WHO’S DOING WHAT ON YOUR PC?
What you need: Osforensics, Windows XP, Vista, 7 or 8 Time required: 20 mins
Have you ever wondered whether someone else has been using your PC? Or, if you use a shared PC at home or work, have you ever wanted to know what the other users have been up to; what programs have been used, what sites have been visited – even what USB devices have been connected? Osforensics is a free program that lets you find out all this and more, helping you analyse all activity carried out on your computer, find out what’s slowing your PC and you can also use it to recover deleted files.
STEP1
Go to www.snipca.com/17309 and click the Download button. Run the downloaded file and follow the instructions to install it (there’s no hidden software to opt out of). At the end of the process, leave the Launch Osforensics option ticked and click Finish. When the program launches you’ll be prompted to upgrade to the Pro version (which costs £320), but the basic program (including everything in this Workshop) is free for personal use, so click Continue Using Free Version 1 instead.
STEP2
Before you start using any of the tools, you need to create a ‘Case’. These are files that let you gather information and save your findings. You can export data from these Cases and produce reports based on the saved information. In the main window, click Create Case (in the Case Management section) at the top. Now type a name for your file next to Case Name 1 . Adding information in the other fields is optional. Ensure ‘Live Acquisition of Current Machine’ is selected 2 , then click OK 3 .
STEP 3
To analyse activity on your PC, click the Recent Activity button 1 in the left-hand pane. Make sure ‘Live Acquisition of Current Machine’ is selected at the top. Click the Config button at the top right. By default, all boxes are ticked but you can click the Uncheck All button 2 and tick only the activities you want to include in your scan. Next, select the ‘Search date range only’ option 3 and choose a date range for which you want to monitor your PC’S activity by clicking the From and To fields and selecting the dates. Click OK.
STEP4
Now click the Scan button at the top right. Once the scan is complete, you’ll see a summary of all the items found. Click OK and browse the results. In the left-hand column 1 you’ll see a list of categories. Click a category – URLS, for example – to see all the items of that type or select All (at the top) to see all items. The main pane 2 shows the items themselves, along with which PC user accessed them and when 3 . By default, the results are listed by type, but you can re-order them by date, user or file name, using the Sort By menu at the bottom right.
STEP5
At the top of the pane you’ll see three tabs 1 . Click File Details for more details on each item and Timeline for a bar chart displaying when each activity took place. Now go back to the File List tab. Press Ctrl+click to select multiple items, then right-click one of them and move your cursor to ‘Add to Case’ 2 . From here you can either add the item(s) you’ve selected or opt to add all the items in the activity list to your Case 3 . In the box that opens, type a name (‘PC activity’, for example), then click OK.
STEP6
Click Manage Case 1 and ensure your Case is ticked in the Select Case pane 2 . In the lower pane, you should see the item you added in Step 5. Double-click it to see a report of that activity in your browser, including who last used your PC and when. You can add further activity scans if you want to continue monitoring your PC’S usage over a longer period. At any time you can click Generate Report 3 to export a file summarising all the activity you’ve monitored. You can also attach files (click Add Attachment 4 ) if you want to include further information – documents that have been opened, for example.
STEP7
Osforensics has many other uses. For example, to find out what processes are running in your system memory, click Memory Viewer 1 . One of the program’s most useful functions is the ability to scan for and restore deleted files. To do that, click Deleted Files Search 2 . Now select your PC’S hard drive from the Disk dropdown menu at the top. You can narrow your search – choose Images from the Presets menu 3 , for example – then click Search. Right-click an item in the list that appears to view or save it. ●