Forensic Tools For Mac

Using forensic software does not, on its own, make the user a forensic analyst or the output court admissible. Publishing the whole or part of this list is licensed under the terms of the Creative Commons – Attribution Non-Commercial 4.0 license.

Unix Tools Included with Mac OS X

Several Unix tools are included with Mac OS X that can be useful in forensic investigations. The first of these, the dd command, was discussed in part 1 of this series as a method for acquiring a forensic disk image.

Due to the recent changes with Apple technology and recent security features included in macOS, we have extended the capabilities of our software to meet these new challenges and have released RECON ITR. To prevent future roadblocks, we decided to bring two of our best products together into one, to give forensic investigators the ability to adapt to the changes that Apple may have on the.

The course was designed for both the beginner Mac examiner as well as the advanced. Surprising to most is that the entire course is taught using a Mac to examine a Mac without the use of expensive automated forensic tools. Even more surprising is that the participants realize that they can find more evidence and find it faster!

BlackLight® computer forensic software by BlackBag enables you to quickly analyze computer volumes and mobile devices to shed light on user actions. With easy searching, filtering and sifting through large data sets, it’s simply the best software available for smart, comprehensive analysis.


Version 8 Beta

A Beta release of V8 of OSForensics for community testing and feedback is now available. Please see this forum post about the new features and the download link.

Older Versions

We are no longer working on older versions of OSForensics, but you can download the older versions of OSForensics on our website. This is purely for supporting users of the previous versions.

We recommend upgrading to Version 7 where possible, as we have improved many aspects of OSForensics and have addressed many issues based on user feedback.

If you do not wish to upgrade to Version 7, you can download old software releases here.

| Version | Download |
|---|---|
| OSForensics v6.1.1005 | Download |
| OSForensics v5.2.1007 | Download |
| OSForensics v4.0.1002 | Download |

System requirements

Windows Vista, Win 7, Win 8, Win 10
Windows Server 2000, 2003, 2008, 2012, 2016, 2019
32-bit and 64-bit support (64-bit recommended)
Minimum 1GB of RAM. (8GB+ recommended)
200MB of free disk space, or can be run from USB drive

Download Hash Sets

OSForensics allows you to use Hash Sets to quickly identify known safe files (such as operating system and program files) or known suspected files (such as viruses, trojans, hacker scripts) to reduce the need for further time-consuming analysis. You can download some sample hash sets below. They are individually zipped.

| Hash set | Size | Download |
|---|---|---|
| Windows 10 Home v1709 build:16299 (x64) hash set | 37,376 KB | Download |
| Windows 8.1 Professional (x64) hash set | 10,228 KB | Download |
| Windows 8.1 (x64) hash set | 10,232 KB | Download |
| Windows 8 Professional (x64) hash set | 9,785 KB | Download |
| Windows 8 (x64) hash set | 9,785 KB | Download |
| Win7 Ultimate (32-bit) hash set | 18,825 KB | Download |
| Win7 Enterprise (x64) hash set | 11,670 KB | Download |
| Vista Business (32-bit) hash set | 8,475 KB | Download |
| Vista Business (x64) hash set | 8,069 KB | Download |
| XP Professional SP3 (32-bit) hash set | 1,889 KB | Download |
| XP Professional SP2 (x64) hash set | 1,456 KB | Download |
| Office 365 v1806 build:10228 (Win10) hash set | 1,528 KB | Download |
| Office 2007 Enterprise (Vista) hash set | 1,313 KB | Download |
| Office 2007 Enterprise (Win7) hash set | 1,978 KB | Download |
| Common Keyloggers hash set. Old set from 2010 | 124 KB | Download |
| Common Keyloggers hash set on Win10 64bit, 2019. Already bundled with OSF V7 | 281 KB | Download |
| Common Peer to Peer P2P tools hash set on Win10 64bit, 2019. Already bundled with OSF V7 | 1177 KB | Download |
| Common Cryptocurrency tools hash set on Win10 64bit, 2019. Already bundled with OSF V7 | 761 KB | Download |
| Common VPN tools hash set on Win10 64bit, 2019. Already bundled with OSF V7 | 761 KB | Download |

The hash sets can also be purchased as a complete set pre-loaded onto a hard disk.
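The known-safe / known-suspect filtering described above, as an added Python example (not OSForensics code and not its hash set file format). The file names, contents and the two hash sets are constructed for the demonstration; it also shows that a renamed file still matches while a one-byte change does not.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="sha1", chunk=1 << 16):
    """Hash a file in chunks so large evidence files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def triage(root, known_safe, known_suspect):
    """Sort every file under root into safe / suspect / unknown by content hash."""
    result = {"safe": [], "suspect": [], "unknown": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            try:
                digest = file_digest(os.path.join(dirpath, name))
            except OSError:
                result["unknown"].append(name)   # unreadable: leave for manual review
                continue
            if digest in known_suspect:          # a suspect match outranks a safe one
                result["suspect"].append(name)
            elif digest in known_safe:
                result["safe"].append(name)
            else:
                result["unknown"].append(name)
    return result

def demo():
    # Constructed sample data standing in for real binaries and real hash sets.
    os_file = b"constructed stand-in for an operating system binary"
    logger = b"constructed stand-in for a keylogger binary"
    known_safe = {hashlib.sha1(os_file).hexdigest()}
    known_suspect = {hashlib.sha1(logger).hexdigest()}
    samples = {
        "kernel32.dll": os_file,
        "holiday.jpg": logger,           # renamed, content unchanged: still matches
        "svc.exe": logger + b"\x00",     # one byte appended: no longer matches
        "notes.txt": b"user document",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return triage(root, known_safe, known_suspect)
```

Files left in the unknown bucket are the ones that still need an examiner's attention; an exact-hash set says nothing about modified variants of a known file.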

Installing the Hash Sets

To install the hash sets, you must download the individual zip files (linked above), and unzip them into the OSForensics program data folder.

On Vista, Windows 7, Server 2008+ & Win10, this would typically be the following folder (you may need to enable viewing of hidden directories to see it or enter it directly into the Explorer address bar):
C:\ProgramData\PassMark\OSForensics\hashSets

On XP and Server 2000/2003, it is typically something like this:
C:\Documents and Settings\All Users\Application Data\PassMark\OSForensics\hashSets

You will then need to restart OSForensics if you have it currently open. When you next start OSForensics, you should now find additional sets listed in the tree view under the 'Hash Sets' module.

Download Rainbow Tables

OSForensics enables you to use Rainbow Tables to retrieve a password, provided that you have the hash of that password. Rainbow tables essentially serve as a time-memory trade-off in reversing a hash. That is, they store precomputed password-to-hash pairs, so that instead of generating these pairs on the fly, you can just search for a hash in the table to recover the password corresponding to that hash. OSForensics can generate Rainbow Tables for different input parameters.

Some example Rainbow Tables are available below for download. They are individually zipped. To install the Rainbow Tables for use with OSForensics, refer to the installation section below. To use these rainbow tables for password retrieval, click the 'Retrieve Password with Rainbow Table' tab in the Passwords module of OSForensics. You can also download and use Indexed Rainbow Tables from rainbowtables.com (use RTI1 files only) with OSForensics.

| Rainbow table | Size | Download |
|---|---|---|
| md5_loweralpha-numeric#1-7_0_72656x4797112_OSF | 32.6 MB | Download |
| lm_alpha-numeric#1-7_0_23680x23656320_OSF | 172 MB | Download |
| sha1_loweralpha-numeric#1-6_0_4235x3708576_OSF | 20.4 MB | Download |

The rainbow tables can also be purchased as a set pre-loaded onto a hard disk.
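The time-memory trade-off described above, as an added Python example (not OSForensics code or its table format). It goes one step beyond the simplified "password to hash pairs" description: a rainbow table keeps only the start and end of each hash/reduce chain and recomputes the interior during lookup. The three-letter keyspace, the reduction function and the salt value are assumptions chosen to keep the demonstration small.

```python
import hashlib
from itertools import product

CHARSET = "abcdefghijklmnopqrstuvwxyz"  # assumption: toy keyspace, 3 lowercase letters
LENGTH = 3
KEYSPACE = len(CHARSET) ** LENGTH

def md5_hex(password, salt=""):
    return hashlib.md5((salt + password).encode()).hexdigest()

def reduce_hash(digest, column):
    """Map a digest back into the keyspace; the column number varies the mapping."""
    n = (int(digest, 16) + column) % KEYSPACE
    return "".join(CHARSET[n // len(CHARSET) ** i % len(CHARSET)] for i in range(LENGTH))

def walk(word, first, last):
    """Advance a chain: hash, then reduce, for columns first..last-1."""
    for col in range(first, last):
        word = reduce_hash(md5_hex(word), col)
    return word

def build_table(starts, chain_len):
    """Store only endpoint -> start words; chain interiors are thrown away."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, 0, chain_len), []).append(start)
    return table

def lookup(table, target, chain_len):
    for col in range(chain_len - 1, -1, -1):  # guess the column the hash sits in
        end = reduce_hash(target, col)
        end = walk(end, col + 1, chain_len)
        for start in table.get(end, []):      # rebuild that chain and verify
            word = walk(start, 0, col)
            if md5_hex(word) == target:
                return word
    return None

def demo(chain_len=40):
    words = ["".join(p) for p in product(CHARSET, repeat=LENGTH)]
    table = build_table(words[::chain_len], chain_len)
    return {
        "keyspace": KEYSPACE,
        "stored_chains": sum(len(s) for s in table.values()),
        "unsalted": lookup(table, md5_hex("aaa"), chain_len),
        "salted": lookup(table, md5_hex("aaa", salt="x9"), chain_len),
    }
```

The table holds 440 chains for a keyspace of 17,576 candidates, and the lookup against the salted hash fails because the precomputed chains only apply to the unsalted function they were built for.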

Installing the Rainbow Tables

To install the Rainbow Tables, you must download the individual zip files (linked above), and unzip them into the RainbowTables folder located in the OSForensics program data folder.

On Vista, Windows 7-10, and Server 2008 and up, this would typically be the following folder (you may need to enable viewing of hidden directories to see it or enter it directly into the Explorer address bar):
C:\ProgramData\PassMark\OSForensics\RainbowTables

On XP and Server 2000/2003, it is typically something like this:
C:\Documents and Settings\All Users\Application Data\PassMark\OSForensics\RainbowTables

If you already have OSForensics open, then you may need to click the 'Refresh' button under the rainbow tables display window to view the rainbow table/s you have added.