OSForensics is a program for quickly locating and extracting specific forensic data stored on a device. It lets the examiner find files faster than the search feature built into Windows, and it is regarded as one of the fastest and most efficient tools for locating files. Unlike the default Windows search, which only covers the locations and file types it has been configured to index, OSForensics does not skip files during a search. Its speed does not come at the cost of completeness, so the examiner can be confident that a file-system scan enumerates every file present on the volume.
Files can be located by criteria such as size, filename, and creation and modification dates. The search results are presented in several views, including a timeline view, a thumbnail view and a file listing (Beijnum, 2009, p. 23). The timeline view helps the examiner see the pattern of activity on the computer and spot when a significant change to a file took place. Beyond locating files, the tool can search inside the contents of each file for a full analysis: once an index has been built, its pre-indexed search gives full-text access to hundreds of file formats. The indexed search supports the following:
- Wildcard searches
- Relevance ranked search results
- Exclusion searches
- Date sorting or date range searching
- Exact phrase matching
- “Google-like” context results
Figure: file listing view of search results.
File formats that OSForensics can index include RTF, WPD, SWF, DJVU, DOC, PDF, PPT, XLS, JPG, GIF, PNG, TIFF, XLSX, MHT, ZIP, MP3, DWF, DOCX, PPTX and more. It can also determine a file's type from its content (file signature analysis) when the extension is missing or wrong, which defeats the simple trick of renaming a file to hide it. Its hashing module computes a cryptographic hash of a file, giving a unique fingerprint by which the file can be identified.
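The signature analysis described above works by reading the first bytes of a file and comparing them with known "magic numbers", independent of the extension. The following is an added example in Python, not OSForensics code: it carries a small hand-picked signature table (a real tool ships thousands of signatures and also checks trailers and internal structure), scans a directory, and flags files whose extension does not fit their content. The sample files are constructed inside the script.

```python
"""Identify file types from leading bytes (magic numbers) instead of the
extension, and flag files whose extension does not match their content.
Added example; the signature table is a small assumed subset."""
import os
import tempfile

# (leading bytes, type name). Assumption: these well-known values suffice here.
SIGNATURES = [
    (b"%PDF-", "PDF"),
    (b"\xff\xd8\xff", "JPEG"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF87a", "GIF"),
    (b"GIF89a", "GIF"),
    (b"PK\x03\x04", "ZIP container (ZIP, DOCX, XLSX, PPTX)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (DOC, XLS, PPT, MSG)"),
    (b"{\\rtf", "RTF"),
    (b"ID3", "MP3 with ID3 tag"),
    (b"II*\x00", "TIFF"),
    (b"MM\x00*", "TIFF"),
]

# Extensions that are consistent with each detected type (assumption).
EXPECTED_EXTENSIONS = {
    "PDF": {".pdf"},
    "JPEG": {".jpg", ".jpeg"},
    "PNG": {".png"},
    "GIF": {".gif"},
    "ZIP container (ZIP, DOCX, XLSX, PPTX)": {".zip", ".docx", ".xlsx", ".pptx"},
    "OLE2 compound file (DOC, XLS, PPT, MSG)": {".doc", ".xls", ".ppt", ".msg"},
    "RTF": {".rtf"},
    "MP3 with ID3 tag": {".mp3"},
    "TIFF": {".tif", ".tiff"},
}


def identify_bytes(head: bytes) -> str:
    """Return the type name matching the first bytes of a file, or 'unknown'."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return "unknown"


def identify_file(path: str) -> str:
    with open(path, "rb") as f:
        return identify_bytes(f.read(16))


def scan_tree(root: str) -> list:
    """Walk a directory and return (relative path, extension, detected type,
    mismatch) per file. mismatch is True when the content is a known type but
    the extension does not fit it: a renamed or extension-stripped file."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            kind = identify_file(path)
            expected = EXPECTED_EXTENSIONS.get(kind)
            mismatch = expected is not None and ext not in expected
            records.append((os.path.relpath(path, root), ext, kind, mismatch))
    return records


def build_sample_tree() -> str:
    """Create constructed sample files (not real evidence); return the directory."""
    root = tempfile.mkdtemp(prefix="sigdemo_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed sample\n",
        "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
        "notes.txt": b"plain text, no signature\n",
        # a ZIP-based Office file renamed to hide it
        "budget.dat": b"PK\x03\x04\x14\x00\x00\x00" + b"\x00" * 8,
        # an image with the extension stripped
        "photo": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    for rel, ext, kind, mismatch in scan_tree(build_sample_tree()):
        flag = "  <-- extension does not match content" if mismatch else ""
        print(f"{rel:12} {ext or '(none)':7} {kind}{flag}")
```

Signature matching only says what a file claims to be at its head; an attacker can prepend a valid header to unrelated data, so a tool worth trusting also parses the structure. Note that DOCX/XLSX/PPTX share the ZIP signature and DOC/XLS/PPT/MSG share the OLE2 signature, so distinguishing them requires looking inside the container.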
OSForensics helps the investigator organize the discovered evidence into a single case file whose integrity is protected by cryptographic hashing. For later reference and analysis, the specialist can attach additional findings and facts to the case file while being assured that the case file cannot be manipulated undetected. The case management feature helps the examiner collect and organize case items and the results of OSForensics tests. A benefit of this program is that it can be installed on and run from a USB flash drive, so the examiner carries the tools and reports along when mobile (Cansolvo & Scholtz, 2004, p. 85). An examiner should avoid installing any software on the target machine, since writing to its disk risks overwriting or deleting valuable forensic data; running from removable media, ideally behind a write blocker, avoids that.
With OSForensics, the computer expert can export case files as customized, downloadable reports showing all the evidence collected. This feature provides, at any time during the investigation, a readable summary of the forensic findings for law enforcement agents or clients. OSForensics can also retrieve emails directly from their archives without installing an email client such as Thunderbird or Outlook (Dimitrova, Bellotti, Lozanova & Roumenin, 2011). It reads the archive directly and displays all message headers together with HTML, Rich Text Format and plain-text bodies. Supported file formats are:
- MBOX (Thunderbird, UNIX mail, Eudora and others).
- PST (Outlook).
- MSG (Outlook).
- DBX (Outlook Express).
- EML (Outlook Express and other clients that save single messages).
All attachments of a selected email can also be extracted. The email search feature scans all material within the mail archive quickly.
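Reading an archive without the mail client means parsing the on-disk format directly. The block below is an added example in Python, not OSForensics code, and uses only the standard library: it opens an mbox archive, lists headers and decoded text bodies, extracts attachments and searches every message for a keyword; it also parses a single .eml file. The two-message archive it reads is constructed in build_sample_mbox(). PST and DBX are proprietary binary formats the standard library cannot read, so they are not covered.

```python
"""Read an mbox archive and .eml files directly: headers, bodies, attachment
extraction and keyword search. Added example using only the standard library;
the archive is constructed, not real mail."""
import email
import mailbox
import os
import tempfile
from email import policy
from email.message import EmailMessage


def _parse(fobj):
    # Factory so mailbox hands back modern EmailMessage objects.
    return email.message_from_binary_file(fobj, policy=policy.default)


def open_mbox(path):
    return mailbox.mbox(path, factory=_parse)


def summarize(msg):
    """Header summary plus decoded text body and attachment names."""
    def header(name):
        return str(msg[name]) if msg[name] is not None else ""
    body = msg.get_body(preferencelist=("plain", "html"))
    return {
        "from": header("From"),
        "to": header("To"),
        "date": header("Date"),
        "subject": header("Subject"),
        "body": body.get_content().strip() if body is not None else "",
        "attachments": [p.get_filename() or "unnamed" for p in msg.iter_attachments()],
    }


def list_messages(path):
    return [summarize(m) for m in open_mbox(path)]


def parse_eml(path):
    """A single RFC 822 message saved as .eml."""
    with open(path, "rb") as f:
        return summarize(_parse(f))


def extract_attachments(path, outdir):
    """Save every attachment as outdir/<message index>_<filename>; return the paths."""
    os.makedirs(outdir, exist_ok=True)
    saved = []
    for i, msg in enumerate(open_mbox(path)):
        for part in msg.iter_attachments():
            name = os.path.basename(part.get_filename() or "unnamed")
            target = os.path.join(outdir, f"{i}_{name}")
            with open(target, "wb") as f:
                f.write(part.get_payload(decode=True))  # undo base64/quoted-printable
            saved.append(target)
    return saved


def search(path, term):
    """Case-insensitive search over headers, text body and attachment names;
    returns (message index, subject) for each hit."""
    term = term.lower()
    hits = []
    for i, msg in enumerate(open_mbox(path)):
        s = summarize(msg)
        haystack = " ".join([s["from"], s["to"], s["date"], s["subject"], s["body"]]
                            + s["attachments"])
        if term in haystack.lower():
            hits.append((i, s["subject"]))
    return hits


def build_sample_mbox():
    """Constructed two-message archive (not real mail); returns its path."""
    root = tempfile.mkdtemp(prefix="mboxdemo_")
    path = os.path.join(root, "inbox.mbox")
    box = mailbox.mbox(path)
    m1 = EmailMessage()
    m1["From"] = "alice@example.com"
    m1["To"] = "bob@example.com"
    m1["Date"] = "Mon, 03 Oct 2011 09:15:00 +0000"
    m1["Subject"] = "Q3 figures"
    m1.set_content("Bob, the spreadsheet is attached. Delete after reading.")
    m1.add_attachment(b"PK\x03\x04 constructed xlsx bytes", maintype="application",
                      subtype="octet-stream", filename="q3.xlsx")
    m2 = EmailMessage()
    m2["From"] = "bob@example.com"
    m2["To"] = "alice@example.com"
    m2["Date"] = "Mon, 03 Oct 2011 11:02:00 +0000"
    m2["Subject"] = "Re: Q3 figures"
    m2.set_content("Got it, thanks.")
    for m in (m1, m2):
        box.add(m)
    box.close()
    return path


if __name__ == "__main__":
    archive = build_sample_mbox()
    for s in list_messages(archive):
        print(s["date"], s["from"], "->", s["to"], "|", s["subject"], s["attachments"])
    print("hits for 'spreadsheet':", search(archive, "spreadsheet"))
    print("saved:", extract_attachments(archive, archive + "_attachments"))
```

Attachments are written with their original basename only, so a message cannot plant a path traversal through a filename such as ../../x; keep that guard when adapting the extractor to real archives.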
Figure: OSForensics Email Viewer.
The forensic value of the processes above varies with factors such as who needs the information and for what purpose (Lin & Stead, 2009, p. 67). The process helps establish what took place, how it happened, when it happened and who was involved. Fields in which computer forensics techniques and methodologies are applied include:
- Determining the root cause of a system failure.
- Identifying the people behind misuse of computer systems.
- Identifying who committed a crime.
- Identifying the victims of a suspect.
- Detecting planned criminal activity and preventing it.
More specific criminal matters that require computer experts to carry out forensics include murder cases, financial fraud, child pornography, theft of trade secrets, harassment, copyright infringement and many more (Dimitrova, Bellotti, Lozanova & Roumenin, 2011, p. 38). Incriminating files are likely to reside on the suspect's or the victim's computer. OSForensics uses cryptographic hash functions to compute a digital fingerprint that is unique to a file's content. By comparing hash values, it determines whether a file has been altered or corrupted (Kshetri, 2010). Because the hash depends only on the content, the same comparison shows whether an unknown file belongs to a set of known files regardless of its file name or extension. The Create/Verify Hash module computes such an identifier for a file or for a whole disk volume; MD5, SHA-1 and SHA-256 are available. MD5 and SHA-1 are no longer collision resistant, so SHA-256 is the sensible choice for new evidentiary fingerprints, while MD5 and SHA-1 remain useful for matching against existing hash sets built with them.
A single hash value computed over an entire disk volume covers the directory structure, unallocated space and the contents of every file. Comparing the original hash with one taken later detects whether the volume has been altered or corrupted. Disk cloning, the creation of an exact bit-for-bit duplicate that is examined in place of the original disk, can be done with OSFClone, a free companion tool (Fowler, 2003); the clone should be hashed and compared with the original before analysis begins, and again whenever the chain of custody needs to be demonstrated.
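The hashing workflow described in this and the earlier paragraph (fingerprinting files, matching an unknown file against a known set by content, and verifying that a clone matches its source) is shown below as an added example in Python; it is not OSForensics or OSFClone code. The files it hashes are constructed by build_sample(); the "volumes" are ordinary files standing in for raw devices, since hashing a real device means opening it raw (\\.\PhysicalDrive0 on Windows or /dev/sdX on Linux) with administrator rights.

```python
"""Fingerprint files with several hashes in one pass, match files against a
known-hash set by content, and verify a disk image against its source.
Added example; all inputs are constructed, not real evidence."""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(fobj, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """One read pass over the data, all requested digests updated together,
    so a multi-gigabyte image is read once rather than once per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as f:
        return hash_stream(f, algorithms)


def build_known_set(labelled_paths, algorithm="sha256"):
    """Map digest -> label for known files (e.g. a firm's confidential documents)."""
    return {hash_file(p, (algorithm,))[algorithm]: label
            for label, p in labelled_paths.items()}


def match_known(path, known, algorithm="sha256"):
    """Content-based lookup: a renamed or extension-stripped copy still matches,
    a file altered by even one byte does not. Returns the label or None."""
    return known.get(hash_file(path, (algorithm,))[algorithm])


def verify_image(original, clone, algorithm="sha256"):
    """True when the clone is byte-identical to the original; both digests returned
    so they can be recorded in the case notes."""
    a = hash_file(original, (algorithm,))[algorithm]
    b = hash_file(clone, (algorithm,))[algorithm]
    return a == b, a, b


def build_sample():
    """Constructed files (not real evidence); returns a dict of paths."""
    root = tempfile.mkdtemp(prefix="hashdemo_")

    def write(name, data):
        p = os.path.join(root, name)
        with open(p, "wb") as f:
            f.write(data)
        return p

    secret = b"PK\x03\x04 constructed contract v7 " * 200
    paths = {
        "secret": write("contract.docx", secret),            # the known file
        "renamed": write("cache.tmp", secret),               # same content, hidden name
        "edited": write("contract_v8.docx", secret[:-1] + b"!"),  # one byte changed
        "innocent": write("readme.txt", b"nothing to see\n"),
    }
    volume = bytes(range(256)) * 64  # 16 KiB stand-in for a disk volume
    paths["volume"] = write("disk.img", volume)
    paths["clone"] = write("disk_clone.img", volume)
    tampered = bytearray(volume)
    tampered[5000] ^= 0x01           # flip a single bit deep inside the image
    paths["tampered"] = write("disk_tampered.img", bytes(tampered))
    return paths


if __name__ == "__main__":
    p = build_sample()
    known = build_known_set({"contract.docx": p["secret"]})
    for key in ("renamed", "edited", "innocent"):
        print(f"{key:9} -> {match_known(p[key], known)}")
    for key in ("clone", "tampered"):
        ok, a, b = verify_image(p["volume"], p[key])
        print(f"{key:9} -> {'matches original' if ok else 'DIFFERS: ' + a[:12] + ' vs ' + b[:12]}")
```

Record the digest of the original media before imaging and of the image immediately after; any later re-verification that yields the same value shows the evidence was not altered in between.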
OSForensics is a proprietary product with a restricted free edition rather than an open source project; the shortcomings of the free edition are:
- Limited ability to mine deeper into the data.
- No dedicated support from the developers.
The ability to dig deeper into the data is critical in very complicated cases where the suspects are themselves computer experts. Suspects who know the software's capabilities may hide incriminating evidence more deeply, for example by renaming files or embedding them inside other files, making it harder for the software to locate the relevant piece of information (Napa, 2011). Commercial forensic software comes with the added advantage of official product support, which the free edition does not guarantee (Cimino & Shortliffe, 2006). A paying client can request a particular feature for the commercial version and can expect a much faster response than someone requesting the same feature for a free or open source edition.
Commercial alternatives among digital forensic software include Internet Evidence Finder, Spector CNE Investigator, Registry Recon, EnCase, EPRB, COFEE, Windows To Go, Forensic Assistant, Nuix, PeerLab, X-Ways Forensics, Intella, Forensics Apprentice, FTK, Paraben P2 Commander and SafeBack. Not every commercial product matches its open source or free equivalent (Adigun, Ojo & Olugbara, 2011). Whether it does depends on several factors the vendor weighed before developing the software, including:
- The target market.
- The company's financial capacity to hire highly skilled programmers and to market the product.
- Features to be included.
- The research carried out.
These factors help determine whether a commercial alternative is more useful, efficient, productive and reliable than its open source or free equivalent.
- Adigun, O., Ojo, S. O., & Olugbara, O. O. (2011) A grid enabled framework for ubiquitous healthcare service provisioning. Advances in Grid Computing, 230-252. Retrieved: http://cdn.intechopen.com/pdfs/13951/InTech-A_grid_enabled_framework_for_ubiquitous_healthcare_service_provisioning.pdf
- Beijnum, V. et al. (2009) Mobile virtual communities for telemedicine: research challenges and opportunities. International Journal of Computer Science and Applications, 6 (2), 19-37.
- Cansolvo, S. & Scholtz, J. (2004) Towards a framework for evaluating ubiquitous computing applications. Pervasive Computing, 82-88.
- Cimino, J. & Shortliffe, H. (2006) Biomedical Informatics: Computer Applications in Health Care and Biomedicine. New York: Springer.
- Dimitrova, M., Bellotti, L., Lozanova, S. & Roumenin, C. (2011) Cloud computing framework for new medical interface technologies. Institute of Systems Engineering and Robotics, Bulgarian Academy of Sciences.
- Fowler, M. (2003) Patterns of Enterprise Application Architecture. New York: Addison-Wesley Professional.
- Kshetri, N. (2010) Cloud computing in developing economies: drivers, effects and policy measures. Retrieved: http://www.ptc.org/ptc10/program/images/papers/papers/Paper_Nir%20Kshetri_B8.pdf
- Lin, H. & Stead, W. (2009) Computational Technology for Effective Health Care: Immediate Steps and Strategic Directions. New York: National Academies Press.
- Napa, A. (2011) Wireless Mobile Communication and Healthcare: Second International ICST Conference; Revised Selected Papers. New York: Springer.