What's New

The following is a version history for the various OSForensic's releases. You can download the latest version of OSForensics here.

v3.0.1001 - 19 of Aug 2014

  • Case Management
    • Images/drives without valid partition/file system info (ie. boot sector) can now be added to the case. This allows the drive to be viewable using the Raw Disk Viewer.
  • File Indexing
    • Added support for indexing extracted binary text from "hiberfil.sys" and "pagefile.sys" (not limited by max file size limit)
    • Fixed stemming problems during indexing
    • Fixed bug with updating indexing status causing small indexing jobs to report no files being indexed
    • Fixed bugs with identifying misnamed ZIP files during indexing
    • Updated Engine/CGIs to V7 build 1008
    • Image search results that are nested in archives are now displayed in the 'Images' tab
    • Image search results that are nested in archives are now displayed with an 'archive' overlay on the top left corner of the icon
    • Fixed bugs with accented characters in search result URLs
    • Fixed bug with opening search results in the Internal Viewer
  • Deleted Files Search
    • Fixed bug in file carving of .mov files (was including 4 additional bytes in the end, now removed)
    • Fixed file carving of .pdf files. Will now check buffer for four known combination for end markers. If not found, will default to look for %EOF.
    • Fixed scanning of deleted files on mounted drives without partition information
  • Raw Disk Viewer
    • Fixed divide by error bug when performing a raw disk search on a disk with sector size = 0
    • Fixed partition info in the Decode window not being updated correctly when a new disk is loaded
  • Web Browser
    • Module Will now load on first use instead of loading on startup. Starting Page is now set to about:blank (was set http://www.osforensics.com ). This minmises the impact on a live target system when running OSF from a USB drive.
  • Internal Viewer
    • Fixed image stored in the alternate stream of a file not being displayed
  • Misc
    • Fixed bug with FAT file system parsing caused by truncating errors when calculating cluster offset. This could prevent some FAT partitions from being mounted when the FAT partition's starting offset was a long way from the start of the disk.
    • Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled)
    • Added debug statements when there are NTFS file system parsing errors in applying fixup values to MFT and index records (when DEBUGMODE mode is enabled)
    • Updated WinPEBuilder.exe to include more debug messages.

v3.0.1000 - 14 of July 2014

  • New Modules:
    • ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail cache database (Windows Vista and later only)
    • ESE database viewer for viewing the records stored in ESE database files (.edb). ESE database format is used by a variety of Microsoft applications and can often contain data of forensics value.
    • Prefetch Viewer for viewing the application prefech data stored by the operating system's prefetcher. This data includes when the application was last run and how frequently it has been run.
  • Case Management
    • Added option to "Make case default" when adding a device to a case so it is selected by default for future actions
    • When deleting cases, added prompt to allow the case files to be saved to another location before deleting
    • Adding attachments from case devices now supported
    • Multiple image partitions can now be mounted at the same time
    • VHD image files can now be mounted
    • Added 'Repeat action' checkbox to message box when adding a file already existing in case
    • Fixed a bug that was preventing undeleted files from being exported as part of a report
    • Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.
    • Fixed issue with setting newly mounted drives as default drive
    • Fixed bug with condensing white space when reading .OSFCfg files
    • When adding shadow drives, fixed combo box not being reset when changing drive selection
    • Changed the error message when adding an image file to a case to include the image name.
    • Fixed a bug preventing bookmark tables in reports from being sorted
  • Deleted Files Search
    • Searching for deleted files in HFS+ drives now supported
    • Results can now be displayed in 'thumbnail' and 'timeline' view
    • Timeline view now shows stacked bars grouped by file extension
    • Fixed overall system slowdown caused by large blocking file reads when file carving
    • Removed right click menu options that aren't unsupported by the file system
    • Fixed a crash when pressing a key with nothing selected
    • Fixed deleted directory icon not being displayed for non-NTFS file systems
    • Fixed deleted file fragmentation info not displaying for NTFS case devices
    • Fixed crash with invalid memory access when searching for ext2 deleted files
  • File System Browser
    • Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.
    • Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    • Added right-click menu option to attach selected files to case
    • Attribute modify date is now displayed for ext2 file systems
    • Fixed deleted icon overlay so that it displays correctly on XP
  • File Indexing
    • Indexer updated to the new Zoom Engine, which includes support for real-time logging
    • Indexing now supported for Shadow Volumes
    • Timeline view now shows stacked bars grouped by file type
    • Multiple history items can now be added to case
    • Multiple history items can now be deleted
    • Changed indexing/searching limit to 25000 items for Free version
    • Optimized index search by not reloading dictionary for every search
    • Fixed a crash when indexing multiple partitions mounted from image files
    • Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are loading
    • Fixed bug with DBX message count not being included in total e-mail count
    • Fixed Custom Limits not being saved/applied in Edit Template.
    • Fixed 'default' button not deselecting non-default filters in log window
    • Fixed unallocated cluster indexing not working for drives mounted in Standard mode
    • Fixed timeline date filter not filtering items correctly
    • Fixed regex filter combo box in 'Browse Index' tab showing invalid characters
    • Fixed invalid characters showing up in 'History' under the 'Settings' column
  • File Name Search
    • Timeline view now shows stacked bars grouped by file extension
    • Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
    • Attribute modify date now displayed for ext2/hfs file systems
    • Fixed a memory leak when closing window
  • Hash set lookup
    • Added list of matched files when performing hash set look up of more than 1 items. The list view contains a list of files that are found in the hash set. Previously, only the number of matches are displayed without any information on the files that matched.
    • Added support for deleted files hash lookup
  • Internal Viewer
    • Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories
    • Metadata View tab now displays EXIFTool metadata for deleted files
    • Metadata View tab now displays carved $I30 records for deleted directories
    • Added jump to index right-click menu option
    • Deleted files opened from the file system browser can now be viewed
    • Thumbnail cache data opened from the ThumbCache viewer can now be viewed
    • File Info tab now shows the file's starting LCN
    • Increased the default number of strings limit in Hex view tab to 50,000. Increased the max number of strings limit to 1,000,000
    • Improved loading and caching of files
    • Reduced file loading time by optimizing file system accesses
    • Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View
    • Fixed minor issue in File Info tab with short filenames appearing incorrectly
    • Fixed bug with hex viewer string extraction not stopping when max # results reached
    • Fixed viewer string extraction omitting words in results
    • Fixed 'Copy ASCII' in Hew view tab to copy all characters other than '\0' to clipboard
    • Fixed icon transparency not displaying correctly in Windows 8
    • Fixed metadata view tab showing icons when displaying EXIF metadata
    • 'Unsupported file type' text is now displayed when failing to convert document files to text
    • 'Fixed crash due to buffer overflow bug with handling Excel document conversions
  • Email Viewer
    • Added support for searching message body
    • Added support for date filtering
    • Updated "Print" functionality
    • Fixed a bug with HTML email printing not having any headers
    • Fixed a bug with not printing full headers, RTF, and plain text mail
  • Recent Activity
    • Added scanning of Windows search database (Windows.edb) index records
    • Added scanning of prefetch items
    • Added scanning of windows credential manager for browser passwords
    • Added 'Config' window for configuring scan options (date range, items to scan)
    • Added additional filter for MRU sub-categories when filtering by 'MRU'
    • Timeline view now shows the breakdown of activity types via stacked bar graph
    • Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)
    • Timeline view is now synchronized with File List view
    • Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items' hyperlink
    • Fixed crash when pressing 'Enter' with nothing selected
    • Fixed item selection when 'End' is pressed
    • Fixed stack overflow bug
    • Fixed error when opening the selected item with the registry viewer
    • For Chrome downloads, results now show filename from source URL if destination download path unavailable
    • Fixed scanning of IE history not working for certain versions of IE
    • Fixed a bug preventing the name of items from being output correctly for CSV export
  • Mismatch search
    • Added text colour to "Identified Type:" field for emphasis
    • Fixed a bug that was causing a crash when adding a file to a case
  • SQLite Browser
    • Files saved in temp folder are removed when exiting
    • Fixed unitialized pointer bug when exiting program
  • Password Recovery
    • Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
    • Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
    • Fixed a bug where the password was not displayed if there was only one password entry stored in the Firefox database
    • Updated error message to show correct error code when permissions prevented some registry changes
    • Fixed crash when adding .rti rainbow tables without valid file segments
    • Under 'Generate Rainbow Table' tab, moved the character set definition in the combo box to an edit control due to length
    • Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable
  • Drive Preparation
    • Fixed Write pattern function incorrectly reporting a write error near the very end of the drive for some USB flash drives
  • Drive Imaging
    • Restoring VHD image files now supported
    • Disk image name and type is now maintained when using the browse button (if already entered)
    • Fixed bug with imaging drives as Encase files
  • Install to USB
    • Added window message processing during the USB installation process so the application doesn't display as "Not responding"
    • Disabled Install/Exit/Browse buttons when install process starts
    • Stopped "Install to USB" function from working when not installing to a USB/removable drive
  • Web Browser
    • No longer creates a web browser temporary dir as it was not being used and was not being cleaned up properly after program exit.
  • Misc
    • Deleted files are now supported in thumbnail view
    • Various performance improvements when loading thumbnails in thumbnail view
    • Fixed display of files without high resolution icons in thumbnail view. Previously this meant a tiny icon was drawn
    • Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag in thumbnail view
    • Fixed crash caused by bug with retrieving the file icon in thumbnail view
    • Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail view
    • Added support for stacked bar graphs via groups in timeline view
    • Fixed bug when the data spans greater than 30 years in timeline view
    • Increased copy to clipboard limit from 100 to 10,000 files
    • Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB
    • Redirected stdout containing Unicode characters should now work correctly (eg from System information tools)
    • Fixed some flickering when adding files to case
    • Updated OSFMount to v1.5.1015
    • Fixed several crashes that could occur when closing OSF
    • Fixed crash when attempting to shadow copy files from a drive mounted in standard mode
    • Non-raw image files that cannot be opened properly will be opened as raw
    • Reduced flickering when resizing window
    • Fixed copying of shadow copies of locked files into temporary directory

v2.2.1000 - 10th of September 2013

  • Added support for creating a self booting USB solution from the "Install to USB" section, this is a new tool called "WinPE builder" that can be launched after the "Install to USB" process. There is an in depth guide on how to use this new feature here.

v2.1.1000 - 9th of August 2013

  • Indexing changes;
    • Will now process e-mail headers
    • Added .zipx extension in filetypes to be recognized, handled as "Binary (filename only)"
    • Added handling of ZIPX as "Binary (filename only)"
    • Added checkbox to scan attachments in e-mails to advanced template configuration window
  • Added Volume shadow copies support to the File System Browser. Currently considers a file is a shadow if the modified time of file is different from the current volume file. Steps to use this feature are,
    • Add Disk Image OR Drive in forensics mode OR Disk to case
    • Add subsequent Volume Shadows for just added device.
    • Load File system browser and enable Show shadows under options menu.
    • Browse (the shadow copy files text/label will be a shade of grey).
  • Added "Add All" Volume Shadow Copies option to Add Device dialog window.
  • Added "loading" dialog box when parsing shadow copies.
  • Shadow copies can now only be loaded for devices that are already added to case.
  • Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time.
  • Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow copies, it behaves similarly to the Create/Compare signature function.
  • Added keyboard shortcuts to Internal file and email viewers.
  • Raw disk viewer searches are no longer aborted when the search window is hidden.
  • Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed.
  • Can now select 'Use entire image file' when selecting a partition from an image file.
  • Added Loading progress indicator for the advanced EmailViewer
  • When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
  • Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM)
  • Can now detect dynamic volumes in dynamic disks (LDM)
  • In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
  • Rebuilding RAID images for the following RAID metadata types
    • SNIA DDFv1
    • Highpoint v2 RocketRAID
    • Highpoint v3 RocketRAID
    • Adaptec HostRAID
    • Integrated Technology Express RAID
    • JMicron RAID
    • LSILogic V2 MegaRAID
    • LSILogic V3 MegaRAID
    • nVidia MediaShield
    • Promise FastTrak
    • Silicon Image Medley RAID
    • Silicon Integrated Systems RAID
    • VIA Tech V-RAID
    • (Note that not all permutations have been tested)
  • Added RAID 0+1, RAID1+0, RAID 3, SPANNED rebuilding support
  • RAID "Info" dialog now shows the metadata for all matching RAID formats
  • Can select between multiple RAID metadata types if multiple formats detected
  • Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.
  • Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
  • File Carving percent complete display bug fix.
  • File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
  • Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as black box
  • Fixed some potential memory allocation in the internal file viewer issues when viewing buffers. (Which is how deleted files are viewed).
  • Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths were longer than expected
  • Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module.
  • Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases.
  • Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files).
  • Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened.
  • Fixed some memory leaks when indexing emails and attachments.
  • Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays.
  • Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during PST loading
  • Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in the EmailViewer.
  • Made some changes to stop a reported crash in the registry viewer.
  • Fixed a bug with the Windows Login Password when using "Live acquisition of current machine", a required registry permissions was failing to be set correctly
  • Old/simple PSTViewer is now restored in project and used when PST file is > 10GB
  • Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (causes by null records in the registry).
  • Added help context for Volume Shadow Copies.
  • Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.

v2.0.1003 - 22nd of March 2013

  • Forensic Copy
    • Fixed Forensic File Copy not copying folder 8.3 short names.
    • Made change to handle setting 8.3 short file names on files that have a read-only flag.
  • Added fractions of seconds to internal viewer file properties output.
  • Recent Activity - Now also searches registry location for typed IE URLs.
  • System information
    • Changed the dialog title to reflect that a command is being edited rather than a new command.
    • Fixed a bug where if the first entry in the list was editable then it wasn't loading correctly and defaulting to the new command dialog.
    • Fixed a bug where if the list management dialog was closed using the X button rather than OK the current command window display was not being updated to reflect any changes.
    • Added new system information functions (Get User Info, Get Timezone, Get computer name, Get network info) that can query the registry for information, these functions can be used on the local system as well as disk images and other system drives.
  • Navigation Bar - Added 'Registry Viewer' button.
  • Start Page - Dialog for selecting registry file now closes when the Registry Viewer is opened.
  • Registry Viewer
    • Correct icon is now displayed for Find/Goto windows.
    • All search types now selected by default in Find window.
    • and keys now work properly for Find/Goto windows.
    • Cancel button now works properly for Find/Goto windows.
    • Find/Goto windows stay open after search.
    • Added splitter bar and fixed resizing issues.
    • Added shortcut keys for searching (Ctrl+F, F3, Ctrl+G).
    • Find/Find next now traverses the tree in order according to currently selected entry.
    • Added support for opening multiple registry files in one viewer
    • Added icons for tree view
  • Email Viewer
    • Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t instead of BSTR
    • Changed header fields to Edit controls to fix redraw issues when resizing
    • Improved parsing of Data/Time strings.
  • Hex View
    • Added Ctrl+C (copy hex) and Ctrl+A (select all) keyboard shortcuts
    • Fixed crash carving data.
    • Changed string extraction so that it no longer separates URL strings into components (eg. 'http', 'www'), this was preventing the URL filter be useful.
  • Password Recovery
    • Changed behaviour when recovering Firefox passwords so that is a firefox install isn't found on the drive being scanned OSForensics will also check for a FireFox install on the system drive.
    • If a FireFox location is not found an error message is now displayed.
    • Added warning to password recovery and system information functions when running on a live system and the permissions of the SAM registry files need to be changed

v2.0.1002 - 11th of March 2013

  • Fixed error when attempting to select a file in the listview with no items.
  • $I30 directory entries now returned even if the MFT record does not contain a $FILE_NAME attribute.
  • Fixed a bug in the report template where Web Snapshots, Notes, Emails and Bookmark tables were not being sorted when their heading columns were clicked.
  • Fixed a crash when changing hex view settings.
  • Changes to Forensic File Copy to better handle conflicts with 8.3 names on NTFS.
  • Fixed a bug in the recent activity scan on non-live systems where USB devices were not displaying a last connected time and date.
  • Fixed a bug where the scroll bar was not updating on the recent activity page when using the mousewheel.
  • In File Info tab, added 'Short file name' field for NTFS/FAT 8.3 short filenames.
  • Fixed a bug that was preventing the recent activity module from getting windows system event information for the live system.
  • Added filename and file extension sorting to index search.
  • Fixed a crash when viewing/export a download recent activity record.
  • Added right-click option to save file to disk for the filepath hyperlink in the Decode Window.
  • Added progress bar when saving file to disk, allowing the user to cancel if taking too long.
  • Fixed a crash that could occur when scrolling on the recent activity tab.
  • Fixed a bug where in the recent activity items the chrome form history items could be saved with the currently registered username for OSF not the local user.
  • Fixing a bug in the recent activity CSV save to case / export where the time offset was saved in the location field for MRU items.

v2.0.1001 - 4th of February 2013

  • Added Web Snapshots category to case management for exports from the web browser module.
  • Added additional URL meta data to Web Snapshots (viewable from case item properties window).
  • Fixed index search bug causing variant words like "testing" instead of "test" to not be found.
  • Fixed index search bug causing exact phrases using quote characters to not return any search results.

v2.0.1000 - 30th of January 2013

Major changes

  • Support for multiple drives & folders when indexing. So an single index can now span more than drive.
  • Support for templates in the file indexing module. (to save re-entering data each time an index in created)
  • Ability to capture pages from web sites and add them to a case (not finished in this Alpha release).
  • Add support for searching multiple set of index files in a single search.
  • Added much improved E-mail viewer / browser.
    • Will open automatically if viewing an E-mail archive.
    • Can now add Email attachments to case
  • Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files).
  • Changes to the Internal File Viewer.
    • Window can now be maximized. Minimum window size limits removed.
    • Minor metadata fixes
    • Can now add string list to case in Hex Viewer
    • Exported string list now contains string extraction settings
    • Can now carve to file (and add to case) in Hex Viewer
    • Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images.
  • The index search function in now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% times faster, for large sets of index files and search terms that give small result sets. Even in the worst case there will be around a 10% improvement on search times.
  • Carved file can now be added to case in the raw disk viewer
  • Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories.
  • WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't.
  • Changes to the raw disk viewer
    • Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk
    • 'Select Range' dialog now populates 'Start offset' with current offset
    • 'Select Range' dialog shows the number of bytes between the start and end offset

Minor changes

  • Changed UI layout to tab-based of memory viewer module. Re-organized buttons.
  • Bug fix when accessing zip file content on FAT16 volume using direct image access.
  • Fixed bug where FAT clusters were incorrectly flagged as deleted
  • Several speed improvements on FAT volume with using direct image access
  • Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB)
  • Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module.
  • The last folder used for a report is now stored to avoid the need to re-enter it.
  • Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing.
  • Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on.
  • Made some changes to the Opera browser recent activity functions to prevent a possible crash.
  • Added toolbar for quick access to changing views in file system browser.
  • Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system.
  • Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name)
  • Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title
  • Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location
  • Better handling of nested e-mail/attachments in the index search function
  • New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases
  • Fixed bug in Mbox Email Reader with attachments missing characters in the filename.
  • Fixed progress bar for adding email and attachment to the case
  • Fixed Email path issues in the file signature function.
  • DOS batch (.bat) files can now be run from the system information function.
  • Corrected an issue where the "Live system Capable" radio buttons was not checked when editing a command in system information function.
  • Allow right-click Copy/Copy All in the system information results tab
  • Fixed buffer overflow caused by long header fields (eg. 'To:')
  • More information about the index is displayed under the results window.
  • Changed default number of maximum search results to 1000 from 5000.
  • Adding logging and error conditions for searching an index
  • Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file
  • Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file
  • Fixed bug when in search index function when opening a word list that contains extended ASCII characters.
  • Fixed bug in search index history list view when a past search query contains spaces
  • Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed
  • Added message box after successfully carving to file in the raw disk viewer
  • Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases.
  • Fixed a typo in recent activity drop down (Form History)
  • Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox)

v1.2.1003 - 3rd of October 2012

  • Fixed indexing for drive root.

v1.2.1002 - 3rd of October 2012

  • Fixed bug causing certain case items to not load correctly.
  • Fixed bug where NTFS file data reads were not sector aligned.
  • Fixed error loading DirectIo Driver.
  • Added warning message that search reuslts are limited to 1,000,000

v1.2.1001 - 26th of September 2012

  • Added cancel button to stop drive scanning in the raw disk viewer
  • Added ability to jump to disk offset of deleted files in the deleted files search
  • The device name is now displayed for deleted ext2 files in the deleted files search
  • Fixed artifact issue when panning images in the internal file viewer
  • Fixed cancel functionality for FAT/ext2 in the deleted files search
  • Fixed a bug where if there were no hash databases then the "New DB" button was disabled at startup and no new databases could be created
  • Fixed a bug preventing the recent activity scan from searching the root directory of a drive
  • Fixed a crash when retrieving MFT values
  • File carving of physical disks bug fixes
  • Image restore now allows image files that are smaller than the disk size.
  • Added support for FAT12 file system.
  • Fixed a bug when recoving file when carving via partition number.
  • Changed create index progress bar to not complete when indexing was manually cancelled.
  • Added new "Max results" option to search index options.
  • Added "Display search results" and "Display search results & add to case" right click options for the history tab of search index.
  • Significantly reduced memory usage of open cases with a large number of items.

v1.2.1000 - 31st of August 2012

Major changes

  • Support for Apple Mac file systems. Including HFS+ as used in Mac, iPhone, iPod and iPad. So it is now possible to view & investigate files from a Mac or iPhone on your windows machine with OSForensics. Includes changes to,
    • Indexer
    • File viewer
    • Raw disk viewer
    • Device manager
  • Support for Linux file systems. Including EXT2, EXT3, EXT4. Includes changes most modules in OSF.
  • SQLite database viewer is now included in the OSF package. This is useful for looking into database files created by several applications on the iPhone and also by Firefox.
  • Added support for APM partition scheme (Apple Partition Map)
  • Updated RecentActivity Module to display Browser information for when querying Unbutu machines images.
  • Added firefox form history retriveal to the recent activity
  • Made CSV import into hash sets a significantly more robust and added better documentation.
  • Changed regular expression searching in search index to use a slower algorithm, but it is more able to execute complex regexes.
  • Deleted file search now supports hash set lookup and displays icons for status.
  • Internal file viewer supports right-click functionality for deleted files (Open/Hash lookup/Add to case)
  • Can now image drives to .E01, .AFF format, in addition to dd format. The compression level can now also be selected (None, Fast compression, Best compression).
  • Additional advanced indexing options to allow the user to select the type of content to be indexed. The user can now, for example, choose to just index document meta data without indexing the document content.
  • Sector number and byte offset are now displayed in the list of caved files in the undeleted files module.

Minor changes

  • Changed progress bar in Create Index to complete with 100% instead of 0%
  • Fixed Registry Viewer to use custom file selection dialog. Making it easier to view registry files with directly accessing an image file.
  • Help file updates
  • Fixed vmdk crash bug
  • Added a maximum limit for # of items in cache to prevent allocation of an abnormally large amount of RAM at startup by Thumbnail view.
  • Fixed handle/memory leaks causing potential crash in Thumbnail view.
  • Fixed crash when closing OSF when search is running in raw disk viewer
  • Changed double click of thumbnail in Image tab of "Search Index" to open in internal viewer
  • Extended vshadow executable timeout to 2 minutes for slow machines
  • Fixed a crash when a case with no indexes was selected and the "Browse Index" tab was clicked on.
  • Fixed a possible crash when using the scroll wheel in the recent activity window
  • Added cookie name and content to CSV export of cookies
  • Added cookie content to information displayed in the recent activiy window and included in the TXT and HTML exports
  • Fixed bug opening fileset from hash lookup dialog after first sorting
  • Can now sort by whether or not the file is in the hash set in deleted file search
  • The 'Include Special Characters' checkbox in the hex viewer settings is now functional
  • Changed 2GB max file size limit for indexing to 4GB
  • Fixed possible crash when adding file to case in free version in deleted files module
  • Fix possible crash problem when indexing PST files.
  • Fixed icons in "File List" tab for OSF devices
  • Can now image partitions without drive letters or without recognized file systems.
  • Sorting by bookmarks is now available from the File name search and index search functions.
  • The normally hidden NTFS MFT Modify Date field is now exposed. You can see it as an extra column in the File System browser for example. Note that this is a different value from the "Modified date" that is normally associated with a file and displayed in Windows Explorer.
  • The time line function in the File Name Search module can now generate a timeline based on different sets of dates. e.g. you can do a time line on file creation date or modified date. Previously the timeline always used modified date.
  • From the Manage Case module it is now possible to right click on a bookmark and add the bookmarked file directly to the case.
  • In the drive imaging function there is now a new Restore Image tab. This tab allows a disk image to to restored back to a physical drive. This might be useful if you want to attempt to boot a disk image from a physical drive.
  • From the search index module you can now right click on a word in the Browse Index tab and search for the word in the index and add it to the case in a single step.
  • You can now export a list of words from the index as CSV via the Browse Index tab.
  • Allowed multi-select when adding bookmarked files to case. Previously only 1 file could be done at a time.
  • Allowed multi-select when changing bookmark colors. Previously only 1 bookmark could be done at a time.
  • Added Export to CSV options to history tab in search index
  • Changed list on search index history tab to allow multiple selection.
  • File system browser - sorting by column click now works for access date and any extra date fields (if applicable, depending on file system and mount method)
  • Internal viewer - Added extra date fields to 'File Info' tab for "Attribute Modify Date" in HFS and NTFS MFT Modify Date.
  • File Name Search - When results are filtered via timeline, the date filter used is displayed above the tabs.
  • File Name Search - Configuration window now has filters for 'Access Date' and any extra date fields (if applicable)
  • File Name Search - Added new sorting criteria (access date and extra date field) to combo box
  • Added support for hidden "Attribute Modify Date" field in Apple Mac HFS file system.
  • Improved forensic disk access speed via caching.
  • Various other minor bug fixes in existing functionality.

v1.1.1002 - 5th of June 2012

  • Addressed problems with indexing many EML Email files. Code for the handling of EML files was completely re-written to be 80% more memory efficient. This can prevent crashes due to lack of memory when indexing large numbers of E-mails.
  • Fixed a bug in the Windows Login Passwords function preventing the help page opening correctly.
  • Fixed a crash bug when retrieving IE cookies on some systems. This correction was in common code used by several modules and so might correct other (unknown) issue.

v1.1.1001 - 4th of May 2012

  • Added support for directly accessing image files of the following formats from within OSF:
    • Split Raw Image (.00n)
    • Advanced Forensics Format Images (AFF)
    • Advanced Forensics Format Images w/ meta data (AFM)
    • Advanced Forensics Format Directories (AFD)
    • VMWare Image (.VMDK)
    • EnCase EWF (.E01)
    • SMART EWF (.S01)
  • Fixed bug opening unallocated clusters in OSF internal viewer.

v1.1.1000 - 26th of April 2012

  • Added ability to investigate raw NTFS image files directly from OSF without mounting them.
    • Images and physical drives can now be added to the case as devices.
    • All of OSF features have been updated to act on these devices.
    • Image files can now be given a short hand ‘display name’ handle. E.g. Case123:\
    • Completely by passes file system and file permissions.
  • Added File System Browser
    • View hidden NTFS files ($AttrDef, $MFT, $Boot, etc..)
    • View and copy locked files
    • Automatic calculation of directory size in a background thread.
    • Browse history location bar.
    • Integration into bookmark, hashing, indexing and file viewing functions
    • Can jump to file’s offset on the raw disk
    • Disk NTFS stream information (pro version only).
    • Display of cluster information and file fragmentation.
    • Added right-click functionality to jump to file's disk offset in raw disk viewer.
  • Registry Viewer
    • Improved speed of Registry Viewer.
    • Enabled the data/values/match whole options in the registry viewer search dialog.
    • Fixed a bug where the last search term in the registry viewer wasn't being cleared properly for a new search in some cases (leading to no results)
    • Various other crash bug fixes.
  • Added new warning when trying to import NSRL data into the existing example database.
  • Can now add notes to case without needing to add as an attachment.
  • Added From: and To: and Subject: fields for email exports from search results.
  • Can now attempt to crack passwords on encrypted 7zip files.
  • New right click option in case management to verify file hashes on case items.
  • Indexing now supports Email attachments with attachments being displayed on separate tab.
  • Improved image viewing quality in internal viewer.
  • Added option to use MD5 hashes when creating signatures, in addition to SHA1.
  • Can now set case acquisition mode. This will warn the user if they try to perform an acquisition task that does not make sense with their case setting. Some functions only make sense in the context of a live investigation.
  • Added timestamp fields to data decoder in raw disk viewer.
  • Fixed bug in displayed totals in signature comparison.
  • Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily at startup.
  • Fixed bug adding files with no extension to the case.
  • Fixed hash set creation freeze on certain locked files.
  • Added "Browse Index" tab to "Search Index" module. Loads currently selected index dictionary.
  • Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
  • Better support for long path names, up to 32,000 characters in a path.
  • MD5 is now calculated for items in the case (as well as SHA-1 & 256).
  • Signature/File listing may now include E-mails in PST, EML, MSG & MBOX. DBX is also possible but attachments are not listed at the moment.
  • Direct access to FAT16 and FAT32 image files.
  • Support for Win7 jump lists in recent activity.
  • Bug fixes and other minor changes. See this post for more detail.

v1.0.1005 - 6th of December 2011

  • Fixed XP compatibility issue caused by missing SHGetStockIconInfo function in SHELL32.dll
  • Fixed crash bug when opening the live registry or creating volume drive images via shadowcopy on Vista
  • Added support for multiple instances of registry viewer
  • Added "Export to text" function to registry viewer
  • Added "Save to case" right click menu option for keys and values in registry viewer
  • Added "Search" menu for registry viewer
  • Fixed a bug where REG_QWORD types were not being converted for display correctly
  • Fixed bug where registry viewer right click menu could be displayed when not clicking on the value list

v1.0.1004 - 1st of December 2011

  • Added "extra information" check box option to case report generation dialog. When checked it adds SHA1 and SHA256 fields to the case report
  • Added inbuilt Registry viewer functionality, available via the start page. It is now possible to view key update times and avoid registry permission issues.
  • Added "Open registry File..." to right click options for recent activity items that come from the registry, which will open the associated registry file and display the key and values
  • Added ability to open locked (live system) registry files, (via shadow copy to temp directory)
  • Changed some recent activity items, those sourced from the registry, to store the full location of the registry file data was collected from and the full key location as two separate items
  • Behaviour of IE password scanning for non-live drives changed to display "N/A" for username and password if found but fail to decrypt
  • Fixed bug on Windows Login password tab where both radio buttons could be selected at the same time
  • Fixed possible bug where scanning for passwords on a read-only mounted drive image could give an "I/O error", affected files are now copied to the temp directory before opening
  • Changes to Rainbow Table generation and recovery
    • Can now use indexed rainbow table files (.RTI) to decrypt passwords. This inlcudes support for the tables from freerainbowtables.com in RTI1 format.
    • Added checkbox to turn RT to RTC compression on/off
    • Added configuration file to define character sets
    • Updated Rainbow Table help file
    • Fixed several bugs
  • New builds of the indexer that fixes datetime bug that caused files to be dated 1 second behind.
  • Fixed bug where valid license keys were not accepted if username was too big.
  • Added filetype for OpenOffice documents and Recycle Bin Meta files. So .ODT files can now be indexed and searched. This also includes support for KOffice & Google Docs.
  • Fixed a deleted files search crash bug.
  • Fixed bug with indexing OpenDocument support and Recycle Bin Meta files.
  • Fixed bug with searching index for unallocated clusters, and filename only files. Results were displayed incorrectly and may not open in the internal viewer.
  • Fixed bug with missing context descriptions for some search results, and stemmed base words appearing in context.
  • Fixed bugs with some initial word variants missing from index.

v1.0.1003 - 8th of November 2011

  • Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only) when retrieving windows passwords
  • Fixed a bug that was preventing individual partitions from being imaged correctly and displaying an access denied message
  • Fixed a bug where if a username associated with a licence key was too large it would not be recognised as a valid key
  • Fixed a datetime bug in the create index / search index that caused files to be dated 1 second behind

v1.0.1002 - 2nd of November 2011

  • Removed beta expiry from create index process that was mistakenly left in.
  • Indexing now supports OpenOffice documents, Windows Recycle Bin Meta file indexing, and soft hyphen indexing.
  • Fixed rare crash in the raw disk viewer.

v1.0.1001 - 13th of October 2011

  • Added icon for mounted drives in recent activity list.
  • Fixed bug with cookie recent activity export not exporting date correctly.
  • Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only)
  • Added retrieval of user assist items from registry to recent activity.
  • Improved internal viewer to better display various text document formats.
  • Fixed a crash creating a new case when entering too much data into the organization or contact fields.
  • Added warning message to disk imaging when trying to image a partition without a drive letter.

v1.0.1000 - 10th of October 2011

  • Increased index log window from 5000 to 10000 lines.
  • Added search MRU items for Windows7 in recent activity.
  • Added mounted drive letters + volumes to recent activity.
  • Fixed a bug where on some systems file carving would end up in an infinite loop.
  • Fixed bug with creating an index with Custom Limits being stuck on Step 3.
  • Updated OSF Icon to have 256x256 size.

v0.99j Beta - 28th of September 2011

  • Fixed a crash when indexing certain email files.
  • Improved Drive Imaging. Now locks drives when unable to shadow copy, also has option to force shadow copy off.
  • Changed drive imaging so that image write re-attempts on failure.
  • Updated report export to include emails
  • Fixed email export to case for eml files, plus other rare instances with possible name conflicts.
  • Fixed crash exporting emails before opening the internal email viewer that left OSF in a state that would crash on next export or email view.
  • Fixed DPI issue in email viewer.
  • Improvements to ZIP password cracking.
  • Added ability to get Recent Documents MRU from registry files
  • Added ability to get Autorun items from registry and display in recent activity
  • Fixed a bug where the random password definition was not being created correctly when a known character was entered
  • Fixed crash when exporting recent activity items
  • Fixed a bug on the recent activity dialog where "Included dateless items" was not being disabled correctly after a scan finished
  • Fixed a bug in the recent activities export where dateless items were not being exported
  • Fixed bug with hexviewer ascii/hex radio buttons
  • Updated FileCarving to handle .EML format.
  • Added display of registry key location where registry passwords were retrieved from
  • Made some changes to PDF password cracking to add 0-9 and 00-99 to each word in the dictionary
  • Index search, fixed bug with not opening files and folders containing entitized characters (e.g. apostrophes) in its name.
  • Create Index
    • Added handling for temp. Office created "owner files" e.g. "~$MyDoc.dot"
    • Added handling for "Could not open file" errors from RTF messages in PST files
    • Fixed problem with "Activation context generation failed" error messages in the Windows Event Log.

Version 0.99i Beta - 15th of September 2011

  • Fixed a crash collecting recent activity on some systems.
  • Fixed a rare crash manipulating files in the thumbnail view.
  • Added ability to retrive list of installed programs in recent activity function.
  • When picking a particular drive in the recent activity scan, registry files will now also be searched for in the root of the drive.
  • Updated common password list.
  • Added code to search both halves LM hash for Windows password recovery.
  • Can now detects empty Windows passwords.
  • Improved cracking of passwords in PWDUMP files.
  • LM and NTLM hashes will only be searched within their respective tables.
  • Support for cracking of zip files with directory encryption (PKZIP format)
  • Zip file cracking now up to 10 times faster.

Version 0.99h Beta - 6th of September 2011

  • Added registry password retrieval dialog to password recovery tab and support code to get windows logins and password hashes from SAM hives.
  • Undelete Files
    • For FAT formatted disks, files in deleted directories are now also shown (rather than just directly deleted files).
    • For NTFS formatted disks, deleted files that are older than the directories they are in are now also shown.
  • Disk Preparation
    • The list of disks is now shown by default (without pressing the refresh button).
    • The SMART parameters are refreshed from the disk at the end of the disk test.
    • The disk test didn't seem to be able to open the disk for writing, this has been corrected.
  • Fixed issues with .eml files containing CRLF in Subject: headings which broke the index file format.
  • Added support for carving files from EXT2 partitioned drives.
  • Added support for filtering file search results by attributes.
  • Fixed bug in "ole" file parsing.
  • Auto-update of disk dropdown list when new disks are inserted/mounted.
  • Fixed identification of unicode strings for binary string extraction.
  • Rainbow Table cracking now supports PWDUMP text format.

Version 0.99g Beta - 24th of August 2011

  • Moved expiry date forward to November 15th.
  • Ctrl-a now works in deleted files module.
  • Significantly increased speed of browser password recovery in certain circumstances.
  • Added support for Firefox 6 in recent activity module.
  • Fixed a number of possible crashes in recent activity module.
  • Fixed critical memory leak in thumbnail view.
  • Change made to indexing process to allow searching for email addresses within the content of a document.
  • Fixed "Performing Search…" message in index search.

Version 0.99f Beta - 12th of August 2011

  • Fixed bug in Index search causing 0 results to be returned on first try.
  • Updated file carving to handle mounted images without volume letters and no physical drive numbers.
  • Can now carve .wma, .wmv and .mov files.
  • Additional bug fixes to email indexing.

Version 0.99e Beta - 11th of August 2011

  • Moved beta expiry to 15th of October
  • Fixed crash in sig creation when creating hashes and first file hashed is 0 length.
  • Fixed potential infinite loop in sig creation when creating hashes.
  • Fixed possible buffer overflow issue in signature creation when trying to hash a file that is inaccessible.
  • Added ability to change color of bookmarks in case management window.
  • Added file name search presets for video and audio files.
  • Fixed a crash when comparing signatures that had extermely long registry key paths.
  • Fixed a index search crash relating to certain exact phrase searches.
  • Several fixes and improvements to Rainbow Table generation and recovery.
  • Rainbow Table changes have rendered any previously generated tables unusable. Tables will have to be re-generated.
  • Fixed problems with not extracting From: and To: for some emails during indexing.
  • Added button to minimise/maximise navigation buttons to make low resolution use easier.
  • Added right click menu to navigation bar to make the buttons thinner.
  • Can now use the raw disk viewer on unpartitioned or corrupted drive images.
  • Added a second check for locked chrome database.
  • Added a way of remembering the copy on locked choice so user doesn't have to sit though multiple dialogs.
  • Renamed "Get Network drive Info" to "Get Network Info".
  • Added Edit option to command list management to edit customised (not default) commands.
  • Internal viewer can now view office documents and pdf files.
  • Fixed keyboard shortcuts in email list of index search.
  • Fixed a thumbnail bug in index search lists.
  • Fixed a bug where bookmarks would not be removed from case management window when they were removed elsewhere in OSF.

Version 0.99d Beta - 29th of July 2011

  • Fixed critical bugs in both the index creation and search.
  • Added thumbnail for loading video files.
  • Added a few extra index bulk search sample lists.

Version 0.99c Beta - 28th of July 2011

  • Index Search history functionality added.
  • Index bulk search functionality added.
  • Internal viewer can now play audio/video files.
  • Added keyboard shortcuts to internal viewer.
  • Added keyboard shortcuts to many of the results lists.
  • Changed report export to allow multiple report types, added ability to select output location.
  • Added more report tags (organisation, contact details, tiezeone, default drive, case folder)
  • Fixed a bug where 40bit encryption would not start correctly if a root folder was selected (eg c:\)
  • Fixed registry signature comparison.
  • Added Raw Disk Viewer Bookmark functionality.
  • Some Rainbow Table UI problems fixed.
  • Default Rainbow Table format has been changed from .RT to .RTC for compression.
  • Rainbow Table Recovery now supports both .RT and .RTC files.
  • OSFMount updated.

Version 0.99b Beta - 13th of July 2011

  • Fixed a bug preventing the creation of a new case.

Version 0.99 Beta - 12th of July 2011

  • New file bookmarking functionality.
  • Can now see which files have already been viewed for a particular case.
  • Can now brute force passwords using random passwords and specify the randok pattern.
  • Can get Chrome and Firefox password even if the browsers are still open.
  • Updated a few of the password dictionaries.
  • Updated indexer executable with some minor bug fixes. Most noteably fixed a crash that occured indexing emails on Windows XP.
  • Fixed a bug preventing overwriting USB installs with more recent versions of OSF

Version 0.98 Beta - 22th of June 2011

  • Beta expiry moved to the beginning of August.
  • New "Forensic Folder Copy" feature added that allows copying the contents of folders whilst maintaining timestamps.
  • Can now add emails found from searching an index to the case (via right click on the E-mail).
  • Files copied to case now retain their original timestamps.
  • Can now search index for foreign characters with unicode input in the search field.
  • Index searching now natively supports 64-bit for increased speed (when running 64-bit OSF).
  • 64-bit index search support also corrects a bug when searching very large indexes.
  • Can now add registry keys/values to signatures (in addition the the file system). This allows snap shots of the registry to be compared, and a list of differences exported. Which can be important for tracking malware behavior.
  • Improved Rainbow Table benchmark performance.
  • Can now run multiple create index tasks concurrently by opening multiple copies of OSF.
  • File Decryption can now use dictionaries to try and brut force the password of encrypted documents.
    • Added a dictionary containing a list of most commonly used passwords.
    • Added a dictionary of the english language.
    • Also has the ability to use the custom dictionaries created by the create index process, which contain every word found by the indexer on the disk being examined.
  • Added ability to Force OSF to quit if a task fails to stop.
  • Fixed a number of minor UI quirks.
  • Fixed a bug copying hash sets between databases.

Version 0.97 Beta - 27th of May 2011

  • Added drive imaging module. Can now create drive images of live systems.
  • Mismatch files date filter
    • Can now filter on both modify and create date
    • Is now inclusive of end dates
    • Now correctly respects the case time zone
  • File decryption tab renamed to Decryption & Password Recovery
    • Now supports Word/Excel/Powerpoint/PDF/ZIP/RAR password recovery based on a dictionary attack (currently only a default english dictonary is used)
    • Different options will be available depending on the type of file encryption detected
  • Rainbow Tables
    • In Rainbow Table Generation, added automatic and manual input modes for basic and advanced users respectively
    • Separated Rainbow Tables Inputs into two groups, Password Parameters and Table Dimensions

Version 0.96 Beta - 6th of May 2011

  • Fixed crash when trying to use the file decryption module.
  • Fixed list of default drives in new case and edit case dialogs.
  • Fixed an issue with the right click menu not working in the thumbnail view on XP systems.
  • Fixed an issue with the thumbnail list not updated on XP
  • Fixed tabbing, and tab ordering in most windows.
  • Rainbow Tables
    • Added an LM specific character set.
    • Added automatic incrementing of rainbow tables with the same parameters (by incrementing the rainbow table index/reduction offset) to prevent overwriting of files and to add breadth the coverage of the tables.
    • Removed a hash input, so that the text edit box is shared between the raw hash input and the select hash file input.
    • Rearranged the UI to be more space efficient.
  • Fixed Create Rainbow Table button, which was not getting re-enabled when generation is cancelled.
  • Fixed rainbow table file text control to have left to right text.
  • Fixed issue with drive list not refreshing in "Browser Password" and "Create/Verify Hash" modules.
  • Indexing
    • Fixed bug with foreign characters in text files
    • Fixed error message regarding date script

Version 0.95b Beta - 21st of April 2011

  • Fixed error when trying to create an index with the 64-bit version of OSF.
  • Changed order of indexing process so that when no errors occur pre-scan will move straight into indexing.
  • Added cancel button to create index pre-scan.
  • Updated OSFMount to V1.5.1003.
  • Fixed an occasional bug in setting the default drive letter.

Version 0.95 Beta - 20th of April 2011

  • Improved IE password discovery.
  • Bug fixes and improvements for creating indexes.
    • Fixed issues with non-English date formats in Outlook e-mail messages
    • Changed handling of errors when indexing unallocated clusters. Will now continue to index next start point or finish indexing instead of aborting.
    • Fixed issue with SWF plugin crashes (due to invalid SWF files) appearing.
    • Fixed bug with not indexing RTF format e-mail messages in .PST or .MSG files
  • Changed all list exports to use utf-8 instead of utf-16.
  • Fixed bug exporting recent activity to HTML format.
  • Added option to switch choose between UTF-8 or UTF-16 when hashing text.
  • Column sorting in password recovery window is no longer case sensitive.
  • Fixed bug copying some items from browser password list.
  • Updated OSFMount to v1.5.1002
  • Minor improvements to internal system information gathering commands.
  • Minor improvements to rainbow tables UI.

Version 0.94b Beta - 15th of April 2011

  • Fixed a crash in the recent activity page.
  • Added 'Hash Text' option to hashing window.
  • Fixed column sorting issue in browser password recovery.

Version 0.94 Beta - 14th of April 2011

  • New password recovery and file decryption module.
    • Moved browser passwords recovery from recent activity to passwords window.
    • New rainbow tables for recovering a password from a hash.
    • Can now decrypt PDF, DOC and XLS files with 40-bit encryption.
  • Added a visual indication in the side bar of what modules are currently running tasks.
  • Fixed bug collecting some system information on 32-bit systems.
  • Can now copy files to clipboard so they can be pasted in windows explorer.
  • Fixed crash when scanning recent activity on system with Firefox 4.
  • Fixed bug causing default system information lists to not be added.
  • Fixed bug causing crash when deleting multiple indexes.
  • Change NSRL import feature to allow pointing at a directory without sub folders.
  • Links in emails viewed internally now work and open an external browser.
  • Internal report links in system information report now work.
  • Removed useless link accidentally placed in signature window.
  • Corrections for undelete file across a physical disk (i.e. multiple partitions).
  • Corrected bugs related to undelete files on Files Systems with MFT's with more than 500000 entries.
  • Changed deleted recycle bin meta data file display to be clearer that it is not the original file.
  • DiskViewer changes
    • "Select Range..." option in right-click menu.
    • Data interpreter window now resizable.
    • Jump/Select range dialog now holds previous settings.
  • MemViewer
    • Added legend for memory layout map
    • Removed Idle process (PID: 0) and System process (PID: 4) from combo box.
    • Combo box is now sorted alphabetically.
    • Refresh now retains the current process.
    • Fixed memory layout map bug for Wow64 processes with IMAGE_FILE_LARGE_ADDRESS_AWARE flag set.
    • Fixed bug with memory walking routine.
  • Improved CSV export. OSForensics now generates valid CSV formatted files.
  • Can now undelete files directly to case.
  • Added ability to index Chinese/Japanese text.
  • Can now sort by user in recent activity.
  • Added 'Exit' navigation button.
  • Drive Preperation now allow sselection of byte pattern, some like zeros, some like ones, and some like h7F.
  • Changed it so that clicking the captions in the help index expands the item.
  • Fixed bug in case export where empty tables would cause sorting on subsequent tables to fail.
  • Moved beta expiry date forward to 15th of July 2011.

Version 0.93 Beta - 18th of March 2011

  • Redesigned System Information module with greater flexibility.
  • Fixed RTF Viewer in built-in email viewer.
  • Updated packaged OSFMount to v1.5
  • Fixed bug when adding files from very long paths to case.
  • Fixed crash related to retrieving non-English bookmarks from Chrome.
  • Changed font in search lists to support unicode where available.
  • Fixed bug allowing adding of files to case when case not open.
  • Disk Viewer
    • Fixed MFT scan lock-up bug
    • Moved button functionality to right-click (View with viewer, Carve, etc...)
    • Changed decode window to be open by default
    • Misc. performance enhancements
    • Code refactoring + documentation
    • Improved error message for drive scanning errors
    • Fixed minor auto-highlighting issue
  • Internal viewer
    • Resizable FileInfoViewer
    • FileInfo Viewer metadata information for raw disk bytes
  • MemViewer
    • Fixed “Select Process” bug
    • “Select Process” now supports multiple monitors

Version 0.92 Beta - 4th of March 2011

  • Unified x86/x64 installer.
  • Improved USB Install both versions of OSF are now installed to USB and the correct version is launched automatically depending on the system.
  • Include OSF Mount in OSF Installer and allowed OSF Mount to be launched from within OSF
  • Added link from start page detailing how to create drive images.
  • Improved file carving functionality.
  • Fixed export functionality for attachments.
  • Disk Viewer
    • Auto-highlight (files, system files, slack space, streams, etc...)
    • Decode window is now resizable
    • Decode window includes an extra field to identify the object type (eg. file, directory, slack space, streams, etc...)
    • Fixed auto-highlight colour scheme
    • Added auto-highlight legend
    • Auto-highlight of MBR
    • MBR decode
    • Support for volume/file system slack space
    • FAT parse bug fixes
    • Delay disk scanning until user selects tab
    • Miscellaneous bug fixes and performance improvements
  • Can now filter lists to only show a specific date range in the timeline view
  • Fixed File Name Search date range lookup, previous fix broke end date conditions.
  • Fixed date range in recent activity lookup.
  • Date and time display format is now based on the Windows regional settings.

Version 0.91 Beta - 22nd of February 2011

  • Fixed bug preventing the creation of new hash sets.
  • Date range selection in File Name Search now works correctly. Previously it was slightly off due to lack of correcting for time zone differences.
  • Added message on memory viewer warning user that this feature is only useful for live acquisitions.
  • If trying to install a USB copy to the root of a drive OSF will automatically specify a sub-directory to install to.
  • Current OSForensics configuration is now copied with USB installation.

Version 0.90 Beta - 18th of February 2011

  • Fixed bug preventing the creation of a new case.
  • Added sector markers to raw disk viewer.
  • Added progress info when searching raw disk.
  • Updated help file pages on raw disk veiwer.

Version 0.89 Beta - 16th of February 2011

  • Added raw disk viewer.
  • Can now specify a default drive to perform actions on as part of the case.
  • Fixed memory handle leak when searching for alternate streams.
  • Fixed opening a files location where the file exists in a folder with a comma
  • Indexing process now skips known file types that are deselected when choosing to index unknown file types.
  • Fixed bug in advanced index configuration not allowing max file size less than 2GB
  • Can now view alternate streams in internal viewer
  • Fixed progress bar being wrong by a factor of 10 during the hashing stage of signature creation.
  • Fixed a bug preventing some files from being opened from the index log.
  • Added progress bar to indexing status window.
  • Added maximum number of files to index status window.
  • Improved some indexing failure error messages.
  • Fixed incorrect counting of .dbx files in some instances during indexing pre-scan.
  • Indexing process by default now excludes '.zdat' files (index files)
  • Fixed bug with indexing Outlook .msg files.
  • Fixed bug with missing from and to addresses for some HTML emails from .pst files.
  • Max file size indexed is now determined by the amount of RAM in the system rather than the largest file on disk.
  • File search no longer shows folder when limits on streams are set.
  • Can now sort by number and size of streams in File Search.
  • Index search now shows an indication when context has been truncated.
  • Fixed minor bug that would re-enable the controls in the deleted files search before the search was completed if the user browsed to another window and back.
  • Add ability to stop the deleted file search while running.
  • Fixed crash when closing the internal file viewer while a large file was being loaded into the text viewer.
  • Case management item list now shows the date the item was added.
  • Renaming indexes in the case management window now correctly updates the names in the search index window.
  • Fixed crash in recent activity search when limiting by date range.
  • Minor improvements to NSRL import speed.

Version 0.88 Beta - 4th of February 2011

  • External documents can now be attached and included into case reports.
  • Can now sort images by foreground or background color in file search.
  • Can now perform file carving in the deleted files window, finding deleted files that no longer have any associated file table entries.
  • Recent Activity scan now threaded so other actions can be performed while the scan is going.
  • Fixed a potential issue where the recent activity can could end up in an infinite loop.
  • Can now recover browser bookmarks in recent activity module.
  • Indexing file size limitation no longer apply to container files such as zip and pst. (Files within containers are still subject to the limit)
  • Can now import the National Software Reference Library (NSRL) data set as a hash database (all 62 million records).
  • Invalid character checking on case creation fixed
  • OSF will now launch as admin by default, however there is a start menu option to launch as non elevated admin. Admin permissions are required for operations like recovering deleted files. But it is important that the software can still run on systems where the administrator's password is not available.
  • System information window now shows more memory information.
  • Threaded document loading for the internal text viewer. (with cancel button for large documents)
  • Case sensitive checkbox for text search in the internal text viewer.
  • Possible fix for text search on unallocated sector in internal viewer, which was previously very slow.
  • Internal Text Viewer GUI fixes
  • Fixed resize issue when minimizing/maximizing internal HEX viewer.
  • Indexing process no longer tries to index the files it is creating.
  • Fixed a DPI issue on the start page.
  • Added functionality to search and filter files by NTFS streams (based on the number and size of the stream)

Version 0.87 Beta - 16th of December 2010

  • Fixed bug in 64-bit indexing causing files to be skipped when max file size was greater than 2GB. Max file size is now limited to 2GB.
  • Fixed bug in 32-bit where pre-scan would never allow a max file size greater than 50MB, limit is now 512MB in 32-bit pre-scan.
  • Various other fixes/improvements to the indexing process.
  • Improved stability in the recent activity module.

Version 0.86 Beta - 13th of December 2010

  • Redesigned case management module for easier selection between multiple cases. Some underlying changes with this will make cases created with previous versions of OSF incompatible.
  • Indexing process has had significant improvements, especially in the area of binary string extraction and indexing unallocated sectors.
  • Different levels of binary string extraction can now be selected from the advanced indexing options.
  • Any file can now be added as an attachment to a case.
  • Case creation date now stored.
  • Organization and Contact Details can now be stored as part of a case.
  • Extra details about created indexes are now stored in the case and can be viewed through the case item properties window.
  • Fixed issue indexing unallocated clusters from a drive image mounted with OSFMount.
  • Fixed issue with file name search populating thumbnail view for searches that complete quickly.
  • Fixed a rare index search crash on browsing results.
  • Better support for recent activity gathering of Internet Explorer related activities on non active drives.
  • Fixed big in saving window size that caused the window to shrink vertically slightly between runs.
  • Added ability to get logins/passwords from IE, Chrome and Opera.

Version 0.85 Beta - 1st of December 2010

  • Faster Unallocated Cluster indexing.
  • Can now open unallocated index search results in the internal viewer.
  • Fixed rare crash browsing unallocated cluster index search results.
  • Fixed crash on Recent Activity related to new Firefox login extraction.
  • Improved System Memory Information.
  • Search Index, searches with a single result now show properly.

Version 0.84 Beta - 29th of November 2010

  • Redesigned create index module into a wizard. It is now much more user friendly.
  • The indexing process should also now be more reliable with a number of bug fixes and other assorted improvements.
  • Recent activity module can now retrieve saved passwords from Firefox (where the user is not using a master password).
  • Upgraded removable drive to also allow for drive zeroing
  • Made a change to the indexing process to better support Thunderbird mail files.
  • Fixed issue with dates from emails in mbox files.
  • Fixed Index searching when dealing with non English characters.
  • OSF now saves last window size.
  • Updated start page descriptions and icons.
  • Re-arranged left panel.
  • Deleted files search now applies filters on when clicking the search button as well as the apply filter button.

Version 0.83 Beta - 10nd of November 2010

  • New Start Page tab to better navigate the features of OSForensics.
  • Fixed bug on Windows XP preventing the creation of Case Files.
  • Can now gather recent activity from system event logs.
  • Fixed bug getting browser recent activity from non active drives.
  • Improved Indexing max limits.
  • Improved index gathering of dates in emails.
  • Improved Undelete functionality on highly fragmented FAT partitions.
  • Increased number of strings extractable using Hex viewer.
  • Fixed memory viewer window so that all information fits correctly.
  • Added warning for users running the 32-bit version on 64-bit Windows.
  • Minor additions to help file on certain topics.

Version 0.82 Beta - 22nd of October 2010

  • By default OSF now displays in local time rather than UTC
  • Added ability to select time zone for display as part of case properties
  • Added time zone information to html, csv and text exports
  • Fixed bug causing radio to remain on volume after no admin warning in hash lookup
  • Update need admin message in deleted files and create hash modules
  • Changed website link in about window to point to osforensics.com
  • Changed about window to display 32/64 bit version info
  • Added feedback button (for Beta only, will be removed in final release)

Version 0.81 Beta - 13th of October 2010

  • Beta period extended to 1st of July 2011
  • Added ability to hash entire drives
  • Additional information about where the data was retrieved from in the recent activity module, for WLAN, USB and URL items.
  • Miscellaneous help file improvements
  • Added “add to case” functionality in “Recent activity”, “Search index”,  “Deleted file search” and “system information” modules.
  • Allowed adding CSV exports to case
  • Fixed bug causing an error to display at start-up about no disk in drive when certain USB devices are connected (such as USB card readers)
  • Fixed crash while scrolling recent activity window.
  • Added CSV export to “Recent activity” module.
  • Improve error for new case when non existent folder is selected.
  • No longer attempt to hash folders when hashing files found in the File Search  module.
  • No longer lose selection when hashing files in the file search module if sort order is anything other than sort by "In hash set"
  • Minor modifications to the Deleted Files Search interface.
  • Added additional templates for case export.
  • Added a better default mismatch search filter.
  • Extra sort options in Recent Activity Module.
  • When exceeding theoretical word/page limits in Indexing the log now shows a proper error.

Version 0.8 Beta

  • Initial Release
Upgrade