Install one program, run another, remove a third, and all kinds of changes will be made to your system: files added, others deleted, Registry keys modified and more. Understanding exactly what’s going on can help you uncover malware, troubleshoot conflicts and solve many other problems, and the latest beta of OSForensics makes this very easy indeed.
The program has always been able to monitor and report on file-based changes. So you could use it to create “before” and “after” signatures of your current system, then compare the two for a report of all the files that have been created, modified or deleted.
And OSForensics 0.98 has extended this by adding the ability to check for Registry changes, too.
To make this happen, click Create Signature > Config. By default the program is configured to monitor all changes to drive C:\ and subfolders, but the Directory list now also includes each of the Registry hives. So if you’d also like to monitor changes to HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE, say, just select them, and click Add To List > OK.
Now the process essentially works as before. Use the Create Signature option to record a baseline of your system as it is now; install or uninstall something, or do whatever else you’d like to monitor; create a second signature, and use the Compare Signature option to see everything that’s changed on your system – both files and Registry keys.
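The before/after comparison described above can be sketched in a few lines. This is an added example, not OSForensics code or its signature format: the function names are hypothetical, it covers files only (no Registry hives), and the sample "install" is constructed in a temporary folder.

```python
import hashlib
import os
import tempfile

def create_signature(root):
    """Walk root and record (size, SHA-256) for every file under it."""
    signature = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as handle:
                    for chunk in iter(lambda: handle.read(1 << 20), b""):
                        digest.update(chunk)
                signature[rel] = (os.path.getsize(path), digest.hexdigest())
            except OSError:
                # Locked or vanished files are recorded as unreadable, not skipped.
                signature[rel] = None
    return signature

def compare_signatures(before, after):
    """Return sorted lists of created, modified and deleted relative paths."""
    common = set(before) & set(after)
    return {
        "created": sorted(set(after) - set(before)),
        "modified": sorted(p for p in common if before[p] != after[p]),
        "deleted": sorted(set(before) - set(after)),
    }

def demo():
    """Constructed sample: baseline, simulated install, second signature, compare."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("app.ini", "mode=1"), ("old.dll", "v1"), ("keep.txt", "same")):
            with open(os.path.join(root, name), "w") as f:
                f.write(text)
        before = create_signature(root)
        # Same length as before, so only the hash reveals the change.
        with open(os.path.join(root, "app.ini"), "w") as f:
            f.write("mode=2")
        os.remove(os.path.join(root, "old.dll"))
        os.makedirs(os.path.join(root, "plugins"))
        with open(os.path.join(root, "plugins", "new.dll"), "w") as f:
            f.write("v2")
        return compare_signatures(before, create_signature(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Hashing the contents matters because a file can change without its size changing, as the rewritten `app.ini` in the sample does.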
While this can be useful for all kinds of purposes, it’s just one of OSForensics’ many interesting features.
The Recent Activity module shows everything that’s happened on your system in the past day or so: documents opened, websites visited, wireless networks accessed, USB devices connected, and a whole lot more.
The Mount Drive Image option allows you to mount all kinds of image file formats as virtual drives in Explorer, for easy access (ISO, BIN, NRG, VMDK, IMG, DD and more).
And you also get comprehensive file search, an undelete tool, a password revealer, basic system information, a sector-level hard drive viewer, a RAM viewer which allows you to access the contents of live memory, and more.
Overall, OSForensics provides a very useful suite of tools, which have applications well beyond computer forensics. And while the full, finished version won’t be cheap ($499), PassMark are going to make a very capable Free Edition available, so you won’t be wasting time installing the beta. If you manage one or more PCs, and would find tools like the system signature creation/comparison useful, then we’d recommend you give OSForensics a try right now.