The basic technologies of this software are automatic analysis and parallel forensics which enable investigators to set different strategies and conduct digital investigation on several hard disks efficiently.
Forensics Master provides investigators essential functions such as systemand user artifacts, messenger & mail parser, file analysis, deleted
data & signature recovery, hash verification, etc.
Forensics Master is the most easy-to-use forensic analysis software. Investigators can acquire common artifacts from source drive by a three-step operation (Create Case->Add Source->OneKey Forensic).
• System Artifacts: Automatically parse Windows system information, involving OS, network configuration, installed application, services, etc.
• Application Artifacts: Search and acquire application artifacts automatically, including Windows Prefetch, registry UserAssist (ROT13 decryption),Windows search items, thumbnail artifact, printer artifacts (SPL), etc.
• USB Artifacts: Analyze system and application program artifacts; acquire USB usage records.
• Recycle Bin Artifacts: Extract user artifacts and deleted files in the Recycle Bin.
• Web Browser Artifacts: Acquire web history from Internet Explorer, Google Chrome, FireFox, 360, Maxthon, Opera, and other Internet browsers.
• Instant Messaging Artifacts: Load chat logs of Yahoo, Skype, MSN, and other IM programs without password.
• E-Mail Artifacts: Parse Outlook Express(DBX), Office Outlook(PST) and Foxmail (IND,BOX) and e EML compound files; recover deleted items from Outlook Express (DBX) and Foxmail (BOX).
• Anti-Forensic Detection: Search for anti-forensic applications and encryption applications (executable files),including Steganography tools, common encrypted files (Zip,Office, RAR, PDF,etc.) and containers (Private Disk, TrueCrypt, PGP Disk).
File System and Image Format Supported
• Disks: Support static disk, dynamic disk, MBR & GPT partitioned disks.
• File system: Support FAT12, FAT16, FAT32, exFAT, NTFS, CDFS, UDF, Ext2/3/4, HFSX/HFS+ file system; recover deleted files from FAT, NTFS, Ext2, and HFSX/HFS+ file system.
• Image Format: Acquire evidence to E01, DD, 001, and L01 image files; support VHD, VMDK, ISO, and AFF virtual machine disk image files.
File View Files
• Support fast view file especially pictures
• Simple keyword search, support most common codepages. Support fragmented email keyword searching (automatic keyword base64 conversion) and regular expression (like GREP).
• Support signature-based file recovery, formatted partition data recovery (like EnCase –Recover Folders) including FAT,NTFS,exFAT file system.
• Support video frame division,including AVI, WMV,ASF,RM,RMVB,etc.
• Parse Windows Event Logs and IIS logs.
• Verify file signatures and search for suspect files automatically.
• MD5, SHA-1, SHA-2 hashing for whole drive or single files.
• Perform forensic analysis in unallocated clusters, Pagefile.sys, and Hiberfil.sys.
• Generate analysis reports automatically.