Passmark OSForensics v10

The forensics software is ideal for checking the integrity of data and tracking system changes.


Product number: PM060
Manufacturer: Passmark


OSForensics is a diagnostic tool that is also suitable for beginners due to its user-friendly structure.  The forensics software is ideal for checking the integrity of data and tracking system changes.


  • Identify suspicious files and activities
  • Quickly extract evidence from computers
  • Manage your investigations

Complete suite for forensic investigations

OSF offers one of the fastest and most powerful ways to find files on a Windows computer or forensic image.
Search the contents of files with our highly acclaimed indexing engine that offers industry-leading relevance ranking, date range searching, exact phrase matching, "Google-like" context results, and more.
Examine and search hundreds of file types, including Office and Acrobat documents, image files (with OCR), emails (Outlook, Thunderbird, Mozilla and others), attachments, ZIP files, and even binary files and unallocated clusters.
Find and restore files that a user may have tried to destroy or that have been removed from the Recycle Bin.

OSF provides powerful tools to detect and crack passwords on a live system or forensic image.
These include:

  • Website logins and passwords (used in Chrome, Edge, IE, Firefox and Opera).
  • Passwords for Outlook and Windows Live
  • Stored WLAN passwords
  • Password for Windows automatic login
  • Windows and other Microsoft product keys
  • Ports (serial/parallel)
  • Network adapters
  • Physical and optical drives
  • Bitlocker detection

OSF also provides tools for cracking hashes using Rainbow tables and dictionary attacks.



OSF can expose the hidden HPA and DCO areas of a hard drive that can be used for malicious purposes, such as hiding illegal data.



Use OSF to access volume shadow copies. This allows you to see what a volume looked like at a certain point in the past and what has changed. You can detect changes to files and even view deleted files.



Identify suspicious files and activities

Use OSF to confirm that files have not been corrupted or tampered with by comparing hash values or determining if an unknown file belongs to a known group of files. Verify and match files with MD5, SHA-1, and SHA-256 hashes. Find misnamed files whose contents do not match their extension.
Create and compare drive signatures to identify differences and changes on a system. With OSF, you can create a forensic signature of a hard disk drive, preserving information about file and directory structures that were present on the system at the time the signature was created.
OSF has a Timeline Viewer that provides a visual representation of file and system activity over time, helping you identify date ranges where significant activity occurred or build a pattern of behavior over years, months, or days.

OSF offers a comprehensive suite of tools for analyzing files, emails and system information, including:

  • File viewer that can display streams, hex, text, images and metadata
  • Email viewer that can display messages directly from the archive
  • Registry viewer for easy access to Windows registry hive files
  • File system browser for Explorer-like navigation through supported file systems on physical disks, volumes, and images
  • Raw disk viewer for navigating and browsing raw disk bytes on physical disks, volumes, and images
  • Web browser for browsing and capturing online content for offline evidence management
  • ThumbCache viewer to browse the Windows thumbnail cache database for evidence of images/files that may have once been on the system
  • SQLite database browser to view and analyze the contents of SQLite database files
  • ESEDB viewer to view and analyze the contents of ESE DB database files (.edb), a common storage format used by various Microsoft applications
  • Prefetch viewer to identify the time and frequency of applications running on the system and thus recorded by the operating system's prefetcher
  • Plist viewer to view the contents of plist files commonly used by macOS, OSX, and iOS to store settings
  • $UsnJrnl viewer to view the entries stored in the USN journal, which is used by NTFS to track changes to the volume

Manage your digital investigations

Organize all the evidence you've discovered into a single, cryptographically secure case file.
Export your case file as an accessible and customizable report that includes all evidence associated with the case. Provide clients or law enforcement with a readable summary of forensic findings at any point in your investigation.
Manage your storage devices centrally for convenient access across OSF.

Create and recover disk images from evidence disks to support forensic analysis without compromising the integrity of the original data.

Re-create a complete RAID image from a set of RAID member disk images.

Create exact copies of the partitions or disks of an active system. Useful for live captures while OSF is running from your USB drive.

OSF can automatically maintain a secure audit trail of the exact activities performed during the course of the investigation.
OSForensics can be installed and run from a portable USB drive. Bring the investigation directly to the target computer without risking the contamination of valuable forensic information.

Professional and bootable edition


The professional and bootable editions of OSForensics have many features not available in the free edition, including:

  • Import and export of hash sets
  • Customizable system information collection
  • No limit to the number of cases managed by OSForensics
  • Recovery of multiple deleted files in one operation
  • Listing and searching for alternative file streams
  • Sorting of image files by color
  • Disk indexing and search not limited to a fixed number of files
  • No watermarks on web captures
  • Multi-core acceleration for file decryption
  • Customizable collection of system information
  • Display of NTFS directory $I30 entries to identify potentially hidden/deleted files
  • Memory viewer and dumper - kernel mode detection to bypass anti-dump tools

The bootable edition includes all professional features plus the ability to run on systems without a valid operating system. See the full comparison list between the editions.

Technical Data

| Version comparison | Trial | Subscription Edition | Purchase Edition | Bootable Edition |
|---|---|---|---|---|
| Memory Viewer and Dumper | | | | |
| Raw Disk Viewer | | | | |
| Verify & Generate hash | | | | |
| Create and compare signatures | | | | |
| Zero drive & test | | | | |
| Drive Imaging | | | | |
| Mismatched file search | | | | |
| Hash Set Management | | | | |
| Search by filename | | | | |
| Scan for deleted files | | | | |
| File System Browser | | | | |
| Collect system information | | | | |
| Rebuild RAID Arrays | | | | |
| Hidden disk areas | | | | |
| Volume Shadow Copies | | | | |
| Email viewer | | | | |
| Registration Display | | | | |
| Prefetch Viewer | | | | |
| SQLite Database Browser | | | | |
| ESE Database Viewer | | | | |
| Plist property file viewer | | | | |
| $UsnJrnl File Journal Viewer | | | | |
| Detect user activity | Can only export 10 at a time | | | |
| Web browser screenshot | Image is watermarked | | | |
| Face Recognition | | | | |
| Python scripting | | | | |
| Cloud Imaging | | | | |
| Email Export | | | | |
| Forbidden image detection | | | | |
| Support for AFF4 file format | | | | |
| Web server log filtering | | | | |
| Install and run from USB | X | | | |
| List and find alternate file streams | X | | | |
| Sort files by color | X | | | |
| Multi-core acceleration for file decryption | X | | | |
| Customizable collection of system information | X | | | |
| Import/Export Hash Sets | X | | | |
| Manage Cases | Limited to 3 cases at a time and a maximum of 10 items per case | | | |
| Disk Indexing and Search | Limited to 2,500 files or emails & 250 results per search | | | |
| Find Passwords & File decryption | Max. 5 passwords per browser type | | | |
| Recover deleted files | Limited to one file at a time. | | | |
| Show NTFS $I30 directory entries | X | | | |
| Runs without a valid operating system | X | X | X | |