You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
OSForensics 5.2.1005
V5.2.1005 - 22nd of February 2018
- Disk test
- Fixed a crash when formatting as FAT32 fails.
- Fixed an issue with formatting as FAT32 on small drives.
- Deleted Files
- Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
- Fixed an uncaught exception error when loading MFT for some OSF devices.
- Fix a Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
- Fixed error box appearing when failing to read non-resident MFT attributes (eg. LCN is invalid as the MFT attribute has been overwritten). Instead, the error is logged and the search silently continues
- When parsing $ATTRIBUTE_LIST, buffer is now properly allocated according to the size of the attribute. Previously, this caused an assert error to occur due to the buffer size being too small
- Internal Viewer
- Fixed potential memory leak when generating video thumbnails
- Fixed potential concurrency issues when loading videos
- Mismatch File Search
- Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV
- Password recovery
- Removed a "File not found" error when running the windows password search on a non system drive
- System Information
- Fixed a possible crash when getting printer information
- Triage Wizard
- Fixed an uncaught exception error that could occur when running a scan on a non system drive (eg D) and having only windows passwords selected.
- Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
- Dołączył
- 26 Maj 2015
- Posty
- 19243
- Reakcje/Polubienia
- 56070
OSForensics 5.2.1006
v5.2.1006 - 26th of February 2018
- Case Manager
- Report Fix, if the background thread copying files for report didn't exit cleanly OSF may warn of background activity when quitting.
- Case Details Dialog
- Fixed bug that might cause case narrative text to be reset to default when editing case details.
- Will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
- Case Export
- Changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 6.0.1000
V6.0.1000 - 21st of June 2018
V5.2.1007 - 16th of March 2018
- Case Management
- Added "Export case" feature
- Added a list of reports that have been generated (in case directory or last known export directory)
- When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
- Changed list view to allow groups (devices, reports, files etc) to be collapsible
- Added last access date to case management when case is loaded
- Fixed error copying files with long file paths in when a report was created and the report contained deep / long paths.
- Fixed a bug when creating a case report that was leaving a file handle open
- Added support for encrypting PDF report
- Added predefined offenses list to 'Offense' drop down list when creating/editing case
- Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
- Case Details Dialog, will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
- Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
- Re-added "E-mail Delivery Time" to report and the associated timezone
- Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
- Report production progress window was added to show some progress activity when very large reports are produced.
- New Command Line Parameter to load a specific case (-C ), if path does not exists or CaseDetails.OSFCase file cannot be found, OSF will default to loading the the last case used.
- Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links where broken when a report was produced.
- Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
- Fixed special characters not being escaped when generating reports
- Create index
- New indexing engine (Zoom V8 with multi-threaded offline indexing)
- Much better indexing performance (3x speed increase)
- Updated Create Index interface with new file type selections,
- New "Memory optimization / Indexing Limits" step to bypass Pre-scan
- Added support for user configurable number of indexing threads (up to 10)
- Added options to enable RAM drive for temporary files
- Improved RAM estimations and Indexing Limits settings
- Improved indexing Status interface
- Updated OSF interface to show multi-threaded indexing
- Updated OSF Create Index options to offer more control with file type selection
- Removed unnecessary indexing warnings
- Added count display for Prescan
- Added thousands grouping for large numbers shown in Create Index windows
- Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
- Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
- Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
- Fixed a bug with indexing the compete content of Emails in PST files that were text only EMails.
- OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.
- Deleted Files
- Column ordering, visibility and size now saved in OSForensics config file
- Configuration options now saved in OSForensics config file
- Fixed a crash caused by logging a magic number incorrectly when getting deleted files
- Fixed uncaught exception error when loading MFT for some OSF devices
- Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
- Added check for buffer overrun when looking for slack $I30 entries
- Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
- Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
- File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
- File Carver, TIFF/CR2 extraction should be better.
- Disk Imaging
- Added extra check if the first read fails when verifying the image created.
- Previously if the disk did not contain a valid MBR this would cause it not to show up in the list (as it would have no partitions) But the disk might be file system boot sector. These disk are now correctly shown.
- There is now the option to specify primary and/or secondary hash functions for imaging disk. So the user can select SHA1 instead of just MD5. Or calculate two hashes at the same time.
- Disk Preparation
- Can now wipe BitLocked drives. Previously these drives appeared to be lock and could not be formatted.
- In case of a physical drive failure, additional error codes have been added to the status window
- Disk Test
- Fixed issue with formatting as FAT32 on small drives.
- Fixed Crash when formatting as FAT32 fails.
- E-mail Viewer
- E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
- Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
- Fixed bug where case item title set to '' when selecting 'Use same details for all'
- File System Browser
- Added right-click menu option to jump to MFT record in the raw disk viewer
- Fixed stack overflow when attempting to add device to case
- File Name Search
- Added an "Uncheck all" menu item to uncheck currently selected items
- Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
- Column ordering, visibility and size now saved in OSForensics config file
- Removed folders from results when filtering using hash set
- When filtering using hash set, fixed bug with current file being added to results after cancelling search
- 'In hash set' flag is now set for results when hash set is used and made active
- Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
- Re-arranged configuration dialog
- Forensic Imaging
- Re-arranged tabs
- Create Image, for physical disks, disk model and serial number are now saved in the info file
- Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
- Device & SMART Info, Added support for export and adding report to case
- Device/SMART Info, added mouseover tooltip descriptions for SMART attributes
- Forensics Copy
- Moved allocation of virtual disk image to thread to prevent system from being unresponsive
- Hash Set
- Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
- Fixed deleted hash set databases appearing in the file name search config drop down box
- Re-organised buttons in main window
- Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
- Added default database name when importing VIC data set
- Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
- Fixed hash set operation LED still "active" when there's an error
- Fixed number display and file size formatting to be more readable for large import files (> 4GB)
- When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)
- Hash set lookup
- Added right click menu option to open files in internal viewer
- Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
- When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
- When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.
- Install and run from USB
- Added help Link
- Added separate "temp build" directory field when using WinPEBuilder.
- Updated WinPE builder to deal with new latest WinPE10 changes
- Internal File Viewer
- EFS Support (encrypted file system). When an EFS file now opened in the file viewer a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
- Hex View, added right-click option to add selected strings to case (as HTML file)
- Fixed potential mem leak when generating video thumbnails
- Fixed potential concurrency issues when loading videos
- Added OCR view (Win10 only)
- Memory viewer
- Column ordering, visibility and size now saved in OSForensics config file
- Added button to add memory dump to case
- Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
- Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.
- Mismatch File Search
- Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV
- NSRL Hash Import
- Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
- Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
- New NSRL import config window to specify input and (temp) output folders
- Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
- Updated help file with info about allocating enough space on a RAM drive.
- Status now displays percentage counter during file importing
- Password Recovery
- Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
- Column ordering, visibility and size now saved in OSForensics config file
- Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as FireFox have started distributing as 64bit).
- Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
- Registry Passwords , added support for win10 anniversary update for live system in Forensics mode
- Removed a "File not found" error when running the windows password search on a non system drive
- Prefetch Viewer
- Added right-click option to export selected items to CSV
- Rainbow Tables
- Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being past to format string when secure case logger was enabled
- Raw Disk Viewer
- Added progress window when carving to file
- Renamed 'Decode' window to 'Disk Info'
- Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
- Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
- Clicking on file paths now open the internal viewer
- Clicking on LCN/offsets now jump to the offset in the raw disk viewer
- Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
- Fixed crash issue when sector size could not be determined
- Fixed right-click "Jump to offset" not working some of the time
- Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.
- Recent Activity
- Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
- "Show empty activity types" checkbox to default to on so empty types are displayed
- Results are now sorted by Date (desc order) by default
- Fixed possible crash when reading jumplist info
- Added function to collect new Win10 Timeline database for artifacts
- Added more displayed information for windows event items.
- Registry Viewer
- Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
- Fixed a possible crash when processing a registry file
- SQLite Browser
- Will checks for Skype Sqlite database files during "Scan for DB Files".
- Resizeable Dialog/Controls
- Option (enabled by default) to convert known timestamps to readable format
- Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
- Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive
- System Information
- A new tab is now created for every new system information command
- Added option to restore command lists back to default
- Added "Recovery of Bitlocker Keys" to command list
- Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
- Added support for Embedded Python 3.6.5
- Removed the "Get" from the start of some item names.
- Changed button text from 'Add...' to 'New...' when adding new commands
- Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
- Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
- Re-organized controls
- Added command to get current clipboard contents
- Added command to get anti malware (windows defender) software status
- Added command to get current TPM status
- Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
- Fixed crash possible with getting printer info when system returns bad information.
- Triage Wizard (now renamed to Auto-Triage)
- Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wan't ready for you.
- Added option to create logical image with known system files
- Added agent help text when mouse is hovering over a control
- Added a free disk space check (for at least 1GB + memory size if memory dump selected)
- Fixed a unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
- Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
- Fixed a crash caused by trial limitations when running the triage wizard
- Web Browser
- Added status bar to browser.
- Can now select export format as Web Archive Format (.mht) when exporting webpage.
- Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
- There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
- Added a progress indicator for downloading large files.
- Misc
- Added colour coding of encrypted files displayed in a file list
- Added exit confirmation message
- Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
- Fixed a long delay at startup when not running as Admin
- Removed agent icon from feature description text on start window
- After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
- Changed how temp files are stored, each thread now has a temp folder
- Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esetutl as was timing out during triage runs
- To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
- Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
- Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging
- Recent Activity
- Fixed an error that could display when a jumplist was finished being processed
- Registry Viewer
- Fixed a crash that could occur when reading a registry file
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
krisluck60
Bardzo aktywny
OSForensics 7.0.1000
V7.0 build 1000 31st July 2019
- Platform support
- OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.
- Add Device
- Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows.
- Android Logical
- Fixed issue where during logical copy, some directories were not being included.
- Android Artifact
- Removed misleading text indicated "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
- Photo artifacts were only looking at the "data\\com.google.android.apps.photos\\db\\gph otos 0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advance viewing/search options.
- MMS extracted with OSFExtract will show recipients on the message.
- Android Copy
- Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
- Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file. Which contains the addresses (recipients) for MMS threads.
- Auto triage
- Added configuration options for logical image creation
- Moved deleted files report export to a separate thread to improve responsiveness
- Moved recent activity report export to a separate thread to improve responsiveness
- Disabled hashing of signature file list to improve responsiveness
- Boot Virtual Machine
- Added ability to boot an image as a VM from OSForensics.
- Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
- Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
- Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted were you left off
- Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
- Added 'Boot Virtual Machine' icon to Start page
- User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
- Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use with ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
- VMWare 14,15 and VirtualBox 6 are supported as hypervisors
- Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
- Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
- Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files are required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) is known to have a problem.
- There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
- A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
- Case Manager
- Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
- Defined new hash set flag level "major" for Project VIC
- Add info dialog when adding a Bitlocker-encrypted drive to Case
- Added new case item group for virtual machines
- Added case details tab for customizing category definitions
- Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
- Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
- Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
- Reporting, "Skip Empty" checkbox to do not include empty artifact categories in the generated reports.
- Add button for the Case Narrative (html) editor in the main Manage Case module.
- Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list
- When deleting a device that was the case default device the default device will now be set to the first device associated with the case or the C drive if there are no more devices.
- Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
- When removing categories, all case items belonging to category shall be unassigned
- Categories can now have optional "Notes" property
- Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
- When adding or editing case items, a new category can be entered in the Category dropdown
- Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.
- Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
- Removed all options other than 'Delete' when right-clicking multiple selected items
- Fixed possible crash when sorting Case Item name
- Added missing 'Raw Disk' exports to generated report
- Create Index / Browse Index
- New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
- Updated indexing engine, with lots of more minor changes for handling different file types & performance.
- Added ability to skip pre-scan when creating an index
- At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
- Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
- Fixed bug with substring searches applying within exact phrases
- Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
- Fixed Check/Uncheck all buttons not affecting new file type options
- Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
- Fixed bug with filenames not being indexed for PDF files and other plugin formats
- Improved error messages when failing to launch indexer
- Fixed "Failed to add folder" bug with Create Index -> Add folder
- Fixed bugs with handling multi-partition images
- Fixed bug with Index names ending with "." which caused various failures
- Fixed indexing unallocated clusters for entire disk images
- Create Signature
- File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
- Compare Signature
- Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
- When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
- Added a new difference type of "Attributes Modified"
- Deleted Files / File Carving
- Hashing of files will only be performed for non-empty files (0 byte files are skipped).
- Improved responsiveness by not redrawing window if not visible
- Fixed a lockup that could occur
- Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
- Removed message dialog when no files are found
- Checkbox added to enable/disable extensions for file carving.
- Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
- Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes only at the beginning of the sector.
- Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
- Updated JPG file header definition to decrease number of false positive when carving.
- Added definition for SQLite files
- Added definition and extractors for Intel based Assembly Files (.asm)
- Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Lecia/Panasonic RAW Image) formats
- Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
- List view in Status Window showing total files found is now sortable.
- Fixed issue when "Applying Filter" was not returning (stuck in loop).
- Fixed issue with double counting files with simliar header pattern.
- Drive preparation
- Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
- Email Viewer
- Fixed UI issues when minimizing and restoring windows
- ESEDB Viewer
- Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
- Columns can now be sorted by clicking on the column heading
- Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
- File Name Search
- Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
- Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
- Change the module icon from "disk" to "binocular" to be consistent with the main menu.
- Config, fixed bug where hash sets were not populating in the drop down selection.
- Added right-click option to show only checkmarked files.
- Added ability to include additional folders and/or exclude folders from the File Name Search.
- When switching cases, any previous search result previously performed will be cleared.
- Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
- Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
- Started saving column ordering, visibility and size in OSF config file
- Fixed default title not being updated when adding multiple files to case
- File Previewer/Image viewer
- Added support for single image HEIC files
- File System Browser
- Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
- Fixed hidden scrollbar when minimizing/restoring the window
- Fixed vector Out of bounds crash
- Forensic Imaging
- Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
- Forensic Copy
- Added option to add individual files to the image list instead of just only folders.
- Improved performance of looking up duplicate paths by keeping track of hashes
- Fixed copy operation not aborting after pressing 'Stop'
- Changed source list view to owner draw for better performance
- Moved total file size calculation to a separate thread for better response
- Hash Set
- Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
- Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
- Added support for importing V2.0 format VIC hash set.
- Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
- Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
- Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
- Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
- When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
- Made error message more descriptive on import failure. Fixed bug holding hast set open after failure to import that was preventing deletion.
- Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
- Added "Delete" option from Hash Set Viewer window (right click menu)
- Added confirmation message box when deleting a hash set
- Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
- Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
- Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
- Improved error message when failing to open .OSFHashSet file which is read only
- NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
- Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
- Changed "Look up Hash Set" dialog to not close window when user cancels look up.
- Install to USB
- Added option to exclude password recovery dictionaries and rainbow tables from USB install
- Changed out of space error message to use MB instead of bytes
- Added option to include Hash Sets to be exported during install.
- Internal Viewer
- File Info, added text to indicate if the file does not exist at the location
- Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
- Added preservation of 'create' and 'access' times, when available
- Fixed contents of certain .rar files not being displayed (RAR5)
- CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
- Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
- Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.
- Hex View, will extract strings in file slack space if show slack is enabled.
- MemViewer
- Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
- Raw Memory Dump, added progress bar and estimated time remaining.
- Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
- OSFDevMgr
- Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
- Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
- Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
- Password Recovery
- Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
- Made some changes so the registry reading code at this point so it is now thread safe and will work better with the auto triage.
- Started saving column ordering, visibility and size in OSF config file
- Changed LM/NT references from "(disabled)" to "(empty)"
- Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
- 40-Bit Encryption, fix for parsing output of 40-bit file.
- Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
- Enabled debug logging for run_server.exe when OSF is ran in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
- Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
- Fixed bug where checked item count was not being reset if "Acquire password" was clicked again
- Prefetch Viewer
- Added all available run times to results list and exports
- Raw disk viewer
- Fixed incorrect GPT 'Partition name' in Data Decode window
- Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)
- Recent Activity – Renamed to User Activity
- User Activity
- Addition of System Resource Usage Monitor (SRUM) database scanning, will display items from the Application Resource Usage, Network Usage, Network Connectivity and Push Notifications database tables.
- Made the user activity navigation pane with the Tree view resizable.
- Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
- P2P, Fixed crash when running on Ubuntu drive
- Changed "Show empty activity types" checkbox to default to on so empty types are displayed
- Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
- Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry
- No longer stopping the windows search service when the windows search option is selected for a live system scan
- Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
- Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\OpenSavePIDlMRU
- Added the other 7 run time stamps for Prefetch Files (for 8 total).
- Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
- Added Event Log Login Types description
- Added MRU Adobe Acrobat Reader DC Artifacts
- Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
- MRU, Fixed crash when parsing Window's XP Registry files for OpenSave and LastVisit MRU
- Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
- Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
- Added +/- expand collapse for artifacts that have subcategories.
- Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
- Fixed bug where the number of checked items links was not being shown in the File List Tab.
- Added VLC artifacts for Windows and OSX/Mac
- Added Windows Media Player Last played and folders artifacts
- Added Mapped Network Locations from HKCU\Network
- Opera, fixed opera version being read incorrectly for new versions of opera
- Opera, fixed bug stopping opera password data being read correctly
- Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders
- Registry Viewer
- Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).
- System Information
- Removed "Get" from the Registry Commands.
- Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
- Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
- Added a quick search box to search the text of the current result tab.
- Added full name, description and password hint to “Get user information (Registry)” output
- Fix to process "Enter" key notification while using the Find Text Control.
- Thumbnail View
- Items found in hash set are now entirely highlighted (not just text)
- Web Browser
- Updated video download script to support recent changes at Youtube which broke video download feature.
- Misc
- Consolidated Red/Green/Yellow bookmarks into single generic bookmark
- Renamed 'bookmarks' to 'tags'
- Added 'tag' icon to replace previous 'flag' icon
- Made some changes so OSF will start as the top most window (sometimes it would start in the background)
- Updated help file
- Fixed bug with unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
- Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system where not reflected in File System Browser due to caching.
- Updated 7zip DLL
- Better reporting of SQL errors with hashset databases
- Fix for bug with scroll bars in Compare Signature and Browse Index
- New logging engine when using DEBUGMODE. Has more detail and has less overhead.
- Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 7.1.1009
V7.1 build 1009 23rd March 2020
- Create Index
- Fixed crash bug when multi-threaded indexing and extracting text from system binary files and non-system binary files
- Password Recovery
- Added a dialog to allow individual partition selection when trying to run on a disk image mounted as the entire disk that contains multiple partitions
- Fixed a potential crash that could occur when recovering passwords (mostly affecting chrome passwords)
- Registry Viewer
- Made some changes to work better with disk images mounted as the entire disk that contains multiple partitions, will now scan multiple partitions for known registry files
- User Activity
- Added a dialog to allow individual partition selection when trying to run user activity on a disk image mounted as the entire disk that contains multiple partitions
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 8.0.1004
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 8.0.1005
December 30, 2020
- Auto Triage:
- Upgraded the screen capture to take screenshots of all running program windows.
- Removed the drive selection drop-down list and changed it to select the OS boot drive to perform live acquisition scanning.
- Case manager:
- Fixed an issue when exporting a report using the copy files option, if a source file was read only then multiple error messages could be show during the file copy process.
- Improved speed of export when large amounts of files are being exported as part of the report
- USEDB viewer:
- updated to library code for compatibility with newer helper libraries
- Verify Hash:
- Fixed a bug where clicking the "upper case output" option after generating a hash would not update the primary hash and instead replace the secondary hash with the upper case primary
- File system support:
- Updated library code for reading E01 and L01 files. While there were multiple changes under the hood, the most visiible change should be better support for L01 image files. In particular it fixes a case where a NTFS directory entry in a L01 could point to the wrong file.
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 10.0 Build 1013
V10.0 Build 1013 26th May 2023
- File Viewer/File Name Search
- Added MSVCP140.dll and vcruntime140.dll to fix missing system file issue that could happen when opening docx files and filtering on EXIF metadata in some Windows 11 builds
- Manage Case
- Fixed issue where USB write block was not being enabled/disabled
- Start Page
- Fixed issue where 'USB Write: Enabled/Disabled' icon text was not updating in custom workflows
- Fixed issue where 'USB Write: Enabled/Disabled' text was written onto the wrong icon
V10.0 Build 1012 16th May 2023
- Report Generation
- Fixed issue where all 'Photos of Acquired Evidence' were added to every 'Category' section
V10.0 Build 1011 12th May 2023
- ESEDB Viewer
- Fixed a bug where Windows.edb file could not be loaded from an image file
- Changed the selecting custom Windows.edb file behavior to make the Windows.edb filepath as the initial directory
- Logical Image - Android Copy
- Fixed possible crash during imaging due to long file names/extension
- Program Artifacts
- Fixed parsing of the prefetch files for windows 10 builds 1903 and newer to collect the correct run count
- Report Generation
- Fixed issue where all 'Exported Files' were added to every 'Category' section
- Enabled hiding of thumbnails for PDF reports
- Fixed issue where options was not disabled for certain report options
- Misc
- Fixed issue with hover text not displaying properly on toolbar icons (Script Player & SQLite Browser)
- Fixed issue where email files and BitLocker files could not be read in Forensics mode
V10.0 Build 1010 26th April 2023
- Case Manager
- Fixed tagged files not being saved to the case due to incorrect duplicate file check
- Hash Set
- Fixed bug with exporting CSV files, category was not being exported in the CSV
- Updated example export output in Help File
- Install to USB
- Fixed bug when Installing OSForensics to USB drive with an old version subscription key, it may wipe the current license from the local install
- Raw Disk Viewer
- Add support for ext4 64-bit feature
- System Information
- Fixed crash when “Live Acquisition - Current Machine” is selected for the scan and “Basic System Information” command is selected
- Web Browser
- Fix bug where OSF may fail to add downloaded video file to case
- Misc
- Updated VolatilityWorkbench to V3.0.1004
V10.0 Build 1009 23rd February 2023
- Misc
- Updated WinPEBuilder for ffmpeg support in WinPE
- Fixed signing issue with previous build
V10.0 Build 1008 22nd February 2023
- File Carver
- Fixed possible crash during carving when verifying carved images with GDI
- USB Install
- Fixed crash when trying to create a USB install with all checkboxes selected
- Misc
- Fixed ffmpeg library loading warning on machines with Visual C++ Redistributable not installed
V10.0 Build 1007 23rd January 2023
- Boot VM
- Fixed error booting MacOS image on VirtualBox for some systems
- Added a check to prevent user from adding VM to case if a case is not open
- Case Management
- Reports, added option to have a minimum font size when exporting report as PDF
- Increased font sizes for better readability when exporting as PDF
- Reports, added checkbox for case report dialog "Include thumbnails" to allow thumbnails to be enabled/disabled. It can be useful to disable thumbnails for reports with thousands of images otherwise they may not open correctly in a web browser
- Deleted Files
- Fixed possible crash when looking up carved files in hash set
- Email Viewer
- Fixed bug when exporting PST emails to list. The TO, CC, and BCC fields were not cleared between emails
- Internal Viewer
- Ffmpeg, fixed ffmpeg library error by re-arranging load order of DLLs (previously could display a “Failed to load library” error at OSForensics start-up)
- Mobile Artifacts
- Fixed bug with exporting SMS to CSV/Text where Sent/Received field was displaying only received
- Fixed bug with exporting SMS to CSV/Text where selected checked items were not being exported correctly. The export was incorrectly using fixed GUI list position index and not the internal list indexes
- Password Recovery
- Fixed some possible crashes that could occur
- User Activity
- Fixed possible crash when scanning MRU
V10.0 Build 1006 28th November 2022
- E-mail Viewer
- Fixed Ctrl+J jump to message shortcut not working
- Create / Search Index
- New indexer builds
- Fixed email indexing issue with delimiter character
- Internal Viewer
- Metadata, allow the user to manually extract EXIF data For large files that need to be saved temporarily on disk
- Ffmpeg, fixed pts-related bug affecting certain video files (eg. mjpeg/Microsoft PCM)
- Images, added file size limit for reading to buffer when using libheif
- Misc
- Replace file size limit with warning prompt when creating temporary copy of a large file
V10.0 Build 1005 14th November 2022
- Analyze Shadow Copy
- Fixed bug where it exported results as HTML when CSV was selected
- Case Manager
- Fix possible crash when calculating case folder sizes
- Create / Search Index
- Fixed possible crash during device prescan of unallocated cluster
- Search index option dialog, fixed a crash when adding additional indexes
- Email Viewer
- Fixed a crash that could occur when searching
- Internal Viewer
- FFmpeg Player, fixed crash when scaling video frames (for videos that are rotated)
- Video will now scale to window size if larger than the video resolution
- Misc
- Improved error message when failing to create temporary file when opening a file in an external program
V10.0 Build 1004 27th September 2022
- Case Management
- Reporting, increased PDF report generation timeout
- Reporting, added a progress window when exporting report as a PDF
- Devices, added support for BDE volumes with a clear key
- Create Index
- Fixed bug where if multiple folders/unallocated are added, the indexers fails to run
- Deleted Files
- Fixed crash when carving MFT records on disks without valid file systems
- Email Viewer
- Added checkbox option to search for attachment filenames
- Password Recovery
- Added an error message and retry option if Chrome local state file was locked (triggered if using Chrome to login into a site or switch profiles at the same time as running a scan in OSF)
- Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
- Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure
- Decryption and Password Recovery, made a change so that the number of available GPUs is not checked until clicking on the tab (previously it would happen at OSF startup and could cause a crash if GPU drivers are out of date)
- Fixed bug where scan was being preformed on Live system regardless of which drive was selected
- Rainbow Tables
- Fixed bug where 'recover passwords' button did not resize properly after recovery is completed/cancelled
- Start Page
- Added icon and button to display USB write blocking current setting, displayed as "USB Write: Enabled" or "USB Write: Disabled", and can be toggled on and off using this button (current case setting will be changed)
- User Activity
- Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
- Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure
V10.0 Build 1003 9th August 2022
- Auto Triage
- Fixed crash in Auto Triage > Logical Image Configuration when selecting Peer 2 Peer option (pattern string length was too long)
- Fixed crash in Auto Triage > Password recovery
- Memory Viewer
- Fixed a "certificate was explicitly revoked by its issuer" error when saving a memory dump to disk
- Password Recovery
- Fixed windows login passwords not scanning when using live acquisition
- User Activity
- Fixed bug when trying to re-order columns for USB items that would cause the columns to disappear until OSF was restarted
- User Interface
- Mitigated Window drag lag (effect was more prominent with mouse using with high polling rates (>300/s))
- Misc
- Fixed issue with OSF not validating some key.dat files because of extra lines in the file
V10.0 Build 1002 5th August 2022
- Create / Search Index
- Fixed crash when saving and loading index configurations
- File System Browser
- Fixed file entries not appearing in Details/List View in Win 7
- Install to USB
- Added config link to adjust auto triage options in USB install window
- Localisation
- Further UI adjustments for localisation
- Start Window
- Fixed filename bug when opening a file directly from the start window (registry, email, etc) where the filename could be random text or not open correctly
- ThumbCache Viewer
- Fixed thumbnails not appearing in List View in Win 7
V10.0 Build 1001 22nd July 2022
- Localisation
- UI adjustments for localisation
- Added some missing strings to localisation
- OSFMount
- Updated OSFMount files to fix driver and program version mismatch
- User Activity
- Increased event info string size to avoid overflow
- Volatility Workbench
- Updated Volatility tool from "3 1.0.1 - beta" to "3 2.0.1"
- Added new volatility commands to volatility workbench
V10.0 Build 1000 14th July 2022
- Auto Triage
- Added option to enable running auto triage automatically on startup, which can be enabled in the install to usb dialog and use settings last set
- Added splash screen and progress bar when running auto triage as a standalone option
- Analyze Shadow Copy
- Added ability to find shadow copies from analyze dialog without adding to case first
- Boot VM
- Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
- Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
- Added check and display error for partition-only images without a supported OS before mounting as physical disk
- Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
- Case Manager
- Support for adding recovered partitions to case
- Added ability to save and load custom templates for evidence categories
- Added ability to rename case devices after they have been added
- Add Device, changed the default display name to include the date the shadow copy was taken
- Added time zone names to time zone drop down and case report
- Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
- Report Generation, added the details of OSFOrensics digital signature to generated reports
- Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
- Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
- Report Generation, Added "Software Verification" link in report sidebar
- Report Generation, Added certificate verification information to non HTML reports
- Clipboard Viewer / ThumbCache Viewer
- Will now draw checkerboard background for improved display of transparent images
- Improved drawing of images to reduce flickering
- Deleted Files
- File carving, optimization. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with an Mac E01 disk image with default carving config)
- File carving, optimization, updated extensions with header signature ????ftyp to \x00\x00\x00?ftyp instead. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
- File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving
- File carving, optimization, improved the responsiveness for OSForensics when carving is running
- File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
- For FAT and NTFS files systems, added option to carve only Allocated sectors
- Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
- MFT and Carving now enabled by default
- Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
- Changed name Plist to Binary Plist and improved detection to limit false positives
- File carving, fixed possible crash when carving MP3 files
- File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
- Added secondary sorting on second column (via dropdown and/or control click on details tab)
- Disabled sorting while deleted file scan is in progress
- Lowered priority level of carving threads to improve response from computer when carving is in progress
- Thumbnail Tab, added a quality level indicator to the thumbnails preview
- Added support for carving MFT file records on non-NTFS quick formatted volumes
- Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
- Added new scan method to config window, changed dropdown box to checkboxes
- Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
- Added check for large buffer sizes before allocating memory when detecting faces
- Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running
- File carving, improved carving of HTML files
- File carving, reduced false positives for FLV files
- File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
- File carving, better handling of .eml files (will verify that both "From:" and "Date:" field are present
- File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family)
- File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
- Opening internal viewer for Plist Files from within the deleted files module should now work
- NTFS, fixed potential memory issue when restoring deleted files
- NTFS, added more debug verbosity when restoring deleted files to disk
- Device Manager
- Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
- Disk Image and Filesystem Support
- HFS+, preliminary support for compressed files
- HFS+, fixed bug in decompressing zlib-compressed file data
- HFS+, support for reading lzvn-compressed file data stored in resource fork
- APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
- APFS, fixed reading compressed file data for files with hard links
- APFS, fixed bug in decompressing zlib-compressed file data
- NTFS, fixed bug in incorrect file being opened due to hash collision
- E-mail Viewer
- Message body containing inline content (eg. base64-encoded jpgs) now displayed as attachments
- Thumbnail preview for supported image attachments on mouse over
- ESEDB Viewer
- Viewer now displays when binary data has been found
- Search now looks for ASCII strings present in binary data fields
- Event Log Viewer
- Added "Device Connected/Disconnected" option to the filter preset list
- File Name Search
- Added Hash Set column which identifies which hash set the file was located in
- Fixed $FILE_NAME dates not being displayed for entire disk images added to case
- Added a reset button to config dialog which sets all changes made by user back to their defaults
- Made several popup dialogs to close when 'esc' is pressed
- Now using ffmpeg library instead of exiftool for counting video tracks for better performance
- Forensic and Cloud Imaging
- Rebuild RAID Disk, added support for detecting and rebuilding Linux mdadm RAID using superblock v1.X
- Forensics Copy, added ability to export forensic image as zip file
- Internal Viewer
- Perform initialization/shutdown of Media Foundation once rather than for every internal viewer instance
- Fixed issue that prevented deleted files opened from File System Browser from showing in the File Viewer
- Fixed incorrect thumbnail being draw for current item, after the list is updated
- Migrated library for media playback from Windows Media Foundation to ffmpeg
- Added support for playing media from memory buffer sources (eg. deleted files)
- Will now display a specific error message when attempting to open media file with corrupted attributes (duration, video pixel format, etc)
- Fixed flickering from redrawing thumbnails from deleted search result
- Automatically rotate videos if rotation metadata available
- Added a check to only redraw thumbnails if the items changed
- Metadata, display an error message if exiftool executable was not found
- Fixed multithreading bug causing media playback issues when opening multiple instances of the same file
- Fixed video paint issues when resizing window
- Fixed first video frame occasionally being displayed immediately after loading preview thumbnail images
- File viewer support, added opening deleted files (image, video/audio, android backup, compressed archive, office files)
- Added right-click menu support for deleted files
- Install to USB
- Fixed bug, files required by the web browser module were not being copied
- Localisation
- Added localisation support for Korean, Chinese (simplified and traditional), Japanese, Spanish, German and French
- Mismatch File Search
- Separated default and user-created filters, removed "built-in" text
- OSForensics Digital Signature Verification
- Added button to start screen (in housekeeping section) that verifies the integrity the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid
- Password Recovery
- Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
- Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
- Fixed password recovery issue with the records in "Windows.old" folder
- Fixed crash in ZIP password recovery when testing a single password
- Search Index
- Fixed GDI handle leak
- SQLite Browser
- New Tab to shown Unallocated Space (Free Pages/Blocks) within SQLite database file
- Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks
- Added Run SQL tab, allows users to write their own SQL statements
- Updated sqlite source files from 3.8.11.1 to V3.38.0
- Start Window
- Added settings option to allow for selecting language in use
- System Information
- Added partition selection dialog when scanning whole disk image with multiple partitions
- Added category for basic system information collection from non Windows machines
- Thumbnail Cache / Viewer
- Attempt to generate video file thumbnails if file extension is a known video type
- Attempt to load thumbnails only if the filename has a known file extension
- Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
- Fixed multithreaded handling of video thumbnail generation using Media Foundation
- Fixed thumbnail icons not appearing in thumbnail view
- Added check for large buffer sizes before allocating memory for displaying thumbnails
- Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
- Fixed pixelated play icon for video thumbnails
- User Activity
- Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation
- Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
- USB timeline, added support to collect USB Artifacts of USB storage device connection and disconnection history. This feature is achieved by analyzing event ID 1006 (from Microsoft-Windows-Partition%4Diagnostic.evtx) and event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of the later channel is not enabled by default, users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events
- Added parsing for Linux log files located in the /var/log directory
- Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog
- Fixed an issue where Moved Downloads not recognizing the system drive on live acquisition mode
- Added browser artifact support for some modern versions of Linux
- MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available
- Added warning when attempting to scan a drive image that does not exist
- Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
- Added check and warning message for missing case device when starting scan
- Web Server Log Viewer
- Added menu for filtering for common web exploits such as SQL injections
- Misc
- Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
- Keep single instance of physical disk info shared between all modules
- Fixed bugs with some MessageBoxes opening to wrong handle
- Changed some dialogs to close when 'esc' is pressed and centred others
- Installer, added language selection when running installer
- Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls
- GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems
- Centred some dialogs to main window for consistency
- Help file, updated file carving config info + images
- UI adjustments, centred additional dialogs
- Installer, updated OSFMount to v3.1.1001
- Installer, added Japanese language selection option
- Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
- Updated DirectIO driver used for system information collection to work with Win11 22H2 release
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 11.0.1006
Mar 4, 2024
- Email Viewer:
- Added warning message when system lacks Outlook MAPI library that exported MSG files will be saved in OLE format
- Hashing:
- Fixed possible crash when calculating hashes
- User Activity:
- Changed to auto-uncheck Moved Downloads if Downloads was unchecked (needs Download checked to run)
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 11.0.1007
Mar 20, 2024
- Android Artifacts:
- Added destination target write permissions check before launching acquisition
- Fixed issue that OSFExtract-data.xml file was not created properly under certain conditions (e.g. Failed to create OSFExtract folder in the destination target)
- Fixed issue where the image was not loaded properly when the OSFExtract-data.xml file was placed in the root folder instead of in the OSFExtract folder
- Updated logs display format
- Deleted Files Search:
- Fixed hash calculation using "DirectAccess" version instead of "buffer" version of file
- Drive Preparation:
- Fixed issue where this module was unable to be run on Drive-0
- File Viewer:
- Fix lockup of internal viewer when attempting to read past media stream size
- Hash Sets:
- Updated to include total # files to hash in 'Files hashed' field
- Updated to display # files with errors
- Manage Case:
- Removed category ID column from Case Edit window - Case Categories tab
- User Activity:
- Fixed possible crash when scanning VLC .ini file
- Fixed issue where OSF is stuck scanning Event Logs on Linux
- Config, Changed to auto uncheck Moved Downloads if Downloads is unchecked
- Misc:
- Fixed possible crash when running USB install
- Updated OSFMount to V3.1.1003
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 11.0.1013
Sep 24, 2024
- File Viewer:
- Fixed possible crash on some machines when opening files
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
OSForensics 11.0 Build 1015
V11.0 build 1015 29th October 2024
- File Viewer
- File Info, Change LCN to display "<Sparse>" instead of "-1" for sparse fragments
- User Activity
- Fixed a potential crash during cookie scans
- Misc
- Updated VolatilityWorkbench to V3.0.1009
Zaloguj
lub
Zarejestruj się
aby zobaczyć!
Udostępnij: