Home » What's new in OSForensics

What's New

The following is a version history for the various OSForensic's releases. You can download the latest version of OSForensics here.

v1.1.1001 - 4th of May 2012

  • Added support for directly accessing image files of the following formats from within OSF:
    • Split Raw Image (.00n)
    • Advanced Forensics Format Images (AFF)
    • Advanced Forensics Format Images w/ meta data (AFM)
    • Advanced Forensics Format Directories (AFD)
    • VMWare Image (.VMDK)
    • EnCase EWF (.E01)
    • SMART EWF (.S01)
  • Fixed bug opening unallocated clusters in OSF internal viewer.

v1.1.1000 - 26th of April 2012

  • Added ability to investigate raw NTFS image files directly from OSF without mounting them.
    • Images and physical drives can now be added to the case as devices.
    • All of OSF features have been updated to act on these devices.
    • Image files can now be given a short hand ‘display name’ handle. E.g. Case123:\
    • Completely by passes file system and file permissions.
  • Added File System Browser
    • View hidden NTFS files ($AttrDef, $MFT, $Boot, etc..)
    • View and copy locked files
    • Automatic calculation of directory size in a background thread.
    • Browse history location bar.
    • Integration into bookmark, hashing, indexing and file viewing functions
    • Can jump to file’s offset on the raw disk
    • Disk NTFS stream information (pro version only).
    • Display of cluster information and file fragmentation.
    • Added right-click functionality to jump to file's disk offset in raw disk viewer.
  • Registry Viewer
    • Improved speed of Registry Viewer.
    • Enabled the data/values/match whole options in the registry viewer search dialog.
    • Fixed a bug where the last search term in the registry viewer wasn't being cleared properly for a new search in some cases (leading to no results)
    • Various other crash bug fixes.
  • Added new warning when trying to import NSRL data into the existing example database.
  • Can now add notes to case without needing to add as an attachment.
  • Added From: and To: and Subject: fields for email exports from search results.
  • Can now attempt to crack passwords on encrypted 7zip files.
  • New right click option in case management to verify file hashes on case items.
  • Indexing now supports Email attachments with attachments being displayed on separate tab.
  • Improved image viewing quality in internal viewer.
  • Added option to use MD5 hashes when creating signatures, in addition to SHA1.
  • Can now set case acquisition mode. This will warn the user if they try to perform an acquisition task that does not make sense with their case setting. Some functions only make sense in the context of a live investigation.
  • Added timestamp fields to data decoder in raw disk viewer.
  • Fixed bug in displayed totals in signature comparison.
  • Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily at startup.
  • Fixed bug adding files with no extension to the case.
  • Fixed hash set creation freeze on certain locked files.
  • Added "Browse Index" tab to "Search Index" module. Loads currently selected index dictionary.
  • Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
  • Better support for long path names, up to 32,000 characters in a path.
  • MD5 is now calculated for items in the case (as well as SHA-1 & 256).
  • Signature/File listing may now include E-mails in PST, EML, MSG & MBOX. DBX is also possible but attachments are not listed at the moment.
  • Direct access to FAT16 and FAT32 image files.
  • Support for Win7 jump lists in recent activity.
  • Bug fixes and other minor changes. See this post for more detail.

v1.0.1005 - 6th of December 2011

  • Fixed XP compatibility issue caused by missing SHGetStockIconInfo function in SHELL32.dll
  • Fixed crash bug when opening the live registry or creating volume drive images via shadowcopy on Vista
  • Added support for multiple instances of registry viewer
  • Added "Export to text" function to registry viewer
  • Added "Save to case" right click menu option for keys and values in registry viewer
  • Added "Search" menu for registry viewer
  • Fixed a bug where REG_QWORD types were not being converted for display correctly
  • Fixed bug where registry viewer right click menu could be displayed when not clicking on the value list

v1.0.1004 - 1st of December 2011

  • Added "extra information" check box option to case report generation dialog. When checked it adds SHA1 and SHA256 fields to the case report
  • Added inbuilt Registry viewer functionality, available via the start page. It is now possible to view key update times and avoid registry permission issues.
  • Added "Open registry File..." to right click options for recent activity items that come from the registry, which will open the associated registry file and display the key and values
  • Added ability to open locked (live system) registry files, (via shadow copy to temp directory)
  • Changed some recent activity items, those sourced from the registry, to store the full location of the registry file data was collected from and the full key location as two separate items
  • Behaviour of IE password scanning for non-live drives changed to display "N/A" for username and password if found but fail to decrypt
  • Fixed bug on Windows Login password tab where both radio buttons could be selected at the same time
  • Fixed possible bug where scanning for passwords on a read-only mounted drive image could give an "I/O error", affected files are now copied to the temp directory before opening
  • Changes to Rainbow Table generation and recovery
    • Can now use indexed rainbow table files (.RTI) to decrypt passwords. This inlcudes support for the tables from freerainbowtables.com in RTI1 format.
    • Added checkbox to turn RT to RTC compression on/off
    • Added configuration file to define character sets
    • Updated Rainbow Table help file
    • Fixed several bugs
  • New builds of the indexer that fixes datetime bug that caused files to be dated 1 second behind.
  • Fixed bug where valid license keys were not accepted if username was too big.
  • Added filetype for OpenOffice documents and Recycle Bin Meta files. So .ODT files can now be indexed and searched. This also includes support for KOffice & Google Docs.
  • Fixed a deleted files search crash bug.
  • Fixed bug with indexing OpenDocument support and Recycle Bin Meta files.
  • Fixed bug with searching index for unallocated clusters, and filename only files. Results were displayed incorrectly and may not open in the internal viewer.
  • Fixed bug with missing context descriptions for some search results, and stemmed base words appearing in context.
  • Fixed bugs with some initial word variants missing from index.

v1.0.1003 - 8th of November 2011

  • Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only) when retrieving windows passwords
  • Fixed a bug that was preventing individual partitions from being imaged correctly and displaying an access denied message
  • Fixed a bug where if a username associated with a licence key was too large it would not be recognised as a valid key
  • Fixed a datetime bug in the create index / search index that caused files to be dated 1 second behind

v1.0.1002 - 2nd of November 2011

  • Removed beta expiry from create index process that was mistakenly left in.
  • Indexing now supports OpenOffice documents, Windows Recycle Bin Meta file indexing, and soft hyphen indexing.
  • Fixed rare crash in the raw disk viewer.

v1.0.1001 - 13th of October 2011

  • Added icon for mounted drives in recent activity list.
  • Fixed bug with cookie recent activity export not exporting date correctly.
  • Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only)
  • Added retrieval of user assist items from registry to recent activity.
  • Improved internal viewer to better display various text document formats.
  • Fixed a crash creating a new case when entering too much data into the organization or contact fields.
  • Added warning message to disk imaging when trying to image a partition without a drive letter.

v1.0.1000 - 10th of October 2011

  • Increased index log window from 5000 to 10000 lines.
  • Added search MRU items for Windows7 in recent activity.
  • Added mounted drive letters + volumes to recent activity.
  • Fixed a bug where on some systems file carving would end up in an infinite loop.
  • Fixed bug with creating an index with Custom Limits being stuck on Step 3.
  • Updated OSF Icon to have 256x256 size.

v0.99j Beta - 28th of September 2011

  • Fixed a crash when indexing certain email files.
  • Improved Drive Imaging. Now locks drives when unable to shadow copy, also has option to force shadow copy off.
  • Changed drive imaging so that image write re-attempts on failure.
  • Updated report export to include emails
  • Fixed email export to case for eml files, plus other rare instances with possible name conflicts.
  • Fixed crash exporting emails before opening the internal email viewer that left OSF in a state that would crash on next export or email view.
  • Fixed DPI issue in email viewer.
  • Improvements to ZIP password cracking.
  • Added ability to get Recent Documents MRU from registry files
  • Added ability to get Autorun items from registry and display in recent activity
  • Fixed a bug where the random password definition was not being created correctly when a known character was entered
  • Fixed crash when exporting recent activity items
  • Fixed a bug on the recent activity dialog where "Included dateless items" was not being disabled correctly after a scan finished
  • Fixed a bug in the recent activities export where dateless items were not being exported
  • Fixed bug with hexviewer ascii/hex radio buttons
  • Updated FileCarving to handle .EML format.
  • Added display of registry key location where registry passwords were retrieved from
  • Made some changes to PDF password cracking to add 0-9 and 00-99 to each word in the dictionary
  • Index search, fixed bug with not opening files and folders containing entitized characters (e.g. apostrophes) in its name.
  • Create Index
    • Added handling for temp. Office created "owner files" e.g. "~$MyDoc.dot"
    • Added handling for "Could not open file" errors from RTF messages in PST files
    • Fixed problem with "Activation context generation failed" error messages in the Windows Event Log.

Version 0.99i Beta - 15th of September 2011

  • Fixed a crash collecting recent activity on some systems.
  • Fixed a rare crash manipulating files in the thumbnail view.
  • Added ability to retrive list of installed programs in recent activity function.
  • When picking a particular drive in the recent activity scan, registry files will now also be searched for in the root of the drive.
  • Updated common password list.
  • Added code to search both halves LM hash for Windows password recovery.
  • Can now detects empty Windows passwords.
  • Improved cracking of passwords in PWDUMP files.
  • LM and NTLM hashes will only be searched within their respective tables.
  • Support for cracking of zip files with directory encryption (PKZIP format)
  • Zip file cracking now up to 10 times faster.

Version 0.99h Beta - 6th of September 2011

  • Added registry password retrieval dialog to password recovery tab and support code to get windows logins and password hashes from SAM hives.
  • Undelete Files
    • For FAT formatted disks, files in deleted directories are now also shown (rather than just directly deleted files).
    • For NTFS formatted disks, deleted files that are older than the directories they are in are now also shown.
  • Disk Preparation
    • The list of disks is now shown by default (without pressing the refresh button).
    • The SMART parameters are refreshed from the disk at the end of the disk test.
    • The disk test didn't seem to be able to open the disk for writing, this has been corrected.
  • Fixed issues with .eml files containing CRLF in Subject: headings which broke the index file format.
  • Added support for carving files from EXT2 partitioned drives.
  • Added support for filtering file search results by attributes.
  • Fixed bug in "ole" file parsing.
  • Auto-update of disk dropdown list when new disks are inserted/mounted.
  • Fixed identification of unicode strings for binary string extraction.
  • Rainbow Table cracking now supports PWDUMP text format.

Version 0.99g Beta - 24th of August 2011

  • Moved expiry date forward to November 15th.
  • Ctrl-a now works in deleted files module.
  • Significantly increased speed of browser password recovery in certain circumstances.
  • Added support for Firefox 6 in recent activity module.
  • Fixed a number of possible crashes in recent activity module.
  • Fixed critical memory leak in thumbnail view.
  • Change made to indexing process to allow searching for email addresses within the content of a document.
  • Fixed "Performing Search…" message in index search.

Version 0.99f Beta - 12th of August 2011

  • Fixed bug in Index search causing 0 results to be returned on first try.
  • Updated file carving to handle mounted images without volume letters and no physical drive numbers.
  • Can now carve .wma, .wmv and .mov files.
  • Additional bug fixes to email indexing.

Version 0.99e Beta - 11th of August 2011

  • Moved beta expiry to 15th of October
  • Fixed crash in sig creation when creating hashes and first file hashed is 0 length.
  • Fixed potential infinite loop in sig creation when creating hashes.
  • Fixed possible buffer overflow issue in signature creation when trying to hash a file that is inaccessible.
  • Added ability to change color of bookmarks in case management window.
  • Added file name search presets for video and audio files.
  • Fixed a crash when comparing signatures that had extermely long registry key paths.
  • Fixed a index search crash relating to certain exact phrase searches.
  • Several fixes and improvements to Rainbow Table generation and recovery.
  • Rainbow Table changes have rendered any previously generated tables unusable. Tables will have to be re-generated.
  • Fixed problems with not extracting From: and To: for some emails during indexing.
  • Added button to minimise/maximise navigation buttons to make low resolution use easier.
  • Added right click menu to navigation bar to make the buttons thinner.
  • Can now use the raw disk viewer on unpartitioned or corrupted drive images.
  • Added a second check for locked chrome database.
  • Added a way of remembering the copy on locked choice so user doesn't have to sit though multiple dialogs.
  • Renamed "Get Network drive Info" to "Get Network Info".
  • Added Edit option to command list management to edit customised (not default) commands.
  • Internal viewer can now view office documents and pdf files.
  • Fixed keyboard shortcuts in email list of index search.
  • Fixed a thumbnail bug in index search lists.
  • Fixed a bug where bookmarks would not be removed from case management window when they were removed elsewhere in OSF.

Version 0.99d Beta - 29th of July 2011

  • Fixed critical bugs in both the index creation and search.
  • Added thumbnail for loading video files.
  • Added a few extra index bulk search sample lists.

Version 0.99c Beta - 28th of July 2011

  • Index Search history functionality added.
  • Index bulk search functionality added.
  • Internal viewer can now play audio/video files.
  • Added keyboard shortcuts to internal viewer.
  • Added keyboard shortcuts to many of the results lists.
  • Changed report export to allow multiple report types, added ability to select output location.
  • Added more report tags (organisation, contact details, tiezeone, default drive, case folder)
  • Fixed a bug where 40bit encryption would not start correctly if a root folder was selected (eg c:\)
  • Fixed registry signature comparison.
  • Added Raw Disk Viewer Bookmark functionality.
  • Some Rainbow Table UI problems fixed.
  • Default Rainbow Table format has been changed from .RT to .RTC for compression.
  • Rainbow Table Recovery now supports both .RT and .RTC files.
  • OSFMount updated.

Version 0.99b Beta - 13th of July 2011

  • Fixed a bug preventing the creation of a new case.

Version 0.99 Beta - 12th of July 2011

  • New file bookmarking functionality.
  • Can now see which files have already been viewed for a particular case.
  • Can now brute force passwords using random passwords and specify the randok pattern.
  • Can get Chrome and Firefox password even if the browsers are still open.
  • Updated a few of the password dictionaries.
  • Updated indexer executable with some minor bug fixes. Most noteably fixed a crash that occured indexing emails on Windows XP.
  • Fixed a bug preventing overwriting USB installs with more recent versions of OSF

Version 0.98 Beta - 22th of June 2011

  • Beta expiry moved to the beginning of August.
  • New "Forensic Folder Copy" feature added that allows copying the contents of folders whilst maintaining timestamps.
  • Can now add emails found from searching an index to the case (via right click on the E-mail).
  • Files copied to case now retain their original timestamps.
  • Can now search index for foreign characters with unicode input in the search field.
  • Index searching now natively supports 64-bit for increased speed (when running 64-bit OSF).
  • 64-bit index search support also corrects a bug when searching very large indexes.
  • Can now add registry keys/values to signatures (in addition the the file system). This allows snap shots of the registry to be compared, and a list of differences exported. Which can be important for tracking malware behavior.
  • Improved Rainbow Table benchmark performance.
  • Can now run multiple create index tasks concurrently by opening multiple copies of OSF.
  • File Decryption can now use dictionaries to try and brut force the password of encrypted documents.
    • Added a dictionary containing a list of most commonly used passwords.
    • Added a dictionary of the english language.
    • Also has the ability to use the custom dictionaries created by the create index process, which contain every word found by the indexer on the disk being examined.
  • Added ability to Force OSF to quit if a task fails to stop.
  • Fixed a number of minor UI quirks.
  • Fixed a bug copying hash sets between databases.

Version 0.97 Beta - 27th of May 2011

  • Added drive imaging module. Can now create drive images of live systems.
  • Mismatch files date filter
    • Can now filter on both modify and create date
    • Is now inclusive of end dates
    • Now correctly respects the case time zone
  • File decryption tab renamed to Decryption & Password Recovery
    • Now supports Word/Excel/Powerpoint/PDF/ZIP/RAR password recovery based on a dictionary attack (currently only a default english dictonary is used)
    • Different options will be available depending on the type of file encryption detected
  • Rainbow Tables
    • In Rainbow Table Generation, added automatic and manual input modes for basic and advanced users respectively
    • Separated Rainbow Tables Inputs into two groups, Password Parameters and Table Dimensions

Version 0.96 Beta - 6th of May 2011

  • Fixed crash when trying to use the file decryption module.
  • Fixed list of default drives in new case and edit case dialogs.
  • Fixed an issue with the right click menu not working in the thumbnail view on XP systems.
  • Fixed an issue with the thumbnail list not updated on XP
  • Fixed tabbing, and tab ordering in most windows.
  • Rainbow Tables
    • Added an LM specific character set.
    • Added automatic incrementing of rainbow tables with the same parameters (by incrementing the rainbow table index/reduction offset) to prevent overwriting of files and to add breadth the coverage of the tables.
    • Removed a hash input, so that the text edit box is shared between the raw hash input and the select hash file input.
    • Rearranged the UI to be more space efficient.
  • Fixed Create Rainbow Table button, which was not getting re-enabled when generation is cancelled.
  • Fixed rainbow table file text control to have left to right text.
  • Fixed issue with drive list not refreshing in "Browser Password" and "Create/Verify Hash" modules.
  • Indexing
    • Fixed bug with foreign characters in text files
    • Fixed error message regarding date script

Version 0.95b Beta - 21st of April 2011

  • Fixed error when trying to create an index with the 64-bit version of OSF.
  • Changed order of indexing process so that when no errors occur pre-scan will move straight into indexing.
  • Added cancel button to create index pre-scan.
  • Updated OSFMount to V1.5.1003.
  • Fixed an occasional bug in setting the default drive letter.

Version 0.95 Beta - 20th of April 2011

  • Improved IE password discovery.
  • Bug fixes and improvements for creating indexes.
    • Fixed issues with non-English date formats in Outlook e-mail messages
    • Changed handling of errors when indexing unallocated clusters. Will now continue to index next start point or finish indexing instead of aborting.
    • Fixed issue with SWF plugin crashes (due to invalid SWF files) appearing.
    • Fixed bug with not indexing RTF format e-mail messages in .PST or .MSG files
  • Changed all list exports to use utf-8 instead of utf-16.
  • Fixed bug exporting recent activity to HTML format.
  • Added option to switch choose between UTF-8 or UTF-16 when hashing text.
  • Column sorting in password recovery window is no longer case sensitive.
  • Fixed bug copying some items from browser password list.
  • Updated OSFMount to v1.5.1002
  • Minor improvements to internal system information gathering commands.
  • Minor improvements to rainbow tables UI.

Version 0.94b Beta - 15th of April 2011

  • Fixed a crash in the recent activity page.
  • Added 'Hash Text' option to hashing window.
  • Fixed column sorting issue in browser password recovery.

Version 0.94 Beta - 14th of April 2011

  • New password recovery and file decryption module.
    • Moved browser passwords recovery from recent activity to passwords window.
    • New rainbow tables for recovering a password from a hash.
    • Can now decrypt PDF, DOC and XLS files with 40-bit encryption.
  • Added a visual indication in the side bar of what modules are currently running tasks.
  • Fixed bug collecting some system information on 32-bit systems.
  • Can now copy files to clipboard so they can be pasted in windows explorer.
  • Fixed crash when scanning recent activity on system with Firefox 4.
  • Fixed bug causing default system information lists to not be added.
  • Fixed bug causing crash when deleting multiple indexes.
  • Change NSRL import feature to allow pointing at a directory without sub folders.
  • Links in emails viewed internally now work and open an external browser.
  • Internal report links in system information report now work.
  • Removed useless link accidentally placed in signature window.
  • Corrections for undelete file across a physical disk (i.e. multiple partitions).
  • Corrected bugs related to undelete files on Files Systems with MFT's with more than 500000 entries.
  • Changed deleted recycle bin meta data file display to be clearer that it is not the original file.
  • DiskViewer changes
    • "Select Range..." option in right-click menu.
    • Data interpreter window now resizable.
    • Jump/Select range dialog now holds previous settings.
  • MemViewer
    • Added legend for memory layout map
    • Removed Idle process (PID: 0) and System process (PID: 4) from combo box.
    • Combo box is now sorted alphabetically.
    • Refresh now retains the current process.
    • Fixed memory layout map bug for Wow64 processes with IMAGE_FILE_LARGE_ADDRESS_AWARE flag set.
    • Fixed bug with memory walking routine.
  • Improved CSV export. OSForensics now generates valid CSV formatted files.
  • Can now undelete files directly to case.
  • Added ability to index Chinese/Japanese text.
  • Can now sort by user in recent activity.
  • Added 'Exit' navigation button.
  • Drive Preperation now allow sselection of byte pattern, some like zeros, some like ones, and some like h7F.
  • Changed it so that clicking the captions in the help index expands the item.
  • Fixed bug in case export where empty tables would cause sorting on subsequent tables to fail.
  • Moved beta expiry date forward to 15th of July 2011.

Version 0.93 Beta - 18th of March 2011

  • Redesigned System Information module with greater flexibility.
  • Fixed RTF Viewer in built-in email viewer.
  • Updated packaged OSFMount to v1.5
  • Fixed bug when adding files from very long paths to case.
  • Fixed crash related to retrieving non-English bookmarks from Chrome.
  • Changed font in search lists to support unicode where available.
  • Fixed bug allowing adding of files to case when case not open.
  • Disk Viewer
    • Fixed MFT scan lock-up bug
    • Moved button functionality to right-click (View with viewer, Carve, etc...)
    • Changed decode window to be open by default
    • Misc. performance enhancements
    • Code refactoring + documentation
    • Improved error message for drive scanning errors
    • Fixed minor auto-highlighting issue
  • Internal viewer
    • Resizable FileInfoViewer
    • FileInfo Viewer metadata information for raw disk bytes
  • MemViewer
    • Fixed “Select Process” bug
    • “Select Process” now supports multiple monitors

Version 0.92 Beta - 4th of March 2011

  • Unified x86/x64 installer.
  • Improved USB Install both versions of OSF are now installed to USB and the correct version is launched automatically depending on the system.
  • Include OSF Mount in OSF Installer and allowed OSF Mount to be launched from within OSF
  • Added link from start page detailing how to create drive images.
  • Improved file carving functionality.
  • Fixed export functionality for attachments.
  • Disk Viewer
    • Auto-highlight (files, system files, slack space, streams, etc...)
    • Decode window is now resizable
    • Decode window includes an extra field to identify the object type (eg. file, directory, slack space, streams, etc...)
    • Fixed auto-highlight colour scheme
    • Added auto-highlight legend
    • Auto-highlight of MBR
    • MBR decode
    • Support for volume/file system slack space
    • FAT parse bug fixes
    • Delay disk scanning until user selects tab
    • Miscellaneous bug fixes and performance improvements
  • Can now filter lists to only show a specific date range in the timeline view
  • Fixed File Name Search date range lookup, previous fix broke end date conditions.
  • Fixed date range in recent activity lookup.
  • Date and time display format is now based on the Windows regional settings.

Version 0.91 Beta - 22nd of February 2011

  • Fixed bug preventing the creation of new hash sets.
  • Date range selection in File Name Search now works correctly. Previously it was slightly off due to lack of correcting for time zone differences.
  • Added message on memory viewer warning user that this feature is only useful for live acquisitions.
  • If trying to install a USB copy to the root of a drive OSF will automatically specify a sub-directory to install to.
  • Current OSForensics configuration is now copied with USB installation.

Version 0.90 Beta - 18th of February 2011

  • Fixed bug preventing the creation of a new case.
  • Added sector markers to raw disk viewer.
  • Added progress info when searching raw disk.
  • Updated help file pages on raw disk veiwer.

Version 0.89 Beta - 16th of February 2011

  • Added raw disk viewer.
  • Can now specify a default drive to perform actions on as part of the case.
  • Fixed memory handle leak when searching for alternate streams.
  • Fixed opening a files location where the file exists in a folder with a comma
  • Indexing process now skips known file types that are deselected when choosing to index unknown file types.
  • Fixed bug in advanced index configuration not allowing max file size less than 2GB
  • Can now view alternate streams in internal viewer
  • Fixed progress bar being wrong by a factor of 10 during the hashing stage of signature creation.
  • Fixed a bug preventing some files from being opened from the index log.
  • Added progress bar to indexing status window.
  • Added maximum number of files to index status window.
  • Improved some indexing failure error messages.
  • Fixed incorrect counting of .dbx files in some instances during indexing pre-scan.
  • Indexing process by default now excludes '.zdat' files (index files)
  • Fixed bug with indexing Outlook .msg files.
  • Fixed bug with missing from and to addresses for some HTML emails from .pst files.
  • Max file size indexed is now determined by the amount of RAM in the system rather than the largest file on disk.
  • File search no longer shows folder when limits on streams are set.
  • Can now sort by number and size of streams in File Search.
  • Index search now shows an indication when context has been truncated.
  • Fixed minor bug that would re-enable the controls in the deleted files search before the search was completed if the user browsed to another window and back.
  • Add ability to stop the deleted file search while running.
  • Fixed crash when closing the internal file viewer while a large file was being loaded into the text viewer.
  • Case management item list now shows the date the item was added.
  • Renaming indexes in the case management window now correctly updates the names in the search index window.
  • Fixed crash in recent activity search when limiting by date range.
  • Minor improvements to NSRL import speed.

Version 0.88 Beta - 4th of February 2011

  • External documents can now be attached and included into case reports.
  • Can now sort images by foreground or background color in file search.
  • Can now perform file carving in the deleted files window, finding deleted files that no longer have any associated file table entries.
  • Recent Activity scan now threaded so other actions can be performed while the scan is going.
  • Fixed a potential issue where the recent activity can could end up in an infinite loop.
  • Can now recover browser bookmarks in recent activity module.
  • Indexing file size limitation no longer apply to container files such as zip and pst. (Files within containers are still subject to the limit)
  • Can now import the National Software Reference Library (NSRL) data set as a hash database (all 62 million records).
  • Invalid character checking on case creation fixed
  • OSF will now launch as admin by default, however there is a start menu option to launch as non elevated admin. Admin permissions are required for operations like recovering deleted files. But it is important that the software can still run on systems where the administrator's password is not available.
  • System information window now shows more memory information.
  • Threaded document loading for the internal text viewer. (with cancel button for large documents)
  • Case sensitive checkbox for text search in the internal text viewer.
  • Possible fix for text search on unallocated sector in internal viewer, which was previously very slow.
  • Internal Text Viewer GUI fixes
  • Fixed resize issue when minimizing/maximizing internal HEX viewer.
  • Indexing process no longer tries to index the files it is creating.
  • Fixed a DPI issue on the start page.
  • Added functionality to search and filter files by NTFS streams (based on the number and size of the stream)

Version 0.87 Beta - 16th of December 2010

  • Fixed bug in 64-bit indexing causing files to be skipped when max file size was greater than 2GB. Max file size is now limited to 2GB.
  • Fixed bug in 32-bit where pre-scan would never allow a max file size greater than 50MB, limit is now 512MB in 32-bit pre-scan.
  • Various other fixes/improvements to the indexing process.
  • Improved stability in the recent activity module.

Version 0.86 Beta - 13th of December 2010

  • Redesigned case management module for easier selection between multiple cases. Some underlying changes with this will make cases created with previous versions of OSF incompatible.
  • Indexing process has had significant improvements, especially in the area of binary string extraction and indexing unallocated sectors.
  • Different levels of binary string extraction can now be selected from the advanced indexing options.
  • Any file can now be added as an attachment to a case.
  • Case creation date now stored.
  • Organization and Contact Details can now be stored as part of a case.
  • Extra details about created indexes are now stored in the case and can be viewed through the case item properties window.
  • Fixed issue indexing unallocated clusters from a drive image mounted with OSFMount.
  • Fixed issue with file name search populating thumbnail view for searches that complete quickly.
  • Fixed a rare index search crash on browsing results.
  • Better support for recent activity gathering of Internet Explorer related activities on non active drives.
  • Fixed big in saving window size that caused the window to shrink vertically slightly between runs.
  • Added ability to get logins/passwords from IE, Chrome and Opera.

Version 0.85 Beta - 1st of December 2010

  • Faster Unallocated Cluster indexing.
  • Can now open unallocated index search results in the internal viewer.
  • Fixed rare crash browsing unallocated cluster index search results.
  • Fixed crash on Recent Activity related to new Firefox login extraction.
  • Improved System Memory Information.
  • Search Index, searches with a single result now show properly.

Version 0.84 Beta - 29th of November 2010

  • Redesigned create index module into a wizard. It is now much more user friendly.
  • The indexing process should also now be more reliable with a number of bug fixes and other assorted improvements.
  • Recent activity module can now retrieve saved passwords from Firefox (where the user is not using a master password).
  • Upgraded removable drive to also allow for drive zeroing
  • Made a change to the indexing process to better support Thunderbird mail files.
  • Fixed issue with dates from emails in mbox files.
  • Fixed Index searching when dealing with non English characters.
  • OSF now saves last window size.
  • Updated start page descriptions and icons.
  • Re-arranged left panel.
  • Deleted files search now applies filters on when clicking the search button as well as the apply filter button.

Version 0.83 Beta - 10nd of November 2010

  • New Start Page tab to better navigate the features of OSForensics.
  • Fixed bug on Windows XP preventing the creation of Case Files.
  • Can now gather recent activity from system event logs.
  • Fixed bug getting browser recent activity from non active drives.
  • Improved Indexing max limits.
  • Improved index gathering of dates in emails.
  • Improved Undelete functionality on highly fragmented FAT partitions.
  • Increased number of strings extractable using Hex viewer.
  • Fixed memory viewer window so that all information fits correctly.
  • Added warning for users running the 32-bit version on 64-bit Windows.
  • Minor additions to help file on certain topics.

Version 0.82 Beta - 22nd of October 2010

  • By default OSF now displays in local time rather than UTC
  • Added ability to select time zone for display as part of case properties
  • Added time zone information to html, csv and text exports
  • Fixed bug causing radio to remain on volume after no admin warning in hash lookup
  • Update need admin message in deleted files and create hash modules
  • Changed website link in about window to point to osforensics.com
  • Changed about window to display 32/64 bit version info
  • Added feedback button (for Beta only, will be removed in final release)

Version 0.81 Beta - 13th of October 2010

  • Beta period extended to 1st of July 2011
  • Added ability to hash entire drives
  • Additional information about where the data was retrieved from in the recent activity module, for WLAN, USB and URL items.
  • Miscellaneous help file improvements
  • Added “add to case” functionality in “Recent activity”, “Search index”,  “Deleted file search” and “system information” modules.
  • Allowed adding CSV exports to case
  • Fixed bug causing an error to display at start-up about no disk in drive when certain USB devices are connected (such as USB card readers)
  • Fixed crash while scrolling recent activity window.
  • Added CSV export to “Recent activity” module.
  • Improve error for new case when non existent folder is selected.
  • No longer attempt to hash folders when hashing files found in the File Search  module.
  • No longer lose selection when hashing files in the file search module if sort order is anything other than sort by "In hash set"
  • Minor modifications to the Deleted Files Search interface.
  • Added additional templates for case export.
  • Added a better default mismatch search filter.
  • Extra sort options in Recent Activity Module.
  • When exceeding theoretical word/page limits in Indexing the log now shows a proper error.

Version 0.8 Beta

  • Initial Release