1. One-Click Forensic
Forensics Master is the easiest-to-use forensic analysis software. Investigators can acquire common artifacts from a source drive in a three-step operation (Create Case -> Add Source -> OneKey Forensic).
• System Artifacts: Automatically parse Windows system information, including OS, network configuration, installed applications, services, etc.
• Application Artifacts: Search for and acquire application artifacts automatically, including Windows Prefetch, registry UserAssist (ROT13 decoding), Windows search items, thumbnail artifacts, printer artifacts (SPL), etc.
• USB Artifacts: Analyze system and application program artifacts; acquire USB usage records.
• Recycle Bin Artifacts: Extract user artifacts and deleted files in the Recycle Bin.
• Web Browser Artifacts: Acquire web history from Internet Explorer, Google Chrome, Firefox, 360, Maxthon, Opera, and other Internet browsers.
• Instant Messaging Artifacts: Load chat logs of Yahoo, Skype, MSN, and other IM programs without a password.
• E-Mail Artifacts: Parse Outlook Express (DBX), Office Outlook (PST), Foxmail (IND, BOX), and EML compound files; recover deleted items from Outlook Express (DBX) and Foxmail (BOX).
• Anti-Forensic Detection: Search for anti-forensic applications and encryption applications (executable files), including steganography tools, common encrypted files (Zip, Office, RAR, PDF, etc.) and containers (Private Disk, TrueCrypt, PGP Disk).
2. File System and Image Format Supported
• Disks: Support static disks, dynamic disks, and MBR- and GPT-partitioned disks.
• File system: Support FAT12, FAT16, FAT32, exFAT, NTFS, CDFS, UDF, Ext2/3/4, and HFSX/HFS+ file systems; recover deleted files from FAT, NTFS, Ext2, and HFSX/HFS+ file systems.
• Image Format: Acquire evidence to E01, DD, 001, and L01 image files; support VHD, VMDK, ISO, and AFF virtual machine disk image files.
3. File View
• Support fast file viewing, especially for pictures.
4. Other Features
• Simple keyword search with support for most common code pages. Support keyword searching in fragmented email (automatic keyword base64 conversion) and regular expressions (like GREP).
• Support signature-based file recovery and data recovery from formatted partitions (like EnCase – Recover Folders), including FAT, NTFS, and exFAT file systems.
• Support video frame division, including AVI, WMV, ASF, RM, RMVB, etc.
• Parse Windows Event Logs and IIS logs.
• Verify file signatures and search for suspect files automatically.
• MD5, SHA-1, SHA-2 hashing for whole drive or single files.
• Perform forensic analysis in unallocated clusters, Pagefile.sys, and Hiberfil.sys.
• Generate analysis reports automatically.