How to perform a forensic PC investigation

Deleted files search

If you're especially interested in deleted files, there's no need to spend lots of time performing unallocated sector searches. Just click the 'Deleted files search' tab and you'll find that OSForensics comes packaged with its own easy to use, built-in undelete tool.

The tool may appear confusing at first, but is straightforward if you understand how it works. On our test PC, for instance, the deleted files search announced that it would, by default, search the disk '\\.\PhysicalDrive0' – which, if you're used to Windows drive letters, isn't exactly clear.

It's not that bad, though. All '\\.\PhysicalDrive0' means is that the program will search all the partitions on your first physical drive, however many there may be. If you want to restrict your search to a particular partition, then select it from the list, which for us produced something like '\\.\PhysicalDrive0: Partition 0, C: [931.21GB NTFS]'. Rather lengthy, but you'll know what it means.

When you're finished, click 'Search', and the program will almost instantly produce a list of all the deleted files it's found. If you know what you're looking for, enter all or part of the file name in the 'Filter string' box, and click 'Apply filter' to display only matching files. (You can also filter by multiple file specifications if you separate them with semi-colons, such as '*.gif;*.xls'.)
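The semicolon-separated filter described above is easy to reproduce outside the GUI, which is handy when you export a recovered-file listing and want to narrow it down in a script. The following is an added example, not OSForensics code; the file names are constructed and the matching is deliberately case-insensitive, since NTFS names are.

```python
import fnmatch
import os

# Constructed sample: paths as a deleted-files listing might show them (not real tool output)
SAMPLE_DELETED_FILES = [
    r"C:\Users\alice\Pictures\holiday.gif",
    r"C:\Users\alice\Documents\budget.XLS",
    r"C:\Users\alice\Downloads\report.pdf",
    r"C:\Temp\cache.tmp",
    r"C:\Users\alice\Pictures\logo.GIF",
]


def parse_filter(filter_string: str) -> list:
    """Split a filter such as '*.gif;*.xls' into individual glob patterns,
    dropping blank entries and stray whitespace."""
    return [spec.strip() for spec in filter_string.split(";") if spec.strip()]


def apply_filter(paths, filter_string: str) -> list:
    """Return the paths whose file name matches at least one pattern.
    An empty filter returns everything, mirroring 'no filter applied'."""
    patterns = [p.lower() for p in parse_filter(filter_string)]
    if not patterns:
        return list(paths)
    matches = []
    for path in paths:
        # Normalise Windows separators so basename() works on any host
        name = os.path.basename(path.replace("\\", "/")).lower()
        if any(fnmatch.fnmatchcase(name, pattern) for pattern in patterns):
            matches.append(path)
    return matches


if __name__ == "__main__":
    for hit in apply_filter(SAMPLE_DELETED_FILES, "*.gif;*.xls"):
        print(hit)
```

Matching is done on the file name only, so a pattern such as 'report*' finds the file wherever it lived; include a path component in the pattern if you need to restrict by folder.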


BACK FROM THE DEAD: A simple Undelete tool enables you to view and recover deleted files

What the report won't give you, unfortunately, is any preview thumbnails, so if you're looking for images then you won't be able to spot them at a glance. However, if you suspect you've found the right file, then OSForensics can usually display it for you. Simply right-click it, select 'View with internal viewer', and the program will display the image. Not the right one? Use the 'Back' and 'Forward' buttons to step through the list.

When you've found what you need, right-click the file and use one of the 'Save' options to bring it back from the dead.

Signatures

One particularly interesting feature of OSForensics is its ability to create a signature of a particular set of files, folders, or an entire hard drive. You could create one signature now, for example, and another tomorrow, then use the program's 'Compare signature' option to show you everything that's been changed – that is, new and modified files.

This clearly has all kinds of applications. You might use it to highlight changes another user has made to your PC. You could also compare signatures taken before and after installing an application to view the changes that it's made to your PC.

What about creating a signature of your Windows folder, then looking for changes that could indicate malware? Or you might create a signature of your entire system partition every day, then compare it to the previous version and look for unusual activity – whether it's malware or just applications that are creating unnecessary files.

Whatever your reasons, this is definitely worth trying and is very easy to do. Just click 'Create signature', then specify the starting folder for whatever you'd like to scan (try an entire drive to begin with), and click 'Start'. The process only takes a few seconds to complete, and you can save the results to your desktop.

Open a browser window and visit a site or two, then switch back to OSForensics and click 'Start' again to create a second signature of the same area. Finally, click 'Compare signature', point OSForensics to the two signature files and let it highlight the differences.

It's quick, easy to use, and can be very informative.
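To show what a signature actually contains and how the comparison works, here is an added example in Python. It is not OSForensics code and makes no claim about the program's file format; it records a SHA-256 hash per file, saves the result as JSON, and then diffs two snapshots. It goes slightly beyond the article's 'new and modified' by also reporting deleted files, which the same set arithmetic gives for free. The directory contents are constructed inside the script.

```python
import hashlib
import json
import os
import tempfile


def create_signature(root: str) -> dict:
    """Record size, modification time and SHA-256 for every regular file under root."""
    sig = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, broken links and the like
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream, don't slurp
                    digest.update(chunk)
            st = os.stat(full)
            sig[rel] = {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest.hexdigest()}
    return sig


def save_signature(sig: dict, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(sig, fh, indent=1, sort_keys=True)


def load_signature(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def compare_signatures(old: dict, new: dict) -> dict:
    """Classify paths as new, deleted or modified. 'Modified' is decided on the
    content hash, not on size or timestamp, because timestamps are easily reset."""
    old_paths, new_paths = set(old), set(new)
    return {
        "new": sorted(new_paths - old_paths),
        "deleted": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths
                           if old[p]["sha256"] != new[p]["sha256"]),
    }


def demo() -> dict:
    """Take a signature of a constructed directory, change it, take another, and compare."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def put(rel: str, text: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)

        put("config.ini", "debug=0\n")
        put("old.log", "first run\n")
        put("sub/keep.dat", "unchanged\n")
        first_path = os.path.join(store, "monday.json")
        save_signature(create_signature(root), first_path)

        # Simulated activity between the two snapshots (constructed)
        put("config.ini", "debug=1\n")            # modified in place
        put("sub/new.txt", "dropped in later\n")  # newly created
        os.remove(os.path.join(root, "old.log"))  # removed

        return compare_signatures(load_signature(first_path), create_signature(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the saved signature somewhere the monitored tree cannot reach (a separate volume or a read-only share), otherwise anything that can alter the files can also alter the baseline you compare them against.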

Our favourite OSForensics feature, for its sheer originality, is the Mismatch File Search. The core idea is a simple one. All you have to do is point the program at a starting folder – 'C:\', say – then click 'Scan'.

The program will begin to scan your files, looking for any where the content doesn't match the extension. This might uncover all kinds of odd behaviour. If another user of your PC has renamed some videos to have ZIP extensions, for example, then the Mismatch File Search will reveal what's going on.

If a piece of malware has renamed key executables to an apparently harmless TXT extension, then again, this OSForensics report will highlight the change.

What's in a format

More generally, you'll discover the real file formats behind many of your applications. The program revealed that our old Empire Earth '.ee3sav' save game files were actually ZIP files, and that CyberLink's '.thl' files were PNG thumbnails – information that could come in very handy if these files were ever corrupted and we needed to make manual repairs.
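The mechanism behind a mismatch search is a comparison of a file's leading bytes (its 'magic number') against what its extension promises. The following added example, which is not OSForensics code, implements that check for a handful of formats and reproduces the cases the article describes: a video or image renamed to another extension, an executable hiding under '.txt', and an application file such as '.ee3sav' whose content turns out to be a ZIP. The magic table and the sample directory are constructed for the example.

```python
import os
import tempfile
import zipfile

# Leading bytes of some common formats (constructed, deliberately small table;
# a real scanner carries hundreds of entries, some at non-zero offsets).
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"MZ", "exe"),
]

# What content each extension is expected to carry (Office files are ZIP containers).
EXPECTED = {
    ".png": "png", ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".jar": "zip",
    ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".pdf": "pdf",
    ".exe": "exe", ".dll": "exe", ".txt": "text", ".log": "text",
}


def detect_format(path: str):
    """Identify a file by its leading bytes, ignoring the extension entirely."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    for magic, name in MAGIC:
        if head.startswith(magic):
            return name
    # Plain-text heuristic: no NUL bytes and the sample decodes as UTF-8.
    # (A multi-byte character cut at the 512-byte boundary would be a false negative.)
    if head and b"\x00" not in head:
        try:
            head.decode("utf-8")
            return "text"
        except UnicodeDecodeError:
            pass
    return None


def mismatch_scan(root: str) -> dict:
    """Walk root and report files whose content contradicts their extension, plus
    files of recognised content under an extension the table does not know about."""
    mismatched, unknown_ext = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            detected = detect_format(full)
            expected = EXPECTED.get(ext)
            if expected is not None:
                if detected != expected:
                    mismatched.append((rel, ext, detected))
            elif detected is not None and detected != "text":
                unknown_ext.append((rel, detected))  # e.g. a game save that is really a ZIP
    return {"mismatched": sorted(mismatched, key=lambda t: t[0]),
            "unknown_extension": sorted(unknown_ext, key=lambda t: t[0])}


def demo() -> dict:
    """Build a constructed directory with the cases the article describes and scan it."""
    with tempfile.TemporaryDirectory() as root:
        def put(name: str, data: bytes) -> None:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)

        put("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # genuine PNG header
        put("photo.jpg", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)   # PNG data under a .jpg name
        put("notes.txt", b"MZ\x90\x00" + b"\x00" * 60)           # executable renamed to .txt
        put("readme.txt", b"plain text, nothing to see\n")       # honest text file
        with zipfile.ZipFile(os.path.join(root, "archive.zip"), "w") as z:
            z.writestr("a.txt", "ok")                            # honest ZIP
        with zipfile.ZipFile(os.path.join(root, "game.ee3sav"), "w") as z:
            z.writestr("save.dat", "state")                      # ZIP under a game extension
        return mismatch_scan(root)


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

A file the scanner cannot classify is not evidence of anything by itself; treat the 'mismatched' list as a queue for manual review with the internal viewer, in the same way you would use the program's own report.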

In our experience, the file search can be an extremely revealing look at what's really going on with your PC. The same can be said of almost all of OSForensics' utilities – the program has many possible applications, and there's no telling what it might be able to do for you until you try it.

So give it a try – download a copy, explore the functions and see what this excellent forensics package can uncover about your computer, its software and users.