizard. It would be ideal to complete the case with this function after the Triage Wizard has finished. Support staff could then already build a complete case during the time that the forensic investigator is not yet on site. This can save a lot of time, and the expression "the sooner the better" applies here too.
OSForensics is a fantastic package which surprised me with all the modules, functions and fine-tuning
that are present in this powerful toolkit. OSForensics can compete with the “big boys” among the
forensic applications and its price tag and technical abilities make this an absolute must for the digital
forensics professional.
Review by:
Jarno Baselier, CEH, MCSE, CCNA, and IINS
https://jarnobaselier.nl/
(Review translated from Dutch to English)