Fixed possible crash when using the 'Don't know/Prescan' option
Logical Cloud Drive Imaging - OneDrive
Fixed possible discrepancy between the file size when summing all the files and the drive size from querying the user's root. When creating a logical drive, it will use the maximum size between both methods.
Password Decrypt - Brute Force
Fixed bug when using Custom Random Dictionary for individual work queue items, the Brute Force settings were not being saved
Search Index
Fixed issue when loading a UTF-8 wordlist file without a BOM
User Activity
Fixed possible crash when using the 'Autorun Commands' option
V10.0 Build 1014 14th June 2023
Create Index
Added mp4 and mv4 to default video formats
Fixed detecting UTF-8 text files without a BOM
V10.0 Build 1013 26th May 2023
File Viewer/File Name Search
Added MSVCP140.dll and vcruntime140.dll to fix missing system file issue that could happen when opening docx files and filtering on EXIF metadata in some Windows 11 builds
Manage Case
Fixed issue where USB write block was not being enabled/disabled
Start Page
Fixed issue where 'USB Write: Enabled/Disabled' icon text was not updating in custom workflows
Fixed issue where 'USB Write: Enabled/Disabled' text was written onto the wrong icon
V10.0 Build 1012 16th May 2023
Report Generation
Fixed issue where all 'Photos of Acquired Evidence' were added to every 'Category' section
V10.0 Build 1011 12th May 2023
ESEDB Viewer
Fixed a bug where Windows.edb file could not be loaded from an image file
Changed the behavior when selecting a custom Windows.edb file so that the Windows.edb file path is used as the initial directory
Logical Image - Android Copy
Fixed possible crash during imaging due to long file names/extension
Program Artifacts
Fixed parsing of the prefetch files for Windows 10 builds 1903 and newer to collect the correct run count
Report Generation
Fixed issue where all 'Exported Files' were added to every 'Category' section
Enabled hiding of thumbnails for PDF reports
Fixed issue where options were not disabled for certain report options
Misc
Fixed issue with hover text not displaying properly on toolbar icons (Script Player & SQLite Browser)
Fixed issue where email files and BitLocker files could not be read in Forensics mode
V10.0 Build 1010 26th April 2023
Case Manager
Fixed tagged files not being saved to the case due to incorrect duplicate file check
Hash Set
Fixed bug with exporting CSV files, category was not being exported in the CSV
Updated example export output in Help File
Install to USB
Fixed bug when Installing OSForensics to USB drive with an old version subscription key, it may wipe the current license from the local install
Raw Disk Viewer
Add support for ext4 64-bit feature
System Information
Fixed crash when “Live Acquisition - Current Machine” is selected for the scan and “Basic System Information” command is selected
Web Browser
Fix bug where OSF may fail to add downloaded video file to case
Misc
Updated VolatilityWorkbench to V3.0.1004
V10.0 Build 1009 23rd February 2023
Misc
Updated WinPEBuilder for ffmpeg support in WinPE
Fixed signing issue with previous build
V10.0 Build 1008 22nd February 2023
File Carver
Fixed possible crash during carving when verifying carved images with GDI
USB Install
Fixed crash when trying to create a USB install with all checkboxes selected
Misc
Fixed ffmpeg library loading warning on machines with Visual C++ Redistributable not installed
V10.0 Build 1007 23rd January 2023
Boot VM
Fixed error booting MacOS image on VirtualBox for some systems
Added a check to prevent user from adding VM to case if a case is not open
Case Management
Reports, added option to have a minimum font size when exporting report as PDF
Increased font sizes for better readability when exporting as PDF
Reports, added checkbox for case report dialog "Include thumbnails" to allow thumbnails to be enabled/disabled. It can be useful to disable thumbnails for reports with thousands of images otherwise they may not open correctly in a web browser
Deleted Files
Fixed possible crash when looking up carved files in hash set
Email Viewer
Fixed bug when exporting PST emails to list. The TO, CC, and BCC fields were not cleared between emails
Internal Viewer
Ffmpeg, fixed ffmpeg library error by re-arranging load order of DLLs (previously could display a “Failed to load library” error at OSForensics start-up)
Mobile Artifacts
Fixed bug with exporting SMS to CSV/Text where Sent/Received field was displaying only received
Fixed bug with exporting SMS to CSV/Text where selected checked items were not being exported correctly. The export was incorrectly using fixed GUI list position index and not the internal list indexes
Password Recovery
Fixed some possible crashes that could occur
User Activity
Fixed possible crash when scanning MRU
V10.0 Build 1006 28th November 2022
E-mail Viewer
Fixed Ctrl+J jump to message shortcut not working
Create / Search Index
New indexer builds
Fixed email indexing issue with delimiter character
Internal Viewer
Metadata, allow the user to manually extract EXIF data for large files that need to be saved temporarily on disk
Ffmpeg, fixed pts-related bug affecting certain video files (eg. mjpeg/Microsoft PCM)
Images, added file size limit for reading to buffer when using libheif
Misc
Replace file size limit with warning prompt when creating temporary copy of a large file
V10.0 Build 1005 14th November 2022
Analyze Shadow Copy
Fixed bug where it exported results as HTML when CSV was selected
Case Manager
Fix possible crash when calculating case folder sizes
Create / Search Index
Fixed possible crash during device prescan of unallocated cluster
Search index option dialog, fixed a crash when adding additional indexes
Email Viewer
Fixed a crash that could occur when searching
Internal Viewer
FFmpeg Player, fixed crash when scaling video frames (for videos that are rotated)
Video will now scale to window size if larger than the video resolution
Misc
Improved error message when failing to create temporary file when opening a file in an external program
V10.0 Build 1004 27th September 2022
Case Management
Reporting, increased PDF report generation timeout
Reporting, added a progress window when exporting report as a PDF
Devices, added support for BDE volumes with a clear key
Create Index
Fixed bug where if multiple folders/unallocated are added, the indexer fails to run
Deleted Files
Fixed crash when carving MFT records on disks without valid file systems
Email Viewer
Added checkbox option to search for attachment filenames
Password Recovery
Added an error message and retry option if Chrome local state file was locked (triggered if using Chrome to log in to a site or switch profiles at the same time as running a scan in OSF)
Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure
Decryption and Password Recovery, made a change so that the number of available GPUs is not checked until clicking on the tab (previously it would happen at OSF startup and could cause a crash if GPU drivers are out of date)
Fixed bug where scan was being performed on Live system regardless of which drive was selected
Rainbow Tables
Fixed bug where 'recover passwords' button did not resize properly after recovery is completed/cancelled
Start Page
Added icon and button to display USB write blocking current setting, displayed as "USB Write: Enabled" or "USB Write: Disabled", and can be toggled on and off using this button (current case setting will be changed)
User Activity
Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure
V10.0 Build 1003 9th August 2022
Auto Triage
Fixed crash in Auto Triage > Logical Image Configuration when selecting Peer 2 Peer option (pattern string length was too long)
Fixed crash in Auto Triage > Password recovery
Memory Viewer
Fixed a "certificate was explicitly revoked by its issuer" error when saving a memory dump to disk
Password Recovery
Fixed windows login passwords not scanning when using live acquisition
User Activity
Fixed bug when trying to re-order columns for USB items that would cause the columns to disappear until OSF was restarted
User Interface
Mitigated window drag lag (effect was more prominent when using a mouse with a high polling rate (>300/s))
Misc
Fixed issue with OSF not validating some key.dat files because of extra lines in the file
V10.0 Build 1002 5th August 2022
Create / Search Index
Fixed crash when saving and loading index configurations
File System Browser
Fixed file entries not appearing in Details/List View in Win 7
Install to USB
Added config link to adjust auto triage options in USB install window
Localisation
Further UI adjustments for localisation
Start Window
Fixed filename bug when opening a file directly from the start window (registry, email, etc) where the filename could be random text or not open correctly
ThumbCache Viewer
Fixed thumbnails not appearing in List View in Win 7
V10.0 Build 1001 22nd July 2022
Localisation
UI adjustments for localisation
Added some missing strings to localisation
OSFMount
Updated OSFMount files to fix driver and program version mismatch
User Activity
Increased event info string size to avoid overflow
Volatility Workbench
Updated Volatility tool from "3 1.0.1 - beta" to "3 2.0.1"
Added new volatility commands to volatility workbench
V10.0 Build 1000 14th July 2022
Auto Triage
Added option to run auto triage automatically on startup, which can be enabled in the Install to USB dialog and will use the settings last set
Added splash screen and progress bar when running auto triage as a standalone option
Analyze Shadow Copy
Added ability to find shadow copies from analyze dialog without adding to case first
Boot VM
Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
Added check and display error for partition-only images without a supported OS before mounting as physical disk
Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
Case Manager
Support for adding recovered partitions to case
Added ability to save and load custom templates for evidence categories
Added ability to rename case devices after they have been added
Add Device, changed the default display name to include the date the shadow copy was taken
Added time zone names to time zone drop down and case report
Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
Report Generation, added the details of OSForensics digital signature to generated reports
Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
Report Generation, Added "Software Verification" link in report sidebar
Report Generation, Added certificate verification information to non HTML reports
Clipboard Viewer / ThumbCache Viewer
Will now draw checkerboard background for improved display of transparent images
Improved drawing of images to reduce flickering
Deleted Files
File carving, optimization. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)
File carving, optimization, updated extensions with header signature ????ftyp to \x00\x00\x00?ftyp instead. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving
File carving, optimization, improved the responsiveness for OSForensics when carving is running
File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
For FAT and NTFS files systems, added option to carve only Allocated sectors
Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
Changed name Plist to Binary Plist and improved detection to limit false positives
File carving, fixed possible crash when carving MP3 files
File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
Added secondary sorting on second column (via dropdown and/or control click on details tab)
Disabled sorting while deleted file scan is in progress
Lowered priority level of carving threads to improve response from computer when carving is in progress
Thumbnail Tab, added a quality level indicator to the thumbnails preview
Added support for carving MFT file records on non-NTFS quick formatted volumes
Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
Added new scan method to config window, changed dropdown box to checkboxes
Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
Added check for large buffer sizes before allocating memory when detecting faces
Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running
File carving, improved carving of HTML files
File carving, reduced false positives for FLV files
File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family)
File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
Opening internal viewer for Plist Files from within the deleted files module should now work
NTFS, fixed potential memory issue when restoring deleted files
NTFS, added more debug verbosity when restoring deleted files to disk
Device Manager
Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
Disk Image and Filesystem Support
HFS+, preliminary support for compressed files
HFS+, fixed bug in decompressing zlib-compressed file data
HFS+, support for reading lzvn-compressed file data stored in resource fork
Fixed bug, files required by the web browser module were not being copied
Localisation
Added localisation support for Korean, Chinese (simplified and traditional), Japanese, Spanish, German and French
Mismatch File Search
Separated default and user-created filters, removed "built-in" text
OSForensics Digital Signature Verification
Added button to start screen (in housekeeping section) that verifies the integrity of the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid
Password Recovery
Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
Fixed password recovery issue with the records in "Windows.old" folder
Fixed crash in ZIP password recovery when testing a single password
Search Index
Fixed GDI handle leak
SQLite Browser
New tab to show Unallocated Space (Free Pages/Blocks) within SQLite database file
Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks
Added Run SQL tab, allows users to write their own SQL statements
Updated sqlite source files from 3.8.11.1 to V3.38.0
Start Window
Added settings option to allow for selecting language in use
System Information
Added partition selection dialog when scanning whole disk image with multiple partitions
Added category for basic system information collection from non Windows machines
Thumbnail Cache / Viewer
Attempt to generate video file thumbnails if file extension is a known video type
Attempt to load thumbnails only if the filename has a known file extension
Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
Fixed multithreaded handling of video thumbnail generation using Media Foundation
Fixed thumbnail icons not appearing in thumbnail view
Added check for large buffer sizes before allocating memory for displaying thumbnails
Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
Fixed pixelated play icon for video thumbnails
User Activity
Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation
Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
USB timeline, added support to collect USB artifacts of USB storage device connection and disconnection history. This feature is achieved by analyzing event ID 1006 (from Microsoft-Windows-Partition%4Diagnostic.evtx) and event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of the latter channel is not enabled by default; users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events
Added parsing for Linux log files located in the /var/log directory
Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog
Fixed an issue where Moved Downloads was not recognizing the system drive in live acquisition mode
Added browser artifact support for some modern versions of Linux
MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available
Added warning when attempting to scan a drive image that does not exist
Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
Added check and warning message for missing case device when starting scan
Web Server Log Viewer
Added menu for filtering for common web exploits such as SQL injections
Misc
Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
Keep single instance of physical disk info shared between all modules
Fixed bugs with some MessageBoxes opening to wrong handle
Changed some dialogs to close when 'esc' is pressed and centred others
Installer, added language selection when running installer
Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls
GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems
Centred some dialogs to main window for consistency
Help file, updated file carving config info + images
UI adjustments, centred additional dialogs
Installer, updated OSFMount to v3.1.1001
Installer, added Japanese language selection option
Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
Updated DirectIO driver used for system information collection to work with Win11 22H2 release
V9.2 Build 1000 14th July 2022
Licence changes
Made changes to allow subscription keys to work with any version of OSF (from V9 onwards)
Password Recovery
Stopped trying to load GPUSupport/GPUSupport64.dll on systems older than Windows 10
Fixed VC runtime error on older Windows systems when trying to load GPUSupport/GPUSupport64.dll
Disk Image and Filesystem Support
Added missing close handle when populating device dropdown
V9.1 Build 1012 6th April 2022
File system support
exFAT, removed check for volume attribute bit when traversing file entries, which appears to be set in macOS created volumes (which caused file sizes to appear as 0 and some directories to be hidden)
V9.1 Build 1011 4th April 2022
Device Manager
Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
Subscription
Fixed crash when checking subscription validity
V9.1 Build 1010 24th March 2022
Boot VM
Added more verbose debug logging when obtaining privileges to mount a registry hive
Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
Disk Image and Filesystem Support
Fixed reading of volume bitmap failure due to sector unaligned access
APFS, fixed reading compressed file data for files with hard links
APFS, fixed bug in decompressing zlib-compressed file data
APFS, fixed reading of lzvn-compressed file data with updated implementation
HFS+, fixed bug in decompressing zlib-compressed file data
HFS+, support for reading lzvn-compressed file data stored in resource fork
File Hashing
NSRL import, the latest hash set (2.75 Dec 2021) contains an invalid character that was stopping the import from running correctly, this has now been fixed
Help
Added the FireFox/Chrome cache directories that are excluded when using the Chrome/Firefox exclude image cache file options in the Files Mismatch module
Password Recovery
Fixed issue with browse dialog not accepting multiple files correctly
Screen Capture
Fixed GDI handle leak when drawing button. This caused a leak when drawing windows containing the Screen Capture button (eg. internal viewer)
Search Index
Fixed file handle leak
Fixed GDI handle leak
Fixed a bug that could occur on the off-chance that system time is the same for two searches
V9.1 Build 1009 3rd February 2022
Case Management
Fixed possible crash (crash was due to uncaught exception from MoveFile failure) when changing the case location in the Edit Case Details dialog when paths are longer than MAX_PATH
Deleted Files
Cleaned up text/message for the Save Checked Deleted Files confirmation dialog
Direct Image Access / Filesystem support
NTFS, fixed bug in traversing $I30 entries in directories spanning multiple MFT records
File Name Search
Enabled "Show $FILE_NAME Dates (NTFS)" configuration option automatically if any of the $FILE_NAME columns are selected when configuring displayed columns
Fixed bug where the custom case directories a user can specify in the config settings did not get reset when switching between cases
File System Browser
Fixed issue of FSB starting in extremely minimized state. Issue was caused if previous instance of FSB was minimized when closed. Now if closed while minimized, FSB will not save existing dimensions and reuse the last saved values
File Viewer
Fixed bug where OSF crashed when trying to retrieve file info from a file that does not exist
Fixed bug where if 'save file' option is used on a HFS file system and with 2 or more files selected, the saved file name was incorrectly output
Mismatch Files Search
Updated help file to add more detail on how 'Filter Types' is used
Fixed Chrome/Firefox Cache image exclusions (caches were in different places than expected, e.g. for Firefox, it is different based on OS)
Search Index
Fixed bug where displayed sort options did not match function (email + attachments)
Signatures
Will now clear create signature config (output type, hashes, etc) each time a new case is loaded
User Activity
Fixed bug where all USB entries weren't displayed unless the "event log" option was selected as well
Will now clear user activity config (date range etc) each time a new case is loaded
Misc
Decreased the size of the Deleted Icon (X) overlay over image thumbnails
Added .emlx to email pre-sets where used
V9.1 Build 1008 25th January 2022
Disk Image and Filesystem Support
Fixed HFS+ partitions being incorrectly identified as ext2
V9.1 Build 1007 24th January 2022
Case Manager
Support for adding recovered partitions to case
Misc
Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
Keep single instance of physical disk info shared between all modules
V9.1 Build 1006 23rd December 2021
Case Manager
Added option to "Add to Case" when right click on multiple tagged items. OSForensics will add tagged files but warn and provide a list of tagged items that are references (e.g. artifact found within a database) that could not be added to case.
Device Manager
Added support for detecting hidden file systems on entire disk images. This allows for recovery of deleted partitions (depending on what remnants are left on disk)
System information
Updated hardware support to correctly report on DDR5 RAM and Intel 12th Gen CPUs with efficiency cores and performance cores
Password Recovery
Fixed bug causing columns in list view to disappear after user has configured the active columns, when a new case is loaded
Misc
For some modules that allow user to configure columns orders, added a "Defaults" button to allow user to reset the columns to OSF's default settings
Added the Microsoft DLL, msvcp140_codecvt_ids.dll to installer as it is required by translate.exe, which is in turn used for viewing Word documents. But the DLL is missing in Win 7. The codecvt_ids DLL converts characters between different character sets.
V9.1 build 1005 21st December 2021
Create / Search Index
New indexer builds with updated support for latest Apple APFS file system
File Name Search
Recognizes JSON (*.json) and Event Log (*.evtx) files and open them with their appropriate internal viewers
JSON Viewer
Added support to parse Google Chat record exported from Google Takeout service
Can parse a single "messages.json" JSON format file or select to parse multiple files at once
As with Hangouts, it shows the conversations in HTML with a formatted, chat app-like style
Fixed right-click Add to case menu, users can choose KML/GPX/CSV formats when adding selected items to case
Manage Case
Updated USB write-block message to differentiate when enabling and disabling the setting
Raw Disk Viewer
Fix handling of clusters for APFS "cloned" inodes that share clusters with other inodes
V9.1 build 1004 9th December 2021
Boot VM
Support for booting MacOS Catalina and Big Sur. Fixed EFI script to detect boot.efi location for booting
Case Management
Enhanced USB Write Block to block more kinds of removable storage devices
Disk Image and Filesystem Support
APFS, added additional file system caching for better performance. Result was up to 30X performance improvement for file searching.
Support for APFS Sealed Volumes
APFS, handle compression algorithm 5
File Viewer
Fixed hang when a file system read error occurs when attempting to generate thumbnails
JSON Viewer
Added new feature to parse Google Location History JSON format archive file exported via Google Takeout service, shows a summary of the locations list.
Selected locations can be exported in KML/GPX/CSV formats for use in applications like Google Earth, Google Maps My Maps and OSForensics Map Viewer.
Updated right-click menu to view locations on internal Map Viewer.
Web Capture
When downloading large videos the connection to the remote server could end with Windows error 10060 (connection drop) and/or 10054 (server terminate connection). Previous behaviour: OSForensics reported a failed download. Now if OSForensics detects that the download failed because of the above errors, it will attempt to retry the download (the download should continue where it left off). If it fails three (3) times, it will ask the user if they want to continue to retry or stop.
V9.1 build 1003 2nd December 2021
Case Management
Fixed "Verify" option on case items not working correctly
Fixed "Verify" option on case items without hash values not displaying an error message
Deleted File Recovery
Fixed bug, OSForensics will now proceed with File Carving (if enabled) even if the image file contains mixed file system partition types
JSON Viewer
Added right-click menu to view HTML format conversations using internal/system web browsers, also double-click to open browser
Added TXT and CSV exporting options
Added support to parse Google Hangouts archive JSON format file downloaded from Google Takeout. It provides a summary view of the Hangouts conversation history and allows export of the selected Hangouts conversations to HTML with nicely formatted chatting app-like style so users can easily read through the messages.
Added right-click menu to export HTML files to case
Removed Compress JSON button as it may cause crash on large files
Remote Acquisition
Fixed logical image creation on remote machine
Delete temporary config file passed to remote machine when acquisition finished
Start Window
Fixed constant CPU usage due to redrawing
Verify/Create Hash
Fixed hash function not starting if "none" was selected for the secondary hash
V9.1 build 1002 19th November 2021
Auto Triage
Fixed stack overflow when attempting to calculate folder size for logical image
Updated info text for Logical Image Config Dialog Box
When loading previous config, re-prompt for FTP server password if non-anonymous upload is enabled
Android Logical Image
Fixed bug where after imaging, OSForensics would fail to attach log to case "path not found"
Remote Acquisition
When loading config file, re-prompt for FTP server password if non-anonymous upload is enabled
Added support for non-anonymous FTP upload without passing plain text password
Added check if portable install version matches current version
Fixed triage status file not being written when saving as compressed Case file format
Misc
Fixed detection of OSForensics Portable for current running instance
V9.1 build 1001 12th November 2021
Remote Acquisition
Fixed error when network path contains spaces
Use XML config file to pass triage options rather than command line options
Fixed reporting of triage status for pre triage tasks (memory dump) and post triage tasks (HTML report, FTP upload)
Auto Triage
Refactored handling of logical image configuration
V9.1 build 1000 11th November 2021
* NEW JSON Viewer *
Supports syntax highlighting for JSON documents
Treeview shows the hierarchical dependencies between JSON nodes
Changed buffer sizes and file access method which results in much better performance on very fast drives
Optimized code for increased speed when compressing E01 images
Changed compression which results in increased speed when creating the image
Fixed a bug where selecting "None" for the hashing function was still creating an MD5 hash while creating the image resulting in a slower speed than expected
Added CRC32-C to the available hashing options, an SSE4 enhanced version of CRC that is much faster
Added hash outputs to create image tab
Install to USB
Added option to set the workflow to a minimal set of modules for portable OSF installations
Allow installation of OSF portable to network folder
Added option to include python packages
Image Viewer
Fixed possible bug where the thumbnails may not be displayed/extracted the second time the image is analyzed
Password Recovery
Fixed crash due to using freed OpenSSL structure
Start Page
Re-assigned Modules to different groups
File System Browser moved to File Searching and Indexing
Web Browser and Analyze Memory with Volatility moved to House Keeping
Program Artifacts moved to System Artifacts and Passwords
Changed "Install to USB" to 'Install to USB or Network'
Modules hidden in both the workflow menu and start page (via customize workflow) will have grey text and have the word [Hidden] appended when appearing in the Module Feature Search. Note: This does not prevent user from accessing these modules
SQLite Browser
Fixed bug where it opened the add to case dialog using the main window's handle instead of SQLite Browser's
Fixed bug where it opened the file select dialog using the main window's handle instead of SQLite Browser's when selecting 'Load DB'
User Activity
Added Browser Custom Dictionary entries for Opera and Firefox.
Capture Screenshot Region will capture upon left mouse up (previously required user to hit 'Enter' key)
Web Capture
Internal changes to better support timing out when a page fails to load, adding delays after page has completed loading before taking capture, setting the page scale
Misc
Updated Crypto++ library to 8.6.0
V9.0 build 1002 8th September 2021
Auto Triage
Support for saving compressed Case files (experimental)
Support for uploading Case files to FTP server (experimental)
Fixed UI mouseover issues
Case Manager
Support for importing compressed Case files (experimental)
Fixed an error that occurred when trying to create a case in a network path
Create / Search Index
Fix crash bug when indexing corrupted OLE files (OLE is used in old style XLS, DOC, PPT files)
Added export of "lastfailedindexcfg.zcfg" for debugging purposes when indexing fails
Fixed potential crash bug with buffer issues in indexer
Memory Viewer
When running from a network drive, the DirectIo driver is copied to a temporary directory before loading. This is required because device drivers aren't loaded by Windows from network drives.
When saving memory dump to network location, saves to temporary location before moving to network path
Start Window Search
Fixed home/end keys in text input
Added more search results
User Activity
Fixed potential memory buffer overflow crash in function on Win XP
Fixed a crash that could occur when collecting SRUM artifacts on Windows 11
Misc
Fixed crash when running from network drive
Update OpenSSL library in use to 1.1.1L. Previous version in use was v1.0.2L. This fixes a couple of potential security issues in OpenSSL.
Updated help documentation for internal viewer, E-mail viewer, map viewer, file name search map view, updated screenshots
V9.0 build 1001 17th August 2021
Auto Triage
Fixed bug with loading user-specified logical image file type settings from config file
Case Manager
New right click option in the case list to open the containing folder in Windows Explorer. This allows quicker navigation to case folder for backups or looking at logs.
Clipboard Viewer
Changed linking of the WinRT shcore library to restore Win7 compatibility (so supported platforms now include Win7 to Win11)
Disk Image
Cleaned up the word wrapping on message box warning text
Email Viewer
Increased maximum length of 'To' and 'Cc' fields. Enabled word wrapping.
Filesystem Support
Fixed rare bug in FAT entry offset calculation due to using float type. This caused incorrect offset calculation on exFAT file systems, which in turn stopped some exFAT files being read correctly.
File Name Search
Added status window for adding files/folders to logical image to improve responsiveness when adding a large number of items
Internal Viewer
When viewing PDF files on systems earlier than Win8, use text conversion instead of the native PDF viewer (which is only in Win10 and above)
Changed linking of WinRT shcore library for Win7 compatibility
Changed linking of WinRT Windows.Data.Pdf.dll library for Win7 compatibility
Logical Image
Fixed performance issues when adding/removing sources when there are large number of existing items
Password Recovery
Changed linking of OpenCL.dll to delay for Win7/8 compatibility
Python API
Updated youtube-dl (video download function) to newest version; this was required to deal with the latest YouTube changes.
Added new Python script template for recursing directories in a file system, ignoring specified extensions and subdirectories. Allows user to make a logical image of just files of one type (e.g. just .DOCX files).
Start Window
Search bar now searches and makes suggestions as text is entered on the fly.
Changed search to ignore word order, allow results for (n-1) search terms if no results, return help file if no results.
Prevent certain search keyboard inputs that could cause unintended behaviour.
WebBrowser
Updated web browser module to use webview2. On systems that support it (i.e. have chromium edge installed), the webview2 browser will be used; systems without it will use the old IE based browser control. This allows much more accurate rendering of modern web pages and better security.
Change linking of GetDpiForWindow for Win7 compatibility
GUI Navigation/Icons should be less blurry
Removed Save Page/Add to Case button/option (it is not implemented/supported by Webview2). It is still possible to save screen shots of pages however.
Fixed issue with resizing browser window below minimum size and buttons moving out of place.
Export Page, fixed possible bug when downloading a file/video fails causing OSForensics to crash.
Changed default capture area (camera button) to Whole Page.
GUI Added visible note to users notifying them that right click options (Save As and possibly Print) on webpages are not working due to webview2 running in elevated permissions as required by OSF.
V9.0 build 1000 5th August 2021
Map Viewer
Added Map Viewer module which enables users to view GPS locations marked on a world map.
Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (i.e. geocoding)
Added map email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.
Auto Triage
Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.
Boot VM
Updated to now allow booting for MacOS (10.13 and above)
Now includes support for VMWare Workstation Player 16
Clipboard Viewer and Signatures Module
Restructured UI for consistency and simplicity in OSForensics user experience
Create / Search Index
Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allows indexing of GUID values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
Added sub tabs under ‘Browse Index’. These include Words, Files and Protected lists.
Added "Save to disk" checked items menu option
Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
Fixed bug with "Search Index", when matching exact phrases only found in meta description
Fixed crash bug for when page is near end of index
Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
Fixed timeline filter and other UI issues
Fixed cleanup of previous state when closing case
Fixed bug with email indexing causing corrupt index when long header or attachments are used as description in index
Fixed crash bug when corrupt index is encountered during a search and cleanup occurs, and subsequent searches did not reload the index
Added handling for partial index unloaded/reloading due to unexpected error cases (low memory, corrupt index, etc.)
Disk Preparation
Fixed a bug stopping Disk 0 from being formatted, if the user accidentally tries this
Decrypt File
Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.
Deleted File Recovery
Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
Added ability to right click on an extension in the scan status tab to view the set of files.
Added the Face and Nudity Scan feature to the sorting option
FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
Fixed display bug where, after scrolling to the right and then back, the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
Fixed a crash that could occur when no files were found
Device Manager
Added support for per-volume encryption, as used in newer versions of Apple’s APFS file system.
Email Viewer
Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
Added support for indexing EMLX files from Apple Mail
Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case
Event Log Viewer
Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (e.g. “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX”).
File Name Search
Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
Fix stack overflow crash due to large local string variables
Changed search preset name ‘Windows Shortcut Files’ to ‘LNK Files’
Updated the P2P pre-sets to include UseNet related keywords
Hash Sets and Create Hash
Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
Added SHA3 (256, 512) as hash options
Internal Viewer
Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
Jump to file when double clicking thumbnail
Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
Improved drawing performance and navigation buttons.
Hex view, add 'Export strings...' link to string extractor
Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
When analyzing images, add right-click menu options to embedded thumbnails to 'View with internal viewer...' and 'Add to Case'
Mismatch Search
Restructured UI for consistency and simplicity.
Fix bug with 0 byte files not being excluded from results
Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
Program Artifacts
Restructured UI for consistency and simplicity.
Raw Disk Viewer
Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)
System Information
Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link).
Thumbnail Viewer
Fixed drawing of images with alpha channel.
Tag/Untag
Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer’ will open the SQLite database where cookie was stored.
Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager
User Activity
Restructured UI for simplicity and consistency.
Moved 'Remove filter' link to 'Activity Filters' drop down
Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
Fixed activity-specific right click menu options and enter/double click options
Added support for parsing UseNet NZB files to display filename, file size, poster and time
Added Newshosting UseNet client P2P artifacts
Changed the tree-view “Most Recently Used” item to be collapsed by default
Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
Added support to collect details about recently viewed PDF files in Acrobat Reader and their file size and page numbers.
Added an option in the config window to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them
Added support to collect the VLC Media Player last opened filepath by parsing its .ini file
Start Menu
Added search bar to the start page to quickly find OSF features
Workflow
Set Mount Drive Image button to be hidden by default in the Workflow menu. This was done as the Add Device function is preferable in nearly all cases
Python API
Add methods for adding/removing device from case (including BitLocker and Volume Shadow devices)
Remote Server
Fix bug in creating destination folders when source path is a network folder
System requirements
Windows 11 is now supported.
Security
Update EXIFTool to 12.25 due to ACE security vulnerability
V8.0 build 1008 7th June 2021
CloudMail
Fixed issue with Microsoft Outlook/Hotmail email when Content-Length is not returned in the header, but response body contains text
ThumbCache Viewer
Fixed an issue where Thumbnail items were not able to add to the case
User Activity
Form Autofill, fixed crash with change to Autofill in Edge Chromium when data value in sqlite db is not encrypted
Fixed an issue in the Logical Image configuration window where a non-system drive path was not added properly to the image creation list.
User activity
Fixed a crash that could occur when removing the filter after using timeline view to view and select files at a certain time
V8.0 build 1006 28th January 2021
Auto Triage
Updated select drives dialog.
Renamed "Deleted Files" to "List of Deleted Files"
Renamed "File Listing (Signature)" to "File Listing"
Added timezone to Process List and File Listing exporting CSV
Updated to add not only the OS boot drive but also all the other available logical and physical drives to case, and then scan all of them to create file listing
Deleted file search, updated to scan all drives available and export to CSV files separately
Added drive selecting options for file listing and deleted files searches
Case Manager
Add Device, Added debug output when populating device dropdown
More robust handling of case device dropdown
Added more verbose logging during case load
Forensic Imaging
Removed unnecessary refreshing of drive dropdown when loading Create Image tab
Added more verbose logging when opening Forensic Imaging window
Added debug output when populating device dropdown
Direct File Access
ImageFile, add check for opening physical drive when calling FSCTL_ALLOW_EXTENDED_DASD_IO and reading "imageUSB" signature. This fixed an issue when reading the physical disk for a McAfee encrypted drive (a bug in the McAfee software that caused a read of the physical disk to fail if the read request was not sector aligned)
libesedb, increased fixed-array size, update for performance issues
V8.0 build 1005 29th December 2020
Auto Triage
Upgraded the screen capture to take screenshots of all running program windows.
Removed the drive selection drop-down list and changed it to select the OS boot drive to perform live acquisition scanning.
Case manager
Fixed an issue when exporting a report using the copy files option, if a source file was read only then multiple error messages could be shown during the file copy process.
Improved speed of export when large amounts of files are being exported as part of the report
ESEDB viewer
Updated library code for compatibility with newer helper libraries
Verify Hash
Fixed a bug where clicking the "upper case output" option after generating a hash would not update the primary hash and instead replace the secondary hash with the upper case primary
File system support
Updated library code for reading E01 and L01 files. While there were multiple changes under the hood, the most visible change should be better support for L01 image files. In particular it fixes a case where a NTFS directory entry in a L01 could point to the wrong file.
V8.0 build 1004 4th December 2020
Email Viewer
Remove MAPI initialization from startup, loading on-demand
Attempt to load MAPI dll from Outlook installation in registry (rather than mapi32.dll in Windows\System32) to prevent a "No mail client found" error message in some cases
File Name Search
Added vcruntime140_1.dll for exiv2.exe tool to fix missing DLL issue
Updated EXIF Metadata search keywords preset list
Hash Set Import
Fixed a crash that could occur when importing NSRL hash sets
V8.0 build 1003 25th November 2020
Case Management
Added a continue / stop option when a file copy fails (eg when creating a case report) rather than just stopping the current process
Cloud Mail Export
User can select which folder to export from account. An MBOX file will be created separately for each folder exported
Deleted Files
Added option in configuration to disable thumbnail creation as it may cause crashes in external windows libraries used to generate the thumbnails (eg media player) on poorly recovered / corrupt files
File Name Search
Added a new feature to allow for searching against image EXIF metadata
OSFExtract
Fixed issue where OSFExtract app would fail to install on older Android OS devices due to app signing issue
Subscription
Added deactivate seat option to the start page
User Activity
Event log, fixed a crash that could occur when reading a System log file caused by a very long file path in the event information
V8.0 build 1002 9th November 2020
Auto Triage
Fixed a broken link to the Auto Triage section in the help file
Install to USB
Fixed an issue where a ket.dat file created by OSForensics would not be read correctly when OSForensics starts
Workflow
Started saving config file immediately after locking the workflow rather than when OSForensics was closed so changes made to the workflow will be applied when installing to USB
V8.0 build 1001 3rd November 2020
Cloud EMail
Fixed bug where VHD would run out of disk space while exporting email. Now when creating VHD, an additional overhead of 1KB per message for metadata used in MBOX will be added to the total VHD size
Slowed down the query request rate (possibly hitting the query limits of the Google API)
File Name Search
Fixed 'Make Database Active' checkbox not setting hash set database active when checked
Subscription Licencing
WinPE, Will prompt user when subscription is expired to recreate WinPE image
USB, Will prompt user that online connection is needed to check license when subscription is expired
Misc
Added "Image Analysis" chapter and content on Face Detect and Illicit Image Detection to help
V8.0 build 1000 22nd October 2020
Added new Face Detection module for still photographs & images
"Detect Faces" button was added in the Image Viewer
"Sort by Faces" in File Name Search
Added new Web Server Log Viewer module
Can load up log files from Apache, IIS and other web servers, then filter and sort the log data
Added new Python Scripting module
Implemented new scripting engine, which allows access to internal OSF functions from Python scripting. Scripting commands such as osf.UserActivityGetResult(), osf.ReportGenerate() & osf.LogicalImageStart() are now available
Changed 'Run Python script' to 'OSF Script Player'
Added support for built-in script templates installed under ProgramData\PassMark\OSForensics\ScriptTemplates. The template can be selected under the 'New Script' button dropdown
Added Python API reference for help file.
Added script examples for charting via matplotlib
Add right-click menu to enter user-defined parameters to 'pip install'
Added new Cloud Imaging support for Forensic Imaging
Added Cloud Download/Imaging for Google Drive, Microsoft OneDrive and Dropbox
Cloud imaging will create empty files (0 byte files with ".deleted" extension) for deleted items from Dropbox. Dropbox includes deleted files in their directory listing
Cloud Email Download support
Added GMail export to MBOX format
Added Microsoft Outlook (webmail) export to MBOX format
AmCache Viewer
Improved performance of reading amcache hive
Auto Triage
Turned off default options for including System hibernation and page files and registry files as part of the logical image configuration
Started saving scan options and logical image options to config file
Fixed display/gui bug where the background of the scan options was not being updated in WinPE
Boot Virtual Machine
Added the ability to select additional hard drives (data drives) when booting a VM from a disk image
Case Management
Added support for opening tagged e-mails & attachments via double-click/right-click
Will now use Web Browser to open URL tags
Added support for selecting multiple files when adding evidence images to case
Add button to open 'Manage Devices' window, for managing the devices added to the case
Multiple select enabled for Case Management. Can now delete or export multiple cases at a time
Generate Report, updated to hide the categories that have no items
Create / Search Index
Added indexing for HEIC and HEIF image files
Allowed indexing of memory dump files, including .mem, .dmp, .mdmp (large file support does not apply if inside ZIP files)
Improved speed of large binary file extraction indexing (by way of parallel / 2 thread concurrency)
Fixed bytes progress status when indexing large binary file
Added Email Attachment indexing options ("index attachments by file types")
Fixed exiftool indexing issue (using the -fast3 parameter culled out a lot of necessary meta information and may incorrectly identify the file type). Note: with the -fast optimization removed, indexing will now be slower
Fixed indexing of some GPS meta information from exiftool
Fixed issue with indexing OCR output from HEIC and HEIF files
Added "Save to Disk" for checked items
Create/Compare Signature
Combined the create and compare into a single "Signatures" module with separate tabs
Added support for SHA-256 hashes. This required changing the signature file format and incrementing the signature file version from 6 -> 7
Add support for comparing previous signature file version with v7 signature file
Added options to have two hashing options (e.g. MD5 and SHA-256) for OSFSig and file listing. Note: Will work with V7 OSFSig files but not previous OSFV8 Beta OSFSig files before this commit. When comparing signatures with different hashing options, only signatures with matching hash will be compared. E.g. Sig1.OSFSig was created with MD5 only and Sig2.OSFSig was created with MD5 + SHA-256. Only MD5 will be used for comparison. If both signature files use the same hashing options both checksums will be used for comparison
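The comparison rule described for mixed hash options, as an added example that is not OSForensics code: the dictionary layout, function names and sample files are assumptions made for illustration, since the OSFSig format is not shown on this page. It also models a record whose MD5 is identical while its SHA-256 differs, to show what a comparison limited to the shared MD5 reports.

```python
import copy
import hashlib

# Constructed sample data: file path -> file content (not real evidence).
BASELINE = {"C:/a.txt": b"alpha", "C:/b.txt": b"bravo", "C:/c.txt": b"charlie"}
CURRENT = {"C:/a.txt": b"alpha", "C:/b.txt": b"bravo (edited)", "C:/d.txt": b"delta"}


def make_signature(files, algos):
    """Build a hypothetical in-memory signature: one digest per algorithm per file."""
    return {
        "algos": tuple(algos),
        "files": {
            path: {a: hashlib.new(a, data).hexdigest() for a in algos}
            for path, data in files.items()
        },
    }


def compare_signatures(old, new):
    """Compare two signatures using only the hash algorithms both contain."""
    common = [a for a in old["algos"] if a in new["algos"]]
    if not common:
        # Assumption: with no shared algorithm, nothing can be compared.
        raise ValueError("signatures share no hash algorithm")
    result = {"algos_used": common, "changed": [], "added": [],
              "removed": [], "unchanged": []}
    for path, old_hashes in old["files"].items():
        new_hashes = new["files"].get(path)
        if new_hashes is None:
            result["removed"].append(path)
        elif all(old_hashes[a] == new_hashes[a] for a in common):
            result["unchanged"].append(path)
        else:
            result["changed"].append(path)
    result["added"] = [p for p in new["files"] if p not in old["files"]]
    for key in ("changed", "added", "removed", "unchanged"):
        result[key].sort()
    return result


def with_same_md5_different_sha256(sig, path):
    """Return a copy of `sig` where `path` keeps its MD5 but has another SHA-256.

    This stands in for two different files that share an MD5 value; the
    replacement digest is constructed, not taken from a real collision.
    """
    altered = copy.deepcopy(sig)
    altered["files"][path]["sha256"] = hashlib.sha256(b"other content").hexdigest()
    return altered


SIG_OLD_MD5 = make_signature(BASELINE, ["md5"])
SIG_OLD_BOTH = make_signature(BASELINE, ["md5", "sha256"])
SIG_NEW_BOTH = make_signature(CURRENT, ["md5", "sha256"])
SIG_NEW_COLLIDED = with_same_md5_different_sha256(SIG_NEW_BOTH, "C:/a.txt")

if __name__ == "__main__":
    for label, old in (("MD5-only baseline", SIG_OLD_MD5),
                       ("MD5 + SHA-256 baseline", SIG_OLD_BOTH)):
        report = compare_signatures(old, SIG_NEW_COLLIDED)
        print(label, "->", report["algos_used"], "changed:", report["changed"])
```

When an older MD5-only signature is the baseline, re-creating it with both hashes is what lets the second checksum take part in later comparisons.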
Deleted Files
Enabled right-click menu option, Show File Location dialog, for deleted files on FAT filesystem. Note: The file location dialog will only show the first cluster of the deleted file for FAT filesystems as only the starting cluster is known and the link-list FAT entries for subsequent clusters are removed once a file is deleted on FAT filesystems
Email Viewer
Support opening single e-mails from PST/DBX/MBOX files for faster loading (check if this was also backported to V7)
Added exporting e-mail messages to MSG file
Add checkboxes to e-mail messages
Added right-click option to export e-mails to PDF
ESEDB Viewer:
Fixed an issue where some values not displayed correctly in Windows 10 V2004
File and Hex Viewer
Added a drop down to allow track selection for playback for multi track video files
Added "Analyze" button to Image Viewer to work with illicit image detection feature
Fixed video player not working when opening video files via DirectAccess
Fixed bug with video not playing when < 9 thumbnails were loaded
Fixed a possible crash when extracting strings
Video, Display duration of media along with current timestamp
File Name Search
Added "Illicit images" detection. File Name Search can now sort by "Illicit score"
Changed configuration dialog to support modifying include/exclude folders for each preset. This allows for more accurate preset searches to be defined. Users can also define their own preset searches in the new advanced format
Fixed bug in matching include/exclude folders in presets
Fixed bug in saving custom preset include/exclude folders to XML file
Preset searches now support included/excluded folders (currently, only by editing FileNameSearchPresets.cfg)
Preset searches are now fixed and cannot be modified inline
Added 'User-defined Search' for fully customizable search criteria
Added right-click hash selected files option with option to create a Quick Hash Set from the results of the hashed files
Added new preset for searching for large images + sort by face detection score
Added new preset for searching for files modified since last month
Added new preset for searching for files modified since yesterday
Added colour backgrounds for results when sorting by Illicit or Face scores. Results are marked Red for likely illicit, Pink for probably illicit, and Green if Faces detected
Minor UI layout updates
Removed border from 'Config' text
Increased width of preset/sorting combo box
File System Browser
File size units can be selected in the FSB options dialog. Defaults to “Auto” and will display in Human readable file size. File size units selectable are: Auto, Bytes, KB, MB, GB. Selection saved in OSFConfig file
Fixed bug where the Analyze Shadow from the button within FSB was not working
Consolidated filter text into single link control
Changed timeline date type combo box to link control
Removed 'Current Path' and added 'Scan Status' edit control
Moved 'Thumbnail size' slider and 'timeline date' control to top
Added 'Images + Illicit-detect AI' preset
Added "Video files (sorted by # Tracks)" preset
Added sort by "video tracks" option
Moved sorting combo box to the top
Forensic Imaging
Added option to select between single/split files when creating Encase E01 image files
Added support for creating AFF4 disk images
Enabled SMART logging in SysInfoLog.txt
Hash Lookup
Fixed crash when attempting to export lookup results to text
Image Viewer
Added support for HEIC and HEIF image files
Added support for extracting meta data from HEIC and HEIF files
Added Analyze Results popup window, showing results from AI face detect, AI illicit image detect, MD5, SHA1, etc
Install PFX
Fixed broken help file link
Password Recovery
Improved performance of reading Firefox, IE & Windows logins from registry
Fix heap corruption when retrieving LSA secrets
Fixed various memory leak issues
Updated to support new Edge Chromium-based version.
Updated to support Chrome V80 and beyond
Updated to support Opera V67 and beyond
Fixed the Password Length column to display Not Available message when the password is not decrypted
Decryption Tab, Added ability for users to select multiple files at a time
Removed support for Opera Version 22 and earlier
Removed support for FireFox Version 31 and earlier
Removed support for Safari
Fixed potential crash when running on Windows 10 V2004.
Made some changes to enable recovery of chrome, edge and opera passwords in some cases where it was previously failing
Registry reading
Improved performance of RegistryGetSubKeys() and RegistryGetKeyValues() methods for reading registry keys
Improved performance of reading registry entries in User Activity. On a 160MB SOFTWARE hive, load times improved from >10min to 20s (as compared to v7.1.1005)
Added new registry function to read a single key in a hive for better performance without loading the entire registry file
Start
Add new 'Manage Devices' icon
System Information
Will now pick "System information from registry" as default when live acquisition is not selected for the case
Will now skip commands that can't be run on the selected drive (eg live acquisition only and a drive letter is selected) and display a skipped message in the output
Made some changes to allow user entered commands (eg regripper) to be run when live acquisition OR drive letter is selected (as most user entered commands will likely have a hard coded location)
ThumbCache Viewer
Redesigned the interface to allow loading a single cache file or adding multiple files by scanning a drive or folder
Added a tree view to show list of added cache files, folders and drives
Added a new "All" option to the Thumbnail Size combo box to show all records in a cache index file
Added a new feature to allow loading multiple cache files and viewing all of the records in them in a single list view
Added Extended Information to show EXIF data of thumbnails retrieved from ESE Database
Updated the thumbnail preview window to be resizable
Improved the efficiency of loading ESE Database
Thumbnail View
Added support for displaying thumbnails for video files
Support for animated video thumbnails on mouse hover
Changes to thumbnail caching thread for better performance and robustness
Added support for deleted video thumbnails
Files that do not have thumbnails are cached and no longer reloaded
User Activity
Added support for decrypting cookie values of the Chrome, Edge and Opera browsers
Added support for decrypting form history values of the Edge browser
Added Search Term to extract search keywords used in browsers
Added Website Logins to obtain browser passwords
Rearranged config dialog slightly to shrink height (previously unable to see OK button on 1080p laptop screen)
P2P, added extra error information display for decoder error during P2P scan
Fixed null pointer crash when scanning for USB devices only
Fixed bug in opening ARES registry key path
Added more Windows Event IDs to extract more forensically interesting logs
Added times to Browser Bookmarks and WLAN items
Fixed Time Source display error for some items under All category
Changed list-view default sorting to date and time in descending order
Improved column sorting speed
Updated column names for Autorun Commands and UserAssist
Fixed an issue with Windows Search scan on Windows 10 V2004
Updated Browser History, Downloads, Form, Bookmarks and Cookies to support the latest versions of Edge, Chrome and Opera browsers
Updated Downloads to support Firefox latest versions
Fixed an issue with Windows Search showing incorrect times in Windows 10 V2004
Moved Top Sites items to Browser History category
Removed support for Opera Version 22 and earlier
Removed support for Firefox Version 31 and earlier
Removed support for Safari
Web Browser
Fixed video download crash
Workflow
Workflow buttons and Start window icons now have 1-to-1 correspondence
Removed extra 'button' slot
Revised default workflow list
Added separate checkbox column to show/hide icon in Start page, hiding workflow buttons no longer hide the corresponding Start page icon
WinPE
Fixed some bugs/crashes found during WinPE testing
As SHBrowseForFolder() does not work in WinPE, updated to emulate the functionality when running in WinPE
Custom case location can now be specified for Live Triage and Case Manager's Create Case option
Misc
Updated Volatility Workbench to v3.0.1001
Updated exiftool to version 12.03
Updated WinPEBuilder
On exit, OSF will check the parent Temp folder to clean up orphaned temp directories. It will only delete the temp directories that are older than the oldest running/active osf32.exe or osf64.exe process
Fixed a crash that could occur in the trial version in deleted files and file name search
V7.1 build 1012 28th May 2020
Case Manager
Fixed a crash that could occur when loading a case if a category name was longer than the max (63 characters).
Fixed a bug allowing categories to be added with names longer than the max (63 characters).
Create Index
Fixed crash bug when indexing smaller binary files (<25MB) with multi-threads.
Fixed bug with 32-bit indexer failing to launch.
Deleted Files
Carving, thread safety updates.
Carving, fixed bug (read at an offset outside of the buffer) causing possible crash when carving TIFF files.
Mobile Artifacts
Potential stack overflow crash fix.
V7.1 build 1011 20th April 2020
Case Manager
When deleting case, fixed case being deleted even when cancelling option to export case to disk
Deleted Files
Fixed an issue where Prefetch and SRUMDB info wasn't being read correctly and would return 0 items
Fixed a possible crash when collecting SRUMDB info
V7.1 build 1010 25th March 2020
Auto triage / User activity
Fixed a crash that could occur when running user activity (or auto triage) using the live acquisition option
Deleted Files
NTFS, Reading $ATTRIBUTE_LIST now uses a dynamic-sized buffer rather than a fixed-sized buffer. This may fix buffer overflow issues when scanning MFT
NTFS, Added more verbose output when scanning $MFT attributes
V7.1 build 1009 23rd March 2020
Create Index
Fixed crash bug when multi-threaded indexing and extracting text from system binary files and non-system binary files
Password Recovery
Added a dialog to allow individual partition selection when trying to run on a disk image mounted as the entire disk that contains multiple partitions
Fixed a potential crash that could occur when recovering passwords (mostly affecting chrome passwords)
Registry Viewer
Made some changes to work better with disk images mounted as the entire disk that contains multiple partitions, will now scan multiple partitions for known registry files
User Activity
Added a dialog to allow individual partition selection when trying to run user activity on a disk image mounted as the entire disk that contains multiple partitions
V7.1 build 1008 17th March 2020
Create Index
Fixed crash bugs while indexing large Bitlocker images
Fixed 'Skipping directory ...' log messages
Changed handling of '$' system files, e.g. $AttrDef, $Bitmap, $boot, $LogFile, $MFTMirr, $Secure, $UpCase and $Volume are now treated as filename index only. Only $MFT and $RECYCLE.BIN are binary extracted.
RAM drive now allocates 2GB if >16GB of RAM is available
Added error messages for caching files and temp files.
Updated PDF indexing to only use OCR when text layer is insufficient (avoid excessive OCR'ing files)
V7.1 build 1007 5th March 2020
Create Index
Added support for indexing "Memory dump files" file type (.dmp, .mdmp, .mem). Select 'Unknown file types' to enable.
Significantly improved speed of large binary file indexing (includes system files)
Fixed bugs with BitLocker support
Fixed support for APFS
System Information
Fixed crash bug during Auto Triage or System Information.
Forensic Imaging
Added support for configuring between single/split files when writing to EnCase files
Misc
Fixed bugs with APFS support (missing files in directory, initialisation issues)
Updated WinPEBuilder release 1.2.106 (includes fixed bug where build process fails when creating ISO)
V7.1 build 1006 18th February 2020
Auto Triage
Fixed a crash that could occur when collecting system information (via Auto Triage or System Information)
Made some changes so less trial limitation warnings are displayed at the same time during Auto Triage
File system support
Updated BitLocker handling for better performance, indexing & file system browsing should be slightly faster
Generate Report
Fixed an issue with Logos not being enabled to be changed for Pro/Licensed.
Passwords
Updated Password Decrypting .dll files and fixed issue with GPU decryption not running.
User Activity
Export to CSV. Removed Flags field from CSV output causing column shift for some MRU types. Note: Flag values are case specific and their values were never exported, but the column header for "Flags" was.
Fixed shifted/misaligned column issue when exporting Event data to CSV.
Web Browser
Fixed an issue where saving a webpage as web archive (.MHT) was no longer working.
V7.1 build 1005 24th January 2020
Case Manager
Added support for opening tagged e-mails & attachments via double-click/right-click
Create Index/Search Index
Fixed bug when selecting file types for "Video", "Executables" or "Other" only (no files indexed when these are the only options selected)
Fixed crash bug with indexing and extracting meta info for MP3 files containing TXXX frames
Fixed bug with indexing files found within at least 3 recursive levels of ZIP files. These would show up with incorrect paths (missing ZIP file names) and unable to open the file from the Search Results
Fixed bug with email messages in HTML or TXT format (not RTF) not being indexed as email filetype (and incorrectly showing up on the "Files" tab in OSF results)
Fixed bug with MBOX files with no extensions (such as from Thunderbird) being indexed twice when we encounter the .MSF (mbox index) file.
Fixed bug with MBOX files with no extensions failing to be recognised by the unknown file type identification function (magic).
Updated PDF indexing to use CreationDate and ModDate from within PDF document properties
File Name Search
Presets, Updated default extensions to include heic/heif for images and hevc for videos.
Generate Report
Fixed Typos. Custom Logo area is always shown. Still only editable in Pro version.
Start Page
Fixed issue where some items were not being hidden when everything was unchecked in Customize Workflow.
System Information
Added collection of more fields when performing command ('Windows Info (Registry)'). Fixed collection of 'Install date' field.
Misc
Updated web browser video download function to work with current version of YouTube
Added code to deal with non sector aligned access to physical disk
Updated support for BitLocker encryption. This can fix (some) instances of the "unsupported FVE metadata entry version" error.
V7.1 build 1004 6th January 2020
Create Index/Search Index
Further fixes to indexing and searching large number of unique words (2mill+)
Fixed bug where files that failed to be identified by magic were indexed as plain text (now treated as binary files). This may have caused extraneous data being indexed (leading to large number of unique words)
Fixed bug with "Export search results to CSV" from "Search Index"->"History" tab, when the selected search results contain a mix of files and emails, the columns output in the CSV do not match up (emails will have more columns than the files).
Email Viewer
Fixed bug with Email Viewer refusing to open an MBOX file which contains non-ASCII characters, with the file being opened in the Internal File Viewer instead.
ESEDB Viewer
Added missing error checks for non-existent table name. This caused out-of-index exception when performing User Activity scan on IE/Edge WebCache01.dat files.
Passwords
Potential fix for crash when scanning for passwords in Credential Manager
V7.1 build 1003 16th December 2019
Create Index/Search Index
Fixed bugs with indexing and searching large indexes containing more than 2million unique words. Also improved error reporting.
Indexer now reports number of threads in log
Added debug mode for OSFIndexer
File System Browser
Fixed jumping to disk offset when selected disk in raw disk viewer does not match
Logical Imaging
Fixed copying of sparse files, which were not being set as sparse on the destination (if filesystem supports it)
Raw disk viewer
Support for jumping to XFS inode record
Support for jumping to ext[2|3|4] inode record
Added file system scanning for APFS disks. APFS files should be identified and highlighted.
Added "Check for Updates" icon under "Help and Information" for checking the most up-to-date OSF version
User Activity
Warn user if contents copied to clipboard exceeded limit and will be truncated.
Misc
Fixed disk dropdown box incorrectly displaying "Unknown/Empty partition" for all case devices
V7.1 build 1002 6th December 2019
Android Logical Copy
Fixed possible crash due to corrupted stack
Event Log Viewer
Added Scan Folder button, this allows multiple event logs to be added to the viewer even when the event logs are found in a non-standard folder
Added ability to add and delete multiple drives and folders in tree-view. Previously only files from one drive at a time could be added.
Changed presets filtering configuration file, allowing more complicated filter conditions. Also added some additional preset filters
Added a must "Not Contain" option to the event log filter conditions.
User Activity
Results can now be sorted by tagged state by clicking on the "Flags" column
Fixed crash when sorting by column that we accidentally introduced in last patch, oops.
Added filtering of results by "Flags"
USB, Opening USB device entries obtained from setupapi.dev.log or event log now opens the correct viewer
WLAN, Opening WLAN entries obtained from .xml file now opens the correct viewer
Fixed right-click menu for USB/WLAN activity
Fixed a crash that could occur if a scanned ESEDB database was corrupt. Seems to be rare as we have only seen one known instance.
V7.1 build 1001 2nd December 2019
Create / Search Index
Fixed bug with Custom limit for Max File Size and Max Pages not applying when
creating an index
Added ability to "Display Search Results" for multiple selected items in the
"History" tab
Added "Path hash" column for "Export Search Results to CSV" to locate files that
have been added to case (and stored in the "Files" folder)
Disk Imaging
Read/Write/Hash threads now use their own I/O buffers to prevent memory access
errors when a disk timeout occurs. This typically only happens when disk has a
hardware fault.
But it could result in a crash when it does happen.
ESEDB Viewer
Fixed possible crash when loading a table in the ESEDB viewer
Event Log Viewer
Reorganized elements in the main dialog and top menu.
Updated filter options in the Advanced Filter.
Added tree-view right-click menu.
Added Presets combo box for quick filtering. The user can also add their own preset
filters by editing the text file,
\ProgramData\PassMark\OSForensics\EventLogPresets.txt
Updated list-view item selection to allow multiple item selection using mouse drag
and right click menu Toggle Check to select them.
Internal viewer
Metadata, Improved UI responsiveness by launching metadata collection process in a
separate thread.
Fixed bug in loading NTFS alternate streams when there is no file list
Raw disk viewer
Added file system scanning for Linux XFS disks. XFS files, directories, and internal
structures should be identified and highlighted.
Fixed bug in partition size for XFS disks
User Activity
Allowed tagging of activity items that are not file paths (eg. registry keys, URLs,
DB records, etc.)
Added an option in the list-view right-click menu for Event Log to allow users to
open Event Log Viewer and locate the selected event.
Added 'Flags' column to identify 'tagged' items
Fixed Ctrl+T shortcut not working
Fixed memory allocation error due to invalid jump list entries
Fixed Web Browser tab not being highlighted when opening URL
Improved options to export to CSV and copy to clipboard from SRUM Database entries.
V7.1 build 1000 19th November 2019
NEW Event Log Viewer
New viewer to display Windows event log files. Open logs in E01 images, filter logs,
add log entries to the case, etc.
Android Logical Copy
At completion, log will show the count of files copied by file extension.
Case Manager
Fixed empty partitions being displayed in drop down list when adding physical drives
to case
Minor fix for BitLocker encrypted volume detection
Clipboard viewer
Added some checks when ComBase.dll functions are being called that they exist to
prevent a possible crash in Win7 when attempting to collect extended clipboard data
Create/Search Index
New indexer build that adds XFS file system support
Updated indexer, fixed bug with search results from email attachments of ZIP files
appearing under the Files tab instead of Email attachments
Added 'Export Search Results to CSV' feature on the 'History' tab, which allows user
to export results from multiple search queries and multiple indexes at once.
Debug mode - (Start Window)
Added 'Restart OSF in Debug Mode' icon under 'Housekeeping' to restart OSF with
'DEBUGMODE' parameter set
ESEDB Viewer
Updated libesedb library to libesedb-20181229
Fixed major performance issue with very large ESEDB files (4GB+). Achieved roughly
40x speed improvement. Previously large files would be so slow to process that User
Activity module looked like it had locked up. This should resolve this issue
File system support
Added support for Linux XFS file system
Logical Imaging
Fixed bug where root paths added from "Other Available Devices" were not being
copied.
Registry Viewer
Added right-click menu for exporting report to disk/case
User activity
Added a new option in the config "Moved Downloads (Slow)" to control whether the
drive is scanned for downloads that have been moved (Zone.Identifier streams), this
is now off by default as it can be a slow process
Replaced Jetblue API use with ESEDB library (libesedb) use when getting EDGE/IE10
history
Added some more status messages for registry and browser processes
Fixed sorting of columns for SRUM DB information
Misc
Physical drive scanning for partitions at startup was updated so that OSF startup
speed should be quicker and use less RAM.
Fixed a bug in the disk partition detection code, it was not thread safe when
running in debug mode, which could result in a rare crash at startup
Help file updates
V7.0 build 1005 10th October 2019
Boot VM
Added option to select disk controller. If "Auto" is selected, IDE is used for
Windows XP and SATA otherwise. Should improve performance for non-XP images.
Disk Image and Filesystem Support
Initial support for ISO images.
ESEDB Viewer
Added detection of MAPI property hex in column header. If so, display the property
identifier string
Highlight known tables and display default columns for Win 10 Mail store.vol
Memory Viewer
Added checkboxes to list of processes
Added export of checked process details to CSV & case
Added export of list of checked process to CSV & case
Added link displaying number of checked processes
Fixed task activity LED not clearing after dumping process memory
Added right-click menu for checked items
Export checked processes memory dump to disk & case
Added right-click menu option to dump checked process memory into single file
Mismatch Search
Fixed "Identified Type" column header displaying as "Location"
Registry Viewer
Initial implementation of exporting SAM/SOFTWARE registry hive reports
Initial implementation of exporting SYSTEM/NTUSER.dat registry hive reports
Start Window
Fixed icon groups re-ordering when changing workflow
User activity
CSV export of checked items. Behaviour now matches export to text/html where if the
ALL items view is currently selected it will export all checked items, but when
viewing a specific item type only checked items of that item type are exported.
CSV export, fixed a bug preventing the recycle bin items from being exported
correctly.
Fixed an issue with the column sorting when sorting by integer value (eg filesize)
for Recycle bin, event, jumplist and shim cache items.
$UsnJrnl viewer
Changed to detection of MFT record size rather than using hardcoded 1024 bytes
Added additional debug logging when scanning MFT records
V7.0 build 1004 24th September 2019
NEW Clipboard Viewer
Added clipboard viewer to view current, historical clipboard items (where available)
and pinned items
NEW AmCache Viewer
Added AmCache viewer
Auto triage
Added option to collect clipboard contents
Boot Virtual Machine
Fixed unable to boot disk image located on network
Added debug logging when querying mounted disks
Case Manager
Added export clipboard contents to report
Partitions encrypted with Bitlocker now shows "Bitlocker" instead of "Empty"
Create Index
New indexer builds, fixed thread safety bugs with DOCX, PPTX, XLSX indexing with
timing issues causing occasional "cannot open file" error on files when multiple
threads are in use.
Disk Image and Filesystem Support
Added support for the Stream Optimized sub-format for VMDK images
Fixed possible crash when accessing invalid cache entries for Linux EXT drives
Added detection of sector size when reading GPT header rather than using default
512 bytes. 4K native (4Kn) sector sizes should now be detected for disk images. This
resolves an issue where partitions were not being detected in some E01 images.
Background info: Since about 2012 most hard drives use 4K physical sectors, but
nearly universally implement 512 byte emulation (512e). There are, however, a tiny
number of enterprise drives that are native 4K without emulation. OSF now supports
this 4Kn format.
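The sector-size detection described in the GPT item above can be illustrated as follows. This is an added example, not OSForensics code: it probes LBA 1 at each candidate sector size for a GPT header with a valid CRC, and the function names and the constructed test image are assumptions made for the illustration.

```python
import struct
import uuid
import zlib

GPT_SIGNATURE = b"EFI PART"
HEADER_FMT = "<8sIIIIQQQQ16sQIII"    # 92-byte GPT header (UEFI layout)
ENTRY_FMT = "<16s16sQQQ72s"           # 128-byte partition entry
CANDIDATE_SECTOR_SIZES = (512, 1024, 2048, 4096)
BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7").bytes_le


def parse_gpt_header(image, sector_size):
    """Return the GPT header found at LBA 1 for this sector size, or None."""
    off = sector_size                              # LBA 1 starts one sector in
    raw = image[off:off + struct.calcsize(HEADER_FMT)]
    if len(raw) < 92 or not raw.startswith(GPT_SIGNATURE):
        return None
    (_sig, _rev, hdr_size, hdr_crc, _rsvd, my_lba, _alt, _first, _last,
     _guid, entry_lba, n_entries, entry_size, entries_crc) = struct.unpack(HEADER_FMT, raw)
    if not 92 <= hdr_size <= sector_size or my_lba != 1 or entry_size < 128:
        return None
    hdr = bytearray(image[off:off + hdr_size])
    hdr[16:20] = b"\x00" * 4                       # CRC covers the header with this field zeroed
    if zlib.crc32(bytes(hdr)) != hdr_crc:
        return None
    return {"entry_lba": entry_lba, "n_entries": n_entries,
            "entry_size": entry_size, "entries_crc": entries_crc}


def detect_sector_size(image):
    """Try each candidate size; the first one with a valid header at LBA 1 wins."""
    for size in CANDIDATE_SECTOR_SIZES:
        if parse_gpt_header(image, size) is not None:
            return size
    return None


def list_partitions(image, sector_size):
    """Return (name, byte_offset, byte_length) for each used partition entry."""
    hdr = parse_gpt_header(image, sector_size)
    if hdr is None:
        return []
    start = hdr["entry_lba"] * sector_size         # LBAs only mean something with the right size
    table = image[start:start + hdr["n_entries"] * hdr["entry_size"]]
    if zlib.crc32(table) != hdr["entries_crc"]:
        return []
    parts = []
    for i in range(hdr["n_entries"]):
        entry = table[i * hdr["entry_size"]:][:struct.calcsize(ENTRY_FMT)]
        type_guid, _uid, first, last, _attrs, name = struct.unpack(ENTRY_FMT, entry)
        if type_guid == b"\x00" * 16:              # unused slot
            continue
        parts.append((name.decode("utf-16-le").rstrip("\x00"),
                      first * sector_size, (last - first + 1) * sector_size))
    return parts


def build_test_image(sector_size, first_lba=256, last_lba=511):
    """Constructed sample: simplified MBR sector, GPT header at LBA 1, entries at LBA 2."""
    entry = struct.pack(ENTRY_FMT, BASIC_DATA_GUID, uuid.UUID(int=1).bytes_le,
                        first_lba, last_lba, 0, "evidence".encode("utf-16-le"))
    table = entry.ljust(128 * 128, b"\x00")

    def header(crc):
        return struct.pack(HEADER_FMT, GPT_SIGNATURE, 0x00010000, 92, crc, 0, 1, 0,
                           first_lba, last_lba, uuid.UUID(int=2).bytes_le,
                           2, 128, 128, zlib.crc32(table))

    hdr = header(zlib.crc32(header(0)))
    lba0 = bytes(510) + b"\x55\xaa" + bytes(sector_size - 512)
    return lba0 + hdr.ljust(sector_size, b"\x00") + table


if __name__ == "__main__":
    img = build_test_image(4096)
    print("assuming 512:", list_partitions(img, 512))
    print("detected:", detect_sector_size(img), list_partitions(img, detect_sector_size(img)))
```

With a hardcoded 512-byte sector the 4Kn image yields no partitions, which matches the symptom the fix addresses.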
Deleted Files
Fixed crash when OSF terminates and the background Deleted Files cache thread is
still processing items.
Prefetch Viewer (Program Artifacts)
Renamed Prefetch Viewer on Start page to Program Artifacts and changed icon.
Registry Viewer
Internal viewer should now handle large LI/RI Key Types. Should help open some
registry files and display previously missing keys.
Fixed crash when decrypting Windows Passwords (Key ClassName value was incorrect)
User Activity
Added clipboard item collection
Shimcache, fixed issue with Shimcache not showing details under File List tab and
also when exporting to CSV, HTML, TXT.
Added MuiCache to "Installed Programs" artifact list for non-live acq (i.e. drive
images).
Installed Programs, added programs and drivers found in AmCache.hve. (Initial
support AmCache format of Windows 10 V1607 and up).
Added right-click option to open system event viewer for event records, fixed
double-click/right-click options for other activity types
Fixed bug in MRU recent items file paths
Support adding files from Downloads, Jump List, Recycle Bin, Shim Cache to Case
Updates for adding items to Case and for tagging items
Added some extra error message details if a shadow copy of a locked system file
fails
V7.0 build 1003 23rd August 2019
Case Logging
Only the first 100 characters of the case narrative will be written to the case log
entry.
Fixed bug. If Case Logging is enabled and a new log text entry was greater than
65536 characters, it could lead to crash and/or corrupt the log file. If entry is
larger than allowed, the log entry (not actual contents) will now be truncated to
fit.
Create/Search Index
Added feature to increase Create Index threads up to 20 maximum
Changed default indexing threads to 4 (based on benchmark results)
Deleted Files
File Carving bug fix, some non-threadsafe functions could cause a crash during file
carving due to multiple threads running at the same time which has now been fixed.
Registry Viewer
Fixed issue with RegViewer displaying incorrect data for "Big Data" entries (where
data was over 16KB for a single key).
User Activity
Added MuiCache to "Installed Programs" artifact list. NOTE: working for live
acquisition only currently.
Added new artifact type “Shim Cache”
V7.0 build 1002 15th August 2019
Create/Search Index
Fixed error reporting when indexer runs out of memory, max pages exceeded or max
words exceeded.
Misc
Fixed a performance issue with direct access of hard drives / images from
OSForensics. This was particularly apparent when looking up multiple results from a
file search in a hash set or when creating a search index.
V7.0 build 1001 13th August 2019
Create/Search Index
Fixed file extension count at end of summary. Previously the count of files indexed,
per file type, wasn't always accurate when files were found in container files,
like ZIP and CHM files.
Fixed crash bug (stack corruption) in Create Index Log window, when there were very
long lines in the log.
Fixed bug in "Search Index" stopping search prematurely, not returning the full set
of search results for large datasets
Create Signature
Support for counting NTFS hard links for OSF devices using direct access. This
avoids double counting of hard linked files.
Deleted Files
Apply Filter button will be enabled as long as MFT has been scanned even if Search
was cancelled during carving (a warning message will be visible that results are
incomplete).
File viewer
Fixed crash that could occur when rebuilding thumbnails (triggered by using an "Open
file location" right click menu item in recent activity items)
User Activity
Rewrote export to CSV function to export data as seen in each item's list rather
than trying to have each item match a preformatted output. The new CSV file will
have a section for each item type with a heading row and will be separated with a
blank line (eg MRU item headings, MRU items, blank line, USB item headings, usb
items etc). This means a lot more data will now be exported to CSV.
USB, Fixed parsing of Unknown USB device in registry
USB, Added parsing of "Properties\\{83DA6326-97A6-4088-9453-A1923F573B29}" registry
key to determine USB first installed, last connected, and removal times
USB, Added parsing of Microsoft-Windows-Partition/Diagnostic.evtx event log for USB
connection/disconnection events
USB, Added parsing of archived setupapi.dev.xxxxxxxx_xxxxxx.log
USB, Added scanning of SYSTEM\CurrentControlSet\Enum\SCSI for USB connected SCSI
disks
Added scanning for files in "Downloads" folder and scanning drive for
"Zone.Identifier" alternate stream and reading the "ReferrerUrl" and "HostUrl"
fields. This can help identify files that were downloaded but moved to a new folder.
Shellbags, started processing some more item types to retrieve more information when
available
Shellbags, fixed a bug where the top level of the disk path wasn't being cleared
correctly in some cases when recursively processing the ShellBagMRU leading to
malformed disk path such as Desktop\A:\B\C:\ instead of Desktop\C:\
Windows search, fixed a crash that could occur in some older versions of the
windows.edb database
Windows search, stopped directory entries from being filtered out automatically,
will now be displayed in the "directory" sub type
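The Zone.Identifier item above (reading "ReferrerUrl" and "HostUrl" to spot downloads that were moved) can be illustrated as follows. This is an added example, not OSForensics code: the function names, the rule of treating any path without a "Downloads" folder as moved, and the sample streams are assumptions constructed for the illustration.

```python
from pathlib import PureWindowsPath

# Standard Windows URL security zone numbers.
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}


def decode_stream(raw):
    """Decode stream bytes; tolerate UTF-16LE or UTF-8 BOMs as well as plain text."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le", "replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        return raw[3:].decode("utf-8", "replace")
    return raw.decode("utf-8", "replace")


def parse_zone_identifier(raw):
    """Parse the [ZoneTransfer] section; return None if it is missing or malformed."""
    fields, in_section = {}, False
    for line in decode_stream(raw).splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = line.split("=", 1)            # URLs may themselves contain '='
        fields[key.strip().lower()] = value.strip()
    try:
        zone = int(fields["zoneid"])
    except (KeyError, ValueError):
        return None
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "Unknown"),
            "referrer_url": fields.get("referrerurl"),
            "host_url": fields.get("hosturl")}


def find_moved_downloads(streams):
    """streams: iterable of (file_path, zone_identifier_bytes) pairs.

    Returns (path, host_url, referrer_url) for files marked as coming from the
    Internet or Restricted zone that no longer sit under a Downloads folder.
    """
    hits = []
    for path, raw in streams:
        info = parse_zone_identifier(raw)
        if info is None or info["zone_id"] < 3:
            continue
        folders = [p.lower() for p in PureWindowsPath(path).parent.parts]
        if "downloads" in folders:
            continue
        hits.append((path, info["host_url"], info["referrer_url"]))
    return hits


# Constructed sample streams (paths and URLs are made up for the example).
SAMPLE_STREAMS = [
    (r"C:\Users\alice\Downloads\setup.exe",
     b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://cdn.example.test/setup.exe\r\n"),
    (r"C:\Users\alice\Documents\Tax\report.pdf",
     b"[ZoneTransfer]\r\nZoneId=3\r\n"
     b"ReferrerUrl=https://portal.example.test/inbox\r\n"
     b"HostUrl=https://files.example.test/get?id=42&name=report.pdf\r\n"),
    (r"D:\Archive\tool.zip",                        # older style: ZoneId only, UTF-16 with BOM
     "\ufeff[ZoneTransfer]\r\nZoneId=3\r\n".encode("utf-16-le")),
    (r"C:\Users\alice\Desktop\notes.txt", b"[ZoneTransfer]\r\nZoneId=0\r\n"),
    (r"C:\Temp\broken.bin", b"ZoneId=3\r\n"),      # no section header: ignored
]

if __name__ == "__main__":
    for hit in find_moved_downloads(SAMPLE_STREAMS):
        print(hit)
```

On a live NTFS volume the bytes would come from opening the file's `:Zone.Identifier` alternate stream; here they are embedded so the example runs offline.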
Misc
Reduced program start-up time by deferring window initialization for each module to
when they are first opened. OSF should launch around 3x quicker now.
Fixed default drive not set properly on startup
Fixed handling split image files, where the number of split file parts was > 1000
(.999 -> .1000 or .999 -> .A00). It really doesn't make sense to create split
files with this many parts, but someone did it.
V7.0 build 1000 31st July 2019
Platform support
OSF will no longer run on Windows XP systems. (But disk images from XP machines can
still be investigated). If support for installing the software on a XP system is
required, then V6 will need to be used.
Add Device
Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding
a bitlocker-encrypted drive to case
Removed "Forensics Dude" from the Add Device window. The formatting of the help text was
changed to the same look as the other windows.
Android Logical
Fixed issue where during logical copy, some directories were not being included.
Android Artifact
Removed misleading text indicating that "images" can be added to scan. Added warning if
adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
Photo artifacts were only looking at the
"data\\com.google.android.apps.photos\\db\\gphotos0.db" (specified in Help File).
But will now also do a quick scan for known image file extensions. Added
notification to user to use File Name Search module for more advanced viewing/search
options.
MMS extracted with OSFExtract will show recipients on the message.
Android Copy
Copying to a Logical Image (VHD) will no longer require a full scan to calculate
disk size. This should increase its responsiveness.
Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address"
table from mmssms.db database file. Which contains the addresses (recipients) for
MMS threads.
Auto triage
Added configuration options for logical image creation
Moved deleted files report export to a separate thread to improve responsiveness
Moved recent activity report export to a separate thread to improve responsiveness
Disabled hashing of signature file list to improve responsiveness
Boot Virtual Machine
Added ability to boot an image as a VM from OSForensics.
Image to be booted can be read only, as the image file is never modified. Instead
changes to the image are written to separate cache files.
Image format support includes E01, Raw, Split images, VMDK, VHD, etc.
Write cache files are now used in mounting when 'Restore existing disk state' is
checked, so VM can be restarted where you left off
Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs
showing running machines, and associated drives.
Added 'Boot Virtual Machine' icon to Start page
User can select number of cores to allocate to the VM, RAM size and if networking
is enabled. Default values are scaled based on system specs of host.
Support for booting partition images by pre-pending an MBR image to the disk in the
.vmdk file. (normally it is impossible to boot just a bare partition). This includes
images that use ntldr for booting (Windows XP) and bootmgr + BCD images (Vista
and above). Machines with EFI System Partitions are also supported.
VMware 14, 15 and VirtualBox 6 are supported as hypervisors
Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac
OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
Preliminary support for disks with multiple bootable partitions. Added warning text
when multiple O/Ses are detected on the disk. Note: Not all permutations of
multi-boot O/Ses will be supported (there are too many to test). Mac and Windows on
the same disk is known to be problematic.
Added option to bypass Windows login by patching a Windows system file and setting
automatic logon option in the registry. This method is fast, but it doesn't crack
the password of the user. So any files encrypted with EFS are not decrypted. As
patching of system files is required, not all releases of Windows are supported.
The Win 10 releases from March 2019 (17763) are known to have a problem.
There is support for selecting which user account to auto-logon into in the case
where the machine has multiple accounts.
A new version of OSFMount is included with the package. V3.0 build 1005. This
allows mounting of images as (emulated) physical drives and caching of disk writes
to temp files.
Case Manager
Fixed bug with trailing space characters allowed in case name (causing invalid
Windows folder names to be created)
Defined new hash set flag level "major" for Project VIC
Added info dialog when adding a Bitlocker-encrypted drive to Case
Added new case item group for virtual machines
Added case details tab for customizing category definitions
Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose
focus and another window will be on Top.
Fixed a bug where sometimes the status dialog window size can appear too large
while generating report.
Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps
for applicable items and label it as such. Note: Applies to new items added to case.
Existing items in cases will not have the extra timestamps.
Reporting, "Skip Empty" checkbox to exclude empty artifact categories from the
generated reports.
Added button for the Case Narrative (html) editor in the main Manage Case module.
Double-clicking on virtual machine case item switches to 'Boot Virtual Machine'
module and selects the VM in the list
When deleting a device that was the case default device the default device will now
be set to the first device associated with the case or the C drive if there are no
more devices.
Removed "Results of forensics analysis" and "Executive Overview" headings from case
narrative / auto triage report
When removing categories, all case items belonging to category shall be unassigned
Categories can now have optional "Notes" property
Added button to manage categories, when adding/editing case items, can click on
'Category' link to manage categories
When adding or editing case items, a new category can be entered in the Category
dropdown
Separated "Offences" list and "Categories" list. Defined a new "Categories" list
that reflects more common categorization types.
Fixed bug where downloads/attachments were not being loaded into case after OSF
restart.
Removed all options other than 'Delete' when right-clicking multiple selected items
Fixed possible crash when sorting Case Item name
Added missing 'Raw Disk' exports to generated report
Create Index / Browse Index
New Indexing feature added, Optical character recognition (OCR) for PDF files.
Previously this was only done on photographic images.
Updated indexing engine, with lots of more minor changes for handling different
file types & performance.
Added ability to skip pre-scan when creating an index
At Step 1, have all options check-marked by default except binary executable files,
which don't contain much useful text.
Fixed bug with search being prematurely truncated when indexed 0x1A character in
meta data (title, description, etc.)
Fixed bug with substring searches applying within exact phrases
Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some
exact phrase searches (containing words which occur on the page many times but not
in that sequence) to take extraordinarily long.
Fixed Check/Uncheck all buttons not affecting new file type options
Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary
dictionary counting) and when Filtering results
Fixed bug with filenames not being indexed for PDF files and other plugin formats
Improved error messages when failing to launch indexer
Fixed "Failed to add folder" bug with Create Index -> Add folder
Fixed bugs with handling multi-partition images
Fixed bug with Index names ending with "." which caused various failures
Fixed indexing unallocated clusters for entire disk images
Create Signature
File system cache is now cleared before creating a signature in Direct Access mode.
This is important for live file systems where the content is changing while OSF is
running.
Compare Signature
Increased number of recently selected signature comparison files (displayed in drop
list when selecting a signature) from 10 to 15
When creating a hash set from a comparison there is now the option to include all
files in the comparison or just new ones
Added a new difference type of "Attributes Modified"
Deleted Files / File Carving
Hashing of files will only be performed for non-empty files (0 byte files are
skipped).
Improved responsiveness by not redrawing window if not visible
Fixed a lockup that could occur
Added new status tab while scanning to show number of files (grouped by extension)
found/recovered.
Removed message dialog when no files are found
Checkbox added to enable/disable extensions for file carving.
Updated FileCarver to be threaded for better performance (by adding threading to
several operations). Resulted in 2.6x faster carving on a test system.
Added option to look within a sector for header pattern match. Enabled by default
(same as previous behaviour) OSF looks only at the bytes at the beginning of
the sector.
Added definition for HEIC/HEIF image file format to allow these types of images to
be carved.
Updated JPG file header definition to decrease the number of false positives when
carving.
Added definition for SQLite files
Added definition and extractors for Intel based Assembly Files (.asm)
Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus
RAW Image), .arw (Sony RAW Image) and .raw (Leica/Panasonic RAW Image) formats
Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format
(.3gp).
List view in Status Window showing total files found is now sortable.
Fixed issue when "Applying Filter" was not returning (stuck in loop).
Fixed issue with double counting files with similar header pattern.
Drive preparation
Fixed an open file handle from the Drive test that would prevent the data pattern
write if the drive test was run first. This fixes a possible false report saying the
drive was faulty, when in fact the drive was just locked
Email Viewer
Fixed UI issues when minimizing and restoring windows
ESEDB Viewer
Changed behaviour to load all items for selected table into data buffer so we can
sort columns correctly, still only displaying 1000 entries per page. Will mean a
slower initial load but much faster sorting and searching.
Columns can now be sorted by clicking on the column heading
Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some
date display issues for the SRUDB date / time format.
File Name Search
Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the
File Name Search Details View.
Added ability to create a New Preset option in the Config window. Defaults are
still loaded from FileNameSearchPresets.txt file in AppData directory. User defined
Presets are saved in the OSF config file, config.OSFCfg.
Change the module icon from "disk" to "binocular" to be consistent with the main
menu.
Config, fixed bug where hash sets were not populating in the drop down selection.
Added right-click option to show only checkmarked files.
Added ability to include additional folders and/or exclude folders from the File
Name Search.
When switching cases, any previously performed search results will be
cleared.
Fixed a bug where, when enabling $FILE_NAMES attributes, the horizontal scroll would
disappear in the List View.
Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and
File List tab. And "Jump to File Details" from the Thumbnail Tab.
Started saving column ordering, visibility and size in OSF config file
Fixed default title not being updated when adding multiple files to case
File Previewer/Image viewer
Added support for single image HEIC files
File System Browser
Refreshing the current folder using the F5 now clears the file system cache and
allows user to see changes to live file system.
Fixed hidden scrollbar when minimizing/restoring the window
Fixed vector Out of bounds crash
Forensic Imaging
Create a Drive Imaging queue to allow user to add other drives to image once the
first imaging job is complete.
Forensic Copy
Added option to add individual files to the image list instead of only folders.
Improved performance of looking up duplicate paths by keeping track of hashes
Fixed copy operation not aborting after pressing 'Stop'
Changed source list view to owner draw for better performance
Moved total file size calculation to a separate thread for better response
Hash Set
Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P)
software, Cryptocurrency
Added feature to import folder of VIC files. "Import VIC file set" will now prompt
to either "import into existing active database" or "create new database". Updated
import VIC feature to ignore Category: 0 which are considered Safe files
Added support for importing V2.0 format VIC hash set.
Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file
format
Fixed Bug with Right Click->Export to Text file output being corrupted. (Column
Indexes to the ListView were not correct).
Fixed Bug where Right Click->View with Internal Viewer was unable to open
deleted files entries.
Fixed Bug where false positive matches were being returned. (Previous result was
not being cleared).
When quitting, OSF will remember the current active hashset & reselect that
hashset on startup.
Made error message more descriptive on import failure. Fixed bug holding hash set
open after failure to import that was preventing deletion.
Fixed a bug preventing pasting folder locations into the NSRL data set input folder
when importing
Added "Delete" option from Hash Set Viewer window (right click menu)
Added confirmation message box when deleting a hash set
Added a more descriptive error message when an NSRL import fails due to errors in
the file contents (eg invalid product number)
Removed warning message about selecting a non-example / new hash set when importing
an NSRL hash set (a new hash set is created by default when importing a NSRL hash
set)
Added more prominent highlighting when file is in hash set to highlight Project VIC
hash sets
Improved error message when failing to open .OSFHashSet file which is read only
NSRL hash set import, added an error message when an operating system ID doesn't
exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and
continue to import.
Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
Changed "Look up Hash Set" dialog to not close window when user cancels look up.
Install to USB
Added option to exclude password recovery dictionaries and rainbow tables from USB
install
Changed out of space error message to use MB instead of bytes
Added option to include Hash Sets to be exported during install.
Internal Viewer
File Info, added text to indicate if the file does not exist at the location
Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
Added preservation of 'create' and 'access' times, when available
Fixed contents of certain .rar files not being displayed (RAR5)
CSVReader, fixed a possible crash opening CSV files with individual elements that
contain over 512 characters (element will be truncated to 511 characters now)
Hex View, will display file slack space in internal viewer. Can enable/disable in
'Settings'.
Hex View, fixed bug where hex view would not load and return "Unable to open file:
File access is denied" when a file failed to open the underlying disk in raw mode
(to load slack space). Show Slack Space is not available for resident MFT files or
files on devices not added in forensics mode within OSForensics.
Hex View, will extract strings in file slack space if show slack is enabled.
MemViewer
Added warning if trying to save memory dump to a filesystem that doesn't support
the file size of the dump e.g. Over 4GB on FAT32.
Raw Memory Dump, added progress bar and estimated time remaining.
Updated volatility compiled executable to 2.6.1 and volatility workbench to
2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
OSFDevMgr
Fixed buffer overflow when calling FindFirstFile() on a group device's root
directory (eg. "group_device:")
Fixed FindFirstFile() not returning the list of subdevices for a group device's
root directory (eg. "group_device:")
Fixed a crash that could occur when a badly formed system path is passed to
SplitFilePath
Password Recovery
Fixed an issue where passwords from the windows credential manager were returned
when running using the "scan drive" option when they are only available for the
"live acquisition" option
Made some changes to the registry reading code at this point so it is now thread
safe and will work better with the auto triage.
Started saving column ordering, visibility and size in OSF config file
Changed LM/NT references from "(disabled)" to "(empty)"
Added ability to add sequential decryption jobs in the Decryption & Password
Recovery tab.
40-Bit Encryption, fix for parsing output of 40-bit file.
Windows Login Passwords, updated GUI so list views expand as the size of the main
window expands.
Enabled debug logging for run_server.exe when OSF is run in debug mode. Log can be
found in run_server.exe directory while running and then is moved to the OSF
documents folder when finished.
Fixed bug that could cause possible memory corruption issue if GPU decryption is
enabled.
Fixed bug where checked item count was not being reset if "Acquire password" was
clicked again
Prefetch Viewer
Added all available run times to results list and exports
Raw disk viewer
Fixed incorrect GPT 'Partition name' in Data Decode window
Added option to select where (beginning, current position, end) to jump from when
jumping using bytes or sectors. (Using a negative sign will jump backwards.)
Recent Activity – Renamed to User Activity
User Activity
Addition of System Resource Usage Monitor (SRUM) database scanning, will display
items from the Application Resource Usage, Network Usage, Network Connectivity and
Push Notifications database tables.
Made the user activity navigation pane with the Tree view resizable.
Started encoding HTML special characters (eg <>&) in the HTML output for
some items when exporting
P2P, Fixed crash when running on Ubuntu drive
Changed "Show empty activity types" checkbox to default to on so empty types are
displayed
Windows search is now using the ESEDB viewer to load the windows search database,
will sometimes be slower but should be more reliable (no need to repair database
using esentutl which would often crash or leave database in a dirty state still).
Installed programs, added date collection using the InstallDate registry value when
available and when not available uses the last write date of the registry entry
No longer stopping the windows search service when the windows search option is
selected for a live system scan
Added new Recycle Bin activity. Will show items in the Recycle Bin (original file
path/name and date deleted).
Added the Last-Visited and Open/Save MRU's to the MRU category:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU and
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePIDlMRU
Added the other 7 run time stamps for Prefetch Files (for 8 total).
Fixed bug with non-ascii characters for recent activities that use a sqlite
database (mostly browser - chrome, firefox, opera - activities)
Added Event Log Login Types description
Added MRU Adobe Acrobat Reader DC Artifacts
Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop
install
MRU, Fixed crash when parsing Windows XP Registry files for OpenSave and LastVisit
MRU
Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE,
etc)
Added checkmarks beside each artifact category. Users can then deselect any
artifacts they don’t want without going into the config settings.
Added +/- expand collapse for artifacts that have subcategories.
Add subcategories for Windows Event Logs (OAlerts, System, Security, Application,
etc.)
Fixed bug where the number of checked items links was not being shown in the File
List Tab.
Added VLC artifacts for Windows and OSX/Mac
Added Windows Media Player Last played and folders artifacts
Added Mapped Network Locations from HKCU\Network
Opera, fixed opera version being read incorrectly for new versions of opera
Opera, fixed bug stopping opera password data being read correctly
Fixed an issue seen where no Chrome information could be retrieved when doing a
live scan due to not being able to get the current windows user/profile/known
folders
Registry Viewer
Unknown value data types will be shown as hex data by default (previously the data
was not displayed at all). Useful for looking at Windows Store Apps' settings.dat
files, which are special registry hives with undocumented value data types.
System Information
Removed "Get" from the Registry Commands.
Get User Info (Registry), fixed an issue where user accounts could display "Account
disabled" incorrectly
Changed error message slightly when only live acquisition tasks are in selected
list when a drive letter is chosen instead of live acquisition
Added a quick search box to search the text of the current result tab.
Added full name, description and password hint to “Get user information (Registry)”
output
Fix to process "Enter" key notification while using the Find Text Control.
Thumbnail View
Items found in hash set are now entirely highlighted (not just text)
Web Browser
Updated video download script to support recent changes at YouTube which broke the
video download feature.
Misc
Consolidated Red/Green/Yellow bookmarks into single generic bookmark
Renamed 'bookmarks' to 'tags'
Added 'tag' icon to replace previous 'flag' icon
Made some changes so OSF will start as the top most window (sometimes it would
start in the background)
Updated help file
Fixed bug where Case devices could not be accessed as underlying drives. This caused
problems reading from Bitlocker-encrypted drives
Added ClearFileSystemCache_direct() function to clear the file system cache (for
live disks). Previously changes in the live file system were not reflected in File
System Browser due to caching.
Updated 7zip DLL
Better reporting of SQL errors with hashset databases
Fix for bug with scroll bars in Compare Signature and Browse Index
New logging engine when using DEBUGMODE. Has more detail and has less overhead.
Changed warning message to be less severe when registry SAM permissions need
changing on live system (for recent activity and password recovery)
V6.1 build 1005 28th Nov 2018
Android Artifacts
Fixed bug with incorrectly listing call type (e.g. Incoming, Missed, etc..)
Combined/Cleaned up contacts list. Contacts with same RawContactId are combined into
a single listing (previously there was one entry per email, per phone, etc)
Updated OSFExtract Android App to V1.0.1002
File Name Search
Fixed a crash that could occur during a search if none of the file details columns
were enabled
Misc
Added some sanity checks to the customised column config file save/reload to prevent
situations where all the columns are hidden
Updated help file for Android Artifact and OSFExtract Android App
V6.1 build 1004 13th Nov 2018
Android Artifacts
Fixed possible crash when scrolling through messages. Message scrolling in general
should be smoother.
Internal changes in preparation for collecting pictures from MMS Messages, data from
call log and contacts.
Auto Triage
Made auto triage tooltips a bit smaller to better fit buttons on dialog
Create index
Fixed bug for Create Index Status GUI (unable to click "Save configuration" button)
with high DPI setting
Fixed support for Win10 Bitlocker encryption
Raw disk viewer
Fixed default case drive not being displayed after switching cases
Misc
Fixed bug where "Entry Point Not Found : The procedure entry point
CancelSynchronousIo could not be located in the dynamic link library KERNEL32.dll"
could be displayed on old versions of Windows (pre Vista)
V6.1 build 1003 26th Oct 2018
Auto triage
Fixed a crash that could occur when collecting recent activity items
Case management
Added debug output when attempting to load a bitlocker encrypted drive
Fixed a scaling issue with the generate report dialog not displaying correctly when
high DPI scaling override settings were in use
Recent activity
Fixed a crash that could occur when collecting Opera form history
Fixed a crash that could occur when collecting USB information in windows 7 for live
acquisition
Fixed a bug where filters weren't applying correctly to URL history and downloads.
Misc
Added support for newer versions of BitLocker. XTS-AES 128 support was added. This
became available in Windows 10 (build 1511)
V6.1 build 1002 16th Oct 2018
Create Index
Fixed bug with indexing BitLocker encrypted drive
Disk Test
GUI High DPI Scaling issue fixes (when user sets Application High DPI Override)
Forensic Imaging - Logical
Removed CREATE_VIRTUAL_DISK_FLAG_FULL_PHYSICAL_ALLOCATION flag when creating virtual
disk file. Pre-allocating disk space may cause the system to stall especially for
large disk images.
Fixed progress bar shifting backwards after a file copy is complete
Recent activity
Changed file list output of Windows explorer - recent items type so it no longer
overlaps the next entry
Fixed a bug where the vertical scrollbar was not refreshed correctly when switching
between the file details and file list tabs
Added location of "Windows Event Log" for windows event items retrieved from a live
scan
Timeline
Restored 'Show these files' option in right-click menu
WinPEBuilder
Updated to V1.2.105, fixed issue where the build process would fail if there was a
space in the Temp work directory.
V6.1.1001 - 9th Oct 2018
Raw disk viewer
Added right-click menu to export/add decoded master file table (MFT) to case
Internal viewer
An error message is now shown when there is not enough memory to extract strings.
Previously it would silently stop the extraction process in a low memory situation.
Added 'File load in progress' status text when loading large text files
Fixed slow load when attempting to open a large file in the File Viewer tab
File system browser
Added new columns for NTFS $FILE_NAME dates. Added checkbox under Tools->Options
to show/hide $FILE_NAME dates. So up to 8 dates per file are now displayed. This is
useful for detecting fake time stamps.
File Name Search
Files found in file name search can now be added to a logical image (VHD) via check
boxes and right click options. This provides a fast method to, for example, dump all
JPG files to a logical image.
Create Index
Updates to handle indexing Apple's APFS file system - now with support for encrypted
volumes.
Bug fix - PST EMails with long headers didn't get all the text in the header
indexed. This was a regression, but is now fixed
Thread status now updates more often when indexing inside containers (like Zip
files). So progress is more obvious and the indexer doesn't appear to be stuck on
large container files.
Improved handling for hidden $ system files, like $BadClus, $Extend when indexing.
Misc
It is now possible to export timeline graph to a PNG image file or copy to clipboard
via right click on the graph.
V6.1.1000 - 27th of September 2018
Case Manager
New feature: Paste Clipboard to Case.
Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This
provides an additional method of capturing web pages.
When displaying the volume shadow info to add to case, the creation time now
includes the GMT offset
Create Index
Updates to handle indexing Apple's APFS file system (indexing encrypted volumes is
not supported, but coming soon).
Fixed multi-threaded indexing problems with some image filesystems such as EXT2
Improved memory estimation (was previously not including some offline buffers)
New "broad numeric matching" feature. Allows for better searching of currency values
and part numbers with hashes in the number.
Added Precognitive Search feature, which returns matches for trigger
keywords during the "Create Index" process, so you don't need to wait for the
indexing process to be completed before seeing the search results. It is also
possible to use pre-made word lists with the Precog search.
The concept of a template has been removed, instead you can now save and load
previously used configurations. Some of the advanced template options, like extreme
binary string extraction and stemming are now on Step 2 of the create index process.
Deleted Files
Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the
raw disk viewer and in deleted files module.
Partial support for scanning "group" devices for deleted files
Fixed buffer overrun crash when parsing slack space for $I30 record
Email Viewer
Single Email Viewer can view Gmail email stored within Android
mailstore.username@gmail.com.db.
File Name Search
Fixed a bug when searching for deleted files
File System Browser
Fixed crash with internal viewer when clicking prev/next after file system browser
is closed
File system support
Apple's APFS file system is now supported. Including support for compression (zlib
& lzvn) and encryption. So you can browse and search files from a Mac machine in
Windows.
Forensic Imaging
Made some changes to how Encase format images (.E01 and .Ex01) are created to work
around an issue that limited the final image creation to a maximum of
64 .E01/.Ex01 files, which resulted in images larger than 100GB in size and more
than 64 files being unreadable.
Added copy Logical Android Image. Will obtain files off Android device using 'adb
pull' command over a USB connection. To use this with a device connected over USB,
you must enable USB debugging in the Android device system settings, under Developer
options. So the device needs to be unlocked to do this.
Fixed image type not displaying correctly for unicode filenames
Hash lookup
Fixed hang when error occurs while attempting to read from deleted files
Install to USB
Updated WinPEBuilder used for self boot USB, added option under Program Tab to
allow selection of Storage Area Network (SAN) Policy. The recommended setting for
OSForensics is '3 - Doesn't mount storage devices', to prevent introduction of
artifacts. However, if you need access to disks, e.g. an external disk drive to image
to, you can change it accordingly
Internal Viewers
Started saving viewer x,y positions (previously was just size) in config file and
will restore them to the last position on next open
Internal Viewer - File Info
When viewing compressed archives (e.g. .7z or .ab), added right-click option to save
file to disk.
Show the total/used/free space for "partition" folders. Show the disk size for
devices/partitions
Fixed multithreading issues with sharing a handle to a video file. This could
potentially cause a crash.
Added checkbox to link the selected file in the list (file name
search, mismatch search, etc...), and the current file in the internal viewer. This
allows for faster selecting and previewing of pictures.
Android Artifacts
Addition of new module to scan for android mobile device information. A limited
number of artifacts are supported in this release. Additional data will be extracted
in future releases.
Currently only supports Android disk image (looks for items in data folder) and/or
backup (apps folder)
Initial support for password encrypted android backups. When opening file in
FileViewer, OSF will prompt for password and attempt to decrypt the backup.
Password Recovery
Fixed crash when running windows login / password search simultaneously due to
shared global variable
Fixed bug with list view column widths not being saved correctly, could cause URL
column to be incorrectly hidden and column widths to be reset each time OSF was
started.
Now displays available dictionaries before file is selected, will display an info
message when a 40-bit encrypted file is selected (these don't use the dictionaries).
Added an "Add Dictionary" button that will copy a selected text file to the OSF
dictionaries folder and create a simple default definition file to use the
dictionary
Renamed folder where pre-installed and user dictionaries are stored (from PDF to
Dictionaries)
Raw disk viewer
Regular expression searching, made a change to prevent an infinite loop when a
partial match was found
Added clickable link for File Rec#
Fixed bug with jumping to an LBA from the MBR/GPT
Added option to jump to MFT record
Added decoding of $FILE_NAME attribute
Added decoding of NTFS attribute common header
Added support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID,
VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
APFS GPT partition GUID now detected and displayed in Data Decode window
APFS file system string now properly displayed in Disk Info window
Fixed excessive quotes for 'Context' field in exported CSV
Replace unprintable characters with '.' when displaying context
Recent Activity
Now collects more information from LNK files (Windows Explorer - Recent Items) such
as volume name, volume serial and link target create/access/modified dates
Fixed a bug where subitem counts in the treeview were not actively reflecting the
actual filtered counts.
Made a change so windows timeline entries always display the same number of lines in
the file list tab for consistency
Report Templates
Updated report templates to include Mobile Artifacts
SQLite Browser
Changed SQLite Browser into a viewer so users can have multiple instances open (Up
to 10).
Fixed bug that prevented additional sqlite viewers from being opened even after
closing opened sqlite viewers.
Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.
Start/Navigation
Added "Add to case" action on start screen and left hand menu button to allow quick
access to add a device to a case
File and Hex Viewer, will now open File Preview Tab as default.
Reordered the left side buttons. Removed Android Artifact and About button from the
Navigation Menu, but still accessible from the Start page. User Workflow
configuration setting will reset to defaults with changes upon first starting
V6.1.1000
System Information
Added new commands to get Windows information (product name, build and install date)
and last shutdown time from the registry
Fixed crash bug due to buffer overflow with long case device names. Device names
over 12 characters caused problems in the system information module
UsnJrnl Viewer
Fixed incorrect filenames due to incorrect length truncation
Web Browser
Export Webpage Dialog can be resized vertically to fit smaller screens.
Misc
Added support for mounting "group" devices such as entire physical disks. Contained
partitions are mounted as "subdevices" and appears as folders under the parent
device
Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually
stand out more in list
Made some changes so that the logo and version text on the main start page are now
next to the help / mouse over text area to save some vertical space
V6.0.1004 - 17th of July 2018
Create Index
Fixed out of bounds exception
New indexer build to address issues with multi-threaded indexing from ext2 image
(and possibly other filesystems)
Volatility Workbench
Fixed issue with edit boxes.
Misc
Fixed a bug preventing the workflow from being customised correctly
V6.0.1003 - 10th of July 2018
Create Index
Added RAM check before proceeding with user specified Create Index Size Settings.
Without this, users may have proceeded with
size settings that led to exhausting their RAM and the indexer crashing.
Search Index
Fixed bug when searching index containing file types: binary files, recycle bin
meta, or email attachments.
V6.0.1002 - 6th of July 2018
Case Manager
Reduced memory usage of path flags structure
Case logging now enabled by Default
Create Index
Fixed memory (handle) leak in Win10 caused by bug in ShellExecuteEx() in certain
builds of Win10. Replaced with CreateProcess() calls.
Improved error messages regarding "Maximum file size limit exceeded..." to show file
size.
Improved various error messages to show both actual temp file path and file being
indexed
Fixed bug with Pre-Scan count displayed being much bigger than the actual count
used. Did not affect pre-scan result.
Minor changes to fix "(Win10 only)" text for the "Use OCR" checkbox appearing in
Win10 builds
Improved accuracy of URLs being reported in the Create Index Status
Deleted Files
Added sort By FG and BG color.
File Name Search
Improved performance by doing fewer string compares/copies if wildcard '*' is used
Hash Set
Added a "skip files smaller than" option when creating a new hash set to avoid
creating hash sets which match the large amount of small byte files on a system
Image Viewer
Initial Support for Non Password protected logical Android Backup files (.ab)
allowing Image Viewer to be able to browse contents of Android Backup Files (.ab).
Internal Viewer
Added BitLocker Recovery Key RegEx pattern to Filter Presets for Hex File Viewer
V6.0.1001 - 25th of June 2018
Note: Build 1001 was made shortly after build 1000 to fix a day 1 indexing bug
Case Management
Added "Export case" feature
Added a list of reports that have been generated (in case directory or last known
export directory)
When creating/editing case, user can now specify whether or not USB write-block
should be enabled. Whenever the USB write-block settings are changed, a warning is
displayed to the user to detach/re-attach connected USB devices for the settings to
take effect.
Changed list view to allow groups (devices, reports, files etc) to be collapsible
Added last access date to case management when case is loaded
Fixed error copying files with long file paths when a report was created and the
report contained deep / long paths.
Fixed a bug when creating a case report that was leaving a file handle open
Added support for encrypting PDF report
Added predefined offenses list to 'Offense' drop down list when creating/editing
case
Case Details Dialog, fixed bug that might cause case narrative text to be reset to
default when editing case details.
Case Details Dialog, will prompt user to confirm cancelling changes when they have
edited case details fields and click cancel.
Case Export, changed text on "Cancel" button to "Close" on the Generate Report
Dialog since custom logos are saved to config once changed in the dialog.
Re-added "E-mail Delivery Time" to report and the associated timezone
Case load window was added at startup and when a case is loaded from the Case
Management window. This is useful for showing load progress for very large cases
with 10,000s of files in the case.
Report production progress window was added to show some progress activity when very
large reports are produced.
New Command Line Parameter to load a specific case (-C <PathToCaseFolder>), if
path does not exists or CaseDetails.OSFCase file cannot be found, OSF will default
to loading the the last case used.
Can now insert images into the case narrative text using the HTML editor. Images
need to have already been added to the case. Previously images could be added, but
the links were broken when a report was produced.
Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the
'Manage Case' window, as well as included in the generated reports. The ID is stored
within the .OSFMeta file for each case item.
Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new
items added to the case.
Fixed special characters not being escaped when generating reports
Create index
New indexing engine (Zoom V8 with multi-threaded offline indexing)
Much better indexing performance (3x speed increase)
Updated Create Index interface with new file type selections
New "Memory optimization / Indexing Limits" step to bypass Pre-scan
Added support for user configurable number of indexing threads (up to 10)
Added options to enable RAM drive for temporary files
Improved RAM estimations and Indexing Limits settings
Improved indexing Status interface
Updated OSF interface to show multi-threaded indexing
Updated OSF Create Index options to offer more control with file type selection
Removed unnecessary indexing warnings
Added count display for Prescan
Added thousands grouping for large numbers shown in Create Index windows
Increased sleep/wait time while starting indexer to allow for a slower
initialisation which could cause an error to be displayed
Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe"
instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious
what is running in task manager.
Added some internal checking to clean up detached instances of OSFIndexer and
temporary RAM drives.
Fixed a bug with indexing the complete content of emails in PST files that were
text-only emails.
OCR (Optical Character Recognition) can now be done on photographic images while
they are being indexed. Like all OCR, the results depend on the quality and
resolution of the source image, how clear the text is and the level of contrast.
This is only supported on Win10. Depending on the images >10 images per second
are possible.
Deleted Files
Column ordering, visibility and size now saved in OSForensics config file
Configuration options now saved in OSForensics config file
Fixed a crash caused by logging a magic number incorrectly when getting deleted
files
Fixed uncaught exception error when loading MFT for some OSF devices
Fixed bug where raw whole disc carving was incorrectly returning progress, causing
possible crash when accessing the list.
Added check for buffer overrun when looking for slack $I30 entries
Errors when parsing non-resident attributes of deleted MFT records no longer cause
the search to terminate and throw an error message. This is an expected case. Errors
are now written to the debug log and the process continues.
Fixed a crash that could occur in deleted file search when file carving is selected
but the physical disk has been removed from the system
File Carver, added minimum file size option when carving. Changed "Reserved/Future
Use" field in osf_filecarve.conf to "Min File Size"
File Carver, TIFF/CR2 extraction should be better.
Disk Imaging
Added extra check if the first read fails when verifying the image created.
Previously, if the disk did not contain a valid MBR, it would not show up in the
list (as it would have no partitions), but the disk might have a file system boot
sector. These disks are now correctly shown.
There is now the option to specify primary and/or secondary hash functions for
disk imaging, so the user can select SHA1 instead of just MD5, or calculate two
hashes at the same time.
Disk Preparation
Can now wipe BitLocked drives. Previously these drives appeared to be locked and
could not be formatted.
In case of a physical drive failure, additional error codes have been added to the
status window
Disk Test
Fixed issue with formatting as FAT32 on small drives.
Fixed crash when formatting as FAT32 fails.
E-mail Viewer
E-mail times now include the timezone offset, both 'Delivery Time' and 'Client
Submit Time'
Fixed printed e-mails missing e-mail addresses due to HTML entities not being
escaped
Fixed bug where case item title set to '<Use item name>' when selecting 'Use
same details for all'
File System Browser
Added right-click menu option to jump to MFT record in the raw disk viewer
Fixed stack overflow when attempting to add device to case
File Name Search
Added an "Uncheck all" menu item to uncheck currently selected items
Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
Column ordering, visibility and size now saved in OSForensics config file
Removed folders from results when filtering using hash set
When filtering using hash set, fixed bug with current file being added to results
after cancelling search
'In hash set' flag is now set for results when hash set is used and made active
Added support for filtering by whether or not the file belongs in the hash set. This
allows the user to search for files on disk that match a set of hash values
Re-arranged configuration dialog
Forensic Imaging
Re-arranged tabs
Create Image, for physical disks, disk model and serial number are now saved in the
info file
Added new 'Device and SMART Info' for displaying physical disk attributes + SMART
info
Device & SMART Info, Added support for export and adding report to case
Device/SMART Info, added mouseover tooltip descriptions for SMART attributes
Forensics Copy
Moved allocation of virtual disk image to thread to prevent system from being
unresponsive
Hash Set
Added option to create 'Quick hash set', allowing the user to quickly create a hash
set by specifying a list of hashes
Fixed deleted hash set databases appearing in the file name search config drop down
box
Re-organised buttons in main window
Added functionality for importing Project VIC JSON files with MD5 hashes &
optimised the import load time.
Added default database name when importing VIC data set
Stopped navigation bar being disabled when importing hash set. User can now do other
tasks in parallel to importing a large hash set.
Fixed hash set operation LED still "active" when there's an error
Fixed number display and file size formatting to be more readable for large import
files (> 4GB)
When creating hash set databases, columns are no longer created for hashes that
don't exist (eg. VIC/NSRL datasets)
Hash set lookup
Added right click menu option to open files in internal viewer
Fixed incorrect # files hashed text due to not updating the dialog once all files
are hashed
When performing hash set lookups, hashes are no longer checked for columns that do
not exist. This reduces the query time for large hash sets. e.g. we don't check for
SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a
significant speed up for hash lookups.
When performing single file hash lookups, filename matches are no longer queried.
This reduces the query time for large hash sets.
Install and run from USB
Added help Link
Added separate "temp build" directory field when using WinPEBuilder.
Updated WinPE builder to deal with new latest WinPE10 changes
Internal File Viewer
EFS Support (encrypted file system). When an EFS file is opened in the file viewer,
a temp copy is now created and passed to the hex and text viewer. If the matching
certificate has been installed on the system then the text should appear decrypted.
Hex View, added right-click option to add selected strings to case (as HTML file)
Fixed potential mem leak when generating video thumbnails
Fixed potential concurrency issues when loading videos
Added OCR view (Win10 only)
Memory viewer
Column ordering, visibility and size now saved in OSForensics config file
Added button to add memory dump to case
Removed 'Error' text and icon from message box when process memory cannot be dumped
because of access restrictions
Updated version of Volatility Workbench, with Mac & Linux support and ability to
add your own profiles.
Mismatch File Search
Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of
.CSV
NSRL Hash Import
Import 9x faster. While importing repeated file hashes, checks for duplicates are no
longer being done using a lookup on non-indexed database (very slow). Now checks are
done by comparing product code between two consecutive lines in input file.
Import will create new database automatically with default name based on date and
time. Thus, incremental import is no longer an option.
New NSRL import config window to specify input and (temp) output folders
Temp Output folder can be specified so that user can specify RAM drive or SSD to
speed up the import. Database is then moved from temp location to default hash sets
location.
Updated help file with info about allocating enough space on a RAM drive.
Status now displays percentage counter during file importing
Password Recovery
Added tab to allow PFX certificates to be installed on the local system, to
facilitate opening EFS encrypted files when the certificate and password are
available
Column ordering, visibility and size now saved in OSForensics config file
Browser passwords, made some changes to Firefox login recovery, now has a 64bit and
32bit helper executable (as Firefox has started distributing as 64bit).
Registry passwords, now displaying password hint value next to 'NT Password' column.
Displays '(empty)' if not present.
Registry Passwords, added support for win10 anniversary update for live system in
Forensics mode
Removed a "File not found" error when running the windows password search on a non
system drive
Prefetch Viewer
Added right-click option to export selected items to CSV
Rainbow Tables
Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types
were being passed to format string when secure case logger was enabled
Raw Disk Viewer
Added progress window when carving to file
Renamed 'Decode' window to 'Disk Info'
Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled
content between decode window.
Added right-click menu options to 'Data Decode' window, Jump to File and Jump to
File Record.
Clicking on file paths now open the internal viewer
Clicking on LCN/offsets now jump to the offset in the raw disk viewer
Data Interpreter window now shows the MFT record number and filepath if the current
cursor position is inside the $MFT file
Fixed crash issue when sector size could not be determined
Fixed right-click "Jump to offset" not working some of the time
Hexadecimal addresses copied from the Windows calculator into the search box didn't
work. The calculator was inserting non printable characters into the string. Non
printable characters are now being removed.
Recent Activity
Added a quick filter option (text box and button) to quickly apply a text filter to
recent activity items
"Show empty activity types" checkbox to default to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info
Added function to collect new Win10 Timeline database for artifacts
Added more displayed information for windows event items.
Registry Viewer
Support for generating reports for known registry hives (currently only the SOFTWARE
hive)
Fixed a possible crash when processing a registry file
SQLite Browser
Now checks for Skype SQLite database files during "Scan for DB Files".
Resizeable Dialog/Controls
Option (enabled by default) to convert known timestamps to readable format
Scan Folder button is now more useful. Will now populate with locations of known
SQLite files (e.g. Chrome and Firefox profile directories)
Scan Folder button will scan for known Android user data directory (where apps
usually store their own data) on currently selected drive
System Information
A new tab is now created for every new system information command
Added option to restore command lists back to default
Added "Recovery of Bitlocker Keys" to command list
Added ability to assign a name to an entered command. This name will then be
displayed in the output/report.
Added support for Embedded Python 3.6.5
Removed the "Get" from the start of some item names.
Changed button text from 'Add...' to 'New...' when adding new commands
Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to
prevent accidental press.
Replaced spin control for moving items up/down due to overriding the handling of
mouse wheel messages
Re-organized controls
Added command to get current clipboard contents
Added command to get anti malware (windows defender) software status
Added command to get current TPM status
Started encoding HTML special entities in output from tools so anything with HTML
characters will display correctly
Fixed crash possible with getting printer info when system returns bad information.
Triage Wizard (now renamed to Auto-Triage)
Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P
forensics dude, we loved you, but the world just wasn't ready for you.
Added option to create logical image with known system files
Added agent help text when mouse is hovering over a control
Added a free disk space check (for at least 1GB + memory size if memory dump
selected)
Fixed an unhandled exception that could occur in the triage wizard when running a
scan on a non system drive (eg D) and having only windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non
system drive (eg D) and having only windows passwords selected and 0 results were
found
Fixed a crash caused by trial limitations when running the triage wizard
Web Browser
Added status bar to browser.
Can now select export format as Web Archive Format (.mht) when exporting webpage.
Can now export linked PDF, ZIP and other files. Also added check boxes to allow user
to select what is downloaded.
There is an option to download videos (MP4 format) from sites such as YouTube and
add them to the case.
Added a progress indicator for downloading large files.
Misc
Added colour coding of encrypted files displayed in a file list
Added exit confirmation message
Added warning message on OSF shutdown whenever the USB write-protect settings are
changed during the course of execution
Fixed a long delay at startup when not running as Admin
Removed agent icon from feature description text on start window
After successfully saving a file to disk, fixed a bug with activity monitor
displaying task is still active
Changed how temp files are stored, each thread now has a temp folder
Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb
databases with esentutl, as it was timing out during triage runs
To prevent machine from sleeping when running from USB, the mouse will jiggle if the
time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on
windows )
Switched debug logging to logging library g3log for thread-safe, crash-safe, faster
logging
V5.2.1007 - 16th of March 2018
Recent Activity
Fixed an error that could display when a jumplist was finished being processed
Registry Viewer
Fixed a crash that could occur when reading a registry file
V5.2.1006 - 26th of February 2018
Case Manager
Report Fix, if the background thread copying files for report didn't exit cleanly
OSF may warn of background activity when quitting.
Case Details Dialog
Fixed bug that might cause case narrative text to be reset to default when editing
case details.
Will prompt user to confirm cancelling changes when they have edited case details
fields and click cancel.
Case Export
Changed text on "Cancel" button to "Close" on the Generate Report Dialog since
custom logos are saved to config once changed in the dialog.
V5.2.1005 - 22nd of February 2018
Disk test
Fixed a crash when formatting as FAT32 fails.
Fixed an issue with formatting as FAT32 on small drives.
Deleted Files
Fixed a crash that could occur in deleted file search when file carving is selected
but the physical disk has been removed from the system
Fixed an uncaught exception error when loading MFT for some OSF devices.
Fixed a bug where raw whole disc carving was incorrectly returning progress, causing
possible crash when accessing the list.
Fixed error box appearing when failing to read non-resident MFT attributes (eg. LCN
is invalid as the MFT attribute has been overwritten). Instead, the error is logged
and the search silently continues
When parsing $ATTRIBUTE_LIST, buffer is now properly allocated according to the size
of the attribute. Previously, this caused an assert error to occur due to the buffer
size being too small
Internal Viewer
Fixed potential memory leak when generating video thumbnails
Fixed potential concurrency issues when loading videos
Mismatch File Search
Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of
.CSV
Password recovery
Removed a "File not found" error when running the windows password search on a non
system drive
System Information
Fixed a possible crash when getting printer information
Triage Wizard
Fixed an uncaught exception error that could occur when running a scan on a non
system drive (eg D) and having only windows passwords selected.
Fixed a missing file error message that was displayed when running a scan on a non
system drive (eg D) and having only windows passwords selected and 0 results were
found
V5.2.1004 - 14th of December 2017
Case Report
Added dll required by wkhtmltopdf.exe to installer to prevent an export to PDF error
seen on windows 8
Rainbow Tables
Fixed crash occurring when cracking hashes from a pwdump txt file when secure case
logger was enabled
Recent Activity
Fixed a crash that could be caused by 0 length entries when processing Jump lists
items
Triage Wizard
Fixed a crash caused by trial limitations when running the triage wizard
Misc
Improved how temp files are stored to make it more threadsafe (eg when running
multiple tasks using the Triage Wizard)
V5.2.1003 - 23rd of November 2017
Browser Passwords
Fixed a crash that could occur when there were more than 50 Firefox
username/passwords
Disk Imaging
Allow continuation of imaging after encountering too many bad blocks (1000).
Added extra check if the first read fails when verifying the image created.
System Information
Fixed crash possible with getting printer info when system returns bad information.
Fixed a crash in some cases when getting the computer name from the registry
Misc
Fixed bug where navigation bar icons were incorrect for items near the end/bottom.
V5.2.1002 - 3rd of November 2017
Deleted File Search
Fixed a stack corruption crash
SQLite Browser
Fixed issue where OSF wasn't able to extract blob contents for sqlite tables created
using WITHOUT ROWID.
Forensic Imaging
Fixed error when attempting to image a locked Bitlocker-encrypted drive. Instead of
opening the drive letter (eg. 'C:'), the underlying physical disk (eg.
\\.\PhysicalDrive0) is opened instead
File Index
New Zoom indexer build with added support for indexing .sqlite, .sqlite2, .sqlite3
and identifying SQLite files with no extensions
Misc
Made some changes to how temporary files are created to make them thread safe (to
prevent multi threading issues when using the triage function)
V5.2.1001 - 18th of October 2017
Recent Activity
Fixed a crash that could occur when adding a filter when something other than "All"
was selected in the treeview
Triage wizard
Added "Manually carve files in unallocated clusters" suggested action
Added "Generate new HTML report" and "Generate new PDF report" suggested actions.
Fixed SysInfo "# commands completed" not updated properly on completion
Fixed wording of several "Suggested Actions"
Fixed BitLocker detection results appearing in System Information results
'Manually search' suggested actions now automatically start the corresponding search
Auto-generated HTML/PDF reports are now saved in separate "Triage PDF Report" and
"Triage HTML Report" folders respectively
Fixed underline/cursor/text colour confusion for list view text that are not links
V5.2.1000 - 10th of October 2017
NEW Triage wizard
Wizard launch icon on Start page. Huge amounts of data can now be rapidly collected
by inexperienced users with a single click.
Customize workflow
Now also removes icons from the Start page (and the menu)
It is possible to lock down the workflow with a password so inexperienced users
can’t re-enable all the features so easily.
Case Manager
Items added to a case can now be categorized into a type of Crime, this list can be
customised by editing the "Categories.txt" file in the ProgramData folder.
On the "add to case" dialog when using the "Use same details for all" option if the
title has not been changed by the user a special <Use item name> flag will be
displayed. This will then be replaced by each item's name when added to the case.
PDF reporting bug fix.
Fixed sorting by clicking on title in Case Management window.
Added new tag <!--OSF_CASE_CASEINFOTABLE--> to customisable reports for
generating Case Info table. Only non-blank fields shall be outputted
File Index
Fixed a buffer overflow bug due to illegally long filenames in ZIP files
Recent Activity
Started sanitising the HTML output for some items when exporting to HTML so that
HTML special characters (eg <>&) are safely encoded.
Thumbnail Viewer
Now has a faster option to switch between the various thumbnail files found on drive
via a drop down list.
Drive preparation
1 click drive preparation function. Can wipe, verify, format drive with 1 click. A
log file is also now written to the drive recording the preparation steps.
Hash Set Lookup
Added check if SHA256 hash is stored in the hash set. If not, SHA256 is not
calculated. This saves a small amount of CPU time.
Email viewer
A bug fix for parsing some rare corrupted PST files
Misc
Correction of various multi-threading bugs, which came to light when running a
large number of tasks simultaneously.
Registry access code wasn’t thread safe & could crash if multiple tasks
were reading registry entries at same time, especially password recovery.
Caching of disk’s MFT into RAM didn’t work well with multiple threads.
Solution was to enlarge the cache slightly and unify it into a shared cache.
Multiple threads should run significantly faster than before.
Some handles to various internal resources were not being freed, resulting in
memory leaks and possible crashes.
Even larger cache sizes and more advanced cache lookup algorithm to speed up
various operations that involve reading MFT (is a RAM usage / speed trade off).
Slightly more RAM is used, but disk operations are faster.
For example file name searches are now 33% faster.
Some help file updates
Fixed up the opening of the Help file to get the navigation menu showing again. The
Edge browser in Win10 unexpectedly broke some of the help functions.
Fixed a crash in the 32bit version when trying to start a filename search
V5.1.1003 - 28th of August 2017
File Index
New Zoom indexer build, fixed bug that was failing to index particular .OST and .PST
files with compression.
File Name Search
Fixed a crash which could occur in the hash set lookup function when the hash set being
searched contained very long string lengths.
Thumbnail View, flags are now custom drawn to increase the speed when updating path
flags, for example when doing hash matching.
Hash Lookup
Added support for 'Modeless' dialogs for hash lookup for multiple files. This allows
other modules in OSF to be used simultaneously with hashing in background.
Fixed dialog resizing screen corruption issues in the hashset lookup window
Reduced the frequency of update to the user interface when hash operation is running to
improve speed. It looks slower, but is actually much much faster.
When performing a hash set lookup for multiple files, 4 threads and larger block sizes
for disk reads are now used in order to increase performance. For large hashsets, with a
fast SSD, performance improved 5 fold.
Added a limit of 1000 file set matches returned for a single file hash lookup. So 1 file
on disk can now not match more than 1000 applications. Previously a zero length file
would match 500,000 applications in NSRL list.
Added a limit of 5 file set matches returned for multiple file hash lookups, which
improves speed dramatically when the hash set or files being looked up contain matches
in multiple file sets (eg when searching for file hashes in a set containing millions
of records such as NSRL hash sets)
Added caching of 0 byte / empty (contains only 0's) files to speed up multiple hash set
lookups. Zero length files appear around 5000 times on a typical hard drive. So this can
save 5000 slow database queries.
Hash Sets
Added a "Properties" right click menu item to display a dialog with some information
about the hash set (disk location, number of product types, file sets, files).
Password recovery
Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an
item contained a ',' character
Recent Activity
Fixed a bug where shellbag information was not being retrieved correctly when using
“Scan drive” C: instead of live acquisition.
Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item
contained a ',' character
Fixed a bug where the last connected date of a USB item could be different in Live
search when compared to a C:\ search
V5.1.1002 - 8th of August 2017
Add File To Case function
The copied files in the case folder should now have the same filetimes as the original
source file.
Case Manager
Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
Case meta item file, added two additional fields (where available): Last Access Date,
MFT Modified Date
Deleted Files Search
Fixed changing of 'Date filter' combo box in Timeline view not updating the chart
File Indexer and searching
New Zoom builds fixed crash bug with indexing EML/MBOX file containing attachments of
EML/MBOX files
Internal Viewer
Fixed info text for files that belong to the case
When opening a file added to a case, the original folder and file times are now
displayed (obtained from the OSFMeta file).
These attributes are highlighted in a different colour along with an information text.
For image files, size and file times have been removed
Internal Viewer - Hex View
Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard +
compressed notation
Recent Activity
Updated installer to include an alternate version of esentutl to use in the case of
"Dirty shutdown (-550)" errors for ESEDB databases (eg from Windows search, Edge)
that could sometimes cause the esentutl version installed locally to crash leaving the
files in an unreadable state
Misc
Updated help file with internal viewer changes
V5.1.1001 - 7th of July 2017
Case Manager
Fixed bug when specifying a custom location for a case.
V5.1.1000 - 6th of July 2017
Case Manager
Added ".mem" extension when selecting image file to add to case
Generate Report - Allow option to generate Chain of Custody report alongside Case
Report.
Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to
allow additional case data, such as Offense type, Legal Authority & Suspects Name to
be entered.
Create Index
Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types'
category. Note that only file name will be indexed.
Create Signature
Deleted files can now be included in the signature from the config window. Hashing is
also supported for deleted files (but not for $I30 slack entries)
Compare Signature
File attribute string now includes custom attributes (eg. 'deleted', '$I30 slack entry')
File icon is now included in the comparison results
Signature info now includes whether deleted files were scanned or not
Deleted Files
Fixed Bug where saving multiple files would fail to save files to destination.
File Carver - Unallocated Cluster code would not read from the disk when the cluster
offsets did not reside on sector boundaries. File Carving initialization will check to
see if start cluster offset is a factor of cluster size, if not, file carving will
switch to raw carve mode.
File Carver - Addressed bug which might cause carving unallocated clusters to not
progress.
DirectAccess – NTFS
Added buffer overflow check when decompressing CompactOS files
Improved performance of checking for valid $ATTR_FILENAME attribute when looking for
$I30 slack entries
Improved performance of FindFirstDel/FirstNextDel functions
Fixed bug with not resetting the file pointer when detecting imageUSB image file. This
could result in volume hashes returning the wrong value when verifying the hash of a
volume (a few bytes at the start of the file were not included in the hash calculation).
Email Viewer
Fixed HTML/RTF message body not being searched
File Name Search
Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files
are included in the search results.
Deleted files are now shown in different text colour and with a deleted icon overlay in
'File List' view. Right click options for viewing files was also added.
Deleted files are now shown as a separate group in 'Timeline' view
Added more file details when exporting the file list to txt/html/csv file
Added support for adding/removing deleted files to/from case
Added support for looking up deleted files in hash set
Added support for saving deleted files to disk from File Name Search module.
File System Browser
Fixed 'n item(s) checked' still appearing after changing the folder
Added right-click menu option to export list of checked files to Case
File times now include decimal precision
Removed checkboxes in 'File Select' dialog
'File Select' dialog window size is now saved
Fixed auto-scrolling when sorting items
Internal Viewer - Hex View
Improved performance of string extraction by using parallel processing. Approximately a
60% speed improvement
Improved performance of filtering strings by using Boyer-Moore search & parallel
processing. Can be more than twice as fast, depending on hardware
If using word list, included matched expression in status bar of selected string
When filtering the string list, the # of strings that have been processed is now
displayed
Added option to save to .dic file for use with dictionary based password cracking
Moved filtering operation to thread due to length of operation. User may cancel the
filtering operation at any time.
Changed preset filter combo box to a link which brings up a menu when clicked. The menu
provides several preset filters, as well as an option to select a word list
Added 'Use RegEx' checkbox to allow user-specified regular expressions
MemViewer - Static Analysis
'Memory dump file' filter now includes .bin, .img, .dmp extensions
Added 'View & Extract Strings' button to open the dump file in internal viewer in
hex view
Thumbnail View
Fixed text colouring for Deleted/$I30 slack/Reparse point files
Misc
Updated help file
Improved performance of list classes by using multi reader single writer lock. Fixed
some synchronization issues.
When selecting image files, the 'All Images' filter now shows all supported image files
rather than all files
V5.0.1002 - 6th of June 2017
Internal Viewer
Fixed a bug where attempting to open an archive (zip etc) file could result in a missing
DLL message being displayed on older versions of Windows.
File Name Search
Fixed a buffer overflow that could sometimes cause a crash when displaying file names
longer than 512 characters in the "Current folder" field. The crash could appear
randomly as the field was only updated occasionally while a search was in progress.
Memory Viewer
Included updated version of Volatility Workbench in the install package. Volatility
Workbench is a graphical user interface (GUI) for the Volatility tool.
V5.0.1001 - 5th of June 2017
File Indexer and searching
Added a missing DLL (MSVCR100.DLL) to the installer that could prevent ZIP files from
being indexed correctly. Only old versions of Windows are affected. New versions already
had the DLL installed.
Internal Viewer - Hex View
Fixed string extraction function failing to return correct offset due to using 32-bit
variables
Memory Viewer
Fixed an issue where the process refresh timer was running even when the memory viewer
window was hidden.
Passwords - Windows Login
Added right-click menu to tables
V5.0.1000 - 1st of June 2017
New PList Viewer
Added a new Plist viewer
Text forward/reverse search option.
For nodes that contain "data", added quick hex preview popup dialog when field is
single-clicked (double clicking will open a new file viewer window).
NEW $UsnJrnl Viewer
Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J
alternate data stream)
Added support for $MFT file lookup to determine full path
Added support for searching for subtext
Added right-click menu options for viewing file, exporting records and adding records to
case
Added progress bar when parsing USN records, loading $MFT file and searching for subtext
Improved loading speed by searching for records from the end of the file
Path is now determined using the Parent MFT# stored in the USN record, followed
by the filename stored in the USN record.
Paths that may not be correct are coloured in red. This occurs when the
filename or the parent MFT# in the USN record does not match what is stored in
the $MFT
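The path logic described above, as an added example (not OSForensics code): it parses USN_RECORD_V2 entries, builds each path from the Parent MFT# plus the filename in the record, and flags records whose name or parent disagrees with the $MFT. The `SAMPLE_MFT` table, the constructed journal bytes and all function names are assumptions of this sketch; a real $MFT parser would supply the table.

```python
import struct

# USN_RECORD_V2 fixed header: 60 bytes, little-endian (layout from Microsoft's winioctl.h).
USN_V2 = struct.Struct("<IHHQQqqIIIIHH")
ENTRY_MASK = 0x0000FFFFFFFFFFFF  # low 48 bits of a file reference = MFT record number
ROOT_ENTRY = 5                   # MFT record 5 is the volume root directory


def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 found in buf (a $J stream or a saved copy)."""
    pos = 0
    while pos + USN_V2.size <= len(buf):
        (length, major, _minor, fref, pref, usn, _ts, reason,
         _src, _sid, _attrs, nlen, noff) = USN_V2.unpack_from(buf, pos)
        if length < USN_V2.size or length % 8 or pos + length > len(buf):
            pos += 8  # zero fill or garbage: resync on the next 8-byte boundary
            continue
        if major == 2 and noff >= USN_V2.size and noff + nlen <= length:
            name = buf[pos + noff:pos + noff + nlen].decode("utf-16-le", "replace")
            yield {"entry": fref & ENTRY_MASK, "parent": pref & ENTRY_MASK,
                   "usn": usn, "reason": reason, "name": name}
        pos += length  # records of other versions (V3/V4) are skipped whole


def resolve_path(rec, mft):
    """Return (path, suspect) for one USN record.

    The directory part comes from walking the record's Parent MFT# up through
    the $MFT; the last component is the filename stored in the USN record.
    suspect is True when the name or parent in the record disagrees with the
    $MFT entry for the same MFT#, which is the case the viewer colours red.
    """
    parts, entry, seen = [], rec["parent"], set()
    while entry != ROOT_ENTRY and entry in mft and entry not in seen:
        seen.add(entry)  # guards against a corrupt, cyclic parent chain
        parts.append(mft[entry]["name"])
        entry = mft[entry]["parent"]
    orphan = entry != ROOT_ENTRY  # the chain did not reach the root directory
    path = "\\".join(["<orphan>" if orphan else ""] + parts[::-1] + [rec["name"]])
    current = mft.get(rec["entry"])
    # Assumption of this sketch: an MFT# missing from the table also counts as suspect.
    suspect = (orphan or current is None
               or current["name"] != rec["name"]
               or current["parent"] != rec["parent"])
    return path, suspect


def resolve_all(buf, mft):
    """Resolve every record in buf, oldest first."""
    return [resolve_path(rec, mft) for rec in parse_usn_v2(buf)]


def build_record(entry, parent, name, usn):
    """Build a constructed USN_RECORD_V2 for the sample (sequence numbers set to 1)."""
    raw = name.encode("utf-16-le")
    length = (USN_V2.size + len(raw) + 7) & ~7  # records are 8-byte aligned
    header = USN_V2.pack(length, 2, 0, (1 << 48) | entry, (1 << 48) | parent,
                         usn, 0, 0x100, 0, 0, 0x20, len(raw), USN_V2.size)
    return (header + raw).ljust(length, b"\x00")


# Constructed stand-in for a parsed $MFT: MFT# -> current name and parent MFT#.
SAMPLE_MFT = {
    40: {"name": "Users", "parent": 5},
    41: {"name": "alice", "parent": 40},
    90: {"name": "report.docx", "parent": 41},
    91: {"name": "notes.txt", "parent": 40},    # moved after the journal entry
    92: {"name": "budget.xlsx", "parent": 41},  # renamed after the journal entry
}

# Constructed journal: leading zero fill, three records, a zero gap before the last.
SAMPLE_JOURNAL = (
    b"\x00" * 64
    + build_record(90, 41, "report.docx", 64)
    + build_record(91, 41, "notes.txt", 152)
    + b"\x00" * 16
    + build_record(92, 41, "draft.xlsx", 248)
)

if __name__ == "__main__":
    for path, suspect in resolve_all(SAMPLE_JOURNAL, SAMPLE_MFT):
        print(("RED  " if suspect else "ok   ") + path)
```

A flagged path is still the best reconstruction available from the journal; the flag only says the $MFT no longer confirms it, for example after a later move or rename.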
Analyze Shadow Volume
Results can now be exported in HTML and CSV format
Added button to export results to case
Added right-click menu for exporting results
Case Manager
Added support for mounting file paths as a device in the case
Adding devices to case now supports adding local folders in addition to network paths.
Renamed 'Network Path (UNC)' to 'Folder / Network Path'
When adding an image file to case, the 'Select partition' dialog has been updated to
reduce confusion.
Added option to export $UsnJrnl records to report
Fixed index OOB error when exporting deleted files to report
Added support for adding BitLocker-encrypted drives to case. The drive must have been
previously added to the case.
Fixed error message when viewing the properties of a Case Device
Recent history items for case name, investigator, contact details etc are now saved to
the config and will be reloaded when OSForensics is started.
Compare Signature
Check if signature reports as version 3 but is actually 4 (two extra fields were added
but internal version number of signature was not changed).
Create / Verify Hash
Added secondary hash function to allow calculating 2 different hashes
simultaneously
Deleted Files Search
Added right-click menu to re-arrange columns in Details View
Added 'Source' and 'File number' columns to details view
Directory records found in $I30 slack space are now included in the results
Records found in $I30 attribute in deleted MFT directory records are now included in the
results
Fixed bug with misreported quality when multiple streams exist for the deleted file
"Save and Open" right-click options no longer prompt the user for a location to save
the file; it shall be saved automatically to the temp folder and immediately opened. The
right-click options have also been renamed accordingly
When opening deleted files in the internal viewer, the initial tab that is displayed
will correspond to the file extension
Fixed bug with saving deleted files to disk when the file fragments are greater than
64KB
Added *.msg to the search preset for e-mails
Drive Imaging
Fixed error copying single files to logical image due to directories not being created
Fixed file size of single file not included when calculating VHD image size
When calculating VHD image size, the file size on disk is now used. This is to account
for sparse/compressed files that occupy less disk space than their file size.
Fixed bug with drive list in 'Create Image' tab containing devices from previous case
after switching cases
Email Viewer
Fixed buffer overflow of 'From' field
Fixed heap corruption when opening .eml files with quoted printable encoded text
File Indexer and searching
New Zoom build with fixes for:
Fixed bug with indexing zero date as "23/04/2009 6:24:48"
Indexing "delivery time" for PST emails. Only index "submit time" if former is not
available. Previously was only indexing submit time, which means Drafts/Deleted
items would have no time in index but be inconsistent with EmailViewer, which would
display a date/time.
Now supporting Win10 CompactOS compression (when used with the default XPRESS
compression option). Viewing and indexing these files is now possible.
Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
On History tab, when choosing right-click menu's "Display Search Results & Add
to Case...", it will now export the list of results to the case along with
adding the corresponding files.
File Name Search
Added right-click menu to re-arrange columns in Details View
Added *.msg to the search presets for e-mail
Fixed performance issue when searching with alternate stream criteria. Basic
search criteria (eg. file name, attributes, etc.) should be checked before
performing the much slower stream criteria check.
File System Browser
Added checkboxes for performing operations on multiple items without having to
continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu
with a list of operations to perform.
Fixed text not appearing in icon/list view
Improved responsiveness when changing directories
Fixed bug with calculating folder size on disk for non-NTFS file systems
Fixed deadlock when multiple threads are accessing mounted devices simultaneously
Added right-click menu to re-arrange columns in Details View
When calculating folder sizes, stream sizes are now included
Added error messages when performing certain operations on $I30 slack items
Deleted artifacts recovered from $I30 slack space can now be displayed.
Files that have reparse points are now displayed in green
Hash Sets
Fixed an NSRL hash set import error that could occur when the manufacturer name was
greater than 100 characters
Added 'IP address' filter to Hex Viewer string extraction
When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer shall
first be saved to a temporary file and then loaded. Previously, a 'Unsupported file
format' message is displayed.
Removed unnecessary saving of temporary files for file paths containing case devices
Extracting strings is now threaded so the window is no longer blocked. String extraction
can also be cancelled half way.
Removed limit on the number of extracted strings
Added encryption, reparse point, sparse file, system compression attribute checkboxes
Added right-click menu option to save data to disk. This allows saving file streams and
buffers (eg. deleted files) to a file.
Added warning text when attempting to view a non-file buffer that exceeds the maximum
size (128MB for 64-bit, 16MB for 32-bit)
Memory Viewer
Added right-click menu to re-arrange columns of the process list
Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
Changed the extension for memory dump files from .bin to .mem
Added tabs for 'Live Analysis' and 'Static Analysis'. Previous view has been
moved to 'Live Analysis' tab. 'Static Analysis' allows the user to launch
'Volatility Workbench' process with the specified memory dump file.
Passwords
New updated password cracking library. Improved GPU acceleration allows for
faster cracking. Double the speed in some cases.
Find Passwords & Keys: Added right-click menu to re-arrange columns
Find Passwords & Keys: Added checkboxes for performing operations on multiple items
without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked'
link opens a menu with a list of operations to perform.
Fixed bug where Wifi profiles weren’t searching the correct location in some cases when
“Live acquisition” was picked (could search incorrect drive letter)
Fixed bug where Wifi profiles might not search correct location in localised
(non-english) version of windows
Fixed a crash that could occur when searching Wifi profiles
Fixed possible crash when getting system passwords
Added more info to display, client thread status, benchmark, password length and prefix.
Prefetch Viewer
Fixed possible crash due to buffer overflow
Raw Disk Viewer
Added a list of preset regular expressions combo box that can be used when performing a
raw search
Improved performance of search window list view
Removed max search results limit in search window
Fixed synchronization issues potentially resulting in crash
Recent Activity Viewer
Changed how the windows user directories are searched for so all operating system
dependent locations (XP, Win7 etc) are searched now instead of searching the known
location of the first one found. For example if an XP system contained a "Users" folder
in the root directory then it was previously only searching the (possibly empty) Users
folder and then not searching the "Documents and Settings" location.
Fixed a "missing column" error for old versions of Firefox cookies
Made some changes when trying to repair a "dirty" windows search database (eg from a
system image of a currently running system) so that if the esentutl tool crashes OSF
will attempt to run it again
Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the
User's Download directory for .torrent extensions.
Fixed Bug with P2P Items not showing details on the File List Tab
Added Search queries artifacts for Ares Galaxy
Added Shareaza P2P Search Artifacts.
Added Emule P2P Artifacts
Added SABnzbd P2P Artifacts
Report Templates
Combined 'Drive Imaging' and 'Forensic Copy' HTML template into a single 'Forensic
Imaging' HTML template
Start Window
Renamed “Website Passwords” to “Scan for Passwords/Keys”
Renamed “Removable Drive Preparation” to “Drive Preparation”
Added icon for launching 'Volatility Workbench' under 'Viewers' group
System Information
Made some changes to the system information command dialogs, added columns to show "Live
acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
Web Browser
Fixed bug where saving the complete webpage was not working correctly
Misc
Changed date/time format to 24-hour clock
Fixed crash when Exception filter is executed
Moved 'Forensic Copy' module to 'Drive Imaging' module as a new tab. Renamed 'Drive
Imaging' to 'Forensic Imaging'
Fixed 'Forensic Copy' and 'Drive Imaging' logs not appearing in generated report
Fixed some flickering issues when resizing
Updated File Name Search preset list to include Virtual Machine files
Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is
given. Now reports "Unknown date".
When selecting a directory via a popup dialog, if the entered path in the text box is
valid, it will be returned. Otherwise, the directory selected in the tree view is
returned.
Added template files for exporting $UsnJrnl records to report
Fixed bug with the initial directory not being set correctly in the select file dialog
When prompted to select a file, the last directory path is now used as the initial
directory if not specified
Fixed bug in handling alternate data streams with multiple $DATA attributes
Added support for accessing bitlocker encrypted drives in raw form
Updated HTML Editor to show character count.
External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNJRNL and
Plist) will retain the size of their last viewer window closed for subsequent openings
Performance increase when opening registry files
Fixed several potential crash points when closing the OSF application while the progress
window is still showing
Updated help file with $UsnJrnl Viewer section
Fixed a bug that could cause temp registry files not to be created by the
CreateTempRegFileIfNeeded() function call when debug mode is enabled.
V4.0.1002 - 1st of December 2016
Activity Monitor
Added separate tasks for adding files to case
Case Manager
Fixed synchronization issues with hash table causing an exception to be thrown
Add file to case dialog has been changed to modeless, allowing the user to switch
to another module while files are being added.
Added synchronization to CaseManager class to support concurrent access to case
items
Added error message when creating/importing/loading/deleting a case while a task is
still running
When closing the program, a warning dialog is displayed when any task is still
running (as opposed to a select few tasks)
Fixed scroll bar being reset every time case items are added/removed
Adjusted the maximum text to 245K characters in the rich edit box for case
narrative
Changed the case item list view to owner draw to improve performance
Decreased the time required to delete a large number of items from case
Fixed 're-use input' checkbox not working when adding bookmarked files to case
Added error message when attempting to add bookmarked folders to case
Increased the frequency of progress updates when adding multiple files to case
Case items are now sorted by date in ascending order by default
Fixed bug when attempting to overwrite an existing external report in case
Fixed non-existent case default drive appearing in drop down box when editing case
Improved performance of updating list items (eg. in File Search, Mismatch Search,
Deleted Search) when case flags are updated
Fixed memory leaks in case log
Decryption & Password Recovery
Added more info to display, client thread status, benchmark, password length and
prefix. Adjusted job size for CPU clients.
Deleted Files Search
Fixed junk characters showing up in error message when prompting to overwrite a file
Fixed case flags not being updated in thumbnail view
Email Viewer
Fixed unhandled exception when failing to load e-mail file
File indexing and searching
Fixed bug with Doc/Ppt/Xls indexing "last modified" as "Author". Will now prioritize
"Author" and only index "Last modified" if "Author" is not available.
Added support for Comments property (appended to KEYWORDS meta tag) in DOC files,
and support for "Category" property (as "ZOOMCATEGORY" meta tag) in PPT and XLS
files
Raw Disk Viewer
Fixed bookmarks showing up twice when reloading a case
ThumbCache Viewer
Fixed 'use same details for all' checkbox not working when adding to case
Due to changes in Win10, the 'name' column should now show the thumbnail cache ID
in hex format (instead of a cryptic string)
Misc
Updated HTML Editor to show character count
V4.0.1001 - 16th of November 2016
Case Manager
When generating report, fixed incorrect links being generated when 'Copy files' is
checked
Improved the performance of adding items to case by performing the hash calculations
all at once (rather than separately)
Improved the performance of updating case flags by not re-drawing the lists for File
Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
Allowed the HTML editor to be left open from the "Edit Case Detail" dialog window.
However, as a result, the case narrative is prevented from being edited from the New
Case dialog procedure.
Case Log Viewer
Improved the performance of adding new log entries
Decryption & Password Recovery
Added Openoffice (LibreOffice) extensions to select file dialog
Removed bell sound from gpu client, cpu client, and server and replaced with a
different (chime) sound
Fixed typo in default definition file
Forensic Copy
Added a clear log button and started displaying the number of files copied
Reduced the amount of memory used substantially during the forensic copy process
Recent Activity
Added Time Source Column for 'All'
V4.0.1000 - 10th November 2016
Licence changes
Free version has been replaced by a 30 day trial.
USB installation is now available only in the Pro version.
Changed the maximum number of items that can be indexed (in create index) to 2500
for the Trial version
Recent activity exported list is now limited to 10 items in the Trial version.
Changed the maximum number of browser passwords displayed to 5 per browser for the
Trial version.
Password recovery
Wifi passwords are now recovered & decrypted from the registry and file system.
Windows auto-logon passwords are now recovered & decrypted from registry.
Outlook & Windows live mail passwords are now recovered & decrypted.
Microsoft product keys are extracted from the Windows registry.
New Configuration window has been added to allow the user to select what items are
recovered, enter in an account password for offline decryption & select a
dictionary for brute force attacks on the account password.
Specific rows in the password report can now be selected for export or adding to the
case.
GPU accelerated hardware support for brute force password recovery on Office
documents, PDF, Zip & RAR files. (Work in progress).
Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512
hashing has been implemented in addition to SHA-1).
New columns in the report have been added for password strength & length, which
can be useful when checking for compliance with password policies.
Added NTLM hash cracking to the common password check for the Windows login
password.
Added NTLM hash rainbow table generation.
User interface & work flow
It is now possible to change the order of buttons in the left menu. Now called the
Work Flow menu. This can allow the button order to reflect the chronological order
of specific forensics processed.
Added checkboxes in several windows, replacing multi-select that required the user to
continuously hold select/ctrl.
New 'File Details' tab in several windows that displays the search results in a list
view.
Recent activity artifacts
Added OS X artefacts to Recent Activity feature for Mac drives.
Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and
iPhone).
Updates in Recent Activity for newer browsers (including Edge).
Faster collection of Windows Search terms in recent activity (reducing hours to
minutes for the worst case).
Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent
activity.
Added USB first connected time from parsing setupapi.dev.log.
Added the ability to reorganize and/or hide/show certain columns on the File Details
tab by right-clicking on the column title area.
GUI will show incrementing artefact count during the scan.
File system support & imaging
exFAT is now supported.
Added read-support for .Ex01, .Lx01, and .L01 image formats.
Improvements to HFS+ support for Macs.
Added the ability for users to create Logical images from the Forensic Copy feature.
Logical images are created as a .VHD virtual disk & can be remounted back into
OSF or manipulated with 3rd party tools.
Added a log option for Forensics Copy.
Added ability to supply multiple source paths when performing Forensic Copy.
Owner/group/permissions are now preserved in Forensic Copy.
Better exposed the function to compare shadow copies.
Memory viewer
The Memory Viewer has been overhauled. Now has 47 columns of metadata for all
processes.
Handles and loaded Modules are displayed per process when available.
Users can create Process Specific binary dumps through right click options and add
to the case.
ESEDB Viewer
Dialog to select from a list of known files now shows the file size.
Added right-click option to copy values (ie. cells) to clipboard.
Added right-click option to view values (ie. cells) as binary data in the internal
viewer.
Added right-click option to export values (ie. cells) as binary data to file.
Added right-click option to export values (ie. cells) as binary data to case.
Added right-click option to export tables to case.
Fixed some memory allocation issues when exporting tables that can cause a crash.
Fixed horizontal scroll bar not appearing for some tables.
Binary data is now displayed in byte groupings.
Fixed a bug when retrieving a record multi-value.
File name search
The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt
file (in the C:\ProgramData\Passmark\OSForensics folder).
Peer to peer file types have been added as a new pre-set search selection.
The number of characters allowed in the search string field has been increased from
256 characters to 1023 characters.
Improved the default settings.
Ability to group the search results by file type in 'File Details' view.
When grouping the results by file type, the groups are collapsed by default.
File indexing and searching
Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS
Latitude, and GPS Longitude.
Improved relevance scoring when hundreds of matches are found within the same file.
Restored torrent file indexing which got accidentally broken in a past release.
Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing
incorrect content to be indexed.
Improved search results layout.
Fixed bugs when indexing meta data (title, keywords, etc) from DOC files.
Reporting & Case Management
PDF output added.
New streamlined report layout, including a sidebar for quick access to specific
forensic artifacts.
Added option to include file EXIF metadata in the report.
Custom Logos are now easier to add.
Added two custom fields to Case Information (The Edit Case and New Case windows)
& allow the user to rename the fields.
Added an 'Add External Report' feature in case management that supports adding an
external HTML report directory to properly display other tools' reports.
Reduced the time required to populate the list of log entries.
Index search history is now loaded on demand to reduce case load time.
File size of the case item is no longer retrieved to reduce case load time.
The default mount name for volume shadows now contains the index number.
When mounting devices, there is no longer an attempt to open a handle to the drive
to reduce case load time.
When adding device to case, 'Case default device' checkbox is set by default.
Improved error message when generating a report in a location that already contains
an existing report.
Fixed error when generating links in a report to a file that contains > 260
characters.
Fixed forward slashes in links being escaped causing problems in some browsers (eg.
Chrome).
Fixed error when deleting a read-only file from case.
Fixed error when deleting a file with long file name from case.
Added retry mechanism when attempting to add a file to case that is being used.
When automatically adding files to case, added option to ignore future errors.
Updated Report Templates to include the 'Case Activity Log' section in the main
report.
Added checkbox option to include 'Case Activity Log' into the main report.
When generating a Case Log report, the exported log entries are exactly as displayed
in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied).
Added a HTML Editor to allow user to modify case summary narrative. Can be located
under "Edit Case Details".
Added progress bar when saving the case files to a folder before the case is
deleted.
Added new report type 'Log Report' for Case Log reports.
Shadow copies
Fixed an issue when adding shadow copies to a case, if selecting an individual
shadow copy it would store an incorrect Device path (eg Drive-C instead of
Drive-C:\) which would lead to it not being displayed on the analyze shadow copy
dialog.
Added a Shadow Copy Analyze icon to start page.
Stopped a shadow copy entity being compared against itself as it only makes sense
to compare different shadows.
Added a warning message when opening the analyze dialog if no shadow copies were
added to the case.
System information
BitLocker Detection preset added to System Information.
Updates to System information to detect new CPU types.
Added Printer Info from registry for live/scan drive and Printer Info from
(WinSpool) for Live Systems in the System Information module.
Registry Hive viewer
Fixed a bug when opening a backup hive that was locked and a shadow copy was
required to provide access.
Dialog to select from a list of known files now shows the file size.
Hashing
Button to add Hash results to case.
Thumbnail database viewer
Fixed large memory usage when reading Win10 thumbcache files.
Added support for Win10 thumbcache files. The Win10 thumbcache header uses a
different format than previous versions.
Added to list of known thumbnail cache files.
Replaced thumbnail size radio buttons with combo box.
Dialog to select from a list of known files now shows the file size.
Internal file viewer
Updated video previewer to support more video formats, including video in these
formats: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV.
Can do screen capture from the File Viewer.
Email searching
Added BCC searching for Emails.
Additional details are indexed when indexing Emails (for some formats).
Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files.
Deleted files
Added a new checkbox for full disk / unallocated space carving. Previously only
unallocated space was used for carving, as it is usually much faster. But in rare
situations the full disk option can be useful (e.g. file slack space examination).
Added a new window showing the list of File Types that are carved (opened from
within the config window). This list can be modified to add custom signatures by the
user by editing the osf_filecarve.conf file.
Ability to group the search results by file type in 'File Details' view.
When grouping the results by file type, the groups are collapsed by default.
Other changes
Added better time resolution, now fractions of seconds, in File Name Search/Mismatch
Search/Deleted Search.
Added support for Win10 prefetch files, which are compressed using lzxpress huffman
stream encoding.
Compare signatures can now display identical files. This is useful for duplicate
file detection. There is a configuration dialog for specifying folders to exclude
and file extensions to include.
Dozens of other bug fixes and minor usability improvements, including fixing a
couple of crash bugs.
Fixed up broken XP compatibility. This is very likely the last release we do that
has any support for running on Windows XP.
Populating the drive list (for drive preparation) is no longer performed on program
startup to speed up load time.
Loading of Magic config file (for mismatch search) is now performed on demand to
speed up program load time.
Populating the device list (for raw disk viewer) is no longer performed on program
startup to speed up load time.
When loading the log file (secure log), a buffer is now used to speed up load time.
V3.3.1001 - 8th of February 2016
Deleted Files Search
File Carving, naming of recovered carved files has been changed to "Carved (type)
file (Sector Location in HEX).extension" e.g. Carved 'jpg' file 0x00001F2B.jpg.
File name search
Fixed a bug that was preventing sort by foreground/background colour working
correctly on results when OSForensics was using direct access (eg direct access of
an image file).
Hash Sets
Fixed a crash when first trying to open the hash sets tab.
Misc
Some help file updates.
V3.3.1000 - 4th of February 2016
Case Management
Increased Notes character limit to 64000 characters.
Can now remove file from case in right-click menu.
When adding an attachment to case that already exists, prompt the user to
overwrite.
Create Signature
E-mail files are no longer saved as temporary files when creating a hash of the
file. This improves the speed when creating a signature.
Fixed wrong directory path being displayed especially when hashing large files.
Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown
reading compressed files.
Compare Signature
When comparing file attributes, mask out the extra attributes used by OSForensics
Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of
modified files.
Deleted File Search
Added 'Remove deleted file from case' right-click menu option.
Fixed search results clearing when flags are updated.
Drive Preparation
Added WAIT icon to drive refresh, so user can see when refresh is complete.
Fixed physical drives are now supported, including system drive. However, if the
system drive is selected, an error message is displayed.
Drive Imaging
By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now
checked.
Added option to attach Image metadata (.info) file to case on completion.
Changed extension of Image metadata file from .info to .info.txt.
Email Viewer
When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no
longer created. This saves some time opening the file.
ESEDB viewer
Updated the Extensible Storage Engine database (ESEDB) viewer to support the new
Win10 file structure.
Fixed list of records being cleared when attempting to access a page that is out of
bounds.
Fixed bug with non NULL-terminated string.
Added sanity check for endianness for Vista DBs due to possibility of fields being
either big or little endian.
File Indexer
12x increased unique words capacity (from 16 million base words to 200 million).
Allows more documents to be indexed in a single index.
Approximate 5x faster Forensics Mode indexing. This resulted from better caching,
better parsing of the MFT and new low overhead methods of getting file attributes.
Improved JPG, PNG image indexing speed with new methods of calling exiftool.
Performance is approximately 5x faster on photographic images.
Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE).
Improved file type identifications and attempted indexing methods. A lot fewer
warnings and errors should now be logged when indexing.
Fixed 64-bit bugs with 7z64.dll.
Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this
error was caused by indexing E-mails that contained malware. The antivirus (AV)
solutions running on machines would detect the malware on extraction of attachments
from the E-mail and unexpectedly delete the temporary file, causing a cascade of
errors. We have a workaround for the errors, but active AV solutions can still
prevent indexing of files containing malware. Which can be a good or bad thing
depending on your point of view.
Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive.
Fixed bugs with failing to extract files from certain problematic ZIPs and
attempting every file (with magic and extraction and indexing) causing 3 error
messages per file in the Zip file. Corrupted Zip files should no longer produce this
cascade of errors.
Fixed crash bug with truncated MP3 files.
Fixed OLE parsing bug when loading corrupted MSG Email file.
Improved memory estimation of indexing, to better judge if there is sufficient RAM
available to start the indexing job. No point starting an indexing job only to die
half way through it.
File Name Search
Fixed 'Current Folder' not being correctly displayed.
Fixed search results clearing when flags are updated.
File System Browser
Display "(Sparse)" for the "Starting LCN" column of sparse files.
Fixed incomplete folder size being displayed when folder size calculation is
cancelled midway (eg. when items are being sorted).
Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster
depending on collection of files.
Internal Viewer
File info: For reparse points the linked path is now displayed.
No longer displays message box when failing to open file.
Hex viewer, Display error message in the status bar when failing to open file.
Mismatch Search
Fixed 'Current Folder' not being correctly displayed.
Password Recovery
Fixed crash when writing an entry to the log.
Windows Login - List views are now resized.
Windows Login - Added 'Password Required' column to 'Local Users' table to indicate
whether a password is required for login.
Windows Login - Fixed crash when saving local users/domain users to file.
Recent Activity
Added file type sub classification for Windows Search Items. Files are classified
using the MIME type and extensions.
Removed directories from Windows Search Items.
Fixed Security event log entries not appearing in the results.
Selected items in 'File Details' and 'File List' tabs are now independent of each
other. Sharing the selection caused problems where the exported list of selected
items contained items that were not selected.
Re-arranged the order of tabs so that 'File Details' is the default tab.
Fixed scan status not displaying in 'File Details' view.
Fixed sorting of items in 'File Details' view.
flickering of tree view.
Fixed error message appearing when JumpList is not selected in the scan.
Fixed a shellbag retrieval crash in Windows 10.
Fixed a jumplist crash in Windows 10.
Fixed a bug preventing some jumplist items from being retrieved.
Changed "Stream Number" jumplist item name to "Entry ID".
Fixed an offset bug when getting the name of a shellbag item in Windows 10 which
caused names with invalid characters to appear.
Updated function that retrieves Windows desktop search terms. The database format
recently changed in Win10 and broke older releases of OSF.
Registry Viewer
Can switch between Hex, ASCII, Unicode in right-click menu.
Hives under \Windows\System32\config\RegBack are now listed when selecting a
registry hive to open.
Added buttons for common operations (Add file, Add to case, Export, Find).
Fixed a crash when trying to view/open the SAM file in Windows 10.
Search Index
Updated search engine code to support new increased capacity index format with
extended unique words.
Added 'Remove item from case' right-click menu option.
Fixed search results clearing when flags are updated.
Thumbnail View
Improved performance of loading photographic image thumbnails in forensics mode. Is
approx 10x faster.
Improved speed + memory usage when drawing thumbnails. Especially noticeable when
scrolling the display, which should now be smoother.
Drive imaging
Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g.
Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume
size. The imaging process will now continue beyond the end of the file system to
read the entire volume.
Misc
Fixed some memory leaks found by the leak checker.
Licensing
In the free edition of the software:
The indexing process will be restricted to 10,000 files or E-mails.
The search results from an index will be limited to 250 files per search.
Only 10 items to be added to each Case file.
Only the first 10 passwords from each browser type will be listed in the passwords
function.
Installer
The installer package is now signed with an Extended Validation code signing
certificate. This avoids some SmartScreen installation warnings in Windows 10, like
Windows "prevented an unrecognised app from starting".
V3.2.1003 - 6th of October 2015
Create Index
Added support for .zipx, .7z, .rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo.
Fixed indexing bug with repeated "Core engine not responding" messages.
Disk Imaging
Reduced the vertical space used by the controls to support lower resolutions.
EmailViewer
Can now re-scan for recovered e-mails after cancelling a previously started scan.
Removed 'Tools' menu.
Misc
Help updates for system information.
V3.2.1002 - 28th of August 2015
Create Index
Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
Fixed many common errors and warning messages and file recognition.
Fixed many issues with .zip, .gz, and .tar.gz archives, and with recursive archives.
Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index.
Added fix for "Core engine is not responding" when indexer was stuck in "Finishing"
stage due to large index or slow disk write.
Email Viewer
Added right-click option to jump to the message ID of an e-mail file.
Added progress details when scanning for deleted e-mails.
Fixed bug with deleted e-mails not being displayed in the EmailViewer.
Fixed 'assert' error appearing when Subject field is missing in MIME headers.
Index Log Viewer
Fixed crash when trying to view a previous index log while an indexing job is
running.
Recent activity
Fixed an issue when trying to get IE10+ URLs from a read only drive.
Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach
IE10 database" error in some cases.
Fixed an "autofill_dates" missing error caused by a Chrome update removing this
table.
Fixed a "malformed" database error when getting Chrome cookie information.
Fixed some display and sorting issues with shellbag items on the file details tab.
Registry Viewer
Fixed a crash when opening a corrupt registry file.
Misc
exFAT partitions are now properly detected as opposed to being identified as
"Unknown".
V3.2.1001 - 22nd of June 2015
Case Manager
E-mail attachment paths now include the attachment index number following the file
name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple
attachments with the same name.
Create Index
Fixed some bugs relating to email attachments.
New URL format for attachments.
Fixed bugs with indexing attachments from mbox (.eml) in nested format.
Fixed bug with not indexing From/To details for Mbox attachments.
Fixed bug with indexing attachment titles incorrectly.
Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." to
appear at end of indexing.
Email Viewer
When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file
type, the function will try opening the file with each format until successful.
Fixed potential heap corruption when exporting an e-mail with a large text body.
Fixed possible memory leak.
Recent Activity
Added shellbag item from registry files collection and display.
Fixed a date conversion issue with Google Chrome downloads date.
Search Index
Fixed some results not being filtered into the correct tab (eg. images in e-mail
attachments).
E-mail attachments with the same name can now be distinguished properly.
When doing bulk adding of items to case, user is no longer prompted when the item
already exists in the case after checking the 'Repeat action' checkbox.
Fixed various problems related to adding nested attachments/e-mails/archives to
case.
For E-mail paths that do not have a message ID in the path, a message ID of "0"
is assigned.
Fixed issues with the case flags not appearing for some items.
Misc
Fixed some date formatting bugs introduced in the previous build that were causing
dates to appear blank.
V3.2.1000 - 10th of June 2015
Create Index
Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
Added indexing of From/CC/To etc. addresses from MSG attachments.
Added missing support for indexing headers for MSG files.
The start and end dates for the advanced search options are now correctly using
the current case timezone setting when a search is performed.
Fixed bug in Create Index -> Edit Template -> "Scan system paging and
hibernation files" setting being lost.
Fixed bug with Search Index -> Email Attachments -> Export ... results
carrying incorrect From/To/CC information from previous results.
Fixed bug with indexing attachments from MSG files (failing to recognize file type
properly).
Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
Fixed bug with empty emails in PST files causing previous buffer to be used for
content and custom meta.
Case Manager
User can now specify whether logging is enabled/disabled when creating or editing
a case.
Error message is displayed if the log file is corrupted or tampered with.
When generating a report, "No title" is now added when there was no title for an
item, so the link to the file is visibly created.
When renaming (moving) cases, case items still used the old metafile path causing
issues with non-existent paths. Fixed by reloading case after moving.
E-mail attachment paths now include the attachment index number, due to the
possibility of having multiple attachments with the same name.
Case Log
Supplemental log entries added across all modules.
When logging is disabled, controls are now disabled and message is shown to the
user.
Create/Verify Hash
Fixed drive drop down list to include Case devices.
CSV Exports
Removed "," separator between date and times for CSV exports so that Excel will
automatically pick them up as dates.
Deleted Files
Fixed bug with retrieving the clusters of a deleted NTFS file. This bug could
potentially cause an invalid memory access crash.
Unallocated cluster information now being used for mounted devices.
Fixed bug with being unable to save multiple deleted files from a partition without
a drive letter (due to invalid characters in the device path).
The number of files that were not saved due to reallocation now displayed.
Improved performance of saving deleted NTFS files.
Deleted files stored in multiple MFT records are now being handled.
Proper stream names are being used when restoring a deleted NTFS file.
Disk Imaging
Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab.
Added check for no physical disk selected.
The sizes of each respective max LBA are now displayed in the log after detecting
HPA/DCO.
Event Info
Bug fix, stripped trailing space character from event title.
Email Viewer
A dotted border is now custom drawn on the selected folder/e-mail so that even when
the control loses focus, the selection is still apparent.
Fixed not being able to add multiple e-mail attachments with the same name. Each
attachment now has a unique path.
File Name Search
Added 'Save to disk' right-click option. Re-arranged right-click menu to be more
readable.
Hash sets
Files less than 5 bytes in size are now excluded from hash set lookups (this is
to prevent tiny files, eg. 0 byte files, always appearing in a hash set where there
was a 0 byte file on creation).
Password Recovery (Windows Login Passwords)
Added cached domain users to recovery for local drives.
Fixed a crash that could happen when recovering cached domain users.
Recent Activity
Added timestamps to WLAN items for the associated XML profile or registry key (where
available).
Bug fix, export event to CSV will now include the item's title.
Columns will remember their widths when filtering, sorting and navigating to
different activity types.
Search Index
Added To/From/CC information to attachment output when searching an index.
Removed the from/to/cc fields from the CSV export of a search for items that aren't
emails/attachments.
Fixed bug with broken links in search index results for files containing percent
encoding in filename.
System Information
Added cached domain users to "Get User Info (registry)".
ThumbCache Viewer
Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view.
User Interface
List/tree views across OSF now show the selected item regardless of when the
control loses focus.
Fixed drawing issues when minimizing navigation buttons.
Removed flickering when resizing window.
Fixed buttons not being displayed when resizing window.
Fixed drawing issues when resizing file/folder popup dialog.
WinPEBuilder
Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder
will now add the required WinPE packages on the WinPE/Packages tab.
Misc
Updated help for new Case Activity Log section to describe logging feature.
Updated help with info on user editable file carving configuration file,
osf_filecarve.conf.
Updated help to mention timezone in case management.
Updated System information library.
V3.1.1007 - 4th of May 2015
Case Log
Added preliminary implementation of Case activity logging.
Case Management
Made add note window resizable.
Added vertical and horizontal scrollbars to Add note dialog, allowing more data
to be saved and making it easier to format the notes.
Deleted files
Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to
different threads sharing same drive handle).
Hash Sets
Fixed bug in deleting hash set from Tree View.
Web Browser
Fixed missing URL info when adding web snapshot to case.
WinPEBuilder
Can pass in .cfg file to preload some values of WinPEBuilder.exe.
Install to USB
Updated GUI. If installing to USB Drive, then only USB location will be allowed.
If creating a bootable device, then any folder is allowed. OSForensics will prefill
the output destination of OSForensics (via WinPE Builder config file) when launching
WinPE Builder (Requires WinPE Builder 1.0.107 and up).
Misc
Updated System information library.
V3.1.1006 - 5th of March 2015
Case Manager
Before deleting search indexes they will now be unloaded if currently in use rather
than displaying an error message.
Email Viewer
Added check for if the recipient address is in X400 format. If so, try to obtain
the SMTP Address instead.
File Indexing
Fixed a crash caused by partially compressed NTFS drives.
Fixed bug with missing title and from addresses from index.
Fixed bug with PST files not opening from search results due to incorrect/corrupt
path.
Fixed bug with x400 email address format when smtp format available for recipients.
Password Recovery
Windows login passwords: Added recovery of cached domain users, updated help file
to match new UI and functions.
Install to USB
Fixed a bug where if the initial start failed (eg invalid target directory) the
disabled buttons were not re-enabled, causing OSF to become un-usable.
Misc
Updated error message when trying to copy files to clipboard from non supported
devices.
V3.1.1005 - 18th of February 2015
File Indexing
Updated Zoom indexer to fix some crash issues.
Bug fixes when indexing DOC and XLS files inside ZIP files.
Install to USB
WinPEBuilder will launch with option to format USB drive filesystem as NTFS.
Password Recovery (Browser Passwords)
Fixed a bug with Chrome and Opera password recovery where the wrong password could
be displayed in some cases (out by 1 place in the list) or no password might be
displayed despite not being blacklisted.
System Information
Fixed a bug that was displaying an error message when trying to run a custom command
on the system information tab when using a selected drive.
V3.1.1004 - 16th of January 2015
Email Viewer
Added handling of rfc2047 encoding in subject/address fields of MIME headers.
Fixed buffer overflow in status message while recovering deleted e-mails in PST
files.
Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to
case.
Fixed a bug with saving embedded message in PST/OST files as .msg.
LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream
instead of storage.
ESEDB Viewer
Fixed population of known ESEDB files to use localised folder names instead of
hard-coded locations.
File Indexing
Pre-scanning can now be cancelled while scanning PST messages.
Updated Zoom indexer to fix some crash issues.
Updated Zoom Office XML plugin.
Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from
255 characters to 65,535 characters.
During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not
updating properly when > 2GB.
Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file
with many attachments.
Fixed bug with only using last filename for all attachments of the same .MSG file.
Fixed bug with losing generated body text with attachment filenames "Attachment(s):
... , ..." for .MSG file indexed.
Fixed bugs with indexing plain text emails in .MSG files.
Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode
corruption).
Fixed bug with possible Unicode string corruption when longer than available buffer
(with languages such as Chinese with 4 char MB UTF-8 characters).
Fixed a bug with file sizes not being indexed in offline mode.
Fixed a potential crash caused by long URLs.
Fixed a crash during pre-scanning when indexing unallocated clusters.
Fixed bug with search index failing on old format index files after a search with
new format index files.
Fixed DOCX plugin that split words incorrectly due to revision history.
Fixed crash bug with XLS files with invalid cell.templateID values.
Import Hash
Fixed String/Buffer overflow during import progress updates (if import folder name
is too long) by increasing string size.
Internal Viewer
If viewing an Excel document that is password protected it will now display a
relevant error message.
Password Recovery
Shadow copy now used if registry file is locked.
Recent Activity
Now attempting to get the localised name for the "Documents and Settings" folder
from the registry when starting a recent activity scan so more information will be
retrieved on non-english Windows installations.
Shadow copy now used if registry file is locked.
Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not
using live acquisition scan option).
Fixed scanning of system registry hives when no user hives are found.
Search Index
Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results.
System Information
Shadow copy now used if registry file is locked.
ThumbCache Viewer
When looking up default Windows.edb location, now using localised folder names
instead of hard-coded locations.
WinPE Builder
Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command
line argument '-f'. Not enabled by default, since FAT32 supports booting both
BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside
on FAT32 partition. If they are not on FAT32 the system may not see the device as
bootable.).
Misc
Fixed bug with handling of NTFS files with mix of compressed/non-compressed
fragments.
Help file updates.
v3.1.1002/v3.1.1003
Internal builds.
v3.1.1001 - 16th of December 2014
Case Management
Fixed potential deadlock after clicking 'Cancel' when items are being added to the
case.
Fixed 'To' field missing in e-mail case properties.
Fixed 'From', 'To', 'Subject' fields missing in case report.
Removed check for empty e-mail headers (From, To, Subject, etc...) when adding
e-mail to case. Adding warning to log file instead.
Email Viewer
When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated.
Currently, only HTML/text is supported.
File Indexing
Indexer updated to the latest Zoom Engine.
Fixed a bug when indexing email attachments with accent characters in the folder
path.
Fixed infinite loop bug when indexing corrupted ZIP files.
Fixed a crash bug with indexing MSI files (and any other files that can be
misidentified as DOC).
Added error message when handling bad ZIP files.
Added default handling of .msi files as binary (filename only) format.
Recent Activity
Will now return files/folder from user's Recent Item folder (shell folder).
Added Support for Word 2013 Reading Locations to Recent File List Item.
Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List.
Added Adobe Acrobat Reader MRU locations.
Now also parsing the subkeys to
Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.xxx, where .xxx
is file extension to retrieve more information.
Added Right Click Menu Option - Copy Row to Clipboard.
GUI Fixes, Help File Link Update.
Added Filter for text search of all fields for an activity type.
Installed Programs, if there is no program name, will return registry location as
the title.
Registry Viewer
When opening key paths containing SYSTEM\CurrentControlSet which is a volatile
symbolic link, replaced with 'ControlSet00n' where n is the current control set.
Search Index
Improved performance of adding PST e-mail/attachments to case by using the same
e-mail file handle, instead of opening and closing for every e-mail message.
v3.1.1000 - 19th of November 2014
Email Viewer
Only one instance of the e-mail viewer window is now available and shared amongst
all modules.
This allows e-mail messages to be opened instantly without having to reload the
e-mail file if it was previously opened.
Partially loaded e-mail files (ie. cancelled halfway during loading) are no longer
allowed and removed from the tree view.
Added support for recovering deleted and orphaned e-mails in PST files.
Added status bar on the bottom of the window to indicate the number of items in the
current folder.
Fixed header field (From, To, Cc) text not showing when text length is too long.
Fixed saving attachments with invalid filename characters.
Added implementation to save PST emails with embedded message attachments in MSG
format.
Removed storage of e-mail file path for each mail item to reduce memory usage.
Fixed a crash when closing e-mail viewer while still loading e-mail/searching.
Direct Access
Reduced the memory usage for VMDK, VHDI and raw images.
Cache data is now shared globally per device rather than per device/thread. This
reduces memory usage and increases performance.
NTFS
Fixed loading of $MFT file split into multiple MFT records
Added caching of ATTRIBUTE_LIST to improve performance
Fixed a possible crash when saving to disk
Internal viewer
Fixed a crash related to merged cells when converting excel document to html.
Fixed a bug with POLE library causing large files to be saved improperly.
Fixed hex view showing incorrect bytes while performing search
Forensic Copy
Fixed error message preventing files to be copied to a windows drive destination.
File Indexing
Added support for indexing .tar, .gz, .tar.gz, etc.
Added BinStringsUseBigram option for create index binary string extraction
settings, Code words and Extreme.
Added options to index "System hibernation and paging files".
Changed email prescan estimate to handle more cases.
Added a MAXPAGES min. cap of 100,000 pages when scanning attachments.
Fixed a bug with not detecting if wordmap merging failed mid write due to out of
space or other causes.
Fixed a bug with free edition not indexing PDF files properly (indexed as html).
Fixed a bug with not being able to perform searches on indexes created within a
folder path that contains Unicode characters
(e.g. Unicode characters in user name or in case name).
Fixed an issue with not scanning text files (non plugin files) when scan .sys files
is enabled.
Fixed a bug with an infinite loop when indexing a file misnamed as DOC (e.g. a RTF
file).
Fixed several bugs when indexing emails.
Recent Activity
New user interface, summary of items shown in left hand treeview side, added
filters, new sortable list.
Updated to work with latest version of Opera (23).
Now searching localised folder names so should return more results on non-english
installs of Windows.
Now searching more registry locations for installed programs so far more results
should be returned.
Fixed a bug where registry locations of some installed programs weren’t displayed
fully.
Fixed some issues when trying to get recent activity from non-system drives.
Drive Preparation
Improvements to Disk preparation error messages.
Improvement to the Drive preparation progress update.
Disk Imaging
RAID rebuilding, fixed detection of RAID metadata for Promise RAID controllers.
v3.0.1001 - 19th of August 2014
Case Management
Images/drives without valid partition/file system info (ie. boot sector) can now be
added to the case. This allows the drive to be viewable using the Raw Disk Viewer.
File Indexing
Added support for indexing extracted binary text from "hiberfil.sys" and
"pagefile.sys" (not limited by max file size limit).
Fixed stemming problems during indexing.
Fixed bug with updating indexing status causing small indexing jobs to report no
files being indexed.
Fixed bugs with identifying misnamed ZIP files during indexing.
Updated Engine/CGIs to V7 build 1008.
Image search results that are nested in archives are now displayed in the 'Images'
tab.
Image search results that are nested in archives are now displayed with an 'archive'
overlay on the top left corner of the icon.
Fixed bugs with accented characters in search result URLs.
Fixed bug with opening search results in the Internal Viewer.
Deleted Files Search
Fixed bug in file carving of .mov files (was including 4 additional bytes in the
end, now removed).
Fixed file carving of .pdf files. Will now check buffer for four known combinations
of end markers. If not found, will default to look for %EOF.
Fixed scanning of deleted files on mounted drives without partition information.
Raw Disk Viewer
Fixed divide by zero bug when performing a raw disk search on a disk with sector
size = 0.
Fixed partition info in the Decode window not being updated correctly when a new
disk is loaded.
Web Browser
Module will now load on first use instead of loading on startup. Starting Page is
now set to about:blank (was set to "http://www.osforensics.com"). This minimises the
impact on a live target system when running OSF from a USB drive.
Internal Viewer
Fixed image stored in the alternate stream of a file not being displayed.
Misc
Fixed bug with FAT file system parsing caused by truncating errors when calculating
cluster offset. This could prevent some FAT partitions from being mounted when the
FAT partition's starting offset was a long way from the start of the disk.
Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled).
Added debug statements when there are NTFS file system parsing errors in applying
fixup values to MFT and index records (when DEBUGMODE mode is enabled).
Updated WinPEBuilder.exe to include more debug messages.
v3.0.1000 - 14th of July 2014
New Modules:
ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail
cache database (Windows Vista and later only).
ESE database viewer for viewing the records stored in ESE database files (.edb). ESE
database format is used by a variety of Microsoft applications and can often contain
data of forensics value.
Prefetch Viewer for viewing the application prefetch data stored by the operating
system's prefetcher. This data includes when the application was last run and how
frequently it has been run.
Case Management
Added option to "Make case default" when adding a device to a case so it is selected
by default for future actions.
When deleting cases, added prompt to allow the case files to be saved to another
location before deleting.
Adding attachments from case devices now supported.
Multiple image partitions can now be mounted at the same time.
VHD image files can now be mounted.
Added 'Repeat action' checkbox to message box when adding a file already existing in
case.
Fixed a bug that was preventing undeleted files from being exported as part of a
report.
Fixed bug with selecting default drive when creating case. Also removed current
case's devices from default drive dropdown list.
Fixed issue with setting newly mounted drives as default drive.
Fixed bug with condensing white space when reading .OSFCfg files.
When adding shadow drives, fixed combo box not being reset when changing drive
selection.
Changed the error message when adding an image file to a case to include the image
name.
Fixed a bug preventing bookmark tables in reports from being sorted
Deleted Files Search
Searching for deleted files in HFS+ drives now supported.
Results can now be displayed in 'thumbnail' and 'timeline' view.
Timeline view now shows stacked bars grouped by file extension.
Fixed overall system slowdown caused by large blocking file reads when file carving.
Removed right click menu options that aren't supported by the file system.
Fixed a crash when pressing a key with nothing selected.
Fixed deleted directory icon not being displayed for non-NTFS file systems.
Fixed deleted file fragmentation info not displaying for NTFS case devices.
Fixed crash with invalid memory access when searching for ext2 deleted files.
File System Browser
Added extra metadata column for the LCN of the first cluster of the file. This is
useful for seeing if files are grouped together on the disk.
Deleted files/directories can now be displayed (in red text). Added menu option to
enable deleted files to be displayed.
Added right-click menu option to attach selected files to case.
Attribute modify date is now displayed for ext2 file systems.
Fixed deleted icon overlay so that it displays correctly on XP.
File Indexing
Indexer updated to the new Zoom Engine, which includes support for real-time
logging.
Indexing now supported for Shadow Volumes.
Timeline view now shows stacked bars grouped by file type.
Multiple history items can now be added to case.
Multiple history items can now be deleted.
Changed indexing/searching limit to 25000 items for Free version.
Optimized index search by not reloading dictionary for every search.
Fixed a crash when indexing multiple partitions mounted from image files.
Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are
loading.
Fixed bug with DBX message count not being included in total e-mail count.
Fixed Custom Limits not being saved/applied in Edit Template.
Fixed 'default' button not deselecting non-default filters in log window.
Fixed unallocated cluster indexing not working for drives mounted in Standard mode.
Fixed timeline date filter not filtering items correctly.
Fixed invalid characters showing up in 'History' under the 'Settings' column.
File Name Search
Timeline view now shows stacked bars grouped by file extension.
Deleted files/directories can now be displayed (in red text). Added menu option to
enable deleted files to be displayed.
Attribute modify date now displayed for ext2/hfs file systems.
Fixed a memory leak when closing window.
Hash set lookup
Added list of matched files when performing hash set look up of more than 1 item.
The list view contains a list of files that are found in the hash set. Previously,
only the number of matches was displayed without any information on the files that
matched.
Added support for deleted files hash lookup.
Internal Viewer
Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS
directories.
Metadata View tab now displays EXIFTool metadata for deleted files.
Metadata View tab now displays carved $I30 records for deleted directories.
Added jump to index right-click menu option.
Deleted files opened from the file system browser can now be viewed.
Thumbnail cache data opened from the ThumbCache viewer can now be viewed.
File Info tab now shows the file's starting LCN.
Increased the default number of strings limit in Hex view tab to 50,000. Increased
the max number of strings limit to 1,000,000.
Improved loading and caching of files.
Reduced file loading time by optimizing file system accesses.
Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View.
Fixed minor issue in File Info tab with short filenames appearing incorrectly.
Fixed bug with hex viewer string extraction not stopping when max # results reached.
Fixed viewer string extraction omitting words in results.
Fixed 'Copy ASCII' in Hex view tab to copy all characters other than '\0' to
clipboard.
Fixed icon transparency not displaying correctly in Windows 8.
Fixed metadata view tab showing icons when displaying EXIF metadata.
'Unsupported file type' text is now displayed when failing to convert document files
to text.
Fixed crash due to buffer overflow bug with handling Excel document conversions.
Email Viewer
Added support for searching message body.
Added support for date filtering.
Updated "Print" functionality.
Fixed a bug with HTML email printing not having any headers.
Fixed a bug with not printing full headers, RTF, and plain text mail.
Recent Activity
Added scanning of Windows search database (Windows.edb) index records.
Added scanning of prefetch items.
Added scanning of Windows Credential Manager for browser passwords.
Added 'Config' window for configuring scan options (date range, items to scan).
Added additional filter for MRU sub-categories when filtering by 'MRU'.
Timeline view now shows the breakdown of activity types via stacked bar graph.
Changed behaviour when using the right click "Export to" options in the timeline so
only the items from the active timeline section are included (previously all the
found items were exported).
Timeline view is now synchronized with File List view.
Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items'
hyperlink.
Fixed crash when pressing 'Enter' with nothing selected.
Fixed item selection when 'End' is pressed.
Fixed stack overflow bug.
Fixed error when opening the selected item with the registry viewer.
For Chrome downloads, results now show filename from source URL if destination
download path unavailable.
Fixed scanning of IE history not working for certain versions of IE.
Fixed a bug preventing the name of items from being output correctly for CSV export.
Mismatch search
Added text colour to "Identified Type:" field for emphasis.
Fixed a bug that was causing a crash when adding a file to a case.
SQLite Browser
Files saved in temp folder are removed when exiting.
Fixed uninitialized pointer bug when exiting program.
Password Recovery
Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character
options.
Updated the Firefox password recovery feature to work with the latest version of
Firefox (24).
Fixed a bug where the password was not displayed if there was only one password
entry stored in the Firefox database.
Updated error message to show correct error code when permissions prevented some
registry changes.
Fixed crash when adding .rti rainbow tables without valid file segments.
Under 'Generate Rainbow Table' tab, moved the character set definition in the combo
box to an edit control due to length.
Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable.
Drive Preparation
Fixed Write pattern function incorrectly reporting a write error near the very end
of the drive for some USB flash drives.
Drive Imaging
Restoring VHD image files now supported.
Disk image name and type is now maintained when using the browse button (if already
entered).
Fixed bug with imaging drives as Encase files.
Install to USB
Added window message processing during the USB installation process so the
application doesn't display as "Not responding".
Disabled Install/Exit/Browse buttons when install process starts.
Stopped "Install to USB" function from working when not installing to a
USB/removable drive.
Web Browser
No longer creates a web browser temporary dir as it was not being used and was not
being cleaned up properly after program exit.
Misc
Deleted files are now supported in thumbnail view.
Various performance improvements when loading thumbnails in thumbnail view.
Fixed display of files without high resolution icons in thumbnail view. Previously
this meant a tiny icon was drawn.
Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay
flag in thumbnail view.
Fixed crash caused by bug with retrieving the file icon in thumbnail view.
Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail
view.
Added support for stacked bar graphs via groups in timeline view.
Fixed bug when the data spans greater than 30 years in timeline view.
Increased copy to clipboard limit from 100 to 10,000 files.
Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB.
Redirected stdout containing Unicode characters should now work correctly (eg from
System information tools).
Fixed some flickering when adding files to case.
Updated OSFMount to v1.5.1015.
Fixed several crashes that could occur when closing OSF.
Fixed crash when attempting to shadow copy files from a drive mounted in standard
mode.
Non-raw image files that cannot be opened properly will be opened as raw.
Reduced flickering when resizing window.
Fixed copying of shadow copies of locked files into temporary directory.
v2.2.1000 - 10th of September 2013
Added support for creating a self booting USB solution from the "Install to USB" section,
this is a new tool called "WinPE builder" that can be launched after the "Install to USB"
process. There is an in depth guide on how to use this new feature here.
v2.1.1000 - 9th of August 2013
Indexing changes:
Will now process e-mail headers.
Added .zipx extension in filetypes to be recognized, handled as "Binary (filename
only)".
Added handling of ZIPX as "Binary (filename only)".
Added checkbox to scan attachments in e-mails to advanced template configuration
window.
Added Volume shadow copies support to the File System Browser. Currently a file is considered
a shadow if the modified time of the file is different from the current volume file. Steps to
use this feature are:
Add Disk Image OR Drive in forensics mode OR Disk to case.
Add subsequent Volume Shadows for just added device.
Load File system browser and enable Show shadows under options menu.
Browse (the shadow copy files text/label will be a shade of grey).
Added "loading" dialog box when parsing shadow copies.
Shadow copies can now only be loaded for devices that are already added to case.
Improved performance when using shadow copies as a result of caching data in RAM. This
should also allow larger drives to be examined in a reasonable amount of time.
Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow
copies, it behaves similarly to the Create/Compare signature function.
Added keyboard shortcuts to Internal file and email viewers.
Raw disk viewer searches are no longer aborted when the search window is hidden.
Made some changes to the Chrome download section in recent activity to work with newer Chrome
versions (26.0.1410.64) as the database structure has changed.
Can now select 'Use entire image file' when selecting a partition from an image file.
Added Loading progress indicator for the advanced EmailViewer.
When an error occurs when adding multiple items to case, added a Message Box to prompt if
user wants to continue (or quit). This avoids a situation where hundreds of error boxes
might otherwise be displayed in a loop.
Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume
(LDM)".
Can now detect dynamic volumes in dynamic disks (LDM).
In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image
from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) &
software RAID was included. Additional auto-detecting features for other RAID formats are
expected to be supported in future releases. Added support for manually changing image file
offset/size for RAID rebuilding.
Rebuilding RAID images for the following RAID metadata types
RAID "Info" dialog now shows the metadata for all matching RAID formats.
Can select between multiple RAID metadata types if multiple formats detected.
Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for
copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some
drives there is locking that will prevent changing the HPA/DCO disk extent limits.
Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date
information is not recoverable.
File Carving percent complete display bug fix.
File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as
black box.
Fixed some potential memory allocation issues in the internal file viewer when viewing
buffers (which is how deleted files are viewed).
Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths
were longer than expected.
Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk
Imaging module.
Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs
(Vista and newer only). IE10 has a new internal format for storing this data compared to
previous releases.
Updated document indexer to handle indexing recursive PST files (PST and MSG files attached
to E-mails inside PST files).
Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened.
Fixed some memory leaks when indexing emails and attachments.
Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be
opened (e.g. because Outlook is open and holding access). It now shows an error message and
destroys the Email Viewer window before it displays.
Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during
PST loading.
Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in
the EmailViewer.
Made some changes to stop a reported crash in the registry viewer.
Fixed a bug with the Windows Login Password when using "Live acquisition of current
machine", a required registry permission was failing to be set correctly.
Old/simple PSTViewer is now restored in project and used when PST file is > 10GB.
Changes to try and stop the recent activity/registry viewing crashing in invalid data
circumstances (caused by null records in the registry).
Added help context for Volume Shadow Copies.
Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild'
functionality.
v2.0.1003 - 22nd of March 2013
Forensic Copy.
Fixed Forensic File Copy not copying folder 8.3 short names.
Made change to handle setting 8.3 short file names on files that have a read-only flag.
Added fractions of seconds to internal viewer file properties output.
Recent Activity - Now also searches registry location for typed IE URLs.
System information
Changed the dialog title to reflect that a command is being edited rather than a new
command.
Fixed a bug where if the first entry in the list was editable then it wasn't loading
correctly and defaulting to the new command dialog.
Fixed a bug where if the list management dialog was closed using the X button rather
than OK the current command window display was not being updated to reflect any changes.
Added new system information functions (Get User Info, Get Timezone, Get computer name,
Get network info) that can query the registry for information, these functions can be
used on the local system as well as disk images and other system drives.
Navigation Bar - Added 'Registry Viewer' button.
Start Page - Dialog for selecting registry file now closes when the Registry Viewer is
opened.
Registry Viewer
Correct icon is now displayed for Find/Goto windows.
All search types now selected by default in Find window.
and keys now work properly for Find/Goto windows.
Cancel button now works properly for Find/Goto windows.
Find/Goto windows stay open after search.
Added splitter bar and fixed resizing issues.
Added shortcut keys for searching (Ctrl+F, F3, Ctrl+G).
Find/Find next now traverses the tree in order according to currently selected entry.
Added support for opening multiple registry files in one viewer.
Added icons for tree view.
Email Viewer.
Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t
instead of BSTR.
Changed header fields to Edit controls to fix redraw issues when resizing.
Improved parsing of Date/Time strings.
Hex View.
Added Ctrl+C (copy hex) and Ctrl+A (select all) keyboard shortcuts.
Fixed crash carving data.
Changed string extraction so that it no longer separates URL strings into components
(eg. 'http', 'www'), this was preventing the URL filter from being useful.
Password Recovery.
Changed behaviour when recovering Firefox passwords so that if a Firefox install isn't
found on the drive being scanned, OSForensics will also check for a Firefox install on
the system drive.
If a FireFox location is not found an error message is now displayed.
Added warning to password recovery and system information functions when running on a
live system and the permissions of the SAM registry files need to be changed.
v2.0.1002 - 11th of March 2013
Fixed error when attempting to select a file in the listview with no items.
$I30 directory entries now returned even if the MFT record does not contain a $FILE_NAME
attribute.
Fixed a bug in the report template where Web Snapshots, Notes, Emails and Bookmark tables
were not being sorted when their heading columns were clicked.
Fixed a crash when changing hex view settings.
Changes to Forensic File Copy to better handle conflicts with 8.3 names on NTFS.
Fixed a bug in the recent activity scan on non-live systems where USB devices were not
displaying a last connected time and date.
Fixed a bug where the scroll bar was not updating on the recent activity page when using the
mousewheel.
In File Info tab, added 'Short file name' field for NTFS/FAT 8.3 short filenames.
Fixed a bug that was preventing the recent activity module from getting windows system event
information for the live system.
Added filename and file extension sorting to index search.
Fixed a crash when viewing/exporting a download recent activity record.
Added right-click option to save file to disk for the filepath hyperlink in the Decode
Window.
Added progress bar when saving file to disk, allowing the user to cancel if taking too long.
Fixed a crash that could occur when scrolling on the recent activity tab.
Fixed a bug where in the recent activity items the chrome form history items could be saved
with the currently registered username for OSF not the local user.
Fixed a bug in the recent activity CSV save to case / export where the time offset was
saved in the location field for MRU items.
v2.0.1001 - 4th of February 2013
Added Web Snapshots category to case management for exports from the web browser module.
Added additional URL meta data to Web Snapshots (viewable from case item properties window).
Fixed index search bug causing variant words like "testing" instead of "test" to not be
found.
Fixed index search bug causing exact phrases using quote characters to not return any search
results.
v2.0.1000 - 30th of January 2013
Major changes
Support for multiple drives & folders when indexing. So a single index can now span
more than one drive.
Support for templates in the file indexing module. (to save re-entering data each time an
index is created).
Ability to capture pages from web sites and add them to a case (not finished in this Alpha
release).
Added support for searching multiple sets of index files in a single search.
Added much improved E-mail viewer / browser.
Will open automatically if viewing an E-mail archive.
Can now add Email attachments to case.
Added the option to copy files from a case to the output directory when creating a case
report (instead of just including a reference to the files).
Changes to the Internal File Viewer.
Window can now be maximized. Minimum window size limits removed.
Minor metadata fixes.
Can now add string list to case in Hex Viewer.
Exported string list now contains string extraction settings.
Can now carve to file (and add to case) in Hex Viewer.
Can now directly open Office documents without the need for an external tool to extract
the text. Should be significantly faster to open large documents in images.
The index search function is now built into OSF (so it is no longer an external .exe). This
allows better persistent caching of the index which in some cases leads to much faster
searches e.g. 500% faster, for large sets of index files and search terms that give
small result sets. Even in the worst case there will be around a 10% improvement on search
times.
Carved file can now be added to case in the raw disk viewer.
Implemented functions for reading the $I30 info file for NTFS directories. I30 data now
shown in Hex View tab for NTFS directories.
WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and
image file. Can select region of screen to save or full screen. Free version of software
will contain watermark, Pro version won't.
Changes to the raw disk viewer.
Added right-click menu to search results in raw disk viewer. In particular, users can
now export the search results to disk.
'Select Range' dialog now populates 'Start offset' with current offset.
'Select Range' dialog shows the number of bytes between the start and end offset.
Minor changes
Changed UI layout of memory viewer module to tab-based. Re-organized buttons.
Bug fix when accessing zip file content on FAT16 volume using direct image access.
Fixed bug where FAT clusters were incorrectly flagged as deleted.
Several speed improvements on FAT volumes when using direct image access.
Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB).
Fixed pre-scan file counting bug relating to upper and lower case file names in the
indexing module.
The last folder used for a report is now stored to avoid the need to re-enter it.
Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be
freeing.
Fixed a bug that prevented case reports being generated on any drive other than the one the
case resided on.
Made some changes to the Opera browser recent activity functions to prevent a possible
crash.
Added toolbar for quick access to changing views in file system browser.
Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the
Mac system used characters that are illegal on an NTFS system.
Changed behaviour when adding emails from a search to overwrite existing ones (previously
would create a second copy with a number appended to the name).
Change behaviour so that when an email overwrites one that already exists the list view item
of the old item is updated with the new title.
Added right-click function for directories in file system viewer to switch to 'Create
Signature' module and automatically fill in location.
Better handling of nested e-mail/attachments in the index search function.
New indexer with fixes for index search results showing corrupted URLs for email attachments
& also fixed binary string extraction skipping longer phrases.
Fixed bug in Mbox Email Reader with attachments missing characters in the filename.
Fixed progress bar for adding email and attachment to the case.
Fixed Email path issues in the file signature function.
DOS batch (.bat) files can now be run from the system information function.
Corrected an issue where the "Live system Capable" radio button was not checked when
editing a command in system information function.
Allow right-click Copy/Copy All in the system information results tab.
Fixed buffer overflow caused by long header fields (eg. 'To:').
More information about the index is displayed under the results window.
Changed default number of maximum search results to 1000 from 5000.
Added logging and error conditions for searching an index.
Fixed a bug preventing FireFox recent activity history from being read when directly
accessing an image file.
Fixed a bug where the location of IE & Safari recent activity entries could show
uninitialised character values when directly accessing an image file.
Fixed bug in search index function when opening a word list that contains extended
ASCII characters.
Fixed bug in search index history list view when a past search query contains spaces.
Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they
have completed.
Added message box after successfully carving to file in the raw disk viewer.
Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new
Chrome releases.
Fixed a typo in recent activity drop down (Form History).
Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and
Firefox).
v1.2.1003 - 3rd of October 2012
Fixed indexing for drive root.
v1.2.1002 - 3rd of October 2012
Fixed bug causing certain case items to not load correctly.
Fixed bug where NTFS file data reads were not sector aligned.
Fixed error loading DirectIo Driver.
Added warning message that search results are limited to 1,000,000.
v1.2.1001 - 26th of September 2012
Added cancel button to stop drive scanning in the raw disk viewer.
Added ability to jump to disk offset of deleted files in the deleted files search.
The device name is now displayed for deleted ext2 files in the deleted files search.
Fixed artifact issue when panning images in the internal file viewer.
Fixed cancel functionality for FAT/ext2 in the deleted files search.
Fixed a bug where if there were no hash databases then the "New DB" button was disabled at
startup and no new databases could be created.
Fixed a bug preventing the recent activity scan from searching the root directory of a
drive.
Fixed a crash when retrieving MFT values.
File carving of physical disks bug fixes.
Image restore now allows image files that are smaller than the disk size.
Added support for FAT12 file system.
Fixed a bug when recovering file when carving via partition number.
Changed create index progress bar to not complete when indexing was manually cancelled.
Added new "Max results" option to search index options.
Added "Display search results" and "Display search results & add to case" right click
options for the history tab of search index.
Significantly reduced memory usage of open cases with a large number of items.
v1.2.1000 - 31st of August 2012
Major changes
Support for Apple Mac file systems. Including HFS+ as used in Mac, iPhone, iPod and iPad. So
it is now possible to view & investigate files from a Mac or iPhone on your windows
machine with OSForensics. Includes changes to:
Indexer.
File viewer.
Raw disk viewer.
Device manager.
Support for Linux file systems. Including EXT2, EXT3, EXT4. Includes changes to most modules in
OSF.
SQLite database viewer is now included in the OSF package. This is useful for looking into
database files created by several applications on the iPhone and also by Firefox.
Added support for APM partition scheme (Apple Partition Map).
Updated RecentActivity Module to display Browser information when querying Ubuntu
machine images.
Added Firefox form history retrieval to the recent activity.
Made CSV import into hash sets significantly more robust and added better documentation.
Changed regular expression searching in search index to use a slower algorithm, but it is
more able to execute complex regexes.
Deleted file search now supports hash set lookup and displays icons for status.
Internal file viewer supports right-click functionality for deleted files (Open/Hash
lookup/Add to case).
Can now image drives to .E01, .AFF format, in addition to dd format. The compression level
can now also be selected (None, Fast compression, Best compression).
Additional advanced indexing options to allow the user to select the type of content to be
indexed. The user can now, for example, choose to just index document meta data without
indexing the document content.
Sector number and byte offset are now displayed in the list of carved files in the undeleted
files module.
Minor changes
Changed progress bar in Create Index to complete with 100% instead of 0%.
Fixed Registry Viewer to use custom file selection dialog. Making it easier to view registry
files when directly accessing an image file.
Help file updates.
Fixed vmdk crash bug.
Added a maximum limit for # of items in cache to prevent allocation of an abnormally large
amount of RAM at startup by Thumbnail view.
Fixed handle/memory leaks causing potential crash in Thumbnail view.
Fixed crash when closing OSF when search is running in raw disk viewer.
Changed double click of thumbnail in Image tab of "Search Index" to open in internal viewer.
Extended vshadow executable timeout to 2 minutes for slow machines.
Fixed a crash when a case with no indexes was selected and the "Browse Index" tab was
clicked on.
Fixed a possible crash when using the scroll wheel in the recent activity window.
Added cookie name and content to CSV export of cookies.
Added cookie content to information displayed in the recent activity window and included in
the TXT and HTML exports.
Fixed bug opening fileset from hash lookup dialog after first sorting.
Can now sort by whether or not the file is in the hash set in deleted file search.
The 'Include Special Characters' checkbox in the hex viewer settings is now functional.
Changed 2GB max file size limit for indexing to 4GB.
Fixed possible crash when adding file to case in free version in deleted files module.
Fixed possible crash problem when indexing PST files.
Fixed icons in "File List" tab for OSF devices.
Can now image partitions without drive letters or without recognized file systems.
Sorting by bookmarks is now available from the File name search and index search functions.
The normally hidden NTFS MFT Modify Date field is now exposed. You can see it as an extra
column in the File System browser for example. Note that this is a different value from the
"Modified date" that is normally associated with a file and displayed in Windows Explorer.
The time line function in the File Name Search module can now generate a timeline based on
different sets of dates. e.g. you can do a time line on file creation date or modified date.
Previously the timeline always used modified date.
From the Manage Case module it is now possible to right click on a bookmark and add the
bookmarked file directly to the case.
In the drive imaging function there is now a new Restore Image tab. This tab allows a disk
image to be restored back to a physical drive. This might be useful if you want to attempt
to boot a disk image from a physical drive.
From the search index module you can now right click on a word in the Browse Index tab and
search for the word in the index and add it to the case in a single step.
You can now export a list of words from the index as CSV via the Browse Index tab.
Allowed multi-select when adding bookmarked files to case. Previously only 1 file could be
done at a time.
Allowed multi-select when changing bookmark colors. Previously only 1 bookmark could be done
at a time.
Added Export to CSV options to history tab in search index.
Changed list on search index history tab to allow multiple selection.
File system browser - sorting by column click now works for access date and any extra date
fields (if applicable, depending on file system and mount method).
Internal viewer - Added extra date fields to 'File Info' tab for "Attribute Modify Date" in
HFS and NTFS MFT Modify Date.
File Name Search - When results are filtered via timeline, the date filter used is displayed
above the tabs.
File Name Search - Configuration window now has filters for 'Access Date' and any extra date
fields (if applicable).
File Name Search - Added new sorting criteria (access date and extra date field) to combo
box.
Added support for hidden "Attribute Modify Date" field in Apple Mac HFS file system.
Improved forensic disk access speed via caching.
Various other minor bug fixes in existing functionality.
v1.1.1002 - 5th of June 2012
Addressed problems with indexing many EML Email files. Code for the handling of EML files
was completely re-written to be 80% more memory efficient. This can prevent crashes due to
lack of memory when indexing large numbers of E-mails.
Fixed a bug in the Windows Login Passwords function preventing the help page opening
correctly.
Fixed a crash bug when retrieving IE cookies on some systems. This correction was in common
code used by several modules and so might correct other (unknown) issue.
v1.1.1001 - 4th of May 2012
Added support for directly accessing image files of the following formats from within OSF:
Split Raw Image (.00n).
Advanced Forensics Format Images (AFF).
Advanced Forensics Format Images w/ meta data (AFM).
Advanced Forensics Format Directories (AFD).
VMWare Image (.VMDK).
EnCase EWF (.E01).
SMART EWF (.S01).
Fixed bug opening unallocated clusters in OSF internal viewer.
v1.1.1000 - 26th of April 2012
Added ability to investigate raw NTFS image files directly from OSF without mounting them.
Images and physical drives can now be added to the case as devices.
All of OSF features have been updated to act on these devices.
Image files can now be given a short hand ‘display name’ handle. E.g. Case123:\.
Completely bypasses file system and file permissions.
Automatic calculation of directory size in a background thread.
Browse history location bar.
Integration into bookmark, hashing, indexing and file viewing functions.
Can jump to file’s offset on the raw disk.
Disk NTFS stream information (pro version only).
Display of cluster information and file fragmentation.
Added right-click functionality to jump to file's disk offset in raw disk viewer.
Registry Viewer
Improved speed of Registry Viewer.
Enabled the data/values/match whole options in the registry viewer search dialog.
Fixed a bug where the last search term in the registry viewer wasn't being cleared
properly for a new search in some cases (leading to no results).
Various other crash bug fixes.
Added new warning when trying to import NSRL data into the existing example database.
Can now add notes to case without needing to add as an attachment.
Added From: and To: and Subject: fields for email exports from search results.
Can now attempt to crack passwords on encrypted 7zip files.
New right click option in case management to verify file hashes on case items.
Indexing now supports Email attachments with attachments being displayed on separate tab.
Improved image viewing quality in internal viewer.
Added option to use MD5 hashes when creating signatures, in addition to SHA1.
Can now set case acquisition mode. This will warn the user if they try to perform an
acquisition task that does not make sense with their case setting. Some functions only make
sense in the context of a live investigation.
Added timestamp fields to data decoder in raw disk viewer.
Fixed bug in displayed totals in signature comparison.
Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily
at startup.
Fixed bug adding files with no extension to the case.
Fixed hash set creation freeze on certain locked files.
Added "Browse Index" tab to "Search Index" module. Loads currently selected index
dictionary.
Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
Better support for long path names, up to 32,000 characters in a path.
MD5 is now calculated for items in the case (as well as SHA-1 & 256).
Signature/File listing may now include E-mails in PST, EML, MSG & MBOX. DBX is also
possible but attachments are not listed at the moment.
Fixed XP compatibility issue caused by missing SHGetStockIconInfo function in SHELL32.dll.
Fixed crash bug when opening the live registry or creating volume drive images via
shadowcopy on Vista.
Added support for multiple instances of registry viewer.
Added "Export to text" function to registry viewer.
Added "Save to case" right click menu option for keys and values in registry viewer.
Added "Search" menu for registry viewer.
Fixed a bug where REG_QWORD types were not being converted for display correctly.
Fixed bug where registry viewer right click menu could be displayed when not clicking on the
value list.
v1.0.1004 - 1st of December 2011
Added "extra information" check box option to case report generation dialog. When checked it
adds SHA1 and SHA256 fields to the case report.
Added inbuilt Registry viewer functionality, available via the start page. It is now
possible to view key update times and avoid registry permission issues.
Added "Open registry File..." to right click options for recent activity items that come
from the registry, which will open the associated registry file and display the key and
values.
Added ability to open locked (live system) registry files, (via shadow copy to temp
directory).
Changed some recent activity items, those sourced from the registry, to store the full
location of the registry file the data was collected from and the full key location as two
separate items.
Behaviour of IE password scanning for non-live drives changed to display "N/A" for username
and password if they are found but fail to decrypt.
Fixed bug on Windows Login password tab where both radio buttons could be selected at the
same time.
Fixed possible bug where scanning for passwords on a read-only mounted drive image could
give an "I/O error", affected files are now copied to the temp directory before opening.
Changes to Rainbow Table generation and recovery.
Can now use indexed rainbow table files (.RTI) to decrypt passwords. This includes
support for the tables from freerainbowtables.com in RTI1 format.
Added checkbox to turn RT to RTC compression on/off.
Added configuration file to define character sets.
Updated Rainbow Table help file.
Fixed several bugs.
New builds of the indexer that fix the datetime bug that caused files to be dated 1 second
behind.
Fixed bug where valid license keys were not accepted if username was too big.
Added filetype for OpenOffice documents and Recycle Bin Meta files. So .ODT files can now be
indexed and searched. This also includes support for KOffice & Google Docs.
Fixed a deleted files search crash bug.
Fixed bug with indexing OpenDocument support and Recycle Bin Meta files.
Fixed bug with searching index for unallocated clusters, and filename only files. Results
were displayed incorrectly and may not open in the internal viewer.
Fixed bug with missing context descriptions for some search results, and stemmed base words
appearing in context.
Fixed bugs with some initial word variants missing from index.
v1.0.1003 - 8th of November 2011
Added silent copy to temp directory of registry files if they can't be opened due to
read-only error (eg mounted a disk image as read only) when retrieving windows passwords.
Fixed a bug that was preventing individual partitions from being imaged correctly and
displaying an access denied message.
Fixed a bug where if a username associated with a licence key was too large it would not be
recognised as a valid key.
Fixed a datetime bug in the create index / search index that caused files to be dated 1
second behind.
v1.0.1002 - 2nd of November 2011
Removed beta expiry from create index process that was mistakenly left in.
Indexing now supports OpenOffice documents, Windows Recycle Bin Meta file indexing, and soft
hyphen indexing.
Fixed rare crash in the raw disk viewer.
v1.0.1001 - 13th of October 2011
Added icon for mounted drives in recent activity list.
Fixed bug with cookie recent activity export not exporting date correctly.
Added silent copy to temp directory of registry files if they can't be opened due to
read-only error (eg mounted a disk image as read only).
Added retrieval of user assist items from registry to recent activity.
Improved internal viewer to better display various text document formats.
Fixed a crash creating a new case when entering too much data into the organization or
contact fields.
Added warning message to disk imaging when trying to image a partition without a drive
letter.
v1.0.1000 - 10th of October 2011
Increased index log window from 5000 to 10000 lines.
Added search MRU items for Windows7 in recent activity.
Added mounted drive letters + volumes to recent activity.
Fixed a bug where on some systems file carving would end up in an infinite loop.
Fixed bug with creating an index with Custom Limits being stuck on Step 3.
Updated OSF Icon to have 256x256 size.
v0.99j Beta - 28th of September 2011
Fixed a crash when indexing certain email files.
Improved Drive Imaging. Now locks drives when unable to shadow copy, also has option to
force shadow copy off.
Changed drive imaging so that image write re-attempts on failure.
Updated report export to include emails.
Fixed email export to case for eml files, plus other rare instances with possible name
conflicts.
Fixed crash exporting emails before opening the internal email viewer that left OSF in a
state that would crash on next export or email view.
Fixed DPI issue in email viewer.
Improvements to ZIP password cracking.
Added ability to get Recent Documents MRU from registry files.
Added ability to get Autorun items from registry and display in recent activity.
Fixed a bug where the random password definition was not being created correctly when a
known character was entered.
Fixed crash when exporting recent activity items.
Fixed a bug on the recent activity dialog where "Included dateless items" was not being
disabled correctly after a scan finished.
Fixed a bug in the recent activities export where dateless items were not being exported.
Fixed bug with hexviewer ascii/hex radio buttons.
Updated FileCarving to handle .EML format.
Added display of registry key location where registry passwords were retrieved from.
Made some changes to PDF password cracking to add 0-9 and 00-99 to each word in the
dictionary.
Index search, fixed bug with not opening files and folders containing entitized characters
(e.g. apostrophes) in its name.
Create Index.
Added handling for temp. Office created "owner files" e.g. "~$MyDoc.dot".
Added handling for "Could not open file" errors from RTF messages in PST files.
Fixed problem with "Activation context generation failed" error messages in the Windows
Event Log.
Version 0.99i Beta - 15th of September 2011
Fixed a crash collecting recent activity on some systems.
Fixed a rare crash manipulating files in the thumbnail view.
Added ability to retrieve list of installed programs in recent activity function.
When picking a particular drive in the recent activity scan, registry files will now also be
searched for in the root of the drive.
Updated common password list.
Added code to search both halves of the LM hash for Windows password recovery.
Can now detect empty Windows passwords.
Improved cracking of passwords in PWDUMP files.
LM and NTLM hashes will only be searched within their respective tables.
Support for cracking of zip files with directory encryption (PKZIP format).
Zip file cracking now up to 10 times faster.
Version 0.99h Beta - 6th of September 2011
Added registry password retrieval dialog to password recovery tab and support code to get
windows logins and password hashes from SAM hives.
Undelete Files.
For FAT formatted disks, files in deleted directories are now also shown (rather than
just directly deleted files).
For NTFS formatted disks, deleted files that are older than the directories they are in
are now also shown.
Disk Preparation.
The list of disks is now shown by default (without pressing the refresh button).
The SMART parameters are refreshed from the disk at the end of the disk test.
The disk test didn't seem to be able to open the disk for writing, this has been
corrected.
Fixed issues with .eml files containing CRLF in Subject: headings which broke the index file
format.
Added support for carving files from EXT2 partitioned drives.
Added support for filtering file search results by attributes.
Fixed bug in "ole" file parsing.
Auto-update of disk dropdown list when new disks are inserted/mounted.
Fixed identification of unicode strings for binary string extraction.
Rainbow Table cracking now supports PWDUMP text format.
Version 0.99g Beta - 24th of August 2011
Moved expiry date forward to November 15th.
Ctrl-a now works in deleted files module.
Significantly increased speed of browser password recovery in certain circumstances.
Added support for Firefox 6 in recent activity module.
Fixed a number of possible crashes in recent activity module.
Fixed critical memory leak in thumbnail view.
Change made to indexing process to allow searching for email addresses within the content of
a document.
Fixed "Performing Search…" message in index search.
Version 0.99f Beta - 12th of August 2011
Fixed bug in Index search causing 0 results to be returned on first try.
Updated file carving to handle mounted images without volume letters and no physical drive
numbers.
Can now carve .wma, .wmv and .mov files.
Additional bug fixes to email indexing.
Version 0.99e Beta - 11th of August 2011
Moved beta expiry to 15th of October.
Fixed crash in sig creation when creating hashes and first file hashed is 0 length.
Fixed potential infinite loop in sig creation when creating hashes.
Fixed possible buffer overflow issue in signature creation when trying to hash a file that
is inaccessible.
Added ability to change color of bookmarks in case management window.
Added file name search presets for video and audio files.
Fixed a crash when comparing signatures that had extremely long registry key paths.
Fixed an index search crash relating to certain exact phrase searches.
Several fixes and improvements to Rainbow Table generation and recovery.
Rainbow Table changes have rendered any previously generated tables unusable. Tables will
have to be re-generated.
Fixed problems with not extracting From: and To: for some emails during indexing.
Added button to minimise/maximise navigation buttons to make low resolution use easier.
Added right click menu to navigation bar to make the buttons thinner.
Can now use the raw disk viewer on unpartitioned or corrupted drive images.
Added a second check for locked chrome database.
Added a way of remembering the copy on locked choice so user doesn't have to sit through
multiple dialogs.
Renamed "Get Network drive Info" to "Get Network Info".
Added Edit option to command list management to edit customised (not default) commands.
Internal viewer can now view office documents and pdf files.
Fixed keyboard shortcuts in email list of index search.
Fixed a thumbnail bug in index search lists.
Fixed a bug where bookmarks would not be removed from case management window when they were
removed elsewhere in OSF.
Version 0.99d Beta - 29th of July 2011
Fixed critical bugs in both the index creation and search.
Added thumbnail for loading video files.
Added a few extra index bulk search sample lists.
Version 0.99c Beta - 28th of July 2011
Index Search history functionality added.
Index bulk search functionality added.
Internal viewer can now play audio/video files.
Added keyboard shortcuts to internal viewer.
Added keyboard shortcuts to many of the results lists.
Changed report export to allow multiple report types, added ability to select output
location.
Added more report tags (organisation, contact details, timezone, default drive, case
folder).
Fixed a bug where 40bit encryption would not start correctly if a root folder was selected
(eg c:\).
Fixed registry signature comparison.
Added Raw Disk Viewer Bookmark functionality.
Some Rainbow Table UI problems fixed.
Default Rainbow Table format has been changed from .RT to .RTC for compression.
Rainbow Table Recovery now supports both .RT and .RTC files.
OSFMount updated.
Version 0.99b Beta - 13th of July 2011
Fixed a bug preventing the creation of a new case.
Version 0.99 Beta - 12th of July 2011
New file bookmarking functionality.
Can now see which files have already been viewed for a particular case.
Can now brute force passwords using random passwords and specify the random pattern.
Can get Chrome and Firefox password even if the browsers are still open.
Updated a few of the password dictionaries.
Updated indexer executable with some minor bug fixes. Most notably fixed a crash that
occurred indexing emails on Windows XP.
Fixed a bug preventing overwriting USB installs with more recent versions of OSF.
Version 0.98 Beta - 22nd of June 2011
Beta expiry moved to the beginning of August.
New "Forensic Folder Copy" feature added that allows copying the contents of folders whilst
maintaining timestamps.
Can now add emails found from searching an index to the case (via right click on the
E-mail).
Files copied to case now retain their original timestamps.
Can now search index for foreign characters with unicode input in the search field.
Index searching now natively supports 64-bit for increased speed (when running 64-bit OSF).
64-bit index search support also corrects a bug when searching very large indexes.
Can now add registry keys/values to signatures (in addition to the file system). This
allows snapshots of the registry to be compared, and a list of differences exported, which
can be important for tracking malware behavior.
Improved Rainbow Table benchmark performance.
Can now run multiple create index tasks concurrently by opening multiple copies of OSF.
File Decryption can now use dictionaries to try and brute force the password of encrypted
documents.
Added a dictionary containing a list of most commonly used passwords.
Added a dictionary of the English language.
Also has the ability to use the custom dictionaries created by the create index process,
which contain every word found by the indexer on the disk being examined.
Added ability to Force OSF to quit if a task fails to stop.
Fixed a number of minor UI quirks.
Fixed a bug copying hash sets between databases.
Version 0.97 Beta - 27th of May 2011
Added drive imaging module. Can now create drive images of live systems.
Mismatch files date filter.
Can now filter on both modify and create date
Is now inclusive of end dates
Now correctly respects the case time zone
File decryption tab renamed to Decryption & Password Recovery.
Now supports Word/Excel/Powerpoint/PDF/ZIP/RAR password recovery based on a dictionary
attack (currently only a default English dictionary is used)
Different options will be available depending on the type of file encryption detected
Rainbow Tables.
In Rainbow Table Generation, added automatic and manual input modes for basic and
advanced users respectively
Separated Rainbow Tables Inputs into two groups, Password Parameters and Table
Dimensions
Version 0.96 Beta - 6th of May 2011
Fixed crash when trying to use the file decryption module.
Fixed list of default drives in new case and edit case dialogs.
Fixed an issue with the right click menu not working in the thumbnail view on XP systems.
Fixed an issue with the thumbnail list not updated on XP.
Fixed tabbing, and tab ordering in most windows.
Rainbow Tables.
Added an LM specific character set.
Added automatic incrementing of rainbow tables with the same parameters (by incrementing
the rainbow table index/reduction offset) to prevent overwriting of files and to add
breadth to the coverage of the tables.
Removed a hash input, so that the text edit box is shared between the raw hash input and
the select hash file input.
Rearranged the UI to be more space efficient.
Fixed Create Rainbow Table button, which was not getting re-enabled when generation is
cancelled.
Fixed rainbow table file text control to have left to right text.
Fixed issue with drive list not refreshing in "Browser Password" and "Create/Verify Hash"
modules.
Indexing.
Fixed bug with foreign characters in text files.
Fixed error message regarding date script.
Version 0.95b Beta - 21st of April 2011
Fixed error when trying to create an index with the 64-bit version of OSF.
Changed order of indexing process so that when no errors occur pre-scan will move straight
into indexing.
Added cancel button to create index pre-scan.
Updated OSFMount to V1.5.1003.
Fixed an occasional bug in setting the default drive letter.
Version 0.95 Beta - 20th of April 2011
Improved IE password discovery.
Bug fixes and improvements for creating indexes.
Fixed issues with non-English date formats in Outlook e-mail messages.
Changed handling of errors when indexing unallocated clusters. Will now continue to
index next start point or finish indexing instead of aborting.
Fixed issue with SWF plugin crashes (due to invalid SWF files) appearing.
Fixed bug with not indexing RTF format e-mail messages in .PST or .MSG files.
Changed all list exports to use utf-8 instead of utf-16.
Fixed bug exporting recent activity to HTML format.
Added option to choose between UTF-8 or UTF-16 when hashing text.
Column sorting in password recovery window is no longer case sensitive.
Fixed bug copying some items from browser password list.
Updated OSFMount to v1.5.1002.
Minor improvements to internal system information gathering commands.
Minor improvements to rainbow tables UI.
Version 0.94b Beta - 15th of April 2011
Fixed a crash in the recent activity page.
Added 'Hash Text' option to hashing window.
Fixed column sorting issue in browser password recovery.
Version 0.94 Beta - 14th of April 2011
New password recovery and file decryption module.
Moved browser passwords recovery from recent activity to passwords window.
New rainbow tables for recovering a password from a hash.
Can now decrypt PDF, DOC and XLS files with 40-bit encryption.
Added a visual indication in the side bar of what modules are currently running tasks.
Fixed bug collecting some system information on 32-bit systems.
Can now copy files to clipboard so they can be pasted in windows explorer.
Fixed crash when scanning recent activity on system with Firefox 4.
Fixed bug causing default system information lists to not be added.
Fixed bug causing crash when deleting multiple indexes.
Changed NSRL import feature to allow pointing at a directory without sub folders.
Links in emails viewed internally now work and open an external browser.
Internal report links in system information report now work.
Removed useless link accidentally placed in signature window.
Corrections for undelete file across a physical disk (i.e. multiple partitions).
Corrected bugs related to undelete files on file systems with MFTs with more than 500000
entries.
Changed deleted recycle bin meta data file display to be clearer that it is not the original
file.
DiskViewer changes.
"Select Range..." option in right-click menu.
Data interpreter window now resizable.
Jump/Select range dialog now holds previous settings.
MemViewer.
Added legend for memory layout map.
Removed Idle process (PID: 0) and System process (PID: 4) from combo box.
Combo box is now sorted alphabetically.
Refresh now retains the current process.
Fixed memory layout map bug for Wow64 processes with IMAGE_FILE_LARGE_ADDRESS_AWARE flag
set.
Fixed bug with memory walking routine.
Improved CSV export. OSForensics now generates valid CSV formatted files.
Can now undelete files directly to case.
Added ability to index Chinese/Japanese text.
Can now sort by user in recent activity.
Added 'Exit' navigation button.
Drive Preparation now allows selection of byte pattern; some like zeros, some like ones, and
some like h7F.
Changed it so that clicking the captions in the help index expands the item.
Fixed bug in case export where empty tables would cause sorting on subsequent tables to
fail.
Moved beta expiry date forward to 15th of July 2011.
Version 0.93 Beta - 18th of March 2011
Redesigned System Information module with greater flexibility.
Fixed RTF Viewer in built-in email viewer.
Updated packaged OSFMount to v1.5.
Fixed bug when adding files from very long paths to case.
Fixed crash related to retrieving non-English bookmarks from Chrome.
Changed font in search lists to support unicode where available.
Fixed bug allowing adding of files to case when case not open.
Disk Viewer
Fixed MFT scan lock-up bug.
Moved button functionality to right-click (View with viewer, Carve, etc...).
Changed decode window to be open by default.
Misc. performance enhancements.
Code refactoring + documentation.
Improved error message for drive scanning errors.
Fixed minor auto-highlighting issue.
Internal viewer
Resizable FileInfoViewer.
FileInfo Viewer metadata information for raw disk bytes.
MemViewer
Fixed “Select Process” bug.
“Select Process” now supports multiple monitors.
Version 0.92 Beta - 4th of March 2011
Unified x86/x64 installer.
Improved USB Install: both versions of OSF are now installed to USB and the correct version
is launched automatically depending on the system.
Include OSF Mount in OSF Installer and allowed OSF Mount to be launched from within OSF.
Added link from start page detailing how to create drive images.
Improved file carving functionality.
Fixed export functionality for attachments.
Disk Viewer
Auto-highlight (files, system files, slack space, streams, etc...).
Decode window is now resizable.
Decode window includes an extra field to identify the object type (eg. file,
directory, slack space, streams, etc...).
Fixed auto-highlight colour scheme.
Added auto-highlight legend.
Auto-highlight of MBR.
MBR decode.
Support for volume/file system slack space.
FAT parse bug fixes.
Delay disk scanning until user selects tab.
Miscellaneous bug fixes and performance improvements.
Can now filter lists to only show a specific date range in the timeline view.
Fixed File Name Search date range lookup, previous fix broke end date conditions.
Fixed date range in recent activity lookup.
Date and time display format is now based on the Windows regional settings.
Version 0.91 Beta - 22nd of February 2011
Fixed bug preventing the creation of new hash sets.
Date range selection in File Name Search now works correctly. Previously it was slightly off
due to lack of correcting for time zone differences.
Added message on memory viewer warning user that this feature is only useful for live
acquisitions.
If trying to install a USB copy to the root of a drive OSF will automatically specify a
sub-directory to install to.
Current OSForensics configuration is now copied with USB installation.
Version 0.90 Beta - 18th of February 2011
Fixed bug preventing the creation of a new case.
Added sector markers to raw disk viewer.
Added progress info when searching raw disk.
Updated help file pages on raw disk viewer.
Version 0.89 Beta - 16th of February 2011
Added raw disk viewer.
Can now specify a default drive to perform actions on as part of the case.
Fixed memory handle leak when searching for alternate streams.
Fixed opening a file's location where the file exists in a folder with a comma.
Indexing process now skips known file types that are deselected when choosing to index
unknown file types.
Fixed bug in advanced index configuration not allowing max file size less than 2GB.
Can now view alternate streams in internal viewer.
Fixed progress bar being wrong by a factor of 10 during the hashing stage of signature
creation.
Fixed a bug preventing some files from being opened from the index log.
Added progress bar to indexing status window.
Added maximum number of files to index status window.
Improved some indexing failure error messages.
Fixed incorrect counting of .dbx files in some instances during indexing pre-scan.
Indexing process by default now excludes '.zdat' files (index files).
Fixed bug with indexing Outlook .msg files.
Fixed bug with missing from and to addresses for some HTML emails from .pst files.
Max file size indexed is now determined by the amount of RAM in the system rather than the
largest file on disk.
File search no longer shows folder when limits on streams are set.
Can now sort by number and size of streams in File Search.
Index search now shows an indication when context has been truncated.
Fixed minor bug that would re-enable the controls in the deleted files search before the
search was completed if the user browsed to another window and back.
Add ability to stop the deleted file search while running.
Fixed crash when closing the internal file viewer while a large file was being loaded into
the text viewer.
Case management item list now shows the date the item was added.
Renaming indexes in the case management window now correctly updates the names in the search
index window.
Fixed crash in recent activity search when limiting by date range.
Minor improvements to NSRL import speed.
Version 0.88 Beta - 4th of February 2011
External documents can now be attached and included into case reports.
Can now sort images by foreground or background color in file search.
Can now perform file carving in the deleted files window, finding deleted files that no
longer have any associated file table entries.
Recent Activity scan now threaded so other actions can be performed while the scan is going.
Fixed a potential issue where the recent activity scan could end up in an infinite loop.
Can now recover browser bookmarks in recent activity module.
Indexing file size limitation no longer applies to container files such as zip and pst. (Files
within containers are still subject to the limit).
Invalid character checking on case creation fixed.
OSF will now launch as admin by default, however there is a start menu option to launch as
non elevated admin. Admin permissions are required for operations like recovering deleted
files. But it is important that the software can still run on systems where the
administrator's password is not available.
System information window now shows more memory information.
Threaded document loading for the internal text viewer (with cancel button for large
documents).
Case sensitive checkbox for text search in the internal text viewer.
Possible fix for text search on unallocated sector in internal viewer, which was previously
very slow.
Internal Text Viewer GUI fixes.
Fixed resize issue when minimizing/maximizing internal HEX viewer.
Indexing process no longer tries to index the files it is creating.
Fixed a DPI issue on the start page.
Added functionality to search and filter files by NTFS streams (based on the number and size
of the stream)
Version 0.87 Beta - 16th of December 2010
Fixed bug in 64-bit indexing causing files to be skipped when max file size was greater than
2GB. Max file size is now limited to 2GB.
Fixed bug in 32-bit where pre-scan would never allow a max file size greater than 50MB,
limit is now 512MB in 32-bit pre-scan.
Various other fixes/improvements to the indexing process.
Improved stability in the recent activity module.
Version 0.86 Beta - 13th of December 2010
Redesigned case management module for easier selection between multiple cases. Some
underlying changes with this will make cases created with previous versions of OSF
incompatible.
Indexing process has had significant improvements, especially in the area of binary string
extraction and indexing unallocated sectors.
Different levels of binary string extraction can now be selected from the advanced indexing
options.
Any file can now be added as an attachment to a case.
Case creation date now stored.
Organization and Contact Details can now be stored as part of a case.
Extra details about created indexes are now stored in the case and can be viewed through the
case item properties window.
Fixed issue indexing unallocated clusters from a drive image mounted with OSFMount.
Fixed issue with file name search populating thumbnail view for searches that complete
quickly.
Fixed a rare index search crash on browsing results.
Better support for recent activity gathering of Internet Explorer related activities on non
active drives.
Fixed bug in saving window size that caused the window to shrink vertically slightly between
runs.
Added ability to get logins/passwords from IE, Chrome and Opera.
Version 0.85 Beta - 1st of December 2010
Faster Unallocated Cluster indexing.
Can now open unallocated index search results in the internal viewer.
Fixed rare crash browsing unallocated cluster index search results.
Fixed crash on Recent Activity related to new Firefox login extraction.
Improved System Memory Information.
Search Index, searches with a single result now show properly.
Version 0.84 Beta - 29th of November 2010
Redesigned create index module into a wizard. It is now much more user friendly.
The indexing process should also now be more reliable with a number of bug fixes and other
assorted improvements.
Recent activity module can now retrieve saved passwords from Firefox (where the user is not
using a master password).
Upgraded removable drive to also allow for drive zeroing.
Made a change to the indexing process to better support Thunderbird mail files.
Fixed issue with dates from emails in mbox files.
Fixed Index searching when dealing with non English characters.
OSF now saves last window size.
Updated start page descriptions and icons.
Re-arranged left panel.
Deleted files search now applies filters when clicking the search button as well as the
apply filter button.
Version 0.83 Beta - 10th of November 2010
New Start Page tab to better navigate the features of OSForensics.
Fixed bug on Windows XP preventing the creation of Case Files.
Can now gather recent activity from system event logs.
Fixed bug getting browser recent activity from non active drives.
Improved Indexing max limits.
Improved index gathering of dates in emails.
Improved Undelete functionality on highly fragmented FAT partitions.
Increased number of strings extractable using Hex viewer.
Fixed memory viewer window so that all information fits correctly.
Added warning for users running the 32-bit version on 64-bit Windows.
Minor additions to help file on certain topics.
Version 0.82 Beta - 22nd of October 2010
By default OSF now displays in local time rather than UTC.
Added ability to select time zone for display as part of case properties.
Added time zone information to html, csv and text exports.
Fixed bug causing radio to remain on volume after no admin warning in hash lookup.
Updated the "need admin" message in the deleted files and create hash modules.
Changed website link in about window to point to osforensics.com.
Changed about window to display 32/64 bit version info.
Added feedback button (for Beta only, will be removed in final release).
Version 0.81 Beta - 13th of October 2010
Beta period extended to 1st of July 2011.
Added ability to hash entire drives.
Additional information about where the data was retrieved
from in the recent activity module, for WLAN, USB and URL items.
Miscellaneous help file improvements.
Added “add to case” functionality in “Recent activity”,
“Search index”, “Deleted file search” and “system
information” modules.
Allowed adding CSV exports to case.
Fixed bug causing an error to display at start-up about no
disk in drive when certain USB devices are connected (such as
USB card readers).
Fixed crash while scrolling recent activity window.
Added CSV export to “Recent activity” module.
Improved error for new case when non-existent folder is
selected.
No longer attempt to hash folders when hashing files found
in the File Search module.
No longer lose selection when hashing files in the file
search module if sort order is anything other than sort by "In
hash set".
Minor modifications to the Deleted Files Search interface.
Added additional templates for case export.
Added a better default mismatch search filter.
Extra sort options in Recent Activity Module.
When exceeding theoretical word/page limits in Indexing the
log now shows a proper error.