The purpose of this project is to review and compare OSForensics (restricted version), a free tool created by PassMark Software, to see if it could be used as an alternative to higher-priced forensic tools. This will hopefully provide another resource for local law enforcement agencies to use. This project will analyze the effectiveness and accuracy of this software as compared to EnCase, one of the most widely used acquisition and analysis tools, and one of the tools we have available here at the LCDI. Although the free OSForensics edition has limited capabilities when compared to the OSForensics pro edition, it can do most of the same analysis that other professional-grade forensics software can do. To see the differences between the OSForensics free and pro editions, go to the OSForensics site: http://www.osforensics.com/compare.html
For this project, we conducted all of the tests at the LCDI and produced our own results. We generated all of our data (web browsing, downloading of files, deletion of files, installing software, USB registry activity, etc.) on a test hard drive, which we then acquired and analyzed with OSForensics and EnCase v7. Prior research has been conducted on the capabilities of OSForensics, but not to compare it to another tool. The LCDI wanted to compare OSForensics to industry professional-grade forensics software, with a student influence.
OSForensics is a powerful forensic acquisition and analysis tool that can easily be compared to other leading tools in the industry, such as EnCase v7. OSForensics has features similar to those of EnCase, and the only thing that OSForensics could not do, out of the options that we were able to conduct research on, was acquire encrypted drives. The data produced by OSForensics is accurate; we were able to find the same information while using EnCase v7 and OSForensics in a side-by-side comparison. Also, after testing quite a few different scenarios, we found OSForensics to be forensically sound, as it did not alter or change the data during acquisition.
http://www.youtube.com/watch?v=dA-k1aiwORU
Click here to read the full report: OSForensics