OSForensics - What's new version history

V11.1 build 1007 6th May 2025

Case Management
- When adding volume shadow to case, fixed bug showing only the first volume shadow info when selecting "All"
Indexing
- Recompiled OSFOCR to fix slow OCR processing speeds
- Fixed some unique word count inconsistencies when running exiftool
Shadow Copy
- Fixed bug where some files in shadow copy images might be skipped / not displayed.

V11.1 build 1006 29th April 2025

Event Log Viewer
- Fixed General and Details tabs showing different info in certain situations
File Name Search
- Fixed files identified as hash set matches not given the barcode icon identifier in the Flags column
- Fixed scrolling issue in config window causing incorrect element placement in certain cases
UsnJrnl Viewer
- Fixed issue where pre-extracted UsnJrnl $J stream may fail to parse by the viewer

V11.1 build 1005 16th April 2025

Email Viewer
- Added "E-mail folder" column in HTML index file when exporting e-mails
Disk Imaging
- Fixed bug where assigned the assigned category from "Attach Image Metadata File to Case on Completion" was not working
Indexing
- Added right-click option to jump to e-mail message
- Fixed .gz files not being indexed properly when running multiple threads
Prefetch Artifacts
- Fixed issue where Prefetch from Windows 11 systems were not being processed correctly which resulted in certain fields being absent from display
User Activity
- Fixed bug where JumpLists were not being processed when using "Folder/Network Path option" to add drive to case

V11.1 build 1004 19th March 2025

Email Viewer
- Fixed crash due to regression in "Jump to message" right-click option
- Fixed possible crash when exporting PST to MSG
Hash Sets
- Fixed some active hash databases not being saved when reopening OSF
- Fixed Hash DB link not showing all active DBs being used in Lookup File in Hash Set window if DB names are long
- Removed checks for active database when importing, user selects database to import to during import process
- Fixed one database always being active on OSF reopen if all were set to inactive
- Updated all the warnings about no active databases to be consistent
- Fixed some fields not being disabled while creating new hash set
Manage Case
- Changed to throw error if key/password was incorrect when adding BDE volumes to case
USB Write-Block
- Restored USB write-block setting on OSF exit and case deletion
- Enhanced USB write-block verification: Creates 'OSForensics write-block check.txt' on the target drive, appends test logs if the file exists.
- Enhanced status bar with more detailed information.
- Added a button in the list view for per-device write-block verification
- Displayed write-block check results, auto-hiding after 5 seconds
- Removed USB Write-block from the customize workflow list
User Activity
- Web History, Fixed possible crash accessing the URL records for browser history when parsing WebCacheV01.dat. The URL may be empty/null for some entries

V11.1 build 1003 28th February 2025

Auto Triage
- New Reports generated after running triage under "Suggested Actions" will prompt confirmation before opening the report in default system viewer (to prevent undesired opening forensic report on the suspect's computer)
Email Viewer
- Fixed possible crash caused by heap corruption (string buffer overrun) when exporting emails
File Hashing - Hash Sets
- Added result summary when importing Project VIC hash set
- Added option to cancel import when importing Project VIC hash set
- Updated multi-file hash lookup to show current file more accurately
- Fixed issue where it would import to the wrong hash database
- Fixed hash database not being populated after NSRL import
- Fixed NSRL import error for long file names
File Viewer
- Fixed potential file path buffer overflow when getting case device info. For very long / deep paths this could result in a crash of OSF when viewing files

V11.1 build 1002 18th February 2025

Create Forensic Image
- Create Logical Image, Added "Import Files & Folders" option
Manage Case
- Fixed issue where generated Case Reports (for the loaded case) were not listed in Case Manager after restart
User Activity
- Added a Thumbnails tab to the Recycle Bin option

V11.1 build 1001 10th February 2025

Create Signature
- Fixed incorrect hashes calculated for files in DirectAccess drives due to reading data past the file size (eg. slack space)
Indexing
- Fixed issue where indexer did not determine correct filetype for some files when running multiple threads, causing some result inconsistencies
Manage Case
- Resolved image ratio issues for banners and logos in the export report wizard dialog
- Added dialog to display USB drives and manage write-block status individually
User Activity
- Fixed iPhones always being reported as an "iPhone5" in USB Activity
Misc
- File Viewer, Fixed Entropy tab Help link not functioning
- Updated to keep timestamps unchanged when case time conversion is unnecessary

V11.1 build 1000 30th January 2025

Auto Triage
- Changed to try recovering BitLocker keys instead of just detecting BitLocker status
Drive Preparation
- Fixed possible bug where if OSF failed to open drive the first time, the retries to open drive would fail as well
Event Log Viewer
- Added decoded XML from details tab to general
- Renamed 'User' to 'User SID' to avoid confusion between other uses of 'User' in other modules
- User SID column will display some known Security IDs (https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers) in addition to the SID
- Changed to now show -1 as the number of event log records if the event log is returning invalid log records
- Display 'Device Connected/Disconnected' in General tab for devices using DirectAccess
File Name Search
- Added 'Website Files' pre-set
- Changed to allow resizing of config window for machines with low screen resolution
File Viewer
- Entropy Tab, Added 'Scan @ VirusTotal.com' option which will upload the current file to VirusTotal and scan it
- Metadata Tab, Removed Date/Time and File Permissions Attributes from showing for files extracted to temp before running exiftool
- Updated the number case changes allowed in a word when using the Extract String function from 5 to 15
Hashing
- Added ability to have more than one active Hash Database
- Added 'Add to existing hash set' option in Hash Selected Files window
- Added field to name Hash Database & Hash Set when creating Quick Hash
- Added Hash Database name to hash scan results
Indexing
- Added ability to run selected files against active hash sets and create quick hash sets
- Changed to go to the first tab that has any results instead of last tab that has results
- Changed to default to most recently created index
- Fixed possible crash when going to the Search Index tab when case does not contain any existing indexes
Manage Case
- Updated to save the last used custom case location, and use it for new cases
- Disabled 'Tagged Files' from automatic inclusion in the report
Mismatch Files Search
- Added right-click option to save checked items to disk
- Fixed Browser Cache preset not working for images with multiple partitions
- Fixed Browser Cache scan not working on certain versions of Chrome
Passwords
- Added Select Partition window to Windows Login Passwords tab
- Fixed Wi-Fi passwords not being decrypted
- Fixed possible stall when trying to decrypt NTFS encrypted files, OSF will now treat them as not supported, as the file is not readable
- Fixed recovered password hint not displaying
- Fixed UI elements being disabled if scan is cancelled in certain situations
System Information
- Added 'System Clock' (Time Sync) setting under the Timezone Info (Registry)" section
User Activity
- Website Logins, Added additional check for Firefox install location
- Fixed a potential crash when parsing the user's Master Key
Misc
- Added new 'Report Bug' option to make reporting bugs for streamlined
- Updated to VolatilityWorkbench 3.0.1010
- Fixed reading data of compressed files with more than 1 non-sparse fragments in a compression unit

V11.0 build 1015 29th October 2024

File Viewer
- File Info, Change LCN to display "<Sparse>" instead of "-1" for sparse fragments
User Activity
- Fixed a potential crash during cookie scans
Misc
- Updated VolatilityWorkbench to V3.0.1009

V11.0 build 1014 3rd October 2024

File Viewer
- When opening encrypted file within an image, fallback to using direct access if unable to decrypt temporary copy of the file
Misc
- Fixed issue with OSF crashing when trying to boot from USB

V11.0 build 1013 24th September 2024

File Viewer
- Fixed possible crash on some machines when opening files

V11.0 build 1012 20th September 2024

Create Disk Image
- Further improvements to E01 and Ex01 disk imaging speeds when compression is in use. Compared to build 1010 this can result in a 7 fold performance improvement (depending on hardware and settings). A 5 hour imaging job might now take 40min !!
- Fixed "Preparing to copy" status not being updated when creating E01/Ex01 images
- Fixed compression speed being displayed when compression is set to None
- Fixed unable to set # threads to max of 32
- Fixed occasionally incorrect image format and options being grayed out when editing imaging settings
- Changed default number of threads to be dymanic, to optmimse performance based on the hardware in use
- Display warning message when # threads is greater than 16 or the number of CPU cores
- Set default compression level to 'Medium'. This was done becuase medium compression is now significantly faster than it was and is now the bets default option.
- Show compression level and # threads in Create Disk Image under "Options" column

V11.0 build 1011 17th September 2024

Create Disk Image
- Significantly improve E01/Ex01 imaging performance
- Added UI option to set # threads for E01/Ex01 imaging
File Previewer
- Fix bug with HEIC images having Red and Blue colors flipped
Misc
- Fixed issue where area around the main logo was flicking as the mouse cursor moved over it

V11.0 build 1010 6th September 2024

Customize Workflow
- Fixed the issue where Lock/Unlock button text was not displayed properly
- Fixed the issue where the lock and unlock action was not in effect after pressing "Enter" key
Deleted Files
- Clicking the "X" in the text search will "Enter" and the results should clear the text search filter. Also added Reset Right-Click option in the Scan Status tab to do the same.
Drive Preparation
- Fixed issue with warning message strings not shown in full
Email Viewer
- Changed PDF/HTML/MSG email export file naming scheme to: [Email Filename]-[Delivery Date in Case Time]-[Entry ID]-[Sender Email Address]
- Start/End date ranges on the search filters are now updated according to the list-view items delivery time
- Updated to take into account time zone for search filtering by Start/End dates
- Updated Emails export format.
- Updated column sort for the Email export index.html
ESEDB Viewer
- Fixed sorting issue when results have been filtered
Indexing
- Added "View with E-mail Viewer" option to the right-click checked items submenu for the Emails tab
- Optimized the process of loading multiple emails to Email Viewer
- Fixed issue where duplicate items were added when loading multiple emails to Email Viewer
- Fixed issue with exporting a single email as HTML
Internal Viewer
- Changed to perform regular expression searches using UTF8 strings only (to support URL regular expressions)
- Fixed memory bug when extracting strings in Hex View
Mismatch Files Search
- Added 'Browser Cache' pre-set that allows the user to scan a specified evidence device or directory for Windows web browser cache
Web Server Log Viewer
- Fixed possible crash on log files loading
Misc
- Added a new line under the main OSF logo to display "X days left to validate" warning test in red when there is less than 10 days left for license check
- Updated the warning message that displayed when the subscription license is expiring soon

V11.0 build 1009 was not publicly available

V11.0 build 1008 13th June 2024

Android Artifacts
- Updated to allow double-clicking tagged items from Manage Case dialog to open Android Artifacts module, select the item on the tree-view and display on the tab view
- Updated list-view:
  - Added Tag Flag column
  - Added Read column to the MMS/SMS Messages
  - Added Read/Unread status to the preview
  - Removed Read column from Conversations
- Updated right-click menu options
Deleted Files
- Added additional sanity checks to JPG carving to prevent buffer out of bounds access
Disk Imaging
- Display total time taken and average speed after imaging
File Viewer
- Fixed issue opening docx files with non-ASCII filenames
Hash Sets
- Fixed issue where some Project VIC sets could not be imported
- Changed import button to resize after changing selection
Prefetch Viewer
- Fixed possible crash when prefetch artifact paths are too long
User Activity
- Added evidence location column to the Windows Search category list-view
- Fixed possible crash when running Event Log option with Linux image
$UsnJrnl Viewer
- Added line to indicate what the entries with the file name in read represent
Misc
- Added minimum size limits to SQLite Browser and Registry Selection windows
- Updated VolatilityWorkbench to V3.0.1007

V11.0 build 1007 20th March 2024

Android Artifacts
- Added destination target write permissions check before launching acquisition
- Fixed issue that OSFExtract-data.xml file was not created properly under certain conditions (e.g. Failed to create OSFExtract folder in the destination target)
- Fixed issue where the image was not loaded properly when the OSFExtract-data.xml file was placed in the root folder instead of in the OSFExtract folder
- Updated logs display format
Deleted Files Search
- Fixed hash calculation using "DirectAccess" version instead of "buffer" version of file
Drive Preparation
- Fixed issue where this module was unable to be run on Drive-0
File Viewer
- Fix lockup of internal viewer when attempting to read past media stream size
Hash Sets
- Updated to include total # files to hash in 'Files hashed' field
- Updated to display # files with errors
Manage Case
- Removed category ID column from Case Edit window - Case Categories tab
User Activity
- Fixed possible crash when scanning VLC .ini file
- Fixed issue where OSF is stuck scanning Event Logs on Linux
- Config, Changed to auto uncheck Moved Downloads if Downloads is unchecked
Misc
- Fixed possible crash when running USB install
- DirectAccess, Fixed bug in I30 b-tree incorrectly using index record size rather than cluster size. This caused errors traversing the file system and reading file data when the cluster size is not 4096 bytes
- Updated OSFMount to V3.1.1003

V11.0 build 1006 4th March 2024

Email Viewer
- Added warning message when system lacks Outlook MAPI library that exported MSG files will be saved in OLE format
Hash Sets
- Fixed possible crash when calculating hashes
User Activity
- Changed to auto-uncheck Moved Downloads if Downloads was unchecked (needs Download checked to run)

V11.0 build 1005 28th February 2024

Deleted Files Search
- Fixed recovered partitions not being scanned on first access
- Removed error message being displayed when invalid NTFS partition found (eg. recovered partitions)
Manage Case
- Fixed issue when adding new category and reordering immediately afterwards would not save the correct order
- Fixed issue where categories from pre-V11 cases would not sort properly
- Fixed issue where exporting categories would not included changes made in the current Edit case window
- Fixed issue where report was generating but does not complete properly until OSF is closed
Misc
- Updated WinPEBuilder to V1.2.108
- Fixed unable to boot on some older Win7 machines

V11.0 build 1004 13th February 2024

File Hashing
- Updated UI of NSRL import dialog
Indexing
- Fixed possible freezing issue when indexing files via DirectAccess

V11.0 build 1003 7th February 2024

Android Artifacts
- Fixed images not loading from VHD
File Hashing
- Fixed bug where the category and tags fields were not parsed properly during the CSV import and export
- Fixed crash while copying hash sets between databases using drag and drop
- Fixed bug where some fields were missing when creating a new database
- Added summary message box to the end of CSV import
Hash Sets
- Updated to display the number of records skipped during the CSV import

V11.0 build 1002 2nd February 2024

Android Artifacts
- Added icon for MMS audio files
- Added duration display to audio and video files
- Added device serial number to main window
- Changed the order of the counters in OSFExtract to match the order in which we collect the data
- Changed the collection dialog elements order
- Changed default file viewer tab for opening message attachments
- Updated to show the data extraction (with OSFExtract app) status in progress bar
- Updated to sync SMS selection between the left and right panel
- Reorganized the collection dialog
- Fixed issue rendering incorrect conversation in preview window
- Fixed exception when displayName is null
- Fixed contact name decoding where the scanned phone messaged first
- Fixed crash when contact name did not exist
- Fixed the issue that some of the columns not sorted properly.
- Fixed the issue that the number of forensic elements from data extraction is not updated correctly (SMS/MMS Messages)
Drive Preparation
- Fixed issue with module not starting if language was not set to English
File Hashing
- Fixed crash that occurs when adding hashes via Quick Set menu
Manage Case
- Fixed bug where handles were not released while removing devices from the case
User Activity
- Updated JumpList columns to separate arguments and local path from full path
- Updated to display link target timestamps when the original file does not exist
- Fixed possible crash when scanning MRU records from Windows Registy
Misc
- Added support for .vhdx image files
- Updated localization

V11.0 build 1001 18th January 2024

Android Artifacts
- OSForensics now receives contact photos from OSFExtract and saves them to disk but does _not_ display them in any way nor does it associate them with the actual contact to whom they belong
- Added play button to MMS video thumbnails
- Added contact name to SMS/MMS list
- Added missing conversation view information
- Added contact photos to contact window
- Fixed GDI Bitmap handle leak in MMS thumbnail cache
- Fixed showing invalid string when no contact name present
- Fixed bug where OSForensics wasn't consuming and decoding the new forensic data element counts
- Fixed bug in OSFExtract where ".jpg" was added to the contents of all ContactParts instead of only the "Photo" one, to make the contact photo URI into a jpg file name
- Changed default string for calls with no associated name from 'null' to 'unknown'
- Improved contact name resolution for conversations
File Name Search
- Added detection of the store.vol Windows Email database file in the UnistoreDB folder, in the preset email search option
- Update the email preset search to exclude some false positives and also include .msg files in the search
User Activity
- Added a few columns that can be of great forensic value, such as MAC timestamps, File size, Access count (retrieved from DestList), MAC address and System boot timestamp from Birth Object, New&Birth volume IDs
- Added some extended info retrieved from DestList entry of OneDrive Jump List file (available from Windows 11), for example: Title, User ID, Local path, App name, MAC Timestamps
- Updated Jump Lists to support for parsing OneDrive Jump List file (5a2098e080cf7ac4.automaticDestinations-ms) on Windows 11
- Jump Lists, Fixed bug where some Windows 11 were parsed incorrectly

V11.0 Build 1000 10th January 2024

Analyze Shadow Copies
- Fixed issue where analyzing "Drive-C" shadow copies was not working
- Re-arranged some UI elements
Android Artifacts
- Changed to use a wizard to obtain, scan and load Android artifacts
- Updated OSFExtract app to support newer versions of Android
Boot VM
- Added VirtualBox 7 and VMWare 17 to supported hypervisors
- Fixed issue with long .vmx filenames
Auto Triage
- Added automatic encryption certificate collection option
- Fixed issue where Windows certificates task never completed
- Fixed Windows certificates option check not being saved
- Fixed certificates added to case being categorized as images
- Fixed generated report html files were incorrectly copied
Deleted File Search
- Added Carving Option to main Deleted Files Screen, so no need to go into Config file anymore
- Added "Calculate Hash of File(s)" to right click menu
- Added ability for the user to create a new folder when utilizing the "Save Deleted File(s) to Disk" option
- Fixed possible crash when no drive is selected for scanning
- Fixed no drive being set for scanning when loaded case has no default drive
Device Manager
- Added check for invalid sub device names (e.g. when ':' is mistakenly added to the partition name "image:\part1:\Windows\System32")
Email Viewer
- Support displaying email messages when loading MBOX folders found on MacOS
- When opening an MSF file (meta data file) which Thunderbird uses to index emails, the Email Viewer will attempt to load the corresponding MBOX in the same directory (the MBOX has the same name as MSF file but without an extension)
- Added "To" column to the email list view
- Updated default email export title to "[{filename}] {first 32 chars of subject}"
- Updated to allow Email Boxes/Files to be removed by right-clicking on tree view item
ESEDB Viewer
- Added support for Win11 22H2 & 23H2
Event Log Viewer
- Added a new filtering option to allow searching all event log files at the same time
- Added RDP and PowerShell logs to the presets list
- Added option to allow cancelling of loading process that is taking a long time
- Updated to allow for reading of event log files located anywhere on the machine, in case they have been moved from their standard location
- Improved presets filtering to make it also work on folder scan and single log file scan
- Improved performance of loading large log files
File Hashing
- Fixed Quick Set not adding to treeview
- Fixed on hash set viewer closing, it would swap to different window
File Name Search
- It is now faster. A lot faster. In some cases up to 40x faster. Whole hard drives can be searched in under 1 second (depending on hardware and the number of files). This was the result of improved caching and dozens of separate low level optimisations.
- Added second level search to search the File Name column within the existing results, supports wildcard characters
- Added new presets: "All Folders (No Files)", "All Files (No Folders)", "Certificate Files"
- Added .msf to the Email file search preset (.msf file is only the index, but it is an indication that Emails might be in the same folder)
- Added config option to detect encryption/compression by File Analysis (and/or Entropy)
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Changed "folder to scan" field so it now shows "Multiple directories selected" instead of the first folder in the list
- Changed so when "Search in Hash Set Database" is checked, the hash being used is shown in the status bar
- Changed so the sort order prior to a new scan is reset to prevent triggering the Face/Illicit Detect on search completion
- Changed so user is warned if the start directory specified is a child or parent directory of existing item in the directory to be scanned list
- Changed to allow searching through directories that are re-parse points when device is in Forensics Mode
- Changed to allow adding re-parse point files to case
- Renamed "All Files" to "All Items (Files & Folders)" preset
- Opening a folder will now open the folder in File System Browser
- Increased the length of the text users can type into the configuration directory field
- Updated several search presets to exclude folders to avoid false positives and changed the search string from using wildcard (*) to improve search times
- Set the current device selection as the default value for the Directory in the Config dialog
- Set the Directory value as the case default drive when user clicks the Reset button in the Config dialog
- Fixed bug where "Make Database Active" setting was not updating the Active Database in the Hash module
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed issue where it would add to directories to scan rather than replacing them
File System Browser
- Added option to right-click menu to allow users to open a file with OSF internal viewer
- Mapped the Back/Forward buttons on the mouse (XBUTTONS) to the existing GUI Back/Forward button on the File System Browser
- Fixed the bug where MFT Modify Date(Attribute Modify Date) column name was not displaying properly
File Viewer
- Viewed, Tagged or Categories values can now be modified
- Separated flags into OSF and User flags
- Added "Check file in list" option, when checked, updates checkbox in file list view of the File Name, Deleted File and Mismatch File Search modules
- Added new graph to chart the entropy for a file
- Added "not in hash set" flag to File Info tab
- Added categorized case item status and category name in the file info tab
- Added EXIF metadata tag group (family) name, this would be helpful to distinguish the two tags which have the same name but belong to different tag groups
- Added check for direct access NTFS directory before retrieving $I30 entries
- Tag group names are now shown in the case item properties window and exported report
- Automatically rotate images based on EXIF data
- Fixed "in hash set" flag always being enabled even when file is not in a hash set
- Fixed issue with being unable to play .avi files with tscc encoding
- Fixed issue where images were distorted when rotated
- Fixed issue when attempting to load videos from logical drive
- Fixed column headers disappearing in OSF File Viewer for Compressed filetype when moving/hiding window
- Fixed possible crash when opening .heic images from file
- Fixed non-monospace font used for hex viewer in WinPE
- Fixed bug where files in some folders get mistaken as folders
- Removed check for ERROR_NO_MORE_FILES when displaying file metadata
Indexing
- Combined the Create Index and Search Index modules into a single module with tabs for each module
- Added ability to index Windows Event Log files
- Fixed looping/hang issue when trying to index invalid MBOX files
- Fixed save dialog not appearing when saving files in the email tab
JSON Viewer
- Fixed freezing on large JSON files
- Fixed crash when importing JSON files
- Fixed possible crash on JSON Viewer exit
Hash Sets
- Added PhotoDNA hash support to hash set lookup
- Added tags field to hash sets
Logical Image
- Added individual file hashing option when creating logical image
- Fixed bug where logical image creation log could not be added to case after completion due to file naming issue
Manage Case
- Added new caching modes when using Forensics mode. These are set automatically:
  - For disk images and read only devices, persistent caching is used. This means we hold the data from the disk (or disk image) in RAM forever. This gives maximum speed, with the second search run typically getting faster than the first run, as everything gets cached on the first run. This works well for read only devices. It doesn't work so well for live disks that have files being added and deleted all the time.
  - Temporary caching means we throw away the cache before each search. Caching still occurs during the search however, but the cache starts empty. So it isn't as fast as persistent caching. The advantage is that it picks up any new files that have been created since the last search.
  - You can also turn caching off. Which is useful only in very rare circumstances for debugging purposes or if the drive is very very active and being even a few seconds behind the live disk activity is an issue.
- Added Case type: Criminal; Criminal (Contains Child Exploitation Material); Civil; Internal / Confidential; Other
- Added option when importing a case, if a custom location is detected then ask user if they want to try and restore the case to the same location
- Added option to choose what date format to use for the selected case when displaying/exporting records
- Added shortcut keys to case categories
- Added the ability to account for daylight saving time
- Added "Settings" right-click option for case devices for setting the device caching mode
- Added Device Dialog will appear after creating a case when using Investigate Disk from Another Machine option
- Added check for opened temp file when saving case narrative
- Edit Case, Restructured Case Narrative and Job Summary Data to be more user intuitive. RichEdit textbox no longer editable, but instead will display HTML Preview of the contents. Case Narrative and Job Summary must now be edited through the OSF HTML Editor
- Case List sort setting is now saved, with default sort set to by access date descending (Most recent listed first)
- Loaded case always appears on top of the list of Case List (regardless of sorting selected)
- Display full path to report listed for Case Reports in the case items list
- Changed missing thumbnail message to be more accurate
- Changed edit narrative tab to display HTML preview
- Changed so when deleting more than 10 cases at the same time, do not list all cases
- Updated list of available time zones
- Updated Manage Devices dialog UI
- Populate category colors when creating a new case
- Allow for rearranging of case categories in list view
- Highlight categorized case items if color is assigned to the category
- Display the color of the selected category in case item exports/properties dialogs
- Moved the Case Type from Offense & Custody Data to Basic Case Data window
- Cleaned up updating the access time when selecting a case
- Fixed base metadata tags config for the report export
- Fixed crash when exiting case narrative editor
- Fixed incorrect error shown when trying to create case with no name
- Fixed the bug where OSF crashes when editing summary of job in the Offense & Custody Data in advance edit mode
- Fixed issue when a device was renamed in the Case Manager
- Fixed bug where the item deleted in the Manage Devices were not being deleted in the case itself
- Fixed clipping of elements with footer for Chain of Custody report
- Fixed case sorting issue when sorting by access date after selecting different cases
- Fixed Case Activity Log not displaying anything when starting OSF and loading last case
- Fixed Case Activity Log generate report settings not set properly on open
Manage Case - Generate Report
- Changed export window to a wizard dialog
- Exported HEIC/HEIF/TIFF images in the report will shown a PNG converted thumbnail of the original image, the exported file and link to the exported file remain unchanged
- Added option to display files in grid view
- Added a metadata level option to the report export wizard to allow fine control of the metadata level for the report generation
- Added the option to enable/disable displaying time zone next to the date and times
- Added option to disable the signature/footer
- Allows users to select EXIF metadata tags per file extension to include in the case report
- Save the custom report logo file paths and report output location after use and preload the saved paths when the export report wizard dialog is reopened
- Updated report so that apart from report.html, all files are now in a "ReportData" folder
- Updated list of default EXIF metadata tags that will be enabled and included in the report for common file types
- Updated time zone display name
- Automatically uncheck include thumbnail when created redacted report
- When loading Case Narrative Template, added warning if template exceed max characters allowed and contents will be truncated
- Removed links in title column when selecting Redacted Report option
- Fixed window redraw issue when switching tabs
- Fixed bug that report was not being properly generated for "Case Report PDF - Printer Friendly", erroring out because template does not have "categories.html" template file
- Fixed issue where report generation fails when using templates with no "files.html" file
- Fixed uncategorized category page not displaying only uncategorized items
- Fixed repeating (and also incorrect) heading for Uncategorized report page
- Fixed navigation bar formatting issue when all files are uncategorized
- Fixed issue where nothing is displayed in uncategorized category page when all files are uncategorized
- Fixed issue where using 'included Chain of Custody' option did not add to Case
- Fixed issue when using 'included Chain of Custody' option, attempting to open Case Report would open Chain of Custody instead
- Optimized report generation Code for category generation
Memory Viewer
- Display total RAM of current system in Live Analysis tab
- After creating a process specific memory capture, browsing in static analysis tab opens to directory they were saved to
- Fixed memory dump not working on older Win11 machines
Mismatch File Search
- Added a new Scan browser cached images option, when checked it will perform a scan of browsers (Chrome, Edge, Opera, Firefox) cache directories to search for image files
- Added support for Brave, Vivaldi, Yandex browsers cached images scan
- Added Scan Time taken results on completion
- Added call to flush cache before each scan
- Added "Exclude Edge Cache image files" option in config
- Changed to scan drive selected in 'Folder to scan' field instead of all drives in case when using 'Scan browser cached images only' option
- Changed to allow customization of columns in list view
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Fixed issue where certain columns were not able to be sorted
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed bug where found items were incorrectly colored in the list compared to the file attributes
Passwords
- Added ability to scan for installed certificates in the windows certificate store
- Added scan entire file system option for encryption certificates
- Added activity light to encryption Certificate scan
- Updated Windows Login Password to confirm with user if they want to continue to scan Non-Windows file system when scanning for Windows Login Password
- Fixed crash when running encryption Certificate scan on entire drive
- Fixed a bug where not all DPAPI system master keys were collected, which affected passwords decryption relying on it like WiFi password
- Fixed a bug decrypting Wi-Fi password in non-live acquisition mode
- Encryption Certificates, Added support for parsing .pem and .cer format files
- Encryption Certificates, Added support for scanning Windows Registry for non-live acquisition
- Encryption Certificates, Added support for full drive scan
- Encryption Certificates, Added right-click options (Export List to TXT/HTML/CSV), Add to Case, Copy to Clipboard
- Encryption Certificates, Added support to export certificates (raw data from Registry & PFX files) as files
- Encryption Certificates, Added support to decode .pfx files (non-encrypted ones only)
- Encryption Certificates, Added list-view checkbox, column config and sorting
- Encryption Certificates, Added new options (open with registry/file viewer, open containing folder) to right-click menu
- Encryption Certificates, Added status bar to display scan status
- Encryption Certificates, Updated path display format
- Encryption Certificates, Updated list-view columns, added new fields, hid Raw Data column
- Encryption Certificates, Case time zone setting is applied when displaying date and time
- Encryption Certificates, Path is renamed to Evidence Location and shows full registry/file path
- Encryption Certificates, Double click list-view items to open viewers
- Encryption Certificates, Fixed a bug in expiration date time conversion which may cause crash on some machines
- Encryption Certificates, Fixed serial number display format
- Encryption Certificates, Fixed issue where expiration date was empty for some certificates
- Encryption Certificates, Fixed possible crash when certificate has an unknown expiration date
- Encryption Certificates, Fixed dropdown being out of order
- Encryption Certificates, Fixed bug with displaying evidence location in live system
- Encryption Certificates, Removed Select Drive dialog and replaced with Scan Entire File System checkbox
Registry Viewer
- Added amcache.hve file as a option to select for viewing
- Fixed incorrect Time Zone values when exporting System Hive
SQLite DB Browser
- Added the Windows.db Windows Search database file to known locations
- Added Windows 10 Push Notification file-path to the SQLite Browser known locations
- Changed to try and open corresponding .shm & .wal files if they exist
- Fixed issue where Run SQL crashes under some conditions
System Information
- Added support to collect Mac OS system info including: Model and serial number, Computer name, local host name, Timezone info, OS version info, User login info
- Added notes to the output for Windows Version from Registry command concerning ProductName (e.g. Windows 11 may appear as Windows 10 when querying the registry)
- Removed date after running each command, single date at the top of the report instead
- Fixed arrangement of preset dropdown
ThumbCache Viewer
- Added support to collect thumbnails EXIF data from "Windows.db" file for Windows 11
- Improved the performance to get data from Windows.db file, especially on the machines with many thumbcache entries
- Fixed issue where VLC Media Player artifacts not recognized by the internal file viewer properly
- Fixed possible crash in thumbnail view when mousing over different video items quickly
User Activity
- Added a new Open Evidence Source option to the right-click menu to make it clear whether users are opening an item or its evidence source file
- Added support to collect Windows Search info for Windows 11
- Added support to collect MS Office Backstage artifacts (recent documents and folders)
- Added support for parsing Mac OS Safari artifacts including Downloads, Browser History and Bookmarks records
- Added support for parsing .url format URL shortcut files for the Recent Files artifacts
- Added support for reading additional OSX MRU files (VLC, TextEdit, QuickTime Player, Recent Documents, Recent Applications)
- Added support for recycle bin artifacts in OSX
- Added new subcategory in Event Logs: OSX - KnowledgeC
- Added new category "Call History" - currently only for OSX
- Added option to scan dynamic-*.dat files used for auto-correction and predictive text features in OSX for Form History artifacts
- Added scanning progress and scan time taken on completion
- Added a new column to show Visit Duration of URLs in Browser History
- Browser History now shows all the web page visits
- Changed the tree-view to stay in the previously selected category/subcategory after filtering
- Changed Browser History to show all visits to a webpage instead of just the last visit
- Updated to collect cookies in updated file locations for newer versions of Google Chrome, MS Edge, and Opera
- Updated right-click menu options for P2P
- Updated list-view double-click/Enter behavior
- Updated to scan Downloads location for the Anti-Forensics artifacts
- Updated so tree-view width can now be adjusted
- Updated to display status for some slow scan processes
- Disable sort drop-down if timeline tab is selected
- Fixed the issue where VLC Media Player artifacts not recognized by the internal file viewer properly
- Fixed issue with displaying Installed programs evidence location for Linux images scan
- Fixed issue with parsing event logs from Linux images
- Fixed issue with parsing Chrome/Edge/Firefox browser artifacts on Linux & OSX
- Fixed issue where MRU item name displayed a empty string in LNK, Recent Files and MS Office categories
- Fixed issue where MUICache artifacts evidence file did not open correctly by Registry Viewer
- Fixed crash when adding a filter in the config dialog
- Fixed potential buffer overflow issue during the Event Log rendering
- Fixed system.log gathering in OSX
- Fixed issue where "Sort by:" text was not updated when switching between categories
- Fixed issue where some categories were using the same color in the timeline tab
- Fixed images not displaying in File Previewer when opening Recycle bin items
- Fixed text overflowing in File List tab for some types of artifacts
- Fixed possible crash when scanning browser artifacts
- Fixed possible crash when Windows 10 Timeline scan fails to open ActivitiesCache.db database
- Fixed possible crash when using activity filters
- Fixed possible crash when trying to obtain FireFox Install Location
- Reordered Internet Artifacts
Verify Hash
- Added auto population of comparison hash field when internal hash value exists, so users do not have to re-validate EO1 files with pre-calculated hashes when importing into OSF
Web Browser
- Allow user to select whether the captured image to be added to case or save to file
- Updated Export GUI
Web Server Viewer
- Fixed issue where the log format radio buttons were not checked/unchecked properly when switching around them
Misc
- Added support for scanning images with multiple partitions for various modules
- Added options to export and import OSFConfig files from Settings
- Added right click option to customize workflow in start page area
- Added color legend when exporting timelines as image
- Added deactivate option for perpetual licenses
- Added some missing time zones
- Added option to settings that allows user to pick a custom location for temp files
- Added RAM drive as a option for a custom temp location
- Added "FBI Most Wanted Terrorists 2023" search list as a new Word List for the index search module
- Changed wording of "Other devices available" option to warn that it's not running in Forensics mode
- Changed USB write block icon text and description text to be clearer when its enabled/disabled
- Changed to use UTC instead of GMT for time zone information
- Changed thumbnail size slide button to allow to view images with larger sizes
- Updated "Add Device" & "Manage Devices" icons
- Updated VolatilityWorkbench to v3.0.1006
- Update OSFMount to v3.1.1002
- Updated German/Spanish/Japanese localization
- Updated library for reading E01/Ex01 image files
- UI fixes to account for localization changes
- Improved performance when hovering over a thumbnail to see a video preview
- Display a more serious warning when running OSF as a non admin user, as several important features are missing if you are not running as Admin
- Make backup of old config file when updating/downgrading OSF
- Module running statuses on now cleared when loading a new case
- Fixed tabbing on some "Add to case" windows
- Fixed incorrect GUI Message (Warning drive/valid not found for APFS) on Password/User Activity module
- Fixed text clipping with the legend in timelines
- Fixed OSF being unable to load on Win7
- Fixed main screen icons not loading properly while running in WinPE
- Fixed possible buffer overflow when generating long date & time strings

V10.0 Build 1016 10th October 2023

File Name Search
- Changed to show 'Multiple directories selected' in directory field instead of the first directory being scanned if multiple directories are selected
- Fixed issue where it would add to directories to scan rather than replacing them when switching between different directories
Registry Viewer
- Fixed bug where Time Zone values were incorrect (only first byte of integer value returned) when exporting System Hive
User Activity
- Fixed potential buffer overflow issue during the Event Log rendering

V10.0 Build 1015 19th July 2023

Create Index
- Fixed possible crash when using the 'Don't know/Prescan' option
Logical Cloud Drive Imaging - OneDrive
- Fixed possible discrepancy between the file size when summing all the files and the drive size from querying the user's root. When creating a logical drive, it will use the maximum size between both methods
Password Decrypt - Brute Force
- Fixed bug when using Custom Random Dictionary for individual work queue items, the Brute Force settings were not being saved
Search Index
- Fixed issue when loading a UTF-8 wordlist file without a BOM
User Activity
- Fixed possible crash when using the 'Autorun Commands' option

V10.0 Build 1014 14th June 2023

Create Index
- Added mp4 and mv4 to default video formats
- Fixed detecting UTF-8 text files without a BOM

V10.0 Build 1014 14th June 2023

Create Index
- Added mp4 and mv4 to default video formats
- Fixed detecting UTF-8 text files without a BOM

V10.0 Build 1013 26th May 2023

File Viewer/File Name Search
- Added MSVCP140.dll and vcruntime140.dll to fix missing system file issue that could happen when opening docx files and filtering on EXIF metadata in some Windows 11 builds
Manage Case
- Fixed issue where USB write block was not being enabled/disabled
Start Page
- Fixed issue where 'USB Write: Enabled/Disabled' icon text was not updating in custom workflows
- Fixed issue where 'USB Write: Enabled/Disabled' text was written onto the wrong icon

V10.0 Build 1012 16th May 2023

Report Generation
- Fixed issue where all 'Photos of Acquired Evidence' were added to every 'Category' section

V10.0 Build 1011 12th May 2023

ESEDB Viewer
- Fixed a bug where Windows.edb file could not be loaded from an image file
- Changed the selecting custom Windows.edb file behavior to make the Windows.edb filepath as the initial directory
Logical Image - Android Copy
- Fixed possible crash during imaging due to long file names/extension
Program Artifacts
- Fixed parsing of the prefetch files for windows 10 builds 1903 and newer to collect the correct run count
Report Generation
- Fixed issue where all 'Exported Files' were added to every 'Category' section
- Enabled hiding of thumbnails for PDF reports
- Fixed issue where options was not disabled for certain report options
Misc
- Fixed issue with hover text not displaying properly on toolbar icons (Script Player & SQLite Browser)
- Fixed issue where email files and BitLocker files could not be read in Forensics mode

V10.0 Build 1010 26th April 2023

Case Manager
- Fixed tagged files not being saved to the case due to incorrect duplicate file check
Hash Set
- Fixed bug with exporting CSV files, category was not being exported in the CSV
- Updated example export output in Help File
Install to USB
- Fixed bug when Installing OSForensics to USB drive with an old version subscription key, it may wipe the current license from the local install
Raw Disk Viewer
- Add support for ext4 64-bit feature
System Information
- Fixed crash when “Live Acquisition - Current Machine” is selected for the scan and “Basic System Information” command is selected
Web Browser
- Fix bug where OSF may fail to add downloaded video file to case
Misc
- Updated VolatilityWorkbench to V3.0.1004

V10.0 Build 1009 23rd February 2023

Misc
- Updated WinPEBuilder for ffmpeg support in WinPE
- Fixed signing issue with previous build

V10.0 Build 1008 22nd February 2023

File Carver
- Fixed possible crash during carving when verifying carved images with GDI
USB Install
- Fixed crash when trying to create a USB install with all checkboxes selected
Misc
- Fixed ffmpeg library loading warning on machines with Visual C++ Redistributable not installed

V10.0 Build 1007 23rd January 2023

Boot VM
- Fixed error booting MacOS image on VirtualBox for some systems
- Added a check to prevent user from adding VM to case if a case is not open
Case Management
- Reports, added option to have a minimum font size when exporting report as PDF
- Increased font sizes for better readability when exporting as PDF
- Reports, added checkbox for case report dialog "Include thumbnails" to allow thumbnails to be enabled/disabled. It can be useful to disable thumbnails for reports with thousands of images otherwise they may not open correctly in a web browser
Deleted Files
- Fixed possible crash when looking up carved files in hash set
Email Viewer
- Fixed bug when exporting PST emails to list. The TO, CC, and BCC fields were not cleared between emails
Internal Viewer
- Ffmpeg, fixed ffmpeg library error by re-arranging load order of DLLs (previously could display a “Failed to load library” error at OSForensics start-up)
Mobile Artifacts
- Fixed bug with exporting SMS to CSV/Text where Sent/Received field was displaying only received
- Fixed bug with exporting SMS to CSV/Text where selected checked items were not being exported correctly. The export was incorrectly using fixed GUI list position index and not the internal list indexes
Password Recovery
- Fixed some possible crashes that could occur
User Activity
- Fixed possible crash when scanning MRU

V10.0 Build 1006 28th November 2022

E-mail Viewer
- Fixed Ctrl+J jump to message shortcut not working
Create / Search Index
- New indexer builds
- Fixed email indexing issue with delimiter character
Internal Viewer
- Metadata, allow the user to manually extract EXIF data For large files that need to be saved temporarily on disk
- Ffmpeg, fixed pts-related bug affecting certain video files (eg. mjpeg/Microsoft PCM)
- Images, added file size limit for reading to buffer when using libheif
Misc
- Replace file size limit with warning prompt when creating temporary copy of a large file

V10.0 Build 1005 14th November 2022

Analyze Shadow Copy
- Fixed bug where it exported results as HTML when CSV was selected
Case Manager
- Fix possible crash when calculating case folder sizes
Create / Search Index
- Fixed possible crash during device prescan of unallocated cluster
- Search index option dialog, fixed a crash when adding additional indexes
Email Viewer
- Fixed a crash that could occur when searching
Internal Viewer
- FFmpeg Player, fixed crash when scaling video frames (for videos that are rotated)
- Video will now scale to window size if larger than the video resolution
Misc
- Improved error message when failing to create temporary file when opening a file in an external program

V10.0 Build 1004 27th September 2022

Case Management
- Reporting, increased PDF report generation timeout
- Reporting, added a progress window when exporting report as a PDF
- Devices, added support for BDE volumes with a clear key
Create Index
- Fixed bug where if multiple folders/unallocated are added, the indexers fails to run
Deleted Files
- Fixed crash when carving MFT records on disks without valid file systems
Email Viewer
- Added checkbox option to search for attachment filenames
Password Recovery
- Added an error message and retry option if Chrome local state file was locked (triggered if using Chrome to login into a site or switch profiles at the same time as running a scan in OSF)
- Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
- Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure
- Decryption and Password Recovery, made a change so that the number of available GPUs is not checked until clicking on the tab (previously it would happen at OSF startup and could cause a crash if GPU drivers are out of date)
- Fixed bug where scan was being preformed on Live system regardless of which drive was selected
Rainbow Tables
- Fixed bug where 'recover passwords' button did not resize properly after recovery is completed/cancelled
Start Page
- Added icon and button to display USB write blocking current setting, displayed as "USB Write: Enabled" or "USB Write: Disabled", and can be toggled on and off using this button (current case setting will be changed)
User Activity
- Now clearing file system cache before performing scan. This is to fix issues due to inconsistent data when scanning live system drives in Forensics Mode
- Fixed a failure to decrypt passwords due to unnecessary encoding/decoding operations of the keys when scanning Browsers passwords. This caused incorrect AES key and key length returned which caused the failure

V10.0 Build 1003 9th August 2022

Auto Triage
- Fixed crash in Auto Triage > Logical Image Configuration when selecting Peer 2 Peer option (pattern string length was too long)
- Fixed crash in Auto Triage > Password recovery
Memory Viewer
- Fixed a "certificate was explicitly revoked by its issuer" error when saving a memory dump to disk
Password Recovery
- Fixed windows login passwords not scanning when using live acquisition
User Activity
- Fixed bug when trying to re-order columns for USB items that would cause the columns to disappear until OSF was restarted
User Interface
- Mitigated Window drag lag (effect was more prominent with mouse using with high polling rates (>300/s))
Misc
- Fixed issue with OSF not validating some key.dat files because of extra lines in the file

V10.0 Build 1002 5th August 2022

Create / Search Index
- Fixed crash when saving and loading index configurations
File System Browser
- Fixed file entries not appearing in Details/List View in Win 7
Install to USB
- Added config link to adjust auto triage options in USB install window
Localisation
- Further UI adjustments for localisation
Start Window
- Fixed filename bug when opening a file directly from the start window (registry, email, etc) where the filename could be random text or not open correctly
ThumbCache Viewer
- Fixed thumbnails not appearing in List View in Win 7

V10.0 Build 1001 22nd July 2022

Localisation
- UI adjustments for localisation
- Added some missing strings to localisation
OSFMount
- Updated OSFMount files to fix driver and program version mismatch
User Activity
- Increased event info string size to avoid overflow
Volatility Workbench
- Updated Volatility tool from "3 1.0.1 - beta" to "3 2.0.1"
- Added new volatility commands to volatility workbench

V10.0 Build 1000 14th July 2022

Auto Triage
- Added option to enable running auto triage automatically on startup, which can be enabled in the install to usb dialog and use settings last set
- Added splash screen and progress bar when running auto triage as a standalone option
Analyze Shadow Copy
- Added ability to find shadow copies from analyze dialog without adding to case first
Boot VM
- Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
- Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
- Added check and display error for partition-only images without a supported OS before mounting as physical disk
- Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
Case Manager
- Support for adding recovered partitions to case
- Added ability to save and load custom templates for evidence categories
- Added ability to rename case devices after they have been added
- Add Device, changed the default display name to include the date the shadow copy was taken
- Added time zone names to time zone drop down and case report
- Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
- Report Generation, added the details of OSFOrensics digital signature to generated reports
- Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
- Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
- Report Generation, Added "Software Verification" link in report sidebar
- Report Generation, Added certificate verification information to non HTML reports
Clipboard Viewer / ThumbCache Viewer
- Will now draw checkerboard background for improved display of transparent images
- Improved drawing of images to reduce flickering
Deleted Files
- File carving, optimization. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with an Mac E01 disk image with default carving config)
- File carving, optimization, updated extensions with header signature ????ftyp to \x00\x00\x00?ftyp instead. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
- File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving
- File carving, optimization, improved the responsiveness for OSForensics when carving is running
- File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
- For FAT and NTFS files systems, added option to carve only Allocated sectors
- Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
- MFT and Carving now enabled by default
- Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
- Changed name Plist to Binary Plist and improved detection to limit false positives
- File carving, fixed possible crash when carving MP3 files
- File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
- Added secondary sorting on second column (via dropdown and/or control click on details tab)
- Disabled sorting while deleted file scan is in progress
- Lowered priority level of carving threads to improve response from computer when carving is in progress
- Thumbnail Tab, added a quality level indicator to the thumbnails preview
- Added support for carving MFT file records on non-NTFS quick formatted volumes
- Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
- Added new scan method to config window, changed dropdown box to checkboxes
- Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
- Added check for large buffer sizes before allocating memory when detecting faces
- Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running
- File carving, improved carving of HTML files
- File carving, reduced false positives for FLV files
- File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
- File carving, better handling of .eml files (will verify that both "From:" and "Date:" field are present
- File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family)
- File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
- Opening internal viewer for Plist Files from within the deleted files module should now work
- NTFS, fixed potential memory issue when restoring deleted files
- NTFS, added more debug verbosity when restoring deleted files to disk
Device Manager
- Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
Disk Image and Filesystem Support
- HFS+, preliminary support for compressed files
- HFS+, fixed bug in decompressing zlib-compressed file data
- HFS+, support for reading lzvn-compressed file data stored in resource fork
- APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
- APFS, fixed reading compressed file data for files with hard links
- APFS, fixed bug in decompressing zlib-compressed file data
- NTFS, fixed bug in incorrect file being opened due to hash collision
E-mail Viewer
- Message body containing inline content (eg. base64-encoded jpgs) now displayed as attachments
- Thumbnail preview for supported image attachments on mouse over
ESEDB Viewer
- Viewer now displays when binary data has been found
- Search now looks for ASCII strings present in binary data fields
Event Log Viewer
- Added "Device Connected/Disconnected" option to the filter preset list
File Name Search
- Added Hash Set column which identifies which hash set the file was located in
- Fixed $FILE_NAME dates not being displayed for entire disk images added to case
- Added a reset button to config dialog which sets all changes made by user back to their defaults
- Made several popup dialogs to close when 'esc' is pressed
- Now using ffmpeg library instead of exiftool for counting video tracks for better performance
Forensic and Cloud Imaging
- Rebuild RAID Disk, added support for detecting and rebuilding Linux mdadm RAID using superblock v1.X
- Forensics Copy, added ability to export forensic image as zip file
Internal Viewer
- Perform initialization/shutdown of Media Foundation once rather than for every internal viewer instance
- Fixed issue that prevented deleted files opened from File System Browser from showing in the File Viewer
- Fixed incorrect thumbnail being draw for current item, after the list is updated
- Migrated library for media playback from Windows Media Foundation to ffmpeg
- Added support for playing media from memory buffer sources (eg. deleted files)
- Will now display a specific error message when attempting to open media file with corrupted attributes (duration, video pixel format, etc)
- Fixed flickering from redrawing thumbnails from deleted search result
- Automatically rotate videos if rotation metadata available
- Added a check to only redraw thumbnails if the items changed
- Metadata, display an error message if exiftool executable was not found
- Fixed multithreading bug causing media playback issues when opening multiple instances of the same file
- Fixed video paint issues when resizing window
- Fixed first video frame occasionally being displayed immediately after loading preview thumbnail images
- File viewer support, added opening deleted files (image, video/audio, android backup, compressed archive, office files)
- Added right-click menu support for deleted files
Install to USB
- Fixed bug, files required by the web browser module were not being copied
Localisation
- Added localisation support for Korean, Chinese (simplified and traditional), Japanese, Spanish, German and French
Mismatch File Search
- Separated default and user-created filters, removed "built-in" text
OSForensics Digital Signature Verification
- Added button to start screen (in housekeeping section) that verifies the integrity the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid
Password Recovery
- Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
- Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
- Fixed password recovery issue with the records in "Windows.old" folder
- Fixed crash in ZIP password recovery when testing a single password
Search Index
- Fixed GDI handle leak
SQLite Browser
- New Tab to shown Unallocated Space (Free Pages/Blocks) within SQLite database file
- Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks
- Added Run SQL tab, allows users to write their own SQL statements
- Updated sqlite source files from 3.8.11.1 to V3.38.0
Start Window
- Added settings option to allow for selecting language in use
System Information
- Added partition selection dialog when scanning whole disk image with multiple partitions
- Added category for basic system information collection from non Windows machines
Thumbnail Cache / Viewer
- Attempt to generate video file thumbnails if file extension is a known video type
- Attempt to load thumbnails only if the filename has a known file extension
- Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
- Fixed multithreaded handling of video thumbnail generation using Media Foundation
- Fixed thumbnail icons not appearing in thumbnail view
- Added check for large buffer sizes before allocating memory for displaying thumbnails
- Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
- Fixed pixelated play icon for video thumbnails
User Activity
- Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation
- Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
- USB timeline, added support to collect USB Artifacts of USB storage device connection and disconnection history. This feature is achieved by analyzing event ID 1006 (from Microsoft-Windows-Partition%4Diagnostic.evtx) and event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of the later channel is not enabled by default, users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events
- Added parsing for Linux log files located in the /var/log directory
- Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog
- Fixed an issue where Moved Downloads not recognizing the system drive on live acquisition mode
- Added browser artifact support for some modern versions of Linux
- MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available
- Added warning when attempting to scan a drive image that does not exist
- Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
- Added check and warning message for missing case device when starting scan
Web Server Log Viewer
- Added menu for filtering for common web exploits such as SQL injections
Misc
- Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
- Keep single instance of physical disk info shared between all modules
- Fixed bugs with some MessageBoxes opening to wrong handle
- Changed some dialogs to close when 'esc' is pressed and centred others
- Installer, added language selection when running installer
- Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls
- GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems
- Centred some dialogs to main window for consistency
- Help file, updated file carving config info + images
- UI adjustments, centred additional dialogs
- Installer, updated OSFMount to v3.1.1001
- Installer, added Japanese language selection option
- Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
- Updated DirectIO driver used for system information collection to work with Win11 22H2 release

V9.2 Build 1000 14th July 2022

Licence changes
- Made changes to allow subscription keys to work with any version of OSF (from V9 onwards)
Password Recovery
- Stopped trying to load GPUSupport/GPUSupport64.dll on systems older than Windows 10
- Fixed VC runtime error on older Windows systems when trying to load GPUSupport/GPUSupport64.dll
Disk Image and Filesystem Support
- Added missing close handle when populating device dropdown

V9.1 Build 1012 6th April 2022

File system support
- exFAt, removed check for volume attribute bit when traversing file entries, which appears to be set in macOS created volumes (which casued file sizes to appear as 0 and some directories to be hidden)

V9.1 Build 1011 4th April 2022

Device Manager
- Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space
Subscription
- Fixed crash when checking subscription validity

V9.1 Build 1010 24th March 2022

Boot VM
- Added more verbose debug logging when obtaining privileges to mount a registry hive
- Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
Disk Image and Filesystem Support
- Fixed reading of volume bitmap failure due to sector unaligned access
- APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
- APFS, fixed reading compressed file data for files with hard links
- APFS, fixed bug in decompressing zlib-compressed file data
- APFS, fixed reading of lzvn-compressed file data with updated implementation
- HFS+, fixed bug in decompressing zlib-compressed file data
- HFS+, support for reading lzvn-compressed file data stored in resource fork
File Hashing
- NSRL import, the latest hash set (2.75 Dec 2021) contains an invalid character that was stopping the import from running correctly, this has now been fixed
Help
- Added the FireFox/Chrome cache directories that are excluded when using the Chrome/Firefox exclude image cache file options in the Files Mismatch module
Password Recovery
- Fixed issue with browse dialog not accepting multiple files correctly
Screen Capture
- Fixed GDI handle leak when drawing button. This caused a leak when drawing windows containing the Screen Capture button (eg. internal viewer)
Search Index
- Fixed file handle leak
- Fixed GDI handle leak
- Fixed a bug that could occur on the off-chance that system time is the same for two searches

V9.1 Build 1009 3rd February 2022

Case Management
- Fixed possible crash (crash was due to uncaught exception from MoveFile failure) when changing the case location in the Edit Case Details dialog when paths are longer than MAX_PATH
Deleted Files
- Cleaned up text/message for the Save Checked Deleted Files confirmation dialog
Direct Image Access / Filesystem support
- NTFS, fixed bug in traversing $I30 entries in directories spanning multiple MFT records
File Name Search
- Enabled "Show $FILE_NAME Dates (NTFS)" configuration option automatically if any of the $FILE_NAME columns are selected when configuring displayed columns
- Fixed bug where the custom case directories a user can specify in the config settings did not get reset when switching between cases
File System Browser
- Fixed issue of FSB starting in extremely minimized state. Issue was caused if previous instance of FSB was minimized when closed. Now if closed while minimized, FSB will not save existing dimensions and reuse the last saved values
File Viewer
- Fixed bug where OSF crashed when trying to retrieve file info from a file that does not exist
- Fixed bug where if 'save file' option is used on a HFS file system and with 2 or more files selected, the saved file name was incorrectly output
Mismatch Files Search
- Updated help file to add more detail on how 'Filter Types' is used
- Fixed Chrome/Firefox Cache image exclusions (caches were in different places than expected, e.g. for Firefox, it is different based on OS)
Search Index
- Fixed bug where displayed sort options did not match function (email + attachments)
Signatures
- Will now clear create signature config (output type, hashes, etc) each time a new case is loaded
User Activity
- Fixed bug where all USB entries weren't displayed unless the "event log" option was selected as well
- Will now clear user activity config (date range etc) each time a new case is loaded
Misc
- Decreased the size of the Deleted Icon (X) overlay over image thumbnails
- Added .emlx to email pre-sets where used

V9.1 Build 1008 25th January 2022

Disk Image and Filesystem Support
- Fixed HFS+ partitions being incorrectly identified as ext2

V9.1 Build 1007 24th January 2022

Case Manager
- Support for adding recovered partitions to case
Misc
- Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
- Keep single instance of physical disk info shared between all modules

V9.1 Build 1006 23rd December 2021

Case Manager
- Added option to "Add to Case" when right click on multiple tagged items. OSForensics will add tagged files but warn and provide a list of tagged items that are references (e.g. artifact found within a database) that could not be added to case.
Device Manager
- Added support for detecting hidden file systems via on entire disk images. This allows for recovery of deleted partitions (depending on what remnants are left on disk)
System information
- Updated hardware support to correct report on DDR5 RAM and Intel 12th Gen CPUs with efficiency cores and performance cores
Password Recovery
- Fixed bug causing columns in list view to disappear after user has configured the active columns, when a new case is loaded
Misc
- For some modules that allow user to configure columns orders, added a "Defaults" button to allow user to reset the columns to OSF's default settings
- Added the Microsoft DLL, msvcp140_codecvt_ids.dll to installer as it is required by translate.exe, which is in turn used for viewing Word documents. But the DLL is missing in Win 7. The codecvt_ids DLL converts characters between different character sets.

V9.1 build 1005 21st December 2021

Create / Search Index
- New indexer builds with updated support for latest Apple APFS file system
File Name Search
- Recognizes JSON (*.json) and Event Log (*.evtx) files and open them with their appropriate internal viewers
JSON Viewer
- Added support to parse Google Chat record exported from Google Takeout service
- Can parse a single "messages.json" JSON format file or select to parse multiple files at once
- Same as the Hangouts, it shows the conversations in HTML with formatted chatting app-like style
- Fixed right-click Add to case menu, users can choose KML/GPX/CSV formats when adding selected items to case
Manage Case
- Updated USB write-block message to differentiate when enabling and disabling the setting
Raw Disk Viewer
- Fix handling of clusters for APFS "cloned" inodes that share clusters with other inodes

V9.1 build 1004 9th December 2021

Boot VM
- Support for booting MacOS Catalina and Big Sur. Fixed EFI script to detect boot.efi location for booting
Case Management
- Enhanced USB Write Block block more kinds of removable storage devices
Disk Image and Filesystem Support
- APFS, added additional file system caching for better performance. Result was up to 30X performance improvement for file searching.
- Support for APFS Sealed Volumes
- APFS, handle compression algorithm 5
File Viewer
- Fixed hang when a file system read error occurs when attempting to generate thumbnails
JSON Viewer
- Added new feature to parse Google Location History JSON format archive file exported via Google Takeout service, shows a summary of the locations list.
- Selected locations can be exported in KML/GPX/CSV formats for use in applications like Google Earth, Google Maps My Maps and OSForensics Map Viewer.
- Updated right-click menu to view locations on internal Map Viewer.
Web Capture
- When downloading large videos the connection to remote server could end with windows error 10060 (connection drop) and/or 10054 (server terminate connection). Previous behaviour: OSForensics reported failed download. Now if OSForensics detects the download is because of above errors, it try attempt to retry the download (the download should continue where it left off). If it fails three (3) times, it will ask user if they want continue to retry or stop.

V9.1 build 1003 2nd December 2021

Case Management
- Fixed "Verify" option on case items not working correctly
- Fixed "Verify" option on case items without hash values not displaying an error message
Deleted File Recovery
- Fixed bug, OSForensics will now proceed with File Carving (if enabled) even if the image file contains mixed file system partition types
JSON Viewer
- Added right-click menu to view HTML format conversations using internal/system web browsers, also double-click to open browser
- Added TXT and CSV exporting options
- Added support to parse Google Hangouts archive JSON format file downloaded from Google Takeout. It provides a summary view of the Hangouts conversation history and allows export of the selected Hangouts conversations to HTML with nicely formatted chatting app-like style so users can easily read through the messages.
- Added right-click menu to export HTML files to case
- Removed Compress JSON button as it may cause crash on large files
Remote Acquisition
- Fixed logical image creation on remote machine
- Delete temporary config file passed to remote machine when acquisition finished
Start Window
- Fixed constant CPU usage due to redrawing
Verify/Create Hash
- Fixed hash function not starting if "none" was selected for the secondary hash

V9.1 build 1002 19th November 2021

Auto Triage
- Fixed stack overflow when attempting to calculate folder size for logical image
- Updated info text for Logical Image Config Dialog Box
- When loading previous config, re-prompt for FTP server password if non-anonymous upload is enabled
Android Logical Image
- Fixed bug where after imaging, OSForensics would fail to attach log to case "path not found"
Remote Acquisition
- When loading config file, re-prompt for FTP server password if non-anonymous upload is enabled
- Added support for non-anonymous FTP upload without passing plain text password
- Added check if portable install version matches current version
- Fixed triage status file not being written when saving as compressed Case file format
Misc
- Fixed detection of OSForensics Portable for current running instance

V9.1 build 1001 12th November 2021

Remote Acquisition
- Fixed error when network path contains spaces
- Use XML config file to pass triage options rather than command line options
- Fixed reporting of triage status for pre triage tasks (memory dump) and post triage tasks (HTML report, FTP upload)
Auto Triage
- Refactored handling of logical image configuration

V9.1 build 1000 11th November 2021

* NEW JSON Viewer *
- Supports syntax highlighting for JSON documents
- Treeview shows the hierarchical dependencies between JSON nodes
- Supports JSON formatting and indenting
- Supports compressing (minifying) JSON documents
- Supports encoding: UTF8, ASCII, UTF16 BE/LE
* NEW Remote Acquisition *
- Preliminary implementation of remote acquisition module
- Added encryption to configuration file. Prompt user for password when loading/saving config file
- Automatically import case when remote acquisition complete
- Support for domain user accounts
- Support for compressed Case File
Auto Triage
- Fixed bug in FTP case file upload
- Added error messages when uploading of case file failed
- Save FTP config to OSF config file on close
- Fixed minor UI bug when hovering over triage tasks
- Refactor to support running without GUI (ie. command line option)
- Added command line options to run Auto Triage in standalone mode
Case Management
- Added Case Size column to the list of selectable cases. Size is calculated in background thread
- Added option to "Export to file" in "Export Case" button dropdown menu
Create / Search Index
- Fixed crash bug when searching in index containing long file paths in the protected files list
Deleted Files
- Fixed multiple device scanning
Email Viewer
- Tiff Export, Moved tiff export menu item, changed emails md5 to sha1 and added attachments sha1, added tiff export progress to title bar
- Updated tiff export folder structure
- Updated load file format, added text extraction (using code from Zoom)
- Renamed concordance export option, removed debugging print
- Added right click option to export emails to concordance load file
Forensic Imaging
- Improved image creation speed significantly
- Changed buffer sizes and file access method which results in much better performance on very fast drives
- Optmized code for increased speed when compressing E01 images
- Changed compression which results in increased speed when creating the image
- Fixed a bug where selecting "None" for the hashing function was still creating an MD5 hash while creating the image resulting in a slower speed than expected
- Added CRC32-C to the available hashing options, an SSE4 enhanced version of CRC that is much faster
- Added hash outputs to create image tab
Install to USB
- Added option to set the workflow to a minimal set of modules for portable OSF installations
- Allow installation of OSF portable to network folder
- Added option to include python packages
Image Viewer
- Fixed possible bug where the thumbnails may not be display/extracted the second time the image is analyzed
Password Recovery
- Fixed crash due to using freed OpenSSL structure
Start Page
- Re-assigned Modules to different groups
- File System Browser moved to File Searching and Indexing
- Web Browser and Analyze Memory with Volatility moved to House Keeping
- Program Artifacts moved to System Artifacts and Passwords
- Change to "Install to USB" to 'Install to USB or Network'
- Modules hidden in both the workflow menu and start page (via customize workflow) will have grey text and have the word [Hidden] appended when appearing in the Module Feature Search. Note: This does not prevent user from accessing these modules
SQLite Browser
- Fixed bug where it opened the add to case dialog using the main window's handle instead of SQLite Browser's
- Fixed bug where it opened the file select dialog using the main window's handle instead of SQLite Browser's when selecting 'Load DB'
User Activity
- Added Browser Custom Dictionary entries for Opera and Firefox.
- Added new Browser Custom Dictionary entries activity type. (Chrome, Chromium Edge, Opera, Firefox)
Web Browser
- Capture Screenshot Region will capture upon left mouse up (previously required user to hit 'Enter' key)
Web Capture
- Internal changes to better support timing out when a page fails to load, adding delays after page has completed loading before taking capture, setting the page scale
Misc
- Updated Crypto++ library to 8.6.0

V9.0 build 1002 8th September 2021

Auto Triage
- Support for saving compressed Case files (experimental)
- Support for uploading Case files to FTP server (experimental)
- Fixed UI mouseover issues
Case Manager
- Support for importing compressed Case files (experimental)
- Fixed a error that occurred when trying to create a case in a network path
Create / Search Index
- Fix crash bug when indexing corrupted OLE files (OLE is used in old style XLS, DOC, PPT files)
- Added export of "lastfailedindexcfg.zcfg" for debugging purposes when indexing fails
- Fixed potential crash bug with buffer issues in indexer
Memory Viewer
- When running from network drive, DirectIo driver copied to temporary directory before loading. This is required becuase device drivers aren't be loaded by Windows from network drives.
- When saving memory dump to network location, saves to temporary location before moving to network path
Start Window Search
- Fixed home/end keys in text input
- Added more search results
User Activity
- Fixed potential memory buffer overflow crash in function on Win XP
- Fixed a crash that could occur when collecting SRUM artifacts on Windows 11
Misc
- Fixed crash when running from network drive
- Update OpenSSL library in use to 1.1.1L. Previous version in use was v1.0.2L. This fixes a couple of potential security issues in OpenSSL.
- Updated help documentation for internal viewer, E-mail viewer, map viewer, file name search map view, updated screenshots

V9.0 build 1001 17th August 2021

Auto Triage
- Fixed bug with loading user-specified logical image file type settings from config file
Case Manager
- New right click option in the case list to open the containing folder in Windows Explorer. This allows quicker navigation to case folder for backups or looking at logs.
Clipboard Viewer
- Changed linking of WinRT libraries shcore library to restore Win7 compatibility. (So supported platforms now included Win7 to Win11)
Disk Image
- Cleaned up the word wrapping on message box warning text
Email Viewer
- Increased maxiumum length of 'To' and 'Cc' fields. Enabled word wrapping.
Filesystem Support
- Fixed rare bug in FAT entry offset calculation due to using float type. This caused incorrect offset calculation on exFAT file systems, which in turn stopped some exFAT files being read correctly.
File Name Search
- Added status window for adding files/folders to logical image to improve responsiveness when adding a large number of items
Internal Viewer
- When viewing PDF files earlier than Win8, use text conversion instead of the native PDF viewer (which is only in Win10 and above)
- Changed linking of WinRT shcore library for Win7 compatibility
- Changed linking of WinRT Windows.Data.Pdf.dll library for Win7 compatibility
Logical Image
- Fixed performance issues when adding/removing sources when there are large number of existing items
Password Recovery
- Changed linking of OpenCL.dll to delay for Win7/8 compatibility
Python API
- Updated youtube-dl (video download function) to newest version, this was required to deal with latest Youtube changed.
- Added new Python script template for recursing directories in a file system, ignoring specified extensions and subdirectories. Allows user to make an logical image of just files of one type (e.g. Just .DOCX files).
Start Window
- Search bar now searches and makes suggestions as text is entered on the fky.
- Changed search to ignore word order, allow results for (n-1) search terms if no results, return help file if no results.
- Prevent certain search keyboard inputs that could cause unintended behaviour.
WebBrowser
- Updated web browser module to use webview2. On systems that support it (i.e. have chromium edge installed), the webview2 browser will be used, for systems without, will use the old IE based browser control. This allow much more accurate rendering of modern web pages and better security.
- Change linking of GetDpiForWindow for Win7 compatibility
- GUI Navigation/Icons should be less blurry
- Removed Save Page/Add to Case button/option (it is not implemented/supported by Webview2). It is still possible to save screen shots of pages however.
- Fixed issue with resizing browser window below minimum size and buttons moving out of place.
- Export Page, fixed possible bug when downloading a file/video fails causing OSForensics to crash.
- Changed default capture area (camera button) to Whole Page.
- GUI Added visible note to users notifying them that right click options (Save As and possibly Print) on webpages are not working due to webview2 running in elevated permissions as required by OSF.

V9.0 build 1000 5th August 2021

Map Viewer
- Added Map Viewer module which enables users to view GPS locations marked on a world map.
- Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
- Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (ie. Geocoding
- Added map email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.
Auto Triage
- Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
- Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.
Boot VM
- Updated to now allow booting for MacOS (10.13 and above)
- Now includes support for VMWare Workstation Player 16
Clipboard Viewer and Signatures Module
- Restructured UI for consistency and simplicity in OSForensics user experience
Create / Search Index
- Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
- Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allow indexing of GUIDs values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
- Added sub tabs under ‘Browse Index'. These include Words, Files and Protected lists.
- Added "Save to disk" checked items menu option
- Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
- Fixed bug with "Search Index", when matching exact phrases only found in meta description
- Fixed crash bug for when page is near end of index
- Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
- Fixed timeline filter and other UI issues
- Fixed cleanup of previous state when closing case
- Fixed bug with email indexing causing corrupt index when long header or attachments are used as description in index
- Fixed crash bug when corrupt index is encountered during a search and cleanup occurs, and subsequent searches did not reload the index
- Added handling for partial index unloaded/reloading due to unexpected error cases (low memory, corrupt index, etc.)
Disk Preparation
- Fixed a bug stopping Disk 0 from being formatted, if the user accidentially tries this
Decrypt File
- Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.
Deleted File Recovery
- Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
- Added ability to right click on an extension in the scan status tab to view the set of files.
- Added the Face and Nudity Scan feature to the sorting option
- FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
- Fixed display bug where scrolling to the right and then back, where the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
- Fixed a crash that could occur when no files where found
Device Manager
- Added support for per-volume encryption, as used in newer versions of Apple's APFS file system.
Email Viewer
- Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
- Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
- OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
- Added support for indexing EMLX files from Apple Mail
- Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case
Event Log Viewer
- Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (for eg “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX").
File Name Search
- Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
- Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
- Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
- Fix stack overflow crash due to large local string variables
- Changed search preset name ‘Windows Shortcut Files' to ‘LNK Files'
- Updated the P2P pre-sets to include UseNet related keywords
Hash Sets and Create Hash
- Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
- Added SHA3 (256, 512) as hash options
Internal Viewer
- Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
- Jump to file when double clicking thumbnail
- Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
- When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
- Improved drawing performance and navigation buttons.
- Hex view, add 'Export strings...' link to string extractor
- Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
- Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
- When analyzing images, add right-click menu options to embedded thumbnails to 'View with internal viewer...' and 'Add to Case'
Mismatch Search
- Restructured UI for consistency and simplicity.
- Fix bug with 0 byte files not being excluded from results
Password Recovery
- Restructured UI for consistency and simplicity.
- Distributed password cracking with support for Multiple GPUs (Pro Only). Supports up to 1000 total clients when using distributed cracking
- Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
Program Artifacts
- Restructured UI for consistency and simplicity.
Raw Disk Viewer
- Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)
System Information
- Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link).
Thumbnail Viewer
- Fixed drawing of images with alpha channel.
Tag/Untag
- Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
- Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer' will open the SQLite database where cookie was stored.
- Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager
User Activity
- Restructured UI for simplicity and consistency.
- Moved 'Remove filter' link to 'Activity Filters' drop down
- Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
- Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
- Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
- Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
- Fixed activity-specific right click menu options and enter/double click options
- Added support for parsing UseNet NZB files to display filename, file size, poster and time
- Added Newshosting UseNet client P2P artifacts
- Changed the tree-view “Most Recently Used” item to be collapsed by default
- Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
- Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
- Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
- Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
- Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
- Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
- Added support to collect details about recently viewed PDF files in Acrobat Reader and their file size and page numbers.
- Added an option in the config window to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them
- Added support to collect the VLC Media Player last opened filepath by parsing it's .ini file
Start Menu
- Added search bar to the start page to quickly find OSF features
Workflow
- Set Mount Drive Image button to be hidden by default in the Workflow menu. This was done as the Add Device function is preferable in nearly all cases
Python API
- Add methods for adding/removing device from case (including BitLocker and Volume Shadow devices)
Remote Server
- Fix bug in creating destination folders when source path is a network folder
System requirements
- Windows 11 is now supported.
Security
- Update EXIFTool to 12.25 due to ACE security vulnerability

V8.0 build 1008 7th June 2021

CloudMail
- Fixed issue with Microsoft Outlook/Hotmail email when Content-Length is not returned in the header, but response body contains text
ThumbCache Viewer
- Fixed an issue where Thumbnail items were not able to add to the case
User Activity
- Form Autofill, fixed crash with change to Autofill in Edge Chromium when data value in sqlite db is not encrypte
- Passwords, fixed wireless network passwords recovery issue
- Passwords, fixed Firefox browser password recovery bugs
Misc
- Fixed Typo in Expiration/Subscription GUI Text

V8.0 build 1007 17th February 2021

Auto Triage
- Fixed an issue in the Logical Image configuration window where a non-system drive path was not added properly to the image creation list.
User activity
- Fixed a crash that could occur when removing the filter after using timeline view to view and select files at a certain time

V8.0 build 1006 28th January 2021

Auto Triage
- Updated select drives dialog.
- Renamed "Deleted Files" to "List of Deleted Files"
- Renamed "File Listing (Signature)" to "File Listing"
- Added timezone to Process List and File Listing exporting CSV
- Updated to add not only the OS boot drive but also all the other available logical and physical drives to case, and then scan all of them to create file listing
- Deleted file search, updated to scan all drives available and export to CSV files separately
- Added drive selecting options for file listing and deleted files searches
Case Manager
- Add Device, Added debug output when populating device dropdown
- More robust handling of case device dropdown
- Added more verbose logging during case load
Forensic Imaging
- Removed unnecessary refreshing of drive dropdown when loading Create Image tab
- Added more verbose logging when opening Forensic Imaging window
- Added debug output when populating device dropdown
Direct File Access
- ImageFile, add check for opening physical drive when calling FSCTL_ALLOW_EXTENDED_DASD_IO and reading "imageUSB" signature. This fixed an issue when reading the physical disk for an McAfee encrypted drive ( a bug in the McAfee software that caused a read of the physical disk to fail if the read request was not sector aligned)
- libesedb, increased fixed-array size, update for performance issues

V8.0 build 1005 29th December 2020

Auto Triage
- Upgraded the screen capture to take screenshots of all running program windows.
- Removed the drive selection drop-down list and changed it to select the OS boot drive to perform live acquisition scanning.
Case manager
- Fixed an issue when exporting a report using the copy files option, if a source file was read only then multiple error messages could be show during the file copy process.
- Improved speed of export when large amounts of files are being exported as part of the report
USEDB viewer
- updated to library code for compatibility with newer helper libraries
Verify Hash
- Fixed a bug where clicking the "upper case output" option after generating a hash would not update the primary hash and instead replace the secondary hash with the upper case primary
File system support
- Updated library code for reading E01 and L01 files. While there were multiple changes under the hood, the most visiible change should be better support for L01 image files. In particular it fixes a case where a NTFS directory entry in a L01 could point to the wrong file.

V8.0 build 1004 4th December 2020

Email Viewer
- Remove MAPI initialization from startup, loading on-demand
- Attempt to load MAPI dll from Outlook installation in registry (rather than mapi32.dll in Windows\System32) to prevent a "No mail client found" error message in some cases
File Name Search
- Added vcruntime140_1.dll for exiv2.exe tool to fix missing DLL issue
- Updated EXIF Metadata search keywords preset list
Hash Set Import
- Fixed a crash that could occur when importing NSRL hash sets

V8.0 build 1003 25th November 2020

Case Management
- Added a continue / stop option when a file copy fails (eg when creating a case report) rather than just stopping the current process
Cloud Mail Export
- User can select which folder to export from account. An MBOX file will be created separately for each folder exported
Deleted Files
- Added option in configuration to disable thumbnail creation as it may cause crashes in external windows libraries used to generate the thumbnails (eg media player) on poorly recovered / corrupt files
File Name Search
- Added a new feature to allow for searching against image EXIF metadata
OSFExtract
- Fixed issue where OSFExtract app would fail to install on older Android OS devices due to app signing issue
Subscription
- Added deactivate seat option to the start page
User Activity
- Event log, fixed a crash that could occur when reading a System log file caused by a very long file path in the event information

V8.0 build 1002 9th November 2020

Auto Triage
- Fixed a broken link to the Auto Triage section in the help file
Install to USB
- Fixed an issue where a ket.dat file created by OSForensics would not be read correctly when OSForensics starts
Workflow
- Started saving config file immediately after locking the workflow rather than when OSForensics was closed so changes made to the workflow will be applied when installing to USB

V8.0 build 1001 3rd November 2020

Cloud EMail
- Fixed bug where VHD would run out of disk space while exporting email. Now when creating VHD, an additional overhead of 1KB per message for metadata used in MBOX will be added to the total VHD size
- Slow down the queries request rate (possibly hitting the queries limits from Google API)
File Name Search
- Fixed 'Make Database Active' checkbox not setting hash set database active when checked
Subscription Licencing
- WinPE, Will prompt user when subscription is expired to recreate WinPE image
- USB, Will prompt user that online connection is needed to check license when subscription is expired
Misc
- Added "Image Analysis" chapter and content on Face Detect and Illicit Image Detection to help

V8.0 build 1000 22nd October 2020

Added New Face Detection module module for still photographs & images

"Detect Faces" button was added in the Image Viewer
"Sort by Faces" in File Name Search

Added new Web Server Log Viewer module
- Can load up log files from Apache, IIS and other web servers, then filter and sort the log data
Added new Python Scripting module
- Implemented new scripting engine, which allows access to internal OSF functions from Python scripting. Scripting commands such as osf.UserActivityGetResult(), osf.ReportGenerate() & osf.LogicalImageStart() are now available
- Changed 'Run Python script' to 'OSF Script Player'
- Added support for built-in script templates installed under ProgramData\PassMark\OSForensics\ScriptTemplates. The template can be selected under the 'New Script' button dropdown
- Added Python API reference for help file.
- Added script examples for charting via matplotlib
- Add right-click menu to enter user-defined parameters to 'pip install'
Added new Cloud Imaging support for Forensic Imaging
- Added Cloud Download/Imaging for Google Drive, Microsoft OneDrive and Dropbox
- Cloud imaging will create empty files (0 byte files with ".deleted" extension) for deleted items from Dropbox. Dropbox includes deleted files in their directory listing
- Cloud Email Download support
- Added GMail export to MBOX format
- Added Microsoft Outlook (webmail) export to MBOX format
AmCache Viewer
- Improved performance of reading amcache hive
Auto Triage
- Turned off default options for including System hibernation and page files and registry files as part of the logical image configuration
- Started saving scan options and logical image options to config file
- Fixed display/gui bug where the background of the scan options was not being updated in WinPE
Boot Virtual Machine
- Added the ability to select additional hard drives (data drives) when booting a VM from a disk image
Case Management
- Added support for opening tagged e-mails & attachments via double-click/right-click
- Will now use Web Browser to open URL tags
- Added support for selecting multiple files when adding evidence images to case
- Add button to open 'Manage Devices' window, for managing the devices added to the case
- Multiple select enabled for Case Management. Can now delete or export multiple cases at a time
- Generate Report, updated to hide the categories that have no items
Create / Search Index
- Added indexing for HEIC and HEIF image files
- Allowed indexing of memory dump files. .mem, Including .dmp, .mdmp (large file support does not apply if inside ZIP files)
- Improved speed of large binary file extraction indexing (by way of parallel / 2 thread concurrency)
- Fixed bytes progress status when indexing large binary file
- Added Email Attachment indexing options ("index attachments by file types")
- Fixed exiftool indexing issue (using the -fast3 parameter culled out alot of necessary meta information AND may incorrectly identify file type. Note removed -fast optimization will now be slower)
- Fixed indexing of some GPS meta information from exiftool
- Fixed issue with indexing OCR output from HEIC and HEIF files
- Added "Save to Disk" for checked items
Create/Compare Signature
- Combined the create and compare into a single "Signatures" module with separate tabs
- Added support for SHA-256 hashes. This required changing the signature file format and incrementing the signature file version from 6 -> 7
- Add support for comparing previous signature file version with v7 signature file
- Added options to have two hashing options (e.g. MD5 and SHA-256) for OSFSig and file listing. Note: Will work with V7 OSFSig files but not previous OSFV8 Beta OSFSig files before this commit. When comparing signatures with different hashing options, only signatures with matching hash will be compared. E.g. Sig1.OSFSig was created with MD5 only and Sig2.OSFSig was created with MD5 + SHA-256. Only MD5 will be used for comparison. If both signature files use the same hashing options both checksums will be used for comparison
Deleted Files
- Enabled right-click menu option, Show File Location dialog, for deleted files on FAT filesystem. Note: The file location dialog will only show the first cluster of the deleted file for FAT filesystems as only the starting cluster is known and the link-list FAT entries for subsequent clusters are removed once a file is deleted on FAT filesystems
Email Viewer
- Support opening single e-mails from PST/DBX/MBOX files for faster loading (check if this was also backported to V7)
- Added exporting e-mail messages to MSG file
- Add checkboxes to e-mail messages
- Added right-click option to export e-mails to PDF
ESEDB Viewer:
- Fixed an issue where some values not displayed correctly in Windows 10 V2004
File and Hex Viewer
- Added a drop down to allow track selection for playback for multi track video files
- Added "Analyze" button to Image Viewer to work with illicit image detection feature
- Fixed video player not working when opening video files via DirectAccess
- Fixed bug with video not playing when < 9 thumbnails were loaded
- Fixed a possible crash when extracting strings
- Video, Display duration of media along with current timestamp
File Name Search
- Added "Illicit images" detection. File Name Search can now sort by "Illicit score"
- Changed configuration dialog to support modifying include/exclude folders for each preset. This allows for more accurate preset searches to be defined. Users can also define their own preset searches in the new advanced format
- Fixed bug in matching include/exclude folders in presets
- Fixed bug in saving custom preset include/exclude folders to XML file
- Preset searches now support included/excluded folders (currently, only by editing FileNameSearchPresets.cfg)
- Preset searches are now fixed and cannot be modified inline
- Added 'User-defined Search' for fully customizable search criteria
- Added right-click hash selected files option with option to create a Quick Hash Set from the results of the hashed files
- Added new preset for searching for large images + sort by face detection score
- Added new preset for searching for files modified since last month
- Added new preset for searching for files modified since yesterday
- Added colour backgrounds for results when sorting by Illicit or Face scores. Results are marked Red for likely illicit, Pink for probably illicit, and Green if Faces detected
- Minor UI layout updates
- Removed border from 'Config' text
- Increased width of preset/sorting combo box
File System Browser
- File size units can be selected in the FSB options dialog. Defaults to “Auto” and will display in Human readable file size. File size units selectable are: Auto, Bytes, KB, MB, GB. Selection saved in OSFConfig file
- Fixed bug where the Analyze Shadow from the button within FSB was not working
- Consolidated filter text into single link control
- Changed timeline date type combo box to link control
- Removed 'Current Path' and added 'Scan Status' edit control
- Moved 'Thumbnail size' slider and 'timeline date' control to top
- Added 'Images + Illicit-detect AI' preset
- Added "Video files (sorted by # Tracks)" preset
- Added sort by "video tracks" option
- Moved sorting combo box to the top
Forensic Imaging
- Added option to select between single/split files when creating Encase E01 image files
- Added support for creating AFF4 disk images
- Enabled SMART logging in SysInfoLog.txt
Hash Lookup
- Fixed crash when attempting to export lookup results to text
Image Viewer
- Added support for HEIC and HEIF image files
- Added support for extracting meta data from HEIC and HEIF files
- Added Analyze Results popup window, showing results from AI face detect, AI illicit image detect, MD5, SHA1, etc
Install PFX
- Fixed broken help file link
Password Recovery
- Improved performance of reading Firefox, IE & Windows logins from registry
- Fix heap corruption when retrieving LSA secrets
- Fixed various memory leak issues
- Updated to support new Edge Chromium-based version.
- Updated to support Chrome V80 and beyond
- Updated to support Opera V67 and beyond
- Fixed the Password Length column to display Not Available message when the password is not decrypted
- Decryption Tab, Added ability for users to select multiple files at a time
- Removed support for Opera Version 22 and earlier
- Removed support for FireFox Version 31 and earlier
- Removed support for Safari
- Fixed potential crash when running on Windows 10 V2004.
- Made some changes to enable recovery of chrome, edge and opera passwords in some cases where it was previously failing
Registry reading
- Improved performance of RegistryGetSubKeys() and RegistryGetKeyValues() methods for reading registry keys
- Improved performance of reading registry entries in User Activity. On a 160MB SOFTWARE hive, load times improved from >10min to 20s (as compared to v7.1.1005)
- Added new registry function to read a single key in a hive for better performance without loading the entire registry file
Start
- Add new 'Manage Devices' icon
System Information
- Will now pick "System information from registry" as default when live acquisition is not selected for the case
- Will now skip commands that can't be run on the selected drive (eg live acquisition only and a drive letter is selected) and display a skipped message in the output
- Made some changes to allow user entered commands (eg regripper) to be run when live acquisition OR drive letter is selected (as most user entered commands will likely have a hard coded location)
ThumbCache Viewer
- Redesigned the interface allowing to load a single cache file, add multiple files by scanning drive or folder
- Added a tree view to show list of added cache files, folders and drives
- Added a new "All" option to the Thumbnail Size combo box to show all records in a cache index file
- Added a new feature to allow loading multiple cache files and viewing all of the records in them in a single list view
- Added Extended Information to show EXIF data of thumbnails retrieved from ESE Database
- Updated the thumbnail preview window to be resizable
- Improved the efficiency of loading ESE Database
Thumbnail View
- Added support for displaying thumbnails for video files
- Support for animated video thumbnails on mouse hover
- Changes to thumbnail caching thread for better performance and robustness
- Added support for deleted video thumbnails
- Files that do not have thumbnails are cached and no longer reloaded
User Activity
- Added support for decrypting cookies value of the Chrome, Edge and Opera browsers
- Added support for decrypting form history value of the Edge browser
- Added Search Term to extract search keywords used in browsers
- Added Website Logins to obtain browser passwords
- Rearranged config dialog slightly to shrink height (previously unable to see OK button on 1080p laptop screen)
- P2P, added extra error information display for decoder error during P2P scan
- Fixed null pointer crash when scanning for USB devices only
- Fixed bug in opening ARES registry key path
- Added more Windows Event IDs to extract more forensically interesting logs
- Added times to Browser Bookmarks and WLAN items
- Fixed Time Source display error for some items under All category
- Changed list-view default sorting as date and time descending order
- Improved column sorting speed
- Updated column names for Autorun Commands and UserAssist
- Fixed an issue with Windows Search scan on Windows 10 V2004
- Updated Browser History, Downloads, Form, Bookmarks and Cookies to support the latest versions of Edge, Chrome and Opera browsers
- Updated Downloads to support Firefox latest versions
- Fixed and issue with Windows Search showing incorrect times in Windows 10 V2004
- Moved Top Sites items to Browser History category
- Removed support for Opera Version 22 and earlier
- Removed support for FireFox Version 31 and earlier
- Removed support for Safari
Web Browser
- Fixed video download crash
Workflow
- Workflow buttons and Start window icons now have 1-to-1 correspondence
- Removed extra 'button' slot
- Revised default workflow list
- Added separate checkbox column to show/hide icon in Start page, hiding workflow buttons no longer hide the corresponding Start page icon
WinPE
- Fixed some bugs/crashes found during WinPE testing
- As SHBrowserForFolder() does not work in WinPE, updated to emulate the functionality when running in WinPE
- Custom case location can now be specified for Live Triage and Case Manager's Create Case option
Misc
- Updated Volatility Workbench to v3.0.1001
- Updated exiftool to version 12.03
- Updated WinPEBuilder
- On exit, OSF will check the parent Temp folder to clean up orphaned temp directories. It will only delete the temp directories that are older than the oldest running/active osf32.exe or osf64.exe process
- Fixed a crash that could occur in the trial version in deleted files and file name search

V7.1 build 1012 28th May 2020

Case Manager
- Fixed a crash that could occur when loading a case if a category name was longer than the max (63 characters).
- Fixed a bug allowing categories to be added with names longer than the max (63 characters).
Create Index
- Fixed crash bug when indexing smaller binary files (<25MB) with multi-threads.
- Fixed bug with 32-bit indexer failing to launch.
Deleted Files
- Carving, thread safety updates.
- Carving, fixed bug (read a offset outside of buffer) causing possible crash when carving TIFF files.
Mobile Artifacts
- Potential stack overflow crash fix.

V7.1 build 1011 20th April 2020

Case Manager
- When deleting case, fixed case being deleted even when cancelling option to export case to disk
Deleted Files
- Fixed an issue where Prefetch and SRUMDB info wasn't being read correctly and would return 0 items
- Fixed a possible crash when collecting SRUMDB info

V7.1 build 1010 25th March 2020

Auto triage / User activity
- Fixed a crash that could occur when running user activity (or auto triage) using the live acquisition option
Deleted Files
- NTFS, Reading $ATTRIBUTE_LIST now uses a dynamic-sized buffer rather than a fixed-sized buffer. This may fix buffer overflow issues when scanning MFT
- NTFS, Added more verbose output when scanning $MFT attributes

V7.1 build 1009 23rd March 2020

Create Index
- Fixed crash bug when multi-threaded indexing and extracting text from system binary files and non-system binary files
Password Recovery
- Added a dialog to allow individual partition selection when trying to run on a disk image mounted as the entire disk that contains multiple partitions
- Fixed a potential crash that could occur when recovering passwords (mostly affecting chrome passwords)
Registry Viewer
- Made some changes to work better with disk images mounted as the entire disk that contains multiple partitions, will now scan multiple partitions for known registry files
User Activity
- Added a dialog to allow individual partition selection when trying to run user activity on a disk image mounted as the entire disk that contains multiple partitions

V7.1 build 1008 17th March 2020

Create Index
- Fixed crash bugs while indexing large Bitlocker images
- Fixed 'Skipping directory ...' log messages
- Changed handling of $' system files e.g. $AttrDef, $Bitmap, $boot, $LogFile, $MFTMirr, $Secure, $UpCase and $Volume are now only treated as filename index only. Only $MFT and $RECYCLE.BIN are binary extracted.
- RAM drive now allocates 2GB if >16GB of ram is available
- Added error messages for caching files and temp files.
- Updated PDF indexing to only use OCR when text layer is insufficient (avoid excessive OCR'ing files)

V7.1 build 1007 5th March 2020

Create Index
- Added support for indexing "Memory dump files" file type (.dmp, .mdmp, .mem). Select 'Unknown file types' to enable.
- Significantly improved speed of large binary file indexing (includes system files)
- Fixed bugs with BitLocker support
- Fixed support for APFS
System Information
- Fixed crash bug during Auto Triage or System Information.
Forensic Imaging
- Added support for configuring between single/split files when writing to EnCase files
Misc
- Fixed bugs with APFS support (missing files in directory, initialisation issues)
- Updated WinPEBuilder release 1.2.106 (includes fixed bug where build process fails when creating ISO)

V7.1 build 1006 18th February 2020

Auto Triage
- Fixed a crash that could occur when collecting system information (via Auto Triage or System Information)
- Made some changes so less trial limitation warnings are displayed at the same time during Auto Triage
File system support
- Updated BitLocker handling for better performance, indexing & file system browsing should be slightly faster
Generate Report
- Fixed an issue with Logos not being enabled to be changed for Pro/Licensed.
Passwords
- Updated Password Decrypting .dll files and fixed issued with GPU decryption not running.
User Activity
- Export to CSV. Removed Flags field from CSV output causing column shift for some MRU types. Note: Flag values are for case specific and their values were never exported, but the column header for "Flags" was.
- Fixed shifted/misaligned column issue when exporting Event data to CSV.
Web Browser
- Fixed an issue where saving a webpage as web archive (.MHT) was no longer working.

V7.1 build 1005 24th January 2020

Case Manager
- Added support for opening tagged e-mails & attachments via double-click/right-click
Create Index/Search Index
- Fixed bug when selecting file types for "Video", "Executables" or "Other" only (no files indexed when these are the only options selected)
- Fixed crash bug with indexing and extracting meta info for MP3 files containing TXXX frames
- Fixed bug with indexing files found within at least 3 recursive levels of ZIP files. These would show up with incorrect paths (missing ZIP file names) and unable to open the file from the Search Results
- Fixed bug with email messages in HTML or TXT format (not RTF) not being indexed as email filetype (and incorrectly showing up on the "Files" tab in OSF results)
- Fixed bug with MBOX files with no extensions (such as from Thunderbird) being indexed twice when we encounter the .MSF (mbox index) file.
- Fixed bug with MBOX files with no extensions failing to be recognised by the unknown file type identification function (magic).
- Updated PDF indexing to use CreationDate and ModDate from within PDF document properties
File Name Search
- Presets, Updated default extensions to include heic/heif for images and hevc for videos.
Generate Report
- Fixed Typos. Custom Logo area is always shown. Still only editable in Pro version.
Start Page
- Fixed issue where some items were not being hidden when everything was unchecked in Customize Workflow.
System Information
- Added collection of more fields when performing command ('Windows Info (Registry)'). Fixed collection of 'Install date' field.
Misc
- Updated web browser video download function to work with current version of YouTube
- Added code to deal with non sector aligned access to physical disk
- Updated support bitlocker encryption. This can fix (some) instances of the "unsupported FVE metadata entry version" error.

V7.1 build 1004 6th January 2020

Create Index/Search Index
- Further fixes to indexing and searching large number of unique words (2mill+)
- Fixed bug with indexing files failed to be identified by magic being indexed as plain text (now treated as binary files). This may have caused extraneous data being indexed (leading to large number of unique words)
- Fixed bug with "Export search results to CSV" from "Search Index"->"History" tab, when the selected search results contain a mix of files and emails, the columns output in the CSV do not match up (emails will have more columns than the files).
Email Viewer
- Fixed bug with Email Viewer rejecting to open an MBOX file which contains non-ASCII characters, and the file is opened in the Internal File Viewer instead.
ESEDB Viewer
- Added missing error checks for non- existent table name. This caused out-of-index exception when performing User Activity scan on IE/Edge WebCache01.dat files.
Passwords
- Potential fix for crash when scanning for passwords in Credential Manager

V7.1 build 1003 16th December 2019

Create Index/Search Index
- Fixed bugs with indexing and searching large indexes containing more than 2million unique words. Also improved error reporting.
- Indexer now reports number of threads in log
- Added debug mode for OSFIndexer
File System Browser
- Fixed jumping to disk offset when selected disk in raw disk viewer does not match
Logical Imaging
- Fixed copying sparse files, were not being set as sparse on destination (if filesystem supports it)
Raw disk viewer
- Support for jumping to XFS inode record
- Support for jumping to ext[2|3|4] inode record
- Added file system scanning for APFS disks. APFS files should be identified and highlighted.
- Added jump to APFS file offset
SQLite Viewer
- Fixed "begins with" and "end with" query strings generating reversed queries
Start Window
- Added "Check for Updates" icon under "Help and Information" for checking the most up-to-date OSF version
User Activity
- Warn user if contents copied to clipboard exceeded limit and will be truncated.
Misc
- Fixed disk dropdown box incorrectly display "Unknown/Empty partition" for all case devices

V7.1 build 1002 6th December 2019

Android Logical Copy
- Fixed possible crash due to corrupted stack
Event Log Viewer
- Added Scan Folder button, this allow multiple event logs to be added to the viewer even when the event logs are found in a non-standard folder
- Added ability to add and delete multiple drives and folders in tree-view. Previously only files from one drive at a time could be added.
- Changed presets filtering configuration file, allowing more complicated filter conditions. Also added some additional preset fitlers
- Added a must "Not Contain" option to the event log filter conditions.
User Activity
- Results can now be sorted by tagged state by clicking on the "Flags" column
- Fixed crash when sorting by column that we accidentally introduced in last patch, opps.
- Added filtering of results by "Flags"
- USB, Opening USB device entries obtained from setupapi.dev.log or event log now opens the correct viewer
- WLN, Opening WLAN entries obtained from .xml file now opens the correct viewer
- Fixed right-click menu for USB/WLAN activity
- Fixed a crash that could occur if a scanned ESEDB database was corrupt. Seems to be rare as we have only seen one known instance.

V7.1 build 1001 2nd December 2019

Create / Search Index
- Fixed bug with Custom limit for Max File Size and Max Pages not applying when creating an index
- Added ability to "Display Search Results" for multiple selected items in the "History" tab
- Added "Path hash" column for "Export Search Results to CSV" to locate files that have been added to case (and stored in the "Files" folder)
Disk Imaging
- Read/Write/Hash threads now use their own I/O buffers to prevent memory access errors when a disk timeout occurs. This typically only happens when disk has a hardware fault. But it could result in a crash when it does happen.
ESEDB Viewer
- Fixed possible crash when loading a table in the ESEDB viewer
Event Log Viewer
- Reorganized elements in the main dialog and top menu.
- Updated filter options in the Advanced Filter.
- Added tree-view right-click menu.
- Added Presets combo box for quick filtering. The user can also add their own preset filters by editing the test file, \ProgramData\PassMark\OSForensics\EventLogPresets.txt
- Updated list-view item selection to allow multiple item selection using mouse drag and right click menu Toggle Check to select them.
Internal viewer
- Metadata, Improved UI responsiveness by launching metadata collection process in a seperate thread.
- Fixed bug in loading NTFS alternate streams when there is no file list
Raw disk viewer
- Added file system scanning for Linux XFS disks. XFS files, directories, and internal structures should be identified and highlighted.
- Fixed bug in partition size for XFS disks
User Activity
- Allowed tagging of activity items that are not file paths (eg. registry keys, URLs, DB records, etc.)
- Added an option in the list-view right-click menu for Event Log to allow users to open Event Log Viewer and locate the selected event.
- Added 'Flags' column to identify 'tagged' items
- Fixed Ctrl+T shortcut not working
- Fixed memory allocation error due to invalid jump list entries
- Fixed Web Browser tab not being highlighted when opening URL
- Improved options to export to CSV and copy to clipboard from SRUM Database entries.

V7.1 build 1000 19th November 2019

NEW Event Log Viewer
- New viewer to display windows event log files. Open logs in E01 images, filter logs, add log entries to the case, etc..
Android Logical Copy
- At completion, log will show the count of files copied by file extension.
Case Manager
- Fixed empty partitions being displayed in drop down list when adding physical drives to case
- Minor fix for BitLocker encrypted volume detection
Clipboard viewer
- Added some checks when ComBase.dll functions are being called that they exist to prevent a possible crash in Win7 when attempting to collect extended clipboard data
Create/Search Index
- New indexer build that adds XFS file system support
- Updated indexer fixed bug with search results from email attachments of ZIP files appearing under the Files tab instead of Email attachments
- Added 'Export Search Results to CSV' feature on the 'History' tab, which allows user to export results from multiple search queries and multiple indexes at once.
Debug mode - (Start Window)
- Added 'Restart OSF in Debug Mode' icon under 'Housekeeping' to restart OSF with 'DEBUGMODE' parameter set
ESEDB Viewer
- Updated libesedb library to libesedb-20181229
- Fixed major performance issue with very large ESEDB files (4GB+). Achieved roughly 40x speed improvement. Previously large files would be so slow to process that User Activity module looked like it had locked up. This should resolve this issue
File system support
- Added support for Linux XFS file system
Logical Imaging
- Fixed bug where root paths added from "Other Available Devices" were not being copied.
Registry Viewer
- Added right-click menu for exporting report to disk/case
User activity
- Added a new option in the config "Moved Downloads (Slow)" to control weather the drive is scanned for downloads that have been moved (Zone.Identifier streams), this is now off by default as it can be a slow process
- Replaced Jetblue API use with ESEDB library (libesedb) use when getting EDGE/IE10 history
- Added some more status messages for registry and browser processes
- Fixed sorting of columns for SRUM DB information
Misc
- Physical drive scanning for partitions at startup was updated so that OSF startup speed should be quicker and use less RAM.
- Fixed a bug in the disk partition detection code, it was not thread safe when running in debug mode, which could result in a rare crash at startup
- Help file updates

V7.0 build 1005 10th October 2019

Boot VM
- Added option to select disk controller. If "Auto" is selected, IDE is used for Windows XP and SATA otherwise. Should improve performance for non-XP images.
Disk Image and Filesystem Support
- Initial support for ISO images.
ESEDB Viewer
- Added detection of MAPI property hex in column header. If so, display the property identifier string
- Highlight known tables and display default columns for Win 10 Mail store.vol
Memory Viewer
- Added checkboxes to list of processes
- Added export of checked process details to CSV & case
- Added export of list of checked process to CSV & case
- Added link displaying number of checked processes
- Fixed task activity LED not clearing after dumping process memory
- Added right-click menu for checked items
- Export checked processes memory dump to disk & case
- Added right-click menu option to dump checked process memory into single file
Mismatch Search
- Fixed "Identified Type" column header displaying as "Location"
Registry Viewer
- Initial implementation of exporting SAM/SOFTWARE registry hive reports
- Initial implementation of exporting SYSTEM/NTUSER.dat registry hive reports
Start Window
- Fixed icon groups re-ordering when changing workflow
User activity
- CSV export of checked items. Behaviour now matches export to text/html where if the ALL items view is currently selected it will export all checked items, but when viewing a specific item type only checked items of that item type are exported.
- CSV export, fixed a bug preventing the recycle bin items from being exported correctly.
- Fixed an issue with the column sorting when sorting by integer value (eg filesize) for Recycle bin, event, jumplist and shim cache items.
$UsnJrnl viewer
- Changed to detection of MFT record size rather than using hardcoded 1024 bytes
- Added additional debug logging when scanning MFT records

V7.0 build 1004 24th September 2019

NEW Clipboard Viewer
- Added clipboard viewer to view current, historical clipboard items (where available) and pinned items
NEW AmCache Viewer
- Added AmCache viewer
Auto triage
- Added option to collect clipboard contents
Boot Virtual Machine
- Fixed unable to boot disk image located on network
- Added debug logging when querying mounted disks
Case Manager
- Added export clipboard contents to report
- Partitions encrypted with Bitlocker now shows "Bitlocker" instead of "Empty"
Create Index
- New indexer builds, fixed thread safety bugs with DOCX, PPTX, XLSX indexing with timing issues causing occasional "cannot open file" error on files when multiple threads are in use.
Disk Image and Filesystem Support
- Added support for the Stream Optimized sub-format for VMDK images
- Fixed possible crash when accessing invalid cache entries for for Linux EXT drives
- Added detection of sector size when reading GPT header rather than using default 512 bytes. 4K native (4Kn) sector sizes should now be detected for disk images. This resolves an issue where partition were not being detected in some E01 images. Background info: Since about 2012 most hard drives use 4K physical sectors, but nearly universally implemented 512 byte enumlation (512e). There are a tiny number of enterprise drives that are native 4K however without emulation. OSF now supports this 4Kn format.
Deleted Files
- Fixed Crash when OSF Terminates and the background Deleted Files cache thread is still processing items.
Prefetch Viewer (Program Artifacts)
- Renamed Prefetch Viewer on Start page to Program Artifacts and changed icon.
Registry Viewer
- Internal viewer should now handle large LI/RI Key Types. Should help open some registry files and display previously missing keys.
- Fixed crash when decrypting Windows Passwords (Key ClassName value was incorrect)
User Activity
- Added clipboard item collection
- Shimcache, fixed issue with Shimcache not showing details under File List tab and also when exporting to CSV, HTML, TXT.
- Added MuiCache to "Installed Programs" artifact list for non-live acq (i.e. drive images).
- Installed Programs , added programs and drivers found in AmCache.hve. (Initial support AmCache format of Windows 10 V1607 and up).
- Added right-click option to open system event viewer for event records, fixed double-click/right-click options for other activity types
- Fixed bug in MRU recent items file paths
- Support adding files from Downloads, Jump List, Recycle Bin, Shim Cache to Case
- Updates for adding items to Case and for tagging items
- Added some extra error message details if a shadow copy of a locked system file fails

V7.0 build 1003 23rd August 2019

Case Logging
- Only the first 100 characters of the case narrative will be written to the case log entry.
- Fixed bug. If Case Logging is enabled and a new log text entry was greater than 65536 characters, it could lead to crash and/or corrupt the log file. If entry is larger than allowed, the log entry (not actual contents) will now be truncated to fit.
Create/Search Index
- Added feature to increase Create Index threads up to 20 maximum
- Changed default indexing threads to 4 (based on benchmark results)
Deleted Files
- File Carving bug fix, some non-threadsafe functions could cause a crash during file carving due to multiple threads running at the same time which has now been fixed.
Registry Viewer
- Fixed issue with RegViewer displaying incorrect data for "Big Data" entries (were data was over 16KB for a single key).
User Activity
- Added MuiCache to "Installed Programs" artifact list. NOTE: working for live acquisition only currently.
- Added new artifact type “Shim Cache”

V7.0 build 1002 15th August 2019

Create/Search Index
- Fixed error reporting when indexer run out of memory, max pages exceeded or max words exceeded.
Misc
- Fixed a performance issue with direct access of hard drives / images from OSForensics. This was particularly apparent when looking up multiple results from a file search in a hash set or when creating a search index.

V7.0 build 1001 13th August 2019

Create/Search Index
- Fixed file extension count at end of summary. Previously the count of files indexed, per file type, wasn't always accurate when files where found in container files, like ZIP and CHM files.
- Fixed crash bug in Create Index Log window stack corruption, when there was very long lines in the log.
- Fixed bug in "Search Index" stopping search prematurely, not returning the full set of search results for large datasets
Create Signature
- Support for counting NTFS hard links for OSF devices using direct access. This avoids double counting of hard linked files.
Deleted Files
- Apply Filter button will be enabled as long as MFT has been scanned even if Search was cancelled during carving (a warning message will be visible that results are incomplete).
File viewer
- Fixed crash that could occur when rebuilding thumbnails (triggered by using an "Open file location" right click menu item in recent activity items)
User Activity
- Rewrote export to CSV function to export data as seen in each item's list rather than trying to have each item match a preformatted output. The new CSV file will have a section for each item type with a heading row and will be separated with a blank line (eg MRU item headings, MRU items, blank line, USB item headings, usb items etc). This means a lot more data will now be exported to CSV.
- USB, Fixed parsing of Unknown USB device in registry
- USB, Added parsing of "Properties\\{83DA6326-97A6-4088-9453-A1923F573B29}" registry key to determine USB first installed, last connected, and removal times
- USB, Added parsing of Microsoft-Windows-Partition/Diagnostic.evtx event log for USB connection/disconnection events
- USB, Added parsing of archived setupapi.dev.xxxxxxxx_xxxxxx.log
- USB, Added scanning of SYSTEM\CurrentControlSet\Enum\SCSI for USB connected SCSI disks
- Added scanning for files in "Downloads" folder and scanning drive for "Zone.Identifier" alternate stream and reading the "ReferrerUrl" and "HostUrl" fields. This can help identify files that were downloaded but moved to a new folder.
- Shellbags, started processing some more item types to retrieve more information when available
- Shellbags, fixed a bug where the top level of the disk path wasn't being cleared correctly in some cases when recursively processing the ShellBagMRU leading to malformed disk path such as Desktop\A:\B\C:\ instead of Desktop\C:\
- Windows search, fixed a crash that could occur in some older versions of the windows.edb database
- Windows search, stopped directory entries from being filtered out automatically, will now be displayed in the "directory" sub type
Misc
- Reduced program start-up time by deferring window initialization for each module to when they are first opened. OSF should launch around 3x quicker now.
- Fixed default drive not set properly on startup
- Fixed handling split image files, where the number of split file parts was > 1000 (.999 -> .1000 or .999 -> .A00). It really doesn't make sense to create split files with this many parts, but someone did it.

V7.0 build 1000 31st July 2019

Platform support
- OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.
Add Device
Android Logical
- Fixed issue where during logical copy, some directories were not being included.
Android Artifact
- Removed misleading text indicated "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
- Photo artifacts were only looking at the "data\\com.google.android.apps.photos\\db\\gph otos 0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advance viewing/search options.
- MMS extracted with OSFExtract will show recipients on the message.
Android Copy
- Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
- Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file. Which contains the addresses (recipients) for MMS threads.
Auto triage
- Added configuration options for logical image creation
- Moved deleted files report export to a separate thread to improve responsiveness
- Moved recent activity report export to a separate thread to improve responsiveness
- Disabled hashing of signature file list to improve responsiveness
Boot Virtual Machine
- Added ability to boot an image as a VM from OSForensics.
- Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
- Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
- Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted were you left off
- Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
- Added 'Boot Virtual Machine' icon to Start page
- User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
- Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use with ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
- VMWare 14,15 and VirtualBox 6 are supported as hypervisors
- Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
- Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
- Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files are required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) is known to have a problem.
- There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
- A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
Case Manager
- Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
- Defined new hash set flag level "major" for Project VIC
- Add info dialog when adding a Bitlocker-encrypted drive to Case
- Added new case item group for virtual machines
- Added case details tab for customizing category definitions
- Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
- Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
- Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
- Reporting, "Skip Empty" checkbox to do not include empty artifact categories in the generated reports.
- Add button for the Case Narrative (html) editor in the main Manage Case module.
- Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list
- When deleting a device that was the case default device the default device will now be set to the first device associated with the case or the C drive if there are no more devices.
- Removed "Results of forensics analysis" and "Executive Overview" headings from case narrative / auto triage report
- When removing categories, all case items belonging to category shall be unassigned
- Categories can now have optional "Notes" property
- Added button to manage categories, when adding/editing case items, can click on 'Category' link to manage categories
- When adding or editing case items, a new category can be entered in the Category dropdown
- Separated "Offences" list and "Categories" list. Defined a new "Categories" list that reflects more common categorization types.
- Fixed bug where downloads/attachments were not being loaded into case after OSF restart.
- Removed all options other than 'Delete' when right-clicking multiple selected items
- Fixed possible crash when sorting Case Item name
- Added missing 'Raw Disk' exports to generated report
Create Index / Browse Index
- New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
- Updated indexing engine, with lots of more minor changes for handling different file types & performance.
- Added ability to skip pre-scan when creating an index
- At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
- Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
- Fixed bug with substring searches applying within exact phrases
- Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
- Fixed Check/Uncheck all buttons not affecting new file type options
- Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
- Fixed bug with filenames not being indexed for PDF files and other plugin formats
- Improved error messages when failing to launch indexer
- Fixed "Failed to add folder" bug with Create Index -> Add folder
- Fixed bugs with handling multi-partition images
- Fixed bug with Index names ending with "." which caused various failures
- Fixed indexing unallocated clusters for entire disk images
Create Signature
- File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
Compare Signature
- Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
- When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
- Added a new difference type of "Attributes Modified"
Deleted Files / File Carving
- Hashing of files will only be performed for non-empty files (0 byte files are skipped).
- Improved responsiveness by not redrawing window if not visible
- Fixed a lockup that could occur
- Added new status tab while scanning to show number of files (grouped by extension) found/recovered.
- Removed message dialog when no files are found
- Checkbox added to enable/disable extensions for file carving.
- Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
- Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes only at the beginning of the sector.
- Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
- Updated JPG file header definition to decrease number of false positive when carving.
- Added definition for SQLite files
- Added definition and extractors for Intel based Assembly Files (.asm)
- Added definition and extractors for .torrent, .nef (Nikon RAW Image), .orf (Olympus RAW Image), .arw (Sony RAW Image) and .raw (Lecia/Panasonic RAW Image) formats
- Added header definition for FUJI Raw Image Format (.raf) and Mobile Video Format (.3gp).
- List view in Status Window showing total files found is now sortable.
- Fixed issue when "Applying Filter" was not returning (stuck in loop).
- Fixed issue with double counting files with simliar header pattern.
Drive preparation
- Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
Email Viewer
- Fixed UI issues when minimizing and restoring windows
ESEDB Viewer
- Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
- Columns can now be sorted by clicking on the column heading
- Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
File Name Search
- Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
- Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
- Change the module icon from "disk" to "binocular" to be consistent with the main menu.
- Config, fixed bug where hash sets were not populating in the drop down selection.
- Added right-click option to show only checkmarked files.
- Added ability to include additional folders and/or exclude folders from the File Name Search.
- When switching cases, any previous search result previously performed will be cleared.
- Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
- Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
- Started saving column ordering, visibility and size in OSF config file
- Fixed default title not being updated when adding multiple files to case
File Previewer/Image viewer
- Added support for single image HEIC files
File System Browser
- Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
- Fixed hidden scrollbar when minimizing/restoring the window
- Fixed vector Out of bounds crash
Forensic Imaging
- Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
Forensic Copy
- Added option to add individual files to the image list instead of just only folders.
- Improved performance of looking up duplicate paths by keeping track of hashes
- Fixed copy operation not aborting after pressing 'Stop'
- Changed source list view to owner draw for better performance
- Moved total file size calculation to a separate thread for better response
Hash Set
- Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
- Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
- Added support for importing V2.0 format VIC hash set.
- Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
- Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
- Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
- Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
- When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
- Made error message more descriptive on import failure. Fixed bug holding hast set open after failure to import that was preventing deletion.
- Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
- Added "Delete" option from Hash Set Viewer window (right click menu)
- Added confirmation message box when deleting a hash set
- Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
- Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
- Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
- Improved error message when failing to open .OSFHashSet file which is read only
- NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
- Added support for highlighting files as "PF_IN_HASHSET_MAJOR" for Category 2 files
- Changed "Look up Hash Set" dialog to not close window when user cancels look up.
Install to USB
- Added option to exclude password recovery dictionaries and rainbow tables from USB install
- Changed out of space error message to use MB instead of bytes
- Added option to include Hash Sets to be exported during install.
Internal Viewer
- File Info, added text to indicate if the file does not exist at the location
- Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
- Added preservation of 'create' and 'access' times, when available
- Fixed contents of certain .rar files not being displayed (RAR5)
- CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
- Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
- Hex View, fixed bug where hex view would not load and return "Unable to open file: File access is denied" when a file failed to open the underlying disk in raw mode (to load slack space). Show Slack Space is not available for resident MFT files or files on devices not added in forensics mode within OSForensics.
- Hex View, will extract strings in file slack space if show slack is enabled.
MemViewer
- Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
- Raw Memory Dump, added progress bar and estimated time remaining.
- Updated volatility compiled executable to 2.6.1 and volatility workbench to 2.1.1000 to support new profiles for Win 10 builds 17763 and 17134
OSFDevMgr
- Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
- Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
- Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
Password Recovery
- Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
- Made some changes so the registry reading code at this point so it is now thread safe and will work better with the auto triage.
- Started saving column ordering, visibility and size in OSF config file
- Changed LM/NT references from "(disabled)" to "(empty)"
- Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
- 40-Bit Encryption, fix for parsing output of 40-bit file.
- Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
- Enabled debug logging for run_server.exe when OSF is ran in debug mode. Log can be found in run_server.exe directory while running and then is moved to the OSF documents folder when finished.
- Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
- Fixed bug where checked item count was not being reset if "Acquire password" was clicked again
Prefetch Viewer
- Added all available run times to results list and exports
Raw disk viewer
- Fixed incorrect GPT 'Partition name' in Data Decode window
- Added option to select where (beginning, current position, end) to jump from when jumping using bytes or sectors. (Using a negative sign will jump backwards.)
Recent Activity – Renamed to User Activity
User Activity
- Addition of System Resource Usage Monitor (SRUM) database scanning, will display items from the Application Resource Usage, Network Usage, Network Connectivity and Push Notifications database tables.
- Made the user activity navigation pane with the Tree view resizable.
- Started encoding HTML special characters (eg <>&) in the HTML output for some items when exporting
- P2P, Fixed crash when running on Ubuntu drive
- Changed "Show empty activity types" checkbox to default to on so empty types are displayed
- Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
- Installed programs, added date collection using the InstallDate registry value when available and when not available uses the last write date of the registry entry
- No longer stopping the windows search service when the windows search option is selected for a live system scan
- Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
- Added the Last-Visited and Open/Save MRU's to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersi on\Explorer\ComDlg32\OpenSavePIDlMRU
- Added the other 7 run time stamps for Prefetch Files (for 8 total).
- Fixed bug with non-ascii characters for recent activities that use a sqlite database (mostly browser - chrome, firefox, opera - activities)
- Added Event Log Login Types description
- Added MRU Adobe Acrobat Reader DC Artifacts
- Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
- MRU, Fixed crash when parsing Window's XP Registry files for OpenSave and LastVisit MRU
- Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
- Added checkmarks besides each artifact category. Users can then deselect any artifacts they don't want without going into the config settings.
- Added +/- expand collapse for artifacts that have subcategories.
- Add subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
- Fixed bug where the number of checked items links was not being shown in the File List Tab.
- Added VLC artifacts for Windows and OSX/Mac
- Added Windows Media Player Last played and folders artifacts
- Added Mapped Network Locations from HKCU\Network
- Opera, fixed opera version being read incorrectly for new versions of opera
- Opera, fixed bug stopping opera password data being read correctly
- Fixed an issue seen where no Chrome information could be retrieved when doing a live scan due to not being able to get the current windows user/profile/known folders
Registry Viewer
- Unknown value data types will be shown as hex data by default (previously the data was not displayed at all. Useful for looking at Windows Store App's settings.dat file which are special registry hive with non documented value data types).
System Information
- Removed "Get" from the Registry Commands.
- Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
- Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
- Added a quick search box to search the text of the current result tab.
- Added full name, description and password hint to “Get user information (Registry)” output
- Fix to process "Enter" key notification while using the Find Text Control.
Thumbnail View
- Items found in hash set are now entirely highlighted (not just text)
Web Browser
- Updated video download script to support recent changes at Youtube which broke video download feature.
Misc
- Consolidated Red/Green/Yellow bookmarks into single generic bookmark
- Renamed 'bookmarks' to 'tags'
- Added 'tag' icon to replace previous 'flag' icon
- Made some changes so OSF will start as the top most window (sometimes it would start in the background)
- Updated help file
- Fixed bug with unable to access Case devices as underlying drives. This caused problems reading from Bitlocker-encrypted drives
- Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system where not reflected in File System Browser due to caching.
- Updated 7zip DLL
- Better reporting of SQL errors with hashset databases
- Fix for bug with scroll bars in Compare Signature and Browse Index
- New logging engine when using DEBUGMODE. Has more detail and has less overhead.
- Changed warning message to be less severe when registry SAM permissions need changing on live system (for recent activity and password recovery)

V6.1 build 1005 28th Nov 2018

Android Artifacts
- Fixed bug with incorrectly listing call type (e.g. Incoming, Missed, etc..)
- Combined/Cleaned up contacts list. Contacts with same RawContactId are combined into a single listing (previously there was one entry per email, per phone, etc)
- Updated OSFExtract Android App to V1.0.1002
File Name Search
- Fixed a crash that could occur during a search if none of the file details columns were enabled
Misc
- Added some sanity checks to the customised column config file save/reload prevent situations where all the columns are hidden
- Updated help file for Android Artifact and OSFExtract Android App

V6.1 build 1004 13th Nov 2018

Android Artifacts
- Fixed possible crash when scrolling through messages. Message scrolling in general should be smoother.
- Internal changes in preparation for collecting pictures from MMS Messages, data from call log and contacts.
Auto Triage
- Made auto triage tooltips a bit smaller to better fit buttons on dialog
Create index
- Fixed bug for Create Index Status GUI (unable to click "Save configuration" button) with high DPI setting
- Fixed support for Win10 Bitlocker encryption
Raw disk viewer
- Fixed default case drive not being displayed after switching cases
Misc
- Fixed bug where "Entry Point Not Found : The procedure entry point CancelSynchronousIo could not be located in the dynamic link library KERNEL32.dll" could be displayed on old versions of Windows (pre Vista)

V6.1 build 1003 26th Oct 2018

Auto triage
- Fixed a crash that could occur when collecting recent activity items
Case management
- Added debug output when attempting to load a bitlocker encrypted drive
- Fixed a scaling issue with the generate report dialog not displaying correctly when high DPI scaling override settings were in use
Recent activity
- Fixed a crash that could occur when collecting Opera form history
- Fixed a crash that could occur when collecting USB information in windows 7 for live acquisition
- Fixed a bug where filters weren't applying correctly to URL history and downloads.
Misc
- Added support for newer versions of BitLocker. XTS-AES 128 support was added. This became available in Windows 10 (build 1511)

6.1 build 1002 16th Oct 2018

Create Index
- Fixed bug with indexing BitLocker encrypted drive
Disk Test
- GUI High DPI Scaling issue fixes (when user sets Application High DPI Override)
Forensic Imaging - Logical
- Removed CREATE_VIRTUAL_DISK_FLAG_FULL_PHYSICAL_ALLOCATION flag when creating virtual disk file. Pre-allocating disk space may cause the system to stall especially for large disk images.
- Fixed progress bar shifting backwards after a file copy is complete
Recent activity
- Changed file list output of Windows explorer - recent items type so it no longer overlaps the next entry
- Fixed a bug where the vertical scrollbar was not refreshed correctly when switching between the file details and file list tabs
- Added location of "Windows Event Log" for windows event items retrieved from a live scan
Timeline
- Restored 'Show these files' option in right-click menu
WinPEBuilder
- Updated to V1.2.105, fixed issue where the build process would fail if there was a space in the Temp work directory.

V6.1.1001 - 9th Oct 2018

Raw disk viewer
- Added right-click menu to export/add decoded master file table (MFT) to case
Internal viewer
- An error message is now shown when there is not enough memory to extract strings. Previously it would silently stop the extraction process in a low memory situation.
- Added, File load in progress, status text when loading large text files
- Fixed slow load when attempting to open a large file in the File Viewer tab
File system browser
- Added new columns for NTFS $FILE_NAME dates. Added checkbox under Tools->Options to show/hide $FILE_NAME dates. So up to 8 dates per file are now displayed. This is useful for detecting fake time stamps.
File Name Search
- Files found in file name search can now be added to a logical image (VHD) via check boxes and right click options. This provides a fast method to, for example, dump all JPG files to a logical image.
Create Index
- Updates to handle indexing Apple's APFS file system - now with support for encrypted volumes.
- Bug fix - PST EMails with long headers didn't get all the text in the header indexed. This was a regression, but is now fixed
- Thread status now updates more often when indexing inside containers (like Zip files). So progress is more obvious and the indexer doesn't appear to be stuck on large container files.
- Improved handling for hidden $ system files, like $BadClus, $Extend when indexing.
Misc
- It is now possible to export timeline graph to a PNG image file or copy to clipboard via right click on the graph.

V6.1.1000 - 27th of September 2018

Case Manager
- New feature: Paste Clipboard to Case. Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This provide an additional method of capturing web pages.
- Added support for mounting an image file as a "group" device. Partitions are listed as a folder of the top device.
- When displaying the volume shadow info to add to case, the creation time now includes the GMT offset
Create Index
- Updates to handle indexing Apple's APFS file system (indexing encrypted volumes is not supported, but coming soon).
- Fixed multi-threaded indexing problems with some image filesystems such as EXT2
- Improved memory estimation (was previously not including some offline buffers)
- New "broad numeric matching" feature. Allows for better searching of currency values and part numbers with hashes in the number.
- Added Precognitive Search feature, return matches for trigger keywords during the "Create Index" process. So you don't need to wait for the indexing process to be completed before seeing the search results. It is also possible to use pre-made word lists with the Precog search.
- The concept of a template has been removed, instead you can now save and load previously used configurations. Some of the advanced template options, like extreme binary string extraction and stemming are now on Step 2 of the create index process.
Deleted Files
- Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module.
- Partial support for scanning "group" devices for deleted files
- Fixed buffer overrun crash when parsing slack space for $I30 record
Email Viewer
- Single Email Viewer can view Gmail email stored within Android mailstore.username@gmail.com.db.
File Name Search
- Fixed a bug when searching for deleted files
File System Browser
- Fixed crash with internal viewer when clicking prev/next after file system browser is closed
File system support
- Apple's APFS file system is now supported. Including support for compression (zlib & lzvn) and encryption. So you can browse and search files from a Mac machine in Windows.
Forensic Imaging
- Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in images larger than 100GB in size and more than 64 files being unreadable.
- Added copy Logical Android Image. Will obtain files off Android device using 'adb pull' command over a USB connection. To use this with a device connected over USB, you must enable USB debugging in the Android device system settings, under Developer options. So the device needs to be unlocked to do this.
- Fixed image type not displaying correctly for unicode filenames
Hash lookup
- Fixed hang when error occurs while attempting to read from deleted files
Install to USB
- Updated WinPEBuilder used for self boot USB, added option under Program Tab to allow selection of Storage Area Network (SAN) Policy. The recommend setting for OSForensics is, 3 - Doesn't mount storage devices, to prevent introduction of artifacts. However, if you need access to disks, e.g. external disk drive to image to, you can change it accordingly
Internal Viewers
- Started saving viewer x,y positions (previously was just size) in config file and will restore them to the last position on next open
Internal Viewer - File Info
- When viewing compress archived (e.g. .7z or .ab), added right-click option to save file to disk.
- Show the total/used/free space for "partition" folders. Show the disk size for devices/partitions
- Fixed multithreading issues with sharing a handle to a video file. This potentially can cause a crash.
- Added checkbox to link the selected file in the list (file name search, mismatch search, etc...), and the current file in the internal viewer. This allows for faster selecting and previewing of pictures.
Android Artifacts
- Addition of new module to scan for android mobile device information. A limited number of artifacts are supported in this release. Additional data will be extracted in future releases.
- Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)
- Initial support for password encrypted android backups. When opening file in FileViewer, OSF will prompt for password and attempt to decrypt the backup.
Password Recovery
- Fixed crash when running windows login / password search simultaneously due to shared global variable
- Fixed bug with list view column widths not being saved correctly, could cause URL column to be incorrectly hidden and column widths to be reset each time OSF was started.
- Now displays available dictionaries before file is selected, will display an info message when a 40bit encrypted file selected (which don't use the dictionaries).
- Added a "Add Dictionary" button that will copy a selected text file to the OSF dictionaries folder and create a simple default definition file to use the dictionary
- Renamed folder where pre-installed and user dictionaries are stored (from PDF to Dictionaries)
Raw disk viewer
- Regular expression searching, made a change to prevent an infinite loop when a partial match was found
- Added clickable link for File Rec#
- Fixed bug with jumping to an LBA from the MBR/GPT
- Added option to jump to MFT record
- Added decoding of $FILE_NAME attribute
- Added decoding of NTFS attribute common header
- Added support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
- APFS GPT partition GUID now detected and displayed in Data Decode window
- APFS file system string now properly displayed in Disk Info window
- Fixed excessive quotes for 'Context' field in exported CSV
- Replace unprintable characters with '.' when displaying context
Recent Activity
- Now collects more information from LNK files (Windows Explorer - Recent Items) such as volume name, volume serial and link target create/access/modified dates
- Fixed a bug where subitems counts in the treeview was not actively reflecting the actual filtered counts.
- Made a change so windows timeline entries always display the same amount of lines in the file list tab for consistency
Report Templates
- Updated report templates to include Mobile Artifacts
SQLite Browser
- Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).
- Fixed bug that prevented additional sqlite viewers to be open even after closing opened sqlite viewers.
- Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.
Start/Navigation
- Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case
- File and Hex Viewer, will now open File Preview Tab as default.
- Reordered the left side buttons. Removed Android Artifact and About button from the Navigation Menu, but still accessible from the Start page. User Workflow configuration setting will reset to defaults with changes upon first starting V6.1.1000
System Information
- Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry
- Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module
UsnJrnl Viewer
- Fixed incorrect filenames due to incorrect length truncation
Web Browser
- Export Webpage Dialog can be resized vertically to fit smaller screens.
Misc
- Added support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appears as folders under the parent device
- Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list
- Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space

V6.0.1004 - 17th of July 2018

Create Index
- Fixed out of bounds exception
- New indexer build to address issues with multi-threaded indexing from ext2 image (and possibly other filesystems)
Volatility Workbench
- Fixed issue with edit boxes.
Misc
- Fixed a bug preventing the workflow from being customised correctly

V6.0.1003 - 10th of July 2018

Create Index
- Added RAM check before proceeding with user specified Create Index Size Settings. Without this, users may have proceeded with size settings that led to exhausting their RAM and the indexer crashing.
Search Index
- Fixed bug when searching index containing file types: binary files, recycle bin meta, or email attachments.

V6.0.1002 - 6th of July 2018

Case Manager
- Reduced memory usage of path flags structure
- Case logging now enabled by Default
Create Index
- Fixed memory (handle) leak in Win10 caused by bug in ShellExecuteEx() in certain builds of Win10. Replaced with CreateProcess() calls.
- Improved error messages regarding "Maximum file size limit exceeded..." to show file size.
- Improved various error messages to show both actual temp file path and file being indexed
- Fixed bug with Pre-Scan count displayed being much bigger than the actual count used. Did not affect pre-scan result.
- Minor changes to fix "(Win10 only)" text for the "Use OCR" checkbox appearing in Win10 builds
- Improved accuracy of URLs being reported in the Create Index Status
Deleted Files
- Added sort By FG and BG color.
File Name Search
- Improved performance by doing fewer string compares/copies if wildcard '*' is used
Hash Set
- Added a "skip files smaller than" option when creating a new hash set to avoid creating hash sets which match the large amount of small byte files on a system
Image Viewer
- Initial Support for Non Password protected logical Android Backup files (.ab) allowing Image Viewer to be able to browse contents of Android Backup Files (.ab).
Internal Viewer
- Added BitLocker Recovery Key RegEx pattern to Filter Presets for Hex File Viewer

V6.0.1001 - 25th of June 2018

Note: Build 1001 was made shortly after build 1000 to fix a day 1 indexing bug
Case Management
- Added "Export case" feature
- Added a list of reports that have been generated (in case directory or last known export directory)
- When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
- Changed list view to allow groups (devices, reports, files etc) to be collapsible
- Added last access date to case management when case is loaded
- Fixed error copying files with long file paths in when a report was created and the report contained deep / long paths.
- Fixed a bug when creating a case report that was leaving a file handle open
- Added support for encrypting PDF report
- Added predefined offenses list to 'Offense' drop down list when creating/editing case
- Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
- Case Details Dialog, will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
- Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
- Re-added "E-mail Delivery Time" to report and the associated timezone
- Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
- Report production progress window was added to show some progress activity when very large reports are produced.
- New Command Line Parameter to load a specific case (-C <PathToCaseFolder>), if path does not exists or CaseDetails.OSFCase file cannot be found, OSF will default to loading the the last case used.
- Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links where broken when a report was produced.
- Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
- Fixed special characters not being escaped when generating reports
Create index
- New indexing engine (Zoom V8 with multi-threaded offline indexing)
- Much better indexing performance (3x speed increase)
- Updated Create Index interface with new file type selections,
- New "Memory optimization / Indexing Limits" step to bypass Pre-scan
- Added support for user configurable number of indexing threads (up to 10)
- Added options to enable RAM drive for temporary files
- Improved RAM estimations and Indexing Limits settings
- Improved indexing Status interface
- Updated OSF interface to show multi-threaded indexing
- Updated OSF Create Index options to offer more control with file type selection
- Removed unnecessary indexing warnings
- Added count display for Prescan
- Added thousands grouping for large numbers shown in Create Index windows
- Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
- Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
- Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
- Fixed a bug with indexing the compete content of Emails in PST files that were text only EMails.
- OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.
Deleted Files
- Column ordering, visibility and size now saved in OSForensics config file
- Configuration options now saved in OSForensics config file
- Fixed a crash caused by logging a magic number incorrectly when getting deleted files
- Fixed uncaught exception error when loading MFT for some OSF devices
- Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
- Added check for buffer overrun when looking for slack $I30 entries
- Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
- Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
- File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
- File Carver, TIFF/CR2 extraction should be better.
Disk Imaging
- Added extra check if the first read fails when verifying the image created.
- Previously if the disk did not contain a valid MBR this would cause it not to show up in the list (as it would have no partitions) But the disk might be file system boot sector. These disk are now correctly shown.
- There is now the option to specify primary and/or secondary hash functions for imaging disk. So the user can select SHA1 instead of just MD5. Or calculate two hashes at the same time.
Disk Preparation
- Can now wipe BitLocked drives. Previously these drives appeared to be lock and could not be formatted.
- In case of a physical drive failure, additional error codes have been added to the status window
Disk Test
- Fixed issue with formatting as FAT32 on small drives.
- Fixed Crash when formatting as FAT32 fails.
E-mail Viewer
- E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
- Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
- Fixed bug where case item title set to '<Use item name>' when selecting 'Use same details for all'
File System Browser
- Added right-click menu option to jump to MFT record in the raw disk viewer
- Fixed stack overflow when attempting to add device to case
File Name Search
- Added an "Uncheck all" menu item to uncheck currently selected items
- Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
- Column ordering, visibility and size now saved in OSForensics config file
- Removed folders from results when filtering using hash set
- When filtering using hash set, fixed bug with current file being added to results after cancelling search
- 'In hash set' flag is now set for results when hash set is used and made active
- Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
- Re-arranged configuration dialog
Forensic Imaging
- Re-arranged tabs
- Create Image, for physical disks, disk model and serial number are now saved in the info file
- Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
- Device & SMART Info, Added support for export and adding report to case
- Device/SMART Info, added mouseover tooltip descriptions for SMART attributes
Forensics Copy
- Moved allocation of virtual disk image to thread to prevent system from being unresponsive
Hash Set
- Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
- Fixed deleted hash set databases appearing in the file name search config drop down box
- Re-organised buttons in main window
- Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
- Added default database name when importing VIC data set
- Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
- Fixed hash set operation LED still "active" when there's an error
- Fixed number display and file size formatting to be more readable for large import files (> 4GB)
- When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)
Hash set lookup
- Added right click menu option to open files in internal viewer
- Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
- When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
- When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.
Install and run from USB
- Added help Link
- Added separate "temp build" directory field when using WinPEBuilder.
- Updated WinPE builder to deal with new latest WinPE10 changes
Internal File Viewer
- EFS Support (encrypted file system). When an EFS file now opened in the file viewer a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
- Hex View, added right-click option to add selected strings to case (as HTML file)
- Fixed potential mem leak when generating video thumbnails
- Fixed potential concurrency issues when loading videos
- Added OCR view (Win10 only)
Memory viewer
- Column ordering, visibility and size now saved in OSForensics config file
- Added button to add memory dump to case
- Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
- Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.
Mismatch File Search
- Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV
NSRL Hash Import
- Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
- Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
- New NSRL import config window to specify input and (temp) output folders
- Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
- Updated help file with info about allocating enough space on a RAM drive.
- Status now displays percentage counter during file importing
Password Recovery
- Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
- Column ordering, visibility and size now saved in OSForensics config file
- Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as FireFox have started distributing as 64bit).
- Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
- Registry Passwords , added support for win10 anniversary update for live system in Forensics mode
- Removed a "File not found" error when running the windows password search on a non system drive
Prefetch Viewer
- Added right-click option to export selected items to CSV
Rainbow Tables
- Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being past to format string when secure case logger was enabled
Raw Disk Viewer
- Added progress window when carving to file
- Renamed 'Decode' window to 'Disk Info'
- Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
- Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
- Clicking on file paths now open the internal viewer
- Clicking on LCN/offsets now jump to the offset in the raw disk viewer
- Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
- Fixed crash issue when sector size could not be determined
- Fixed right-click "Jump to offset" not working some of the time
- Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.
Recent Activity

Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
"Show empty activity types" checkbox to default to on so empty types are displayed
Results are now sorted by Date (desc order) by default
Fixed possible crash when reading jumplist info
Added function to collect new Win10 Timeline database for artifacts
Added more displayed information for windows event items.

Registry Viewer
- Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
- Fixed a possible crash when processing a registry file
SQLite Browser
- Will checks for Skype Sqlite database files during "Scan for DB Files".
- Resizeable Dialog/Controls
- Option (enabled by default) to convert known timestamps to readable format
- Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
- Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive
System Information
- A new tab is now created for every new system information command
- Added option to restore command lists back to default
- Added "Recovery of Bitlocker Keys" to command list
- Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
- Added support for Embedded Python 3.6.5
- Removed the "Get" from the start of some item names.
- Changed button text from 'Add...' to 'New...' when adding new commands
- Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
- Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
- Re-organized controls
- Added command to get current clipboard contents
- Added command to get anti malware (windows defender) software status
- Added command to get current TPM status
- Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
- Fixed crash possible with getting printer info when system returns bad information.
Triage Wizard (now renamed to Auto-Triage)
- Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wan't ready for you.
- Added option to create logical image with known system files
- Added agent help text when mouse is hovering over a control
- Added a free disk space check (for at least 1GB + memory size if memory dump selected)
- Fixed a unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
- Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
- Fixed a crash caused by trial limitations when running the triage wizard
Web Browser
- Added status bar to browser.
- Can now select export format as Web Archive Format (.mht) when exporting webpage.
- Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
- There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
- Added a progress indicator for downloading large files.
Misc
- Added colour coding of encrypted files displayed in a file list
- Added exit confirmation message
- Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
- Fixed a long delay at startup when not running as Admin
- Removed agent icon from feature description text on start window
- After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
- Changed how temp files are stored, each thread now has a temp folder
- Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esetutl as was timing out during triage runs
- To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
- Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
- Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging

V5.2.1007 - 16th of March 2018

Recent Activity
- Fixed an error that could display when a jumplist was finished being processed
Registry Viewer
- Fixed a crash that could occur when reading a registry file

V5.2.1006 - 26th of February 2018

Case Manager
- Report Fix, if the background thread copying files for report didn't exit cleanly OSF may warn of background activity when quitting.
Case Details Dialog
- Fixed bug that might cause case narrative text to be reset to default when editing case details.
- Will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
Case Export
- Changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.

V5.2.1005 - 22nd of February 2018

Disk test
- Fixed a crash when formatting as FAT32 fails.
- Fixed an issue with formatting as FAT32 on small drives.
Deleted Files
- Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
- Fixed an uncaught exception error when loading MFT for some OSF devices.
- Fix a Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
- Fixed error box appearing when failing to read non-resident MFT attributes (eg. LCN is invalid as the MFT attribute has been overwritten). Instead, the error is logged and the search silently continues
- When parsing $ATTRIBUTE_LIST, buffer is now properly allocated according to the size of the attribute. Previously, this caused an assert error to occur due to the buffer size being too small
Internal Viewer
- Fixed potential memory leak when generating video thumbnails
- Fixed potential concurrency issues when loading videos
Mismatch File Search
- Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV
Password recovery
- Removed a "File not found" error when running the windows password search on a non system drive
System Information
- Fixed a possible crash when getting printer information
Triage Wizard
- Fixed an uncaught exception error that could occur when running a scan on a non system drive (eg D) and having only windows passwords selected.
- Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found

V5.2.1004 - 14th of December 2017

Case Report
- Added dll required by wkhtmltopdf.exe to installer to prevent an export to PDF error error seen on windows 8
Rainbow Tables
- Fixed crash occuring when cracking hashes from a pwdump txt file when secure case logger was enabled
Recent ACtivity
- Fixed a crash that could be caused by 0 length entries when processing Jump lists items
Triage Wizard
- Fixed a crash caused by trial limitations when running the triage wizard
Misc
- Improved how temp files are stored to make it more threadsafe (eg when running multiple tasks using the Triage Wizard)

V5.2.1003 - 23rd of November 2017

Browser Passwords
- Fixed a crash that could occur when there was more than 50 Firefox username/passwords
Disk Imaging
- Allow continuation of imaging after encountering too many bad blocks (1000).
- Added extra check if the first read fails when verifying the image created.
System Information
- Fixed crash possible with getting printer info when system returns bad information.
- Fixed a crash in some cases when getting the computer name from the registry
Misc
- Fixed bug where navigation bar icons were incorrect for items near the end/bottom.

V5.2.1002 - 3rd of November 2017

Deleted File Search
- Fixed a stack corruption crash
SQLite Browser
- Fixed issue where OSF wasn't able to extract blob contents for sqlite tables created using WITHOUT ROWID.
Forensic Imaging
- Fixed error when attempting to image a locked Bitlocker-encrypted drive. Instead of opening the drive letter (eg. 'C:'), the underlying physical disk (eg. \\.\PhysicalDrive0) is opened instead
File Index
- New Zoom indexer build with added support for indexing .sqlite, .sqlite2, .sqlite3 and and identifying SQLite files with no extensions
Misc
- Made some changes to how temporary files are created to make them thread safe (to prevent multi threading issues when using the triage function)

V5.2.1001 - 18th of October 2017

Recent Activity
- Fixed a crash that could occur when adding a filter when something other than "All" was selected in the treeview
Triage wizard
- Added "Manually carve files in unallocated clusters" suggested action
- Added "Generate new HTML report" and "Generate new PDF report" suggested actions.
- Fixed SysInfo "# commands completed" not updated properly on completion
- Fixed wording of several "Suggested Actions"
- Fixed BitLocker detection results appearing in System Information results
- 'Manually search' suggested actions now automatically start the corresponding search
- Auto-generated HTML/PDF reports are now saved in separate "Triage PDF Report" and "Triage HTML Report" folders respectively
- Fixed underline/cursor/text colour confusion for list view text that are not links

V5.2.1000 - 10th of October 2017

NEW Triage wizard
- Wizard launch icon on Start page. Huge amount of data can now be rapidly collected by inexperienced users with single click.
Customize workflow
- Now also removes icons from the Start page (and the menu)
- It is possible to lock down the workflow with a password so inexperienced users can't re-enable all the features so easily.
Case Manager
- Items added to a case can now be categorized into a type of Crime, this list can be customised by editing the "Categories.txt" file in the ProgramData folder.
- On the "add to case" dialog when using the "Use same details for all" option if the title has not been changed by the user a special <Use item name> flag will be displayed. This will then be replaced by each item's name when added to the case.
- PDF reporting bug fix.
- Fixed sorting by clicking on title in Case Management window.
- Added new tag  to customisable reports for generating Case Info table. Only non-blank fields shall be outputted
File Index
- Fixed a buffer overflow bug due to illegally long filenames in ZIP files
Recent Activity
- Started sanitising the HTML output for some items when exporting to HTML so that HTML special characters (eg <>&) are safely encoded.
Thumbnail Viewer
- Now has a faster option to switch between the various thumbnail files found on drive via a drop down list.
Drive preparation
- 1 click drive preparation function. Can wipe, verify, format drive with 1 click. A log file is also now written to the drive recording the preparation steps.
Hash Set Lookup
- Added check if SHA256 hash is stored in the hash set. If not, SHA256 is not calculated. This saves a small amount of CPU time.
Email viewer
- A bug fix for parsing some rare corrupted PST flies
Misc
- Correction of various multi-threading bugs, which came to light when running a large number of tasks simultaneously.
  - Registry access code wasn't thread safe & could crash if multiple tasks were reading registry entries at same time, especially password recovery.
  - Caching of disk's MFT into RAM didn't work well with multiple threads. Solution was to enlarged cache slightly and unified it into a shared cache. Multiple threads should run significantly faster than before.
  - Some handles to various internal resources were not being free. Resulting in memory leaks and possible crashes.
- Even larger cache sizes and more advanced cache lookup algorithm to speed up various operation that involve reading MFT (is a RAM usage / speed trade off). Slightly more RAM is used, but disk operations are faster. For example file name searches are now 33% faster.
- Some help file updates
- Fixed up the opening of the Help file to get the navigation menu showing again. The Edge browser in Win10 unexpectedly broke some of the help functions.
- Fixed a crash in the 32bit version when trying to start a filename search

V5.1.1003 - 28th of August 2017

File Index

New Zoom indexer build, fixed bug that was failing to index particular .OST and .PST files with compression.

File Name Search

Fixed a crash which could occur in the hash set lookup function when the hash set being searched contained very long string lengths.
Thumbnail View, flags are now custom drawn to increase the speed when updating path flags, for example when doing hash matching.

Hash Lookup

Added support for 'Modeless' dialogs for hash lookup for multiple files. This allows other modules in OSF to be used simultenously with hashing in background.
Fixed dialog resizing screen corruption issues in the hashset lookup window
Reduced the frequency of update to the user interface when hash operation is running to improve speed. It looks slower, but is actually much much faster.
When performing a hash set lookup for multiple files, 4 threads and a larger block sizes for disk reads are now used in order to increase performance. For large hashsets, with a fast SSD, performance improved 5 fold.
Added a limit of 1000 file set matches returned for a single file hash lookup. So 1 file on disk can now not match more than 1000 applications. Previously a zero length file would match 500,000 applications in NSRL list.
Added a limit of 5 file set matches returned for multiple file hash lookups file set results a hash set lookup for a single file will return which improves speed dramatically when hash set or files being looked up contain matches in multiple files sets (eg when searching for file hashes in a set containing millions of records such as NSRL hash sets)
Added caching of 0 byte / empty (contains only 0's) files to speed up multiple hash set lookups. Zero length files appear around 5000 times on a typical hard drive. So this can save 5000 slow database queries.

Hash Sets

Added a "Properties" right click menu item to display a dialog with some information about the hash set (disk location, number of product types, file sets, files).

Password recovery

Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character

Recent Activity

Fixed a bug where shellbag information was not being retrieved correctly when using “Scan drive” C: instead of live acquisition.
Fixed a CSV formatting error when using the Copy row(s) to clipboard function if an item contained a ',' character
Fixed a bug where the last connected date of a USB item could be different in Live search when compared to a C:\ search

V5.1.1002 - 8th of August 2017

Add File To Case function

The copied files in the case folder should now have the same filetimes as the original source file.

Case Manager

Fixed Accessed & Attribute Modified file times not being stored in the OSFMeta file
Case meta item file, added two additional fields (where available): Last Access Date, MFT Modified Date

Deleted Files Search

Fixed changing of 'Date filter' combo box in Timeline view not updating the chart

File Indexer and searching

New Zoom builds fixed crash bug with indexing EML/MBOX file containing attachments of EML/MBOX files

Internal Viewer

Fixed info text for files that belong to the case
When opening a file added to a case, the original folder and file times are now displayed (obtained from the OSFMeta file). These attributes are highlighted in a different colour along with an information text.
For image files, size and file times have been removed

Internal Viewer - Hex View

Split IP address regular expression into IPv4, IPv6 standard notation, IPv6 standard + compressed notation

Recent Activity

Updated installer to include an alternate version of esentutl to use in the case of "Dirty shutdown (-550)" errors for ESEDB databases (eg from Windows search, Edge) that could sometimes cause the esentutl version installed locally to crash leaving the files in an unreadable state

Misc

Updated help file with internal viewer changes

V5.1.1001 - 7th of July 2017

Case Manager

Fixed bug when specifying a custom location for a case.

V5.1.1000 - 6th of July 2017

Case Manager

Added ".mem" extension when selecting image file to add to case
Chain of Custody Report Template - Rearranged template fields, added signature field.
Generate Report - Allow option to generate Chain of Custody report along side Case Report.
Overhauled Chain of Custody reporting. Expanded the Edit Case dialog window with tabs to allow additional case data, such as Offense type, Legal Authority & Suspects Name to be entered.

Create Index

Added '.qbb' (Quickbooks) file type to the list of 'Other supported file types' category. Note that only file name will be indexed.

Create Signature

Deleted files can now be included in the signature from the config window. Hashing is also supported for deleted files (but not for $I30 slack entries)

Compare Signature

File attribute string now includes custom attributes (eg. 'deleted', '$I30 slack entry')
File icon is now included in the comparison results
Signature info now includes whether deleted files were scanned or not

Deleted Files

Fixed Bug where saving multiple files would fail to save files to destination.
File Carver - Unallocated Cluster code would not read from the disk when the cluster offsets did not reside on sector boundaries. File Carving initialization will check to see if start cluster offset is a factor of cluster size, if not, file carving will switch to raw carve mode.
File Carver - Addressed bug which might cause carving unallocated clusters to not to progress.

DirectAccess – NTFS

Added buffer overflow check when decompressing CompactOS files
Improved performance of checking for valid $ATTR_FILENAME attribute when looking for $I30 slack entries
Improved performance of FindFirstDel/FirstNextDel functions
Fixed bug with not resetting the file pointer when detecting imageUSB image file. This could result in volume hashes returning the wrong value when verify the hash of a volume (a few bytes that the start of the file were not included in the hash calculation).

Email Viewer

Fixed HTML/RTF message body not being searched

File Name Search

Added config option to 'Search deleted files'. If enabled, deleted and $I30 slack files are included in the search results.
Deleted files are now shown in different text colour and with a deleted icon overlay in 'File List' view. Right click options for viewing files was also added.
Deleted files are now shown as a separate group in 'Timeline' view
Added more file details when exporting the file list to txt/html/csv file
Added support for adding/removing deleted files to/from case
Added support for looking up deleted files in hash set
Added support for saving deleted files to disk from File Name Search module.

File System Browser

Fixed 'n item(s) checked' still appearing after changing the folder
Added right-click menu option to export list of checked files to Case
File times now include decimal precision
Removed checkboxes in 'File Select' dialog
'File Select' dialog window size is now saved
Fixed auto-scrolling when sorting items

Internal Viewer - Hex View

Improved performance of string extraction by using parallel processing. Approximately a 60% speed improvement
Improved performance of filtering strings by using boyer-moore search & parallel processing. Can be more than twice as fast, depending on hardware
If using word list, included matched expression in status bar of selected string
When filtering the string list, the # of strings that have been processed is now displayed
Added option to save to .dic file for use with dictionary based password cracking
Moved filtering operation to thread due to length of operation. User may cancel the filtering operation at any time.
Changed preset filter combo box to a link which brings up a menu when clicked. The menu provides several preset filters, as well as an option to select a word list
Added 'Use RegEx' checkbox to allow user-specified regular expressions

MemViewer - Static Analysis

'Memory dump file' filter now includes .bin, .img, .dmp extensions
Added 'View & Extract Strings' button to open the dump file in internal viewer in hex view

Thumbnail View

Fixed text colouring for Deleted/$I30 slack/Reparse point files

Misc

Updated help file
Improved performance of list classes by using multi reader single writer lock. Fixed some synchronization issues.
When selecting image files, the 'All Images' filter now shows all supported image files rather than all files

V5.0.1002 - 6th of June 2017

Internal Viewer

Fixed a bug where attempting to open an archive (zip etc) file could result in a missing DLL message being displayed on older versions of Windows.

File Name Search

Fixed a buffer overflow that could sometimes cause a crash when displaying file names longer than 512 characters in the "Current folder" field. Crash can be appear randomly as field was only updated occasionally while a search was in progress.

Memory Viewer

Included updated version of Volatility Workbench into the install package. Volatility Workbench is a graphical user interface (GUI) for the Volatility tool.

V5.0.1001 - 5th of June 2017

File Indexer and searching

Added a missing DLL (MSVCR100.DLL) to the installer that could prevent ZIP files from being indexed correctly. Only old versions of Windows are effected. New versions already had the DLL installed.

Internal Viewer - Hex View

Fixed string extraction function failing to return correct offset due to using 32-bit variables

Memory Viewer

Fixed an issue where the process refresh timer was running even when the memory viewer window was hidden.

Passwords - Windows Login

Added right-click menu to tables

V5.0.1000 - 1st of June 2017

New PList Viewer

Added a new Plist viewer
Text foward/reverse search option.
For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).

NEW $UsnJrnl Viewer

Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
Added support for $MFT file lookup to determine full path
Added support for searching for subtext
Added right-click menu options for viewing file, exporting records and adding records to case
Added progress bar when parsing USN records, loading $MFT file and searching for subtext
Improved loading speed by searching for records from the end of the file
Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT

Analyze Shadow Volume

Results can now be exported in HTML and CSV format
Added button to export results to case
Added right-click menu for exporting results

Case Manager

Added support for mounting file paths as a device in the case
Adding devices to case now supports adding local folders in addition to network paths. Renamed 'Network Path (UNC)' to 'Folder / Network Path'
When adding an image file to case, the 'Select partition' dialog has been updated to reduce confusion.
Added option to export $UsnJrnl records to report
Fixed index OOB error when exporting deleted files to report
Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
Fixed error message when viewing the properties of a Case Device
Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.

Compare Signature

Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).

Create / Verify Hash

Added secondary hash function to allow calculating 2 different hashes simultaneously

Deleted Files Search

Added right-click menu to re-arrange columns in Details View
Added 'Source' and 'File number' columns to details view
Directory records found in $I30 slack space are now included in the results
Records found in $I30 attribute in deleted MFT directory records are now included in the results
Fixed bug with misreported quality when multiple streams exist for the deleted file
"Save and Open" right-click options no longer prompt the user for the a location to save the file; it shall be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
Added *.msg to the search preset for e-mails

Drive Imaging

Fixed error copying single files to logical image due to directories not being created
Fixed file size of single file not included when calculating VHD image size
When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than its file size.
Fixed bug with drive list in 'Create Image' tab containing devices from previous case after switching cases

Email Viewer

Fixed buffer overflow of 'From' field
Fixed heap corruption when opening .eml files with quoted printable encoded text

File Indexer and searching

New Zoom build with fixes for:

Fixed bug with indexing zero date as "23/04/2009 6:24:48"
Indexing "delivery time" for PST emails. Only index "submit time" if former is not available. Previously was only indexing submit time, which means Drafts/Deleted items would have no time in index but be inconsistent with EmailViewer, which would display a date/time.
Now supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.

Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
On History tab, when choosing right-click menu's "Display Search Results & Add to Case...", it will now export the list of results to the case along with adding the corresponding files.

File Name Search

Added right-click menu to re-arrange columns in Details View
Added *.msg to the search presets for e-mail
Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.

File System Browser

Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
Fixed text not appearing in icon/list view
Improved responsiveness when changing directories
Fixed bug with calculating folder size on disk for non-NTFS file systems
Fixed deadlock when multiple threads are accessing mounted devices simultaneously
Added right-click menu to re-arrange columns in Details View
When calculating folder sizes, stream sizes are now included
Added error messages when performing certain operations on $I30 slack items
Deleted artificats recovered from $I30 slack space can now be displayed.
Files that have reparse points are now displayed in green

Hash Sets

Fixed a NSRL has set import error that could occur when the manufacturer name was greater than 100 characters

Internal Viewer / File and Hex Viewer

File Viewer tab, changed volume controls to trackbar + mute button
Added 'IP address' filter to Hex Viewer string extraction
When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer shall first be saved to a temporary file and then loaded. Previously, a 'Unsupported file format' message is displayed.
Removed unnecessary saving of temporary files for file paths containing case devices
Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
Removed limit on the number of extracted strings
Added encryption, reparse point, sparse file, system compression attribute checkboxes
Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)

Memory Viewer

Added right-click menu to re-arrange columns of the process list
Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
Changed the extension for memory dummp files from .bin to .mem
Added tabs for 'Live Analysis' and 'Static Analysis'. Previous view has been moved to 'Live Analysis' tab. 'Static Analysis' allows the user to launch 'Volatility Workbench' process with the specified memory dump file.

Passwords

New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
Find Passwords & Keys: Added right-click menu to re-arrange columns
Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
Fixed bug where Wifi profiles weren't searching the correct location in some cases when “Live acquisition” was picked (could search incorrect drive letter)
Fixed bug where Wifi profiles might not search correct location in localised (non-english) version of windows
Fixed a crash that could occur when searching Wifi profiles
Fixed possible crash when getting system passwords
Added more info to display, client thread status, benchmark, password length and prefix.

Prefetch Viewer

Fixed possible crash due to buffer overflow

Raw Disk Viewer

Added a list of preset regular expressions combo box that can be used when performing a raw search
Improved performance of search window list view
Removed max search results limit in search window
Fixed synchronization issues potentially resulting in crash

Recent Activity Viewer

Changed how the windows user directories are searched for so all operating system dependant locations (XP, Win7 etc) are searched now instead of searching the known location of the first one found. For example if an XP system contained a "Users" folder in the root directory then it was previously only searching the (possibly empty) Users folder and then not searching the "Documents and Settings" location.
Fixed a "missing column" error for old versions of Firefox cookies
Made some changes when trying to repair a "dirty" windows search database (eg from a system image of a currently running system) so that if the esentutl tool crashes OSF will attempt to run it again
Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User's Download directory for .torrent extensions.
Fixed Bug with P2P Items not showing details on the File List Tab
Added Search queries artifacts for Ares Galaxy
Added Shareaza P2P Search Artifacts.
Added Emule P2P Artifacts
Added SABnzbd P2P Artifacts

Report Templates

Combined 'Drive Imaging' and 'Forensic Copy' HTML template into a single 'Forensic Imaging' HTML template

Start Window

Renamed “Website Passwords” to “Scan for Passwords/Keys”
Renamed “Removable Drive Preparation” to “Drive Preparation”
Added icon for launching 'Volatility Workbench' under 'Viewers' group

System Information

Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands

Web Browser

Fixed bug where saving the complete webpage was not working correctly

Misc

Changed date/time format to 24-hour clock
Fixed crash when Exception filter is executed
Moved 'Forensic Copy' module to 'Drive Imaging' module as a new tab. Renamed 'Drive Imaging' to 'Forensic Imaging'
Fixed 'Forensic Copy' and 'Drive Imaging' logs not appearing in generated report
Fixed some flickering issues when resizing
Updated File Name Search preset list to include Virtual Machine files
Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
Added template files for exporting $UsnJrnl records to report
Fixed bug with the initial directory not being set correctly in the select file dialog
When prompted to select a file, the last directory path is now used as the initial directory if not specified
Fixed bug in handling alternate data streams with multiple $DATA attributes
Added support for accessing bitlocker encrypted drives in raw form
Updated HTML Editor to show character count.
External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNNRNL and Plist) will retain the size of their last viewer window closed for subsequent openings
Performance increase when opening registry files
Fixed several potential crash points when closing the OSF application while the progress window is still showing
Added encryption, reparse point, sparse file, system compression attribute checkboxes
Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
Updated help file with $UsnJrnl Viewer section
Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not be created when debugmode is enabled.

V4.0.1002 - 1st of December 2016

Activity Monitor
- Added separate tasks for adding files to case
Case Manager
- Fixed synchronization issues with hash table causing an exception to be thrown
- Add file to case dialog has been changed to modeless, allowing the user to switch to another module while files are being added.
- Added synchronization to CaseManager class to support concurrent access to case items
- Added error message when creating/importing/loading/deleting a case while a task is still running
- When closing the program, a warning dialog is displayed when any task is still running (as opposed to a select few tasks)
- Fixed scroll bar being reset every time case items are added/removed
- Adjusted the maximum text to 245K characters in the rich edit box for case narrative
- Changed the case item list view to owner draw to improve performance
- Decreased the time required to delete a large number of items from case
- Fixed 're-use input' checkbox not working when adding bookmarked files to case
- Added error message when attempting to add bookmarked folders to case
- Increased the frequency of progress updates when adding multiple files to case
- Case items are now sorted by date in ascending order by default
- Fixed bug when attempting to overwrite an existing external report in case
- Fixed non-existent case default drive appearing in drop down box when editing case
- Improved performance of updating list items (eg. in File Search, Mismatch Search, Deleted Search) when case flags are updated
- Fixed memory leaks in case log
Decryption & Password Recovery
- Added more info to display, client thread status, benchmark, password length and prefix. Adjusted job size for CPU clients.
Deleted Files Search
- Fixed junk characters showing up in error message when prompting to overwrite a file
- Fixed case flags not being updated in thumbnail view
Email Viewer
- Fixed unhandled exception when failing to load e-mail file
File indexing and searching
- Fixed bug with Doc/Ppt/Xls indexing "last modified" as "Author". Will now prioritize "Author" and only index "Last modified" if "Author" is not available.
- Added support for Comments property (appended to KEYWORDS meta tag) in DOC files, and support for "Category" property (as "ZOOMCATEGORY" meta tag) in PPT and XLS files
Raw Disk Viewer
- Fixed bookmarks showing up twice when reloading a case
ThumbCache Viewer
- Fixed 'use same details for all' checkbox not working when adding to case
- Due to changes in Win10, the 'name' column should now show the thumbnail cache ID in hex format (instead of a cryptic string)
Misc
- Updated HTML Editor to show character count

V4.0.1001 - 16th of November 2016

Case Manager
- When generating report, fixed incorrect links being generated when 'Copy files' is checked
- Improved the performance of adding items to case by performing the hash calculations all at once (rather than separately)
- Improved the performance of updating case flags by not re-drawing the lists for File Name Search, Mismatch Search, Deleted File Search, Index Search, File System Browser
- Allowed the HTMLeditor to be left opened from the "Edit Case Detail" dialog window. However, as a result, the case narrative is prevented from being edited from the New Case dialog procedure.
Case Log Viewer
- Improved the performance of adding new log entries
Decryption & Password Recovery
- Added Openoffice (LibreOffice) extensions to select file dialog
- Removed bell sound from gpu client, cpu client, and server and replaced with a different (chime) sound
- Fixed typo in default definition file
Forensic Copy
- Added a clear log button and started displaying the number of files copied
- Reduced the amount of memory used substantially during the forensic copy process
Recent Activity
- Added Time Source Column for 'All'

V4.0.1000 - 10th November 2016

Licence changes
- Free version has been replaced by a 30 day trial.
- USB installation is now available only in the Pro version.
- Changed the maximum number of items that can be indexed (in create index) to 2500 for the Trial version
- Recent activity exported list is now limited to 10 items in the Trial version.
- Changed the maxium number of browser passwords displayed to 5 per browser for the Trial version.
Password recovery
- Wifi passwords are now recovered & decrypted from the registry and file system.
- Windows auto-logon password are now recovered & decrypted from registry.
- Outlook & Windows live mail passwords are now recovered & decrypted.
- Microsoft product keys are extracted from the Windows registry.
- New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
- Specific rows in the password report can now be selected for export or adding to the case.
- GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR file. (Work in progress).
- Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
- New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
- Added NTLM hash cracking to the common password check for the Windows login password.
- Added NTLM hash rainbow table generation.
User interface & work flow
- It is now possible to change the order of buttons in the left menu. Now called the Work Flow menu. This can allow the button order to reflect the chronological order of specific forensics processed.
- Checkboxes in several windows rather than multi-select with having to continuously hold select/ctrl.
- New 'File Details' tab in several windows that displays the search results in a list view.
Recent activity artifacts
- Added OS X artefacts to Recent Activity feature for Mac drives.
- Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
- Updates in Recent Activity for newer browsers (including Edge).
- Faster collection of Window Search terms in recent activity (reducing hours to minutes for the worst case).
- Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity.
- Added USB first connected time from parsing setupapi.dev.log.
- The ability to reorganize and/or hide show certain columns by right clicking on the column title area to configure it on the File Details tab was added.
- GUI will show incrementing artefact count during the scan.
File system support & imaging
- exFAT is now a supported.
- Added read-support for .Ex01, .Lx01, and .L01 image formats.
- Improvements to HFS+ support for Macs.
- Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
- Added a log option for Forensics Copy.
- Added ability to supply multiple source paths when performing Forensic Copy.
- Owner/group/permissions are now preserved in Forensic Copy.
- Better exposed the function to compare shadow copies.
Memory viewer
- The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
- Handles and loaded Modules are displayed per process when available.
- Users can create Process Specific binary dumps through right click options and add to the case.
ESEDB Viewer
- Dialog to select from a list of known files now shows the file size.
- Added right-click option to copy values (ie. cells) to clipboard.
- Added right-click option to view values (ie. cells) as binary data in the internal viewer.
- Added right-click option to export values (ie. cells) as binary data to file.
- Added right-click option to export values (ie. cells) as binary data to case.
- Added right-click option to export tables to case.
- Fixed some memory allocation issues when exporting tables that can cause a crash.
- Fixed horizontal scroll bar not appearing for some tables.
- Binary data is now displayed in byte groupings.
- Fixed a bug when retrieving a record multi-value.
File name search
- The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
- Peer to peer file types have been added as a new pre-set search selection.
- The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
- Improved the default settings.
- Ability to group the search results by file type in 'File Details' view.
- When grouping the results by file type, the groups are collapsed by default.
File indexing and searching
- Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude.
- Improved relevance scoring when hundreds of matches are found within the same file.
- Restored torrent file indexing which got accidentally broken in a past release.
- Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
- Improved search results layout.
- Fixed bugs when indexing meta data (title, keywords, etc) from DOC files.
Reporting & Case Management
- PDF output added.
- New streamlined report layout, including a sidebar for quick access to specific forensic artifacts.
- Added option to include file EXIF metadata in the report.
- Custom Logos are now easier to added.
- Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields.
- Added and Add External report feature in case management will support adding an external HTML report directory to properly display other tools report.
- Reduced the time required to populate the list of log entries.
- Index search history is now loaded on demand to reduce case load time.
- File size of the case item is no longer retrieved to reduce case load time.
- The default mount name for volume shadows now contains the index number.
- When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
- When adding device to case, 'Case default device' checkbox is set by default.
- Improved error message when generating a report in a location that already contains an existing report.
- Fixed error when generating links in a report to a file that contains > 260 characters.
- Fixed forward slashes in links being escaped causing problems in some browsers (eg. Chrome).
- Fixed error when deleting a read-only file from case.
- Fixed error when deleting a file with long file name from case.
- Added retry mechanism when attempting to add a file to case that is being used.
- When automatically adding files to case, added option to ignore future errors.
- Updated Report Templates to include the 'Case Activity Log' section in the main report.
- Added checkbox option to include 'Case Activity Log' into the main report.
- When generating a Case Log report, the exported log entries are exactly as displayed in the Case Log Viewer (ie. Verbosity, filters, sorting, etc applied).
- Added a HTML Editor to allow user to modify case summary narrative. Can be located under "Edit Case Details".
- Added progress bar when saving the case files to a folder before the case is deleted.
- Added new report type 'Log Report' for Case Log reports.
Shadow copies
- Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:\) which would lead to it not being displayed on the analyze shadow copy dialog.
- Added an Shadow Copy Analyze icon to start page.
- Stopped a shadow copy entities being compared against itself as it only makes sense to compare different shadows.
- Added a warning message when opening the analyze dialog if no shadow copies were added to the case.
System information
- BitLocker Detection preset added to System Information.
- Updates to System information to detect new CPU types.
- Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.
Registry Hive viewer
- Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
- Dialog to select from a list of known files now shows the file size.
Hashing
- Button to add Hash results to case.
Thumbnail database viewer
- Fixed large memory usage when reading Win10 thumbcache files.
- Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions.
- Added to list of known thumbnail cache files.
- Replaced thumbnail size radio buttons with combo box.
- Dialog to select from a list of known files now shows the file size.
Internal file viewer
- Updated video previewer to support more video formats. Including video in these formats. 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV.
- Can do screen capture from the File Viewer.
Email searching
- Added BCC searching for Emails.
- Additional details are indexed when indexing Emails (for some formats).
- Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files.
Deleted files
- Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for caving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
- Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
- Ability to group the search results by file type in 'File Details' view.
- When grouping the results by file type, the groups are collapsed by default.
Other changes
- Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search.
- Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding.
- Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
- Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs.
- Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Window XP.
- Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time.
- Loading of Magic config file (for mismatch search)is now performed on demand to speed up program load time.
- Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time.
- When loading the log file (secure log), a buffer is now used to speed up load time.

V3.3.1001 - 8th of February 2016

Deleted Files Search
- File Carving, naming of recovered carved files has been changed to "Carved (type) file (Sector Location in HEX).extention" e.g. Carved 'jpg' file 0x00001F2B.jpg.
File name search
- Fixed a bug that was preventing sort by foreground/background colour working correctly on results when OSForensics was using direct access (eg direct access of an image file).
Hash Sets
- Fixed a crash when first trying to open the hash sets tab.
Misc
- Some help file updates.

V3.3.1000 - 4th of February 2016

Case Management
- Increased Notes character limit to 64000 characters.
- Can now remove file from case in right-click menu.
- When adding an attachment to case that already exists, prompt the user to overwrite.
Create Signature
- E-mail files are no longer saved as temporary files when creating a hash of the file. This improves the speed when creating a signature.
- Fixed wrong directory path being displayed especially when hashing large files.
- Fixed performance bug when hashing NTFS compressed files. Caused a 20x slowdown reading compressed files.
Compare Signature
- When comparing file attributes, mask out the extra attributes used by OSForensics Forensics mode (eg. FILE_ATTRIBUTE_ATTR_MODIFY). This gives a more accurate list of modified files.
Deleted File Search
- Added 'Remove deleted file from case' right-click menu option.
- Fixed search results clearing when flags are updated.
Drive Preparation
- Added WAIT icon to drive refresh, so user can see when refresh is complete.
- Fixed physical drives are now supported, including system drive. However, if the system drive is selected, an error message is displayed.
Drive Imaging
- By default, 'Verify Image File' and 'Disable Shadow Copy' checkboxes are now checked.
- Added option to attach Image metadata (.info) file to case on completion.
- Changed extension of Image metadata file from .info to .info.txt.
Email Viewer
- When parsing DBX e-mail files in forensics mode, a temporary copy of the file is no longer created. This saves some time opening the file.
ESEDB viewer
- Updated the Extensible Storage Engine database (ESEDB) viewer to support the new Win10 file structure.
- Fixed list of records being cleared when attempting to access a page that is out of bounds.
- Fixed bug with non NULL-terminated string.
- Added sanity check for endianness for Vista DBs due to possibility of fields being either big or little endian.
File Indexer
- 12x increased unique words capacity (from 16 million base words to 200 million). Allows more documents to be indexed in a single index.
- Approximate 5x faster Forensics Mode indexing. This resulted from better caching, better parsing of the MFT and new low overhead methods of getting file attributes.
- Improved JPG, PNG image indexing speed with new methods of calling exiftool. Performance is approximately 5x faster on photographic images.
- Fixed bugs with indexing of archives (zip, tar, 7z, etc.) in Forensics Mode.
- Added support for ZIP files using non-DEFLATE methods (e.g. IMPLODE).
- Improved file type identifications and attempted indexing methods. At lot fewer warnings and errors should now be logged when indexing.
- Fixed 64-bit bugs with 7z64.dll.
- Fixed corrupt messages e.g. "Error: Cannot delete output file: ... ". Sometimes this error was caused by indexing E-mails that contained malware. The antivirus (AV) solutions running on machines would detect the malware on extraction of attachments from the E-mail and unexpectedly delete the temporary file, causing a cascade of errors. We have a work around for the errors, but active AV solutions can still prevent indexing of files containing malware. Which can be a good or bad thing depending on your point of view.
- Fixed failing to open .gz and .tar.gz files from forensic mode mounted drive.
- Fixed bugs with failing to extract files from certain problematic ZIPs and attempting every file (with magic and extraction and indexing) causing 3 error messages per file in the Zip file. Corrupted Zip files should no longer produce this cascade of errors.
- Fixed crash bug with truncated MP3 files.
- Fixed OLE parsing bug when loading corrupted MSG Email file.
- Improved memory estimation of indexing, to better judge if there is sufficient RAM available to start the indexing job. No point starting an indexing job only to die half way through it.
File Name Search
- Fixed 'Current Folder' not being correctly displayed.
- Fixed search results clearing when flags are updated.
File System Browser
- Display "(Sparse)" for the "Starting LCN" column of sparse files.
- Fixed incomplete folder size being displayed when folder size calculation is cancelled midway (eg. when items are being sorted).
- Speed improvement when calculating folder sizes in forensics mode. Approx 3x faster depending on collection of files.
Internal Viewer
- File info: For reparse points the linked path is now displayed.
- No longer displays message box when failing to open file.
- Hex viewer, Display error message in the status bar when failing to open file.
Mismatch Search
- Fixed 'Current Folder' not being correctly displayed.
Password Recovery
- Fixed crash when writing an entry to the log.
- Windows Login - List views are now resized.
- Windows Login - Added 'Password Required' column to 'Local Users' table to indicate whether a password is required for login.
- Windows Login - Fixed crash when saving local users/domain users to file.
Recent Activity
- Added file type sub classification for Windows Search Items. Files are classified using the MIME type and extensions.
- Removed directories from Windows Search Items.
- Fixed Security event log entries not appearing in the results.
- Selected items in 'File Details' and 'File List' tabs are now independent of each other. This caused problems when the exported list of selected items contain items that were not selected.
- Re-arranged the order of tabs so that 'File Details' is the default tab.
- Fixed scan status not displaying in 'File Details' view.
- Fixed sorting of items in 'File Details' view.
- flickering of tree view.
- Fixed error message appearing when JumpList is not selected in the scan.
- Fixed a shellbag retrieval crash in Windows 10.
- Fixed a jumplist crash in Windows 10.
- Fixed a bug preventing some jumplist items from being retrieved.
- Changed "Stream Number" jumplist item name to "Entry ID".
- Fixed an offset bug when getting the name of a shellbag item in Windows 10 which caused names with invalid characters to appear.
- Updated function that retrieves Windows desktop search terms. The database format recently changed in Win10 and broke older releases of OSF.
Registry Viewer
- Can switch between Hex, ASCII, Unicode in right-click menu.
- Hives under \Windows\System32\config\RegBack are now listed when selecting a registry hive to open.
- Added buttons for common operations (Add file, Add to case, Export, Find).
- Fixed a crash when trying to view/open the SAM file in Windows 10.
Search Index
- Updated search engine code to support new increased capacity index format with extended unique words.
- Added 'Remove item from case' right-click menu option.
- Fixed search results clearing when flags are updated.
Thumbnail View
- Improved performance of loading photographic image thumbnails in forensics mode. Is approx 10x faster.
- Improved speed + memory usage when drawing thumbnails. Especially noticeable when scrolling the display, which should now be smoother.
Drive imaging
- Fixed error "Unable to read end of drive". This occurred when imaging a volume (e.g. Drive F:), when the size of the file system (e.g. NTFS) is smaller than the volume size. The imaging process will now continue beyond the end of the file system to read the entire volume.
Misc
- Fixed some memory leaks found by the leak checker.
Licensing
- In the free edition of the software,.
- The indexing process will be restricted to 10,000 files or E-mails.
- The search results from an index will be limited to 250 files per search.
- Only 10 items to be added to each Case file.
- Only the first 10 passwords from each browser type will be listed in the passwords function.
Installer
- The installer package is now signed with an Extended Validation coding signing certificate. This avoids some SmartScreen installation warnings in Windows 10, like Windows "prevented an unrecognised app from starting".

V3.2.1003 - 6th of October 2015

Create Index
- Added support for zipx, 7z, rar, .arj, .dmg, .iso, .chm, .cab, .bz2, .lzo.
- Fixed indexing bug with repeated "Core engine not responding" messages.
Disk Imaging
- Reduced the vertical space used by the controls to support lower resolutions.
EmailViewer
- Can now re-scan for recovered e-mails after cancelling a previously started scan.
- Removed 'Tools' menu.
Misc
- Help updates for system information.

V3.2.1002 - 28th of August 2015

Create Index
- Improved MSG/EML/MBOX indexing support. Now using MIMETIC.
- Fixed many common errors and warning messages and file recognition.
- Fixed many issues with .zip, .gz, and .tar.gz archives. And recursive archives.
- Fixed filter buttons/checkboxes not working when viewing a failed/cancelled index.
- Added fix for "Core engine is not responding" when indexer was stuck in "Finishing" stage due to large index or slow disk write.
Email Viewer
- Added right-click option to jump to the message ID of an e-mail file.
- Added progress details when scanning for deleted e-mails.
- fixed bug with deleted e-mails not being displayed in the EmailViewer.
- Fixed 'assert' error appearing when Subject field is missing in MIME headers.
Index Log Viewer
- Fixed crash when trying to view a previous index log while an indexing job is running.
Recent activity
- Fixed an issue when trying to get IE10+ URLs from a read only drive.
- Fixed an issue with "dirty" IE10+ databases that were displaying a "Failed to attach IE10 database" error in some cases.
- Fixed an "autofill_dates" missing error caused by a Chrome update removing this table.
- Fixed a "malformed" database error when getting Chrome cookie information.
- Fixed some display and sorting issues with shellbag items on the file details tab.
Registry Viewer
- Fixed a crash when opening a corrupt registry file.
Misc
- exFAT partitions are now properly detected as opposed to being identified as "Unknown".

V3.2.1001 - 22nd of June 2015

Case Manager
- E-mail attachment paths now include the attachment index number following the file name (eg. c:\email.pst*990*attach.txt:2). This is to distinguish multiple attachments with the same name.
Create Index
- Fixed some bugs relating to email attachments.
- New URL format for attachments.
- Fixed bugs with indexing attachments from mbox (.eml) in nested format.
- Fixed bug with not indexing From/To details for Mbox attachments.
- Fixed bug with indexing attachment titles incorrectly.
- Fixed a bug that was causing "Failed to rename file zoom_pagedata.tmp to ..." appear at end of indexing.
Email Viewer
- When extracting e-mail details, if FILETYPE_UNKNOWN is specified as the e-mail file type, the function will try opening the file with each format until successful.
- Fixed potential heap corruption when exporting an e-mail with a large text body.
- Fixed possible memory leak.
Recent Activity
- Added shellbag item from registry files collection and display.
- Fixed a date conversion issue with Google chrome downloads date.
Search Index
- Fixed some results not being filtered into the correct tab (eg. images in e-mail attachments).
- E-mail attachments with the same name can now be distinguished properly.
- When doing bulk adding of items to case, user is no longer prompted when the item already exists in the case after checking the 'Repeat action' checkbox.
- Fixed various problems related to adding nested attachments/e-mails/archives to case.
- For E-mail paths that do not have a message ID in the path, a message ID of "0" is assigned.
- Fixed issues with the case flags not appearing for some items.
Misc
- Fixed some date formatting bugs introduced in the previous build that were causing dates to appear blank.

V3.2.1000 - 10th of June 2015

Create Index
- Added indexing of From, To, CC, BCC, etc. fields for PST attachments.
- Added indexing of From/CC/To etc. addresses from MSG attachments.
- Added missing support for indexing headers for MSG files.
- The start and end dates for the advanced search options are now correctly using the current case timezone setting when a search is performed.
- Fixed bug in Create Index -> Edit Template -> "Scan system paging and hibernation files" setting being lost.
- Fixed bug with Search Index -> Email Attachments -> Export ... results carrying incorrect From/To/CC information from previous results.
- Fixed bug with indexing attachments from MSG files (failing to recognize file type properly).
- Fixes for crashes and infinite loops when indexing corrupt DOC, XLS and PPT files.
- Fixed bug with empty emails in PST files causing previous buffer to be used for content and custom meta.
Case Manager
- User can now specify whether logging is enabled/disabled when creating or editing a case.
- Error message is displayed if the log file is corrupted or tampered with.
- When generating a report Added "No title" to when there was no title for an item so the link to the file is visibly created.
- When renaming (moving) cases, case items still used the old metafile path causing issues with non-existant paths. Fixed by reloading case after moving.
- E-mail attachment paths now include the attachment index number, due to the possibility of having multiple attachments with the same name.
Case Log
- Supplemental log entries added across all modules.
- When logging is disabled, controls are now disabled and message is shown to the user.
Create/Verify Hash
- Fixed drive drop down list to include Case devices.
CSV Exports
- Removed "," separator between date and times for CSV exports so that Excel will automatically pick them up as dates.
Deleted Files
- Fixed bug with retrieving the clusters of a deleted NTFS file. This bug can potential cause an invalid memory access crash.
- Unallocated cluster information now being used for mounted devices.
- Fixed bug with unable to save multiple deleted files from a partition without a drive letter (due to invalid characters in the device path).
- The number of files that were not saved due to reallocation now displayed.
- Improved performance of saving deleted NTFS files.
- Deleted files stored in multiple MFT records are now being handled.
- Proper stream names are being used when restoring a deleted NTFS file.
Disk Imaging
- Fixed no default drive being selected in 'Hidden Areas - HPA/DCO' tab.
- Added check for no physical disk selected.
- The sizes of each respective max LBA are now displayed in the log after detecting HPA/DCO.
Event Info
- Bug fix, stripped trailing space character from event title.
Email Viewer
- A dotted border is now custom drawn on the selected folder/e-mail so that even when the control loses focus, the selection is still apparent.
- Fixed not being able to add multiple e-mail attachments with the same name. Each attachment now has a unique path.
File Name Search
- Added 'Save to disk' right-click option. Re-arranged right-click menu to be more readable.
Hash sets
- Files less than 5 bytes in size are now excluded from hash set lookups (this is to prevent tiny file (eg 0 byte files always appearing in a hash set where there was a 0 byte file on creation).
Password Recovery (Windows Login Passwords)
- Added cached domain users to recovery for local drives.
- Fixed a crash that could happen when recovering cached domain users.
Recent Activity
- Added timestamps to WLAN items for the associated XML profile or registry key (where available).
- Bug fix, export event to CSV will now include the item's title.
- Columns will remember their widths when filtering, sorting and navigating to different activity types.
Search Index
- Added To/From/CC information to attachment output when searching an index.
- Removed the from/to/cc fields from the CSV export of an search for items that aren't emails/attachments.
- Fixed bug with broken links in search index results for files containing percent encoding in filename.
System Information
- Added cached domain users to "Get User Info (registry)".
ThumbCache Viewer
- Fixed 'In Case' flag incorrectly displayed for all items in thumbnail view.
User Interface
- List/tree views across OSF now shows the selected item regardless of when the control loses focus.
- Fixed drawing issues when minimizing navigation buttons.
- Removed flickering when resizing window.
- Fixed buttons not being displayed when resizing window.
- Fixed drawing issues when resizing file/folder popup dialog.
WinPEBuilder
- Bug Fix. Selecting OSForensics or BurnInTest as the selected program in WinPEBuilder will now add the required WinPE packages on the WinPE/Packages tab.
Misc
- Updated help for new Case Activity Log section to describe logging feature.
- Updated help with info on user editable file carving configuration file, osf_filecarve.conf.
- Updated help to mention timezone in case management.
- Updated System information library.

V3.1.1007 - 4th of May 2015

Case Log
- Added preliminary implementation of Case activity logging.
Case Management
- Made add note window resizable.
- Added veritcal and horizontal scrollbars to Add note dialog, allowing more data to be saved and making it easier to format the notes.
Deleted files
- Fixed crash when displaying deleted file thumbnails on ext2/HFS+ drives (due to different threads sharing same drive handle).
Hash Sets
- Fixed bug in deleting hash set from Tree View.
Web Browser
- Fixed missing URL info when adding web snapshot to case.
WinPEBuilder
- Can pass in .cfg file to preload some values of WinPEBuilder.exe.
Install to USB
- Updated GUI. If installing to USB Drive, then only USB location will be allowed. If creating a bootable device, then any folder is allowed. OSForensics will prefill the output destination of OSForensics (via WinPE Builder config file) when launching WinPE Builder (Requires WinPE Builder 1.0.107 and up).
Misc
- Updated System information library.

V3.1.1006 - 5th of March 2015

Case Manager
- Before deleting search indexes they will now be unloaded if currently in use rather than displaying an error message.
Email Viewer
- Added check for if the recipient address is in X400 format. If so, try to obtain the SMTP Address instead.
File Indexing
- Fixed a crash caused by partially compressed NTFS drives.
- Fixed bug with missing title and from addresses from index.
- Fixed bug with PST files not opening from search results due to incorrect/corrupt path.
- Fixed bug with x400 email address format when smtp format available for recipients.
Password Recovery
- Windows login passwords: Added recovery of cached domain users, updated help file to match new UI and functions.
Install to USB
- Fixed a bug where if the initial start failed (eg invalid target directory) the disabled buttons were not re-enabled, causing OSF to become un-usable.
Misc
- Updated error message when trying to copy files to clipboard from non supported devices.

V3.1.1005 - 18th of February 2015

File Indexing
- Updated Zoom indexer to fix some crash issues.
- Bug fixes when indexing DOC and XLS files inside ZIP files.
Install to USB
- WinPEBuilder will launch with option to format USB drive filesystem as NTFS.
Password Recovery (Browser Passwords)
- Fixed a bug with chrome and opera password recovery where the wrong password could be displayed in some cases (out by 1 place in the list) or no password might be displayed despite not being blacklisted.
System Information
- Fixed a bug that was displaying an error message when trying to run a custom command on the system information tab when using a selected drive.

V3.1.1004 - 16th of January 2015

Email Viewer
- Added handling of rfc2047 encoding in subject/address fields of MIME headers.
- Fixed buffer overflow in status message while recovering deleted e-mails in PST files.
- Fixed 'S' shortcut key being processed instead of 'Ctrl+S' to add attachments to case.
- Fixed a bug with saving embedded message in PST/OST files as .msg. LIBPFF_ENTRY_TYPE_ATTACHMENT_DATA_OBJECT property was being saved as a stream instead of storage.
ESEDB Viewer
- Fixed population of known ESEDB files to use localised folder names instead of hard-coded locations.
File Indexing
- Pre-scanning can now be cancelled while scanning PST messages.
- Updated Zoom indexer to fix some crash issues.
- Updated Zoom Office XML plugin.
- Improved length limit for meta fields in email files (used for FROM/TO/CC/BCC) from 255 characters to 65,535 characters.
- During indexing, fixed Total Bytes/Peak Physical Memory/Peak Virtual Memory not updating properly when > 2GB.
- Fixed crash bug with buffer overflow and infinite add URL when indexing .MSG file with many attachments.
- Fixed bug with only using last filename for all attachments of the same .MSG file.
- Fixed bug with losing generated body text with attachment filenames "Attachment(s): ... , ..." for .MSG file indexed.
- Fixed bugs with indexing plain text emails in .MSG files.
- Fixed bugs with indexing Chinese PST files (metafield length limit caused Unicode corruption).
- Fixed bug with possible Unicode string corruption when longer than available buffer (with languages such as Chinese with 4 char MB UTF-8 characters).
- Fixed a bug with files sizes not being indexed in offline mode.
- Fixed a potential crash caused by long URLS.
- Fixed a crash during pre-scanning when indexing unallocated clusters.
- Fixed bug with search index failing on old format index files after a search with new format index files.
- Fixed DOCX plugin that split words incorrectly due to revision history.
- Fixed crash bug with XLS files with invalid cell.templateID values.
Import Hash
- Fixed String/Buffer overflow during import progress updates (if import folder name is too long) by increasing string size.
Internal Viewer
- If viewing an excel document that is password protected it will now display a relevant error message.
Password Recovery
- Shadow copy now used if registry file is locked.
Recent Activity
- Now attempting to get the localised name for the "Documents and Settings" folder from the registry when starting a recent activity scan so more information will be retrieved on non-english Windows installations.
- Shadow copy now used if registry file is locked.
- Should now resolve shortcut (.lnk) files in User's Recent Items folder (when not using live acquisition scan option).
- Fixed scanning of system registry hives when no user hives are found.
Search Index
- Fixed processing of FILETYPE_MSG and FILETYPE_ATTACHMENT_MSG index results.
System Information
- Shadow copy now used if registry file is locked.
ThumbCache Viewer
- When looking up default Windows.edb location, now using localised folder names instead of hard-coded locations.
WinPE Builder
- Updated build of WinPE Builder. (Allows user to set NTFS filesystem with command line argument '-f'. Not enabled by default, since FAT32 supports booting both BIOS-based and UEFI-based PCs. UEFI based systems require that the boot files reside on FAT32 partition. If they are not on FAT32 the system may not see the device as bootable.).
Misc
- Fixed bug with handling of NTFS files with mix of compressed/non-compressed fragments.
- Help file updates.

v3.1.1002/v3.1.1003

Internal builds.

v3.1.1001 - 16th of December 2014

Case Management
- Fixed potential deadlock after clicking 'Cancel' when items are being added to the case.
- Fixed 'To' field missing in e-mail case properties.
- Fixed 'From', 'To', 'Subject' fields missing in case report.
- Removed check for empty e-mail headers (From, To, Subject, etc...) when adding e-mail to case. Adding warning to log file instead.
Email Viewer
- When exporting e-mails to file/case, 'Print-friendly' HTML file is now generated. Currently, only HTML/text is supported.
File Indexing
- Indexer updated to the latest Zoom Engine.
- Fixed a bug when indexing email attachments with accent characters in the folder path.
- Fixed infinite loop bug when indexing corrupted ZIP files.
- Fixed a crash bug with indexing MSI files (and any other files that can be misidentified as DOC).
- Added error message when handling bad ZIP files./li>
- Added default handling of .msi files as binary (filename only) format.
Recent Activity
- Will now return files/folder from user's Recent Item folder (shell folder).
- Added Support for Word 2013 Reading Locations to Recent File List Item.
- Added Support for Office 2013 (Word, PowerPoint, Excel) Recent File List.
- Added Adobe Acrobat Reader MRU locations.
- Now also parsing the subkeys to Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs\\.xxx, where .xxx is file extension to retrieve more information.
- Added Right Click Menu Option - Copy Row to Clipboard.
- GUI Fixes, Help File Link Update.
- Added Filter for text search of all fields for an activity type.
- Installed Programs, if there is no program name, will return registry location as the title.
Registry Viewer
- When opening key paths containing SYSTEM\CurrentControlSet which is a volatile symbolic link, replaced with 'ControlSet00n' where n is the current control set.
Search Index
- Improved performance of adding PST e-mail/attachments to case by using the same e-mail file handle, instead of opening and closing for every e-mail message.

v3.1.1000 - 19th of November 2014

Email Viewer
- Only one instance of the e-mail viewer window is now available and shared amongst all modules. This allows e-mail messages to be opened instantly without having to reload the e-mail file if it was previously opened.
- Partially loaded e-mail files (ie. cancelled halfway during loading) are no longer allowed and removed from the tree view.
- Added support for recovering deleted and orphaned e-mails in PST files.
- Added status bar on the bottom of the window to indicate the number of items in the current folder.
- Fixed header field (From, To, Cc) text not showing when text length is too long.
- Fixed saving attachments with invalid filename characters.
- Added implementation to save PST emails with embedded message attachments in MSG format.
- Removed storage of e-mail file path for each mail item to reduce memory usage.
- Fixed a crash when closing e-mail viewer while still loading e-mail/searching.
Direct Access
- Reduced the memory usage for VMDK, VHDI and raw images
- Cache data is now share globally per device rather than per device/thread. This reduces memory usage and increases performance
- NTFS
  Fixed loading of $MFT file split into multiple MFT records
  Added caching of ATTRIBUTE_LIST to improve performance
  Fixed a possible crash when saving to disk
Internal viewer
- Fixed a crash related to merged cells when converting excel document to html.
- Fixed a bug with POLE library causing large files to be saved improperly.
- Fixed hex view showing incorrect bytes while performing search
Forensic Copy
- Fixed error message preventing files to be copied to a windows drive destination.
File Indexing
- Added support for indexing .tar, .gz, .tar.gz, etc.
- Added BinStringsUseBigram option for create index binary string extraction settings, Code words and Extreme.
- Added options to index "System hibernation and paging files".
- Changed email prescan estimate to handle more cases.
- Added a MAXPAGES min. cap of 100,000 pages when scanning attachments.
- Fixed a bug with not detecting if wordmap merging failed mid write due to out of space or other causes.
- Fixed a bug with free edition not indexing PDF files properly (indexed as html).
- Fixed a bug with not being able to perform searches on indexes created within a folder path that contains Unicode character (e.g. unicode characters in user name or in case name).
- Fixed an issue with not scanning text files (non plugin files) when scan .sys files is enabled.
- Fixed a bug with an infinite loop when indexing a file misnamed as DOC (e.g. a RTF file).
- Fixed several bugs when indexing emails.
Recent Activity
- New user interface, summary of items shown in left hand treeview side, added filters, new sortable list.
- Updated to work with latest version of opera (23).
- Now searching localised folder names so should return more results on non-english installs of Windows.
- Now searching more registry locations for installed programs so far more results should be returned.
- Fixed a bug where registry locations of some installed programs weren't displayed fully.
- Fixed some issues when trying to get recent activity from non-system drives.
Drive Preparation
- Improvements to Disk preparation error messages.
- Improvement to the Drive preparation progress update.
Disk Imaging
- Raid rebuilding, fixed detection of RAID metadata for Promise RAID controllers.

v3.0.1001 - 19th of August 2014

Case Management
- Images/drives without valid partition/file system info (ie. boot sector) can now be added to the case. This allows the drive to be viewable using the Raw Disk Viewer.
File Indexing
- Added support for indexing extracted binary text from "hiberfil.sys" and "pagefile.sys" (not limited by max file size limit).
- Fixed stemming problems during indexing.
- Fixed bug with updating indexing status causing small indexing jobs to report no files being indexed.
- Fixed bugs with identifying misnamed ZIP files during indexing.
- Updated Engine/CGIs to V7 build 1008.
- Image search results that are nested in archives are now displayed in the 'Images' tab.
- Image search results that are nested in archives are now displayed with an 'archive' overlay on the top left corner of the icon.
- Fixed bugs with accented characters in search result URLs.
- Fixed bug with opening search results in the Internal Viewer.
Deleted Files Search
- Fixed bug in file carving of .mov files (was including 4 additional bytes in the end, now removed).
- Fixed file carving of .pdf files. Will now check buffer for four known combination for end markers. If not found, will default to look for %EOF.
- Fixed scanning of deleted files on mounted drives without partition information.
Raw Disk Viewer
- Fixed divide by error bug when performing a raw disk search on a disk with sector size = 0.
- Fixed partition info in the Decode window not being updated correctly when a new disk is loaded.
Web Browser
- Module Will now load on first use instead of loading on startup. Starting Page is now set to about:blank (was set "http://www.osforensics.com ). This minmises the impact on a live target system when running OSF from a USB drive.
Internal Viewer
- Fixed image stored in the alternate stream of a file not being displayed.
Misc
- Fixed bug with FAT file system parsing caused by truncating errors when calculating cluster offset. This could prevent some FAT partitions from being mounted when the FAT partition's starting offset was a long way from the start of the disk.
- Added debug statements to FAT file system parsing (when DEBUGMODE mode is enabled).
- Added debug statements when there are NTFS file system parsing errors in applying fixup values to MFT and index records (when DEBUGMODE mode is enabled).
- Updated WinPEBuilder.exe to include more debug messages.

v3.0.1000 - 14th of July 2014

New Modules:
- ThumbCache viewer for viewing cached thumbnails stored in the Windows thumbnail cache database (Windows Vista and later only).
- ESE database viewer for viewing the records stored in ESE database files (.edb). ESE database format is used by a variety of Microsoft applications and can often contain data of forensics value.
- Prefetch Viewer for viewing the application prefech data stored by the operating system's prefetcher. This data includes when the application was last run and how frequently it has been run.
Case Management
- Added option to "Make case default" when adding a device to a case so it is selected by default for future actions.
- When deleting cases, added prompt to allow the case files to be saved to another location before deleting.
- Adding attachments from case devices now supported.
- Multiple image partitions can now be mounted at the same time.
- VHD image files can now be mounted.
- Added 'Repeat action' checkbox to message box when adding a file already existing in case.
- Fixed a bug that was preventing undeleted files from being exported as part of a report.
- Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.
- Fixed issue with setting newly mounted drives as default drive.
- Fixed bug with condensing white space when reading .OSFCfg files.
- When adding shadow drives, fixed combo box not being reset when changing drive selection.
- Changed the error message when adding an image file to a case to include the image name.
- Fixed a bug preventing bookmark tables in reports from being sorted
Deleted Files Search
- Searching for deleted files in HFS+ drives now supported.
- Results can now be displayed in 'thumbnail' and 'timeline' view.
- Timeline view now shows stacked bars grouped by file extension.
- Fixed overall system slowdown caused by large blocking file reads when file carving.
- Removed right click menu options that aren't unsupported by the file system.
- Fixed a crash when pressing a key with nothing selected.
- Fixed deleted directory icon not being displayed for non-NTFS file systems.
- Fixed deleted file fragmentation info not displaying for NTFS case devices.
- Fixed crash with invalid memory access when searching for ext2 deleted files.
File System Browser
- Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.
- Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
- Added right-click menu option to attach selected files to case.
- Attribute modify date is now displayed for ext2 file systems.
- Fixed deleted icon overlay so that it displays correctly on XP.
File Indexing
- Indexer updated to the new Zoom Engine, which includes support for real-time logging.
- Indexing now supported for Shadow Volumes.
- Timeline view now shows stacked bars grouped by file type.
- Multiple history items can now be added to case.
- Multiple history items can now be deleted.
- Changed indexing/searching limit to 25000 items for Free version.
- Optimized index search by not reloading dictionary for every search.
- Fixed a crash when indexing multiple partitions mounted from image files.
- Fixed potential Thumbnail view crash due to lists being deleted while thumbnails are loading.
- Fixed bug with DBX message count not being included in total e-mail count.
- Fixed Custom Limits not being saved/applied in Edit Template.
- Fixed 'default' button not deselecting non-default filters in log window.
- Fixed unallocated cluster indexing not working for drives mounted in Standard mode.
- Fixed timeline date filter not filtering items correctly.
- Fixed regex filter combo box in 'Browse Index' tab showing invalid characters.
- Fixed invalid characters showing up in 'History' under the 'Settings' column.
File Name Search
- Timeline view now shows stacked bars grouped by file extension.
- Deleted files/directories can now be displayed (in red text). Added menu option to enable deleted files to be displayed.
- Attribute modify date now displayed for ext2/hfs file systems.
- Fixed a memory leak when closing window.
Hash set lookup
- Added list of matched files when performing hash set look up of more than 1 items. The list view contains a list of files that are found in the hash set. Previously, only the number of matches are displayed without any information on the files that matched.
- Added support for deleted files hash lookup.
Internal Viewer
- Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories.
- Metadata View tab now displays EXIFTool metadata for deleted files.
- Metadata View tab now displays carved $I30 records for deleted directories.
- Added jump to index right-click menu option.
- Deleted files opened from the file system browser can now be viewed.
- Thumbnail cache data opened from the ThumbCache viewer can now be viewed.
- File Info tab now shows the file's starting LCN.
- Increased the default number of strings limit in Hex view tab to 50,000. Increased the max number of strings limit to 1,000,000.
- Improved loading and caching of files.
- Reduced file loading time by optimizing file system accesses.
- Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View.
- Fixed minor issue in File Info tab with short filenames appearing incorrectly.
- Fixed bug with hex viewer string extraction not stopping when max # results reached.
- Fixed viewer string extraction omitting words in results.
- Fixed 'Copy ASCII' in Hew view tab to copy all characters other than '\0' to clipboard.
- Fixed icon transparency not displaying correctly in Windows 8.
- Fixed metadata view tab showing icons when displaying EXIF metadata.
- 'Unsupported file type' text is now displayed when failing to convert document files to text.
- 'Fixed crash due to buffer overflow bug with handling Excel document conversions.
Email Viewer
- Added support for searching message body.
- Added support for date filtering.
- Updated "Print" functionality.
- Fixed a bug with HTML email printing not having any headers.
- Fixed a bug with not printing full headers, RTF, and plain text mail.
Recent Activity
- Added scanning of Windows search database (Windows.edb) index records.
- Added scanning of prefetch items.
- Added scanning of windows credential manager for browser passwords.
- Added 'Config' window for configuring scan options (date range, items to scan).
- Added additional filter for MRU sub-categories when filtering by 'MRU'.
- Timeline view now shows the breakdown of activity types via stacked bar graph.
- Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported).
- Timeline view is now synchronized with File List view.
- Removed 'Summary' button. Summary dialog now appears when clicking the 'Total Items' hyperlink.
- Fixed crash when pressing 'Enter' with nothing selected.
- Fixed item selection when 'End' is pressed.
- Fixed stack overflow bug.
- Fixed error when opening the selected item with the registry viewer.
- For Chrome downloads, results now show filename from source URL if destination download path unavailable.
- Fixed scanning of IE history not working for certain versions of IE.
- Fixed a bug preventing the name of items from being output correctly for CSV export.
Mismatch search
- Added text colour to "Identified Type:" field for emphasis.
- Fixed a bug that was causing a crash when adding a file to a case.
SQLite Browser
- Files saved in temp folder are removed when exiting.
- Fixed unitialized pointer bug when exiting program.
Password Recovery
- Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options.
- Updated the Firefox password recovery feature to work with the latest version of Firefox (24).
- Fixed a bug where the password was not displayed if there was only one password entry stored in the Firefox database.
- Updated error message to show correct error code when permissions prevented some registry changes.
- Fixed crash when adding .rti rainbow tables without valid file segments.
- Under 'Generate Rainbow Table' tab, moved the character set definition in the combo box to an edit control due to length.
- Under 'Generate Rainbow Table' tab, changed character set combo box to non-editable.
Drive Preparation
- Fixed Write pattern function incorrectly reporting a write error near the very end of the drive for some USB flash drives.
Drive Imaging
- Restoring VHD image files now supported.
- Disk image name and type is now maintained when using the browse button (if already entered).
- Fixed bug with imaging drives as Encase files.
Install to USB
- Added window message processing during the USB installation process so the application doesn't display as "Not responding".
- Disabled Install/Exit/Browse buttons when install process starts.
- Stopped "Install to USB" function from working when not installing to a USB/removable drive.
Web Browser
- No longer creates a web browser temporary dir as it was not being used and was not being cleaned up properly after program exit.
Misc
- Deleted files are now supported in thumbnail view.
- Various performance improvements when loading thumbnails in thumbnail view.
- Fixed display of files without high resolution icons in thumbnail view. Previously this meant a tiny icon was drawn.
- Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag in thumbnail view.
- Fixed crash caused by bug with retrieving the file icon in thumbnail view.
- Fixed crash caused by overflow of the label exceeding 260 characters in thumbnail view.
- Added support for stacked bar graphs via groups in timeline view.
- Fixed bug when the data spans greater than 30 years in timeline view.
- Increased copy to clipboard limit from 100 to 10,000 files.
- Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB.
- Redirected stdout containing Unicode characters should now work correctly (eg from System information tools).
- Fixed some flickering when adding files to case.
- Updated OSFMount to v1.5.1015.
- Fixed several crashes that could occur when closing OSF.
- Fixed crash when attempting to shadow copy files from a drive mounted in standard mode.
- Non-raw image files that cannot be opened properly will be opened as raw.
- Reduced flickering when resizing window.
- Fixed copying of shadow copies of locked files into temporary directory.

v2.2.1000 - 10th of September 2013

Added support for creating a self booting USB solution from the "Install to USB" section, this is a new tool called "WinPE builder" that can be launched after the "Install to USB" process. There is an in depth guide on how to use this new feature here.

v2.1.1000 - 9th of August 2013

Indexing changes;
- Will now process e-mail headers.
- Added .zipx extension in filetypes to be recognized, handled as "Binary (filename only)".
- Added handling of ZIPX as "Binary (filename only)".
- Added checkbox to scan attachments in e-mails to advanced template configuration window.
Added Volume shadow copies support to the File System Browser. Currently considers a file is a shadow if the modified time of file is different from the current volume file. Steps to use this feature are,
- Add Disk Image OR Drive in forensics mode OR Disk to case.
- Add subsequent Volume Shadows for just added device.
- Load File system browser and enable Show shadows under options menu.
- Browse (the shadow copy files text/label will be a shade of grey).
Added "Add All" Volume Shadow Copies option to Add Device dialog window.
Added "loading" dialog box when parsing shadow copies.
Shadow copies can now only be loaded for devices that are already added to case.
Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time.
Added button to FSB Toolbar that launches a module to perform volume "diffs" for shadow copies, it behaves similarly to the Create/Compare signature function.
Added keyboard shortcuts to Internal file and email viewers.
Raw disk viewer searches are no longer aborted when the search window is hidden.
Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed.
Can now select 'Use entire image file' when selecting a partition from an image file.
Added Loading progress indicator for the advanced EmailViewer.
When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM).
Can now detect dynamic volumes in dynamic disks (LDM).
In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
Rebuilding RAID images for the following RAID metadata types
- SNIA DDFv1.
- Highpoint v2 RocketRAID.
- Highpoint v3 RocketRAID.
- Adaptec HostRAID.
- Integrated Technology Express RAID.
- JMicron RAID.
- LSILogic V2 MegaRAID.
- LSILogic V3 MegaRAID.
- nVidia MediaShield.
- Promise FastTrak.
- Silicon Image Medley RAID.
- Silicon Integrated Systems RAID.
- VIA Tech V-RAID.
Added RAID 0+1, RAID1+0, RAID 3, SPANNED rebuilding support.
RAID "Info" dialog now shows the metadata for all matching RAID formats.
Can select between multiple RAID metadata types if multiple formats detected.
Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.
Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
File Carving percent complete display bug fix.
File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
Thumbnail Viewer, fixed a problem with thumbnails without a visible size being drawn as black box.
Fixed some potential memory allocation in the internal file viewer issues when viewing buffers. (Which is how deleted files are viewed).
Fixed a crash that could occur in recent activity during the IE URL scan, some URL paths were longer than expected.
Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module.
Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases.
Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files).
Fixed issue where "Add to Case" menu item was enabled when a case is not yet opened.
Fixed some memory leaks when indexing emails and attachments.
Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays.
Fixed EmailViewer appearing (with truncated email contents) when user hits "Cancel" during PST loading.
Fixed the EMail viewer's handling of embedded emails (.msg files attached to a .msg file) in the EmailViewer.
Made some changes to stop a reported crash in the registry viewer.
Fixed a bug with the Windows Login Password when using "Live acquisition of current machine", a required registry permissions was failing to be set correctly.
Old/simple PSTViewer is now restored in project and used when PST file is > 10GB.
Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (causes by null records in the registry).
Added help context for Volume Shadow Copies.
Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.

v2.0.1003 - 22nd of March 2013

Forensic Copy.

Fixed Forensic File Copy not copying folder 8.3 short names.
Made change to handle setting 8.3 short file names on files that have a read-only flag.

Added fractions of seconds to internal viewer file properties output.
Recent Activity - Now also searches registry location for typed IE URLs.
System information

Changed the dialog title to reflect that a command is being edited rather than a new command.
Fixed a bug where if the first entry in the list was editable then it wasn't loading correctly and defaulting to the new command dialog.
Fixed a bug where if the list management dialog was closed using the X button rather than OK the current command window display was not being updated to reflect any changes.
Added new system information functions (Get User Info, Get Timezone, Get computer name, Get network info) that can query the registry for information, these functions can be used on the local system as well as disk images and other system drives.

Navigation Bar - Added 'Registry Viewer' button.
Start Page - Dialog for selecting registry file now closes when the Registry Viewer is opened.
Registry Viewer

Correct icon is now displayed for Find/Goto windows.
All search types now selected by default in Find window.
and keys now work properly for Find/Goto windows.
Cancel button now works properly for Find/Goto windows.
Find/Goto windows stay open after search.
Added splitter bar and fixed resizing issues.
Added shortcut keys for searching (Ctrl+F, F3, Ctrl+G).
Find/Find next now traverses the tree in order according to currently selected entry.
Added support for opening multiple registry files in one viewer.
Added icons for tree view.

Email Viewer.

Fixed bug with retrieving the HTML body using the MVCOM library. Should use _bstr_t instead of BSTR.
Changed header fields to Edit controls to fix redraw issues when resizing.
Improved parsing of Data/Time strings.

Hex View.

Added Ctrl+C (copy hex) and Ctrl+A (select all) keyboard shortcuts.
Fixed crash carving data.
Changed string extraction so that it no longer separates URL strings into components (eg. 'http', 'www'), this was preventing the URL filter be useful.

Password Recovery.

Changed behaviour when recovering Firefox passwords so that is a firefox install isn't found on the drive being scanned OSForensics will also check for a FireFox install on the system drive.
If a FireFox location is not found an error message is now displayed.
Added warning to password recovery and system information functions when running on a live system and the permissions of the SAM registry files need to be changed.

v2.0.1002 - 11th of March 2013

Fixed error when attempting to select a file in the listview with no items.
$I30 directory entries now returned even if the MFT record does not contain a $FILE_NAME attribute.
Fixed a bug in the report template where Web Snapshots, Notes, Emails and Bookmark tables were not being sorted when their heading columns were clicked.
Fixed a crash when changing hex view settings.
Changes to Forensic File Copy to better handle conflicts with 8.3 names on NTFS.
Fixed a bug in the recent activity scan on non-live systems where USB devices were not displaying a last connected time and date.
Fixed a bug where the scroll bar was not updating on the recent activity page when using the mousewheel.
In File Info tab, added 'Short file name' field for NTFS/FAT 8.3 short filenames.
Fixed a bug that was preventing the recent activity module from getting windows system event information for the live system.
Added filename and file extension sorting to index search.
Fixed a crash when viewing/export a download recent activity record.
Added right-click option to save file to disk for the filepath hyperlink in the Decode Window.
Added progress bar when saving file to disk, allowing the user to cancel if taking too long.
Fixed a crash that could occur when scrolling on the recent activity tab.
Fixed a bug where in the recent activity items the chrome form history items could be saved with the currently registered username for OSF not the local user.
Fixing a bug in the recent activity CSV save to case / export where the time offset was saved in the location field for MRU items.

v2.0.1001 - 4th of February 2013

Added Web Snapshots category to case management for exports from the web browser module.
Added additional URL meta data to Web Snapshots (viewable from case item properties window).
Fixed index search bug causing variant words like "testing" instead of "test" to not be found.
Fixed index search bug causing exact phrases using quote characters to not return any search results.

v2.0.1000 - 30th of January 2013

Major changes

Support for multiple drives & folders when indexing. So an single index can now span more than drive.
Support for templates in the file indexing module. (to save re-entering data each time an index in created).
Ability to capture pages from web sites and add them to a case (not finished in this Alpha release).
Add support for searching multiple set of index files in a single search.
Added much improved E-mail viewer / browser.

Will open automatically if viewing an E-mail archive.
Can now add Email attachments to case.

Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files).
Changes to the Internal File Viewer.

Window can now be maximized. Minimum window size limits removed.
Minor metadata fixes.
Can now add string list to case in Hex Viewer.
Exported string list now contains string extraction settings.
Can now carve to file (and add to case) in Hex Viewer.
Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images.

The index search function in now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% times faster, for large sets of index files and search terms that give small result sets. Even in the worst case there will be around a 10% improvement on search times.
Carved file can now be added to case in the raw disk viewer.
Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories.
WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't.
Changes to the raw disk viewer.

Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk.
'Select Range' dialog now populates 'Start offset' with current offset.
'Select Range' dialog shows the number of bytes between the start and end offset.

Minor changes

Changed UI layout to tab-based of memory viewer module. Re-organized buttons.
Bug fix when accessing zip file content on FAT16 volume using direct image access.
Fixed bug where FAT clusters were incorrectly flagged as deleted.
Several speed improvements on FAT volume with using direct image access.
Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB).
Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module.
The last folder used for a report is now stored to avoid the need to re-enter it.
Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing.
Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on.
Made some changes to the Opera browser recent activity functions to prevent a possible crash.
Added toolbar for quick access to changing views in file system browser.
Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system.
Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name).
Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title.
Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location.
Better handling of nested e-mail/attachments in the index search function.
New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases.
Fixed bug in Mbox Email Reader with attachments missing characters in the filename.
Fixed progress bar for adding email and attachment to the case.
Fixed Email path issues in the file signature function.
DOS batch (.bat) files can now be run from the system information function.
Corrected an issue where the "Live system Capable" radio buttons was not checked when editing a command in system information function.
Allow right-click Copy/Copy All in the system information results tab.
Fixed buffer overflow caused by long header fields (eg. 'To:').
More information about the index is displayed under the results window.
Changed default number of maximum search results to 1000 from 5000.
Adding logging and error conditions for searching an index.
Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file.
Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file.
Fixed bug when in search index function when opening a word list that contains extended ASCII characters.
Fixed bug in search index history list view when a past search query contains spaces.
Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed.
Added message box after successfully carving to file in the raw disk viewer.
Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases.
Fixed a typo in recent activity drop down (Form History).
Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox).

v1.2.1003 - 3rd of October 2012

Fixed indexing for drive root.

v1.2.1002 - 3rd of October 2012

Fixed bug causing certain case items to not load correctly.
Fixed bug where NTFS file data reads were not sector aligned.
Fixed error loading DirectIo Driver.
Added warning message that search reuslts are limited to 1,000,000.

v1.2.1001 - 26th of September 2012

Added cancel button to stop drive scanning in the raw disk viewer.
Added ability to jump to disk offset of deleted files in the deleted files search.
The device name is now displayed for deleted ext2 files in the deleted files search.
Fixed artifact issue when panning images in the internal file viewer.
Fixed cancel functionality for FAT/ext2 in the deleted files search.
Fixed a bug where if there were no hash databases then the "New DB" button was disabled at startup and no new databases could be created.
Fixed a bug preventing the recent activity scan from searching the root directory of a drive.
Fixed a crash when retrieving MFT values.
File carving of physical disks bug fixes.
Image restore now allows image files that are smaller than the disk size.
Added support for FAT12 file system.
Fixed a bug when recoving file when carving via partition number.
Changed create index progress bar to not complete when indexing was manually cancelled.
Added new "Max results" option to search index options.
Added "Display search results" and "Display search results & add to case" right click options for the history tab of search index.
Significantly reduced memory usage of open cases with a large number of items.

v1.2.1000 - 31st of August 2012

Major changes

Support for Apple Mac file systems. Including HFS+ as used in Mac, iPhone, iPod and iPad. So it is now possible to view & investigate files from a Mac or iPhone on your windows machine with OSForensics. Includes changes to,.

Indexer.
File viewer.
Raw disk viewer.
Device manager.

Support for Linux file systems. Including EXT2, EXT3, EXT4. Includes changes most modules in OSF.
SQLite database viewer is now included in the OSF package. This is useful for looking into database files created by several applications on the iPhone and also by Firefox.
Added support for APM partition scheme (Apple Partition Map).
Updated RecentActivity Module to display Browser information for when querying Unbutu machines images.
Added firefox form history retriveal to the recent activity.
Made CSV import into hash sets a significantly more robust and added better documentation.
Changed regular expression searching in search index to use a slower algorithm, but it is more able to execute complex regexes.
Deleted file search now supports hash set lookup and displays icons for status.
Internal file viewer supports right-click functionality for deleted files (Open/Hash lookup/Add to case).
Can now image drives to .E01, .AFF format, in addition to dd format. The compression level can now also be selected (None, Fast compression, Best compression).
Additional advanced indexing options to allow the user to select the type of content to be indexed. The user can now, for example, choose to just index document meta data without indexing the document content.
Sector number and byte offset are now displayed in the list of caved files in the undeleted files module.

Minor changes

Changed progress bar in Create Index to complete with 100% instead of 0%.
Fixed Registry Viewer to use custom file selection dialog. Making it easier to view registry files with directly accessing an image file.
Help file updates.
Fixed vmdk crash bug.
Added a maximum limit for # of items in cache to prevent allocation of an abnormally large amount of RAM at startup by Thumbnail view.
Fixed handle/memory leaks causing potential crash in Thumbnail view.
Fixed crash when closing OSF when search is running in raw disk viewer.
Changed double click of thumbnail in Image tab of "Search Index" to open in internal viewer.
Extended vshadow executable timeout to 2 minutes for slow machines.
Fixed a crash when a case with no indexes was selected and the "Browse Index" tab was clicked on.
Fixed a possible crash when using the scroll wheel in the recent activity window.
Added cookie name and content to CSV export of cookies.
Added cookie content to information displayed in the recent activiy window and included in the TXT and HTML exports.
Fixed bug opening fileset from hash lookup dialog after first sorting.
Can now sort by whether or not the file is in the hash set in deleted file search.
The 'Include Special Characters' checkbox in the hex viewer settings is now functional.
Changed 2GB max file size limit for indexing to 4GB.
Fixed possible crash when adding file to case in free version in deleted files module.
Fix possible crash problem when indexing PST files.
Fixed icons in "File List" tab for OSF devices.
Can now image partitions without drive letters or without recognized file systems.
Sorting by bookmarks is now available from the File name search and index search functions.
The normally hidden NTFS MFT Modify Date field is now exposed. You can see it as an extra column in the File System browser for example. Note that this is a different value from the "Modified date" that is normally associated with a file and displayed in Windows Explorer.
The time line function in the File Name Search module can now generate a timeline based on different sets of dates. e.g. you can do a time line on file creation date or modified date. Previously the timeline always used modified date.
From the Manage Case module it is now possible to right click on a bookmark and add the bookmarked file directly to the case.
In the drive imaging function there is now a new Restore Image tab. This tab allows a disk image to to restored back to a physical drive. This might be useful if you want to attempt to boot a disk image from a physical drive.
From the search index module you can now right click on a word in the Browse Index tab and search for the word in the index and add it to the case in a single step.
You can now export a list of words from the index as CSV via the Browse Index tab.
Allowed multi-select when adding bookmarked files to case. Previously only 1 file could be done at a time.
Allowed multi-select when changing bookmark colors. Previously only 1 bookmark could be done at a time.
Added Export to CSV options to history tab in search index.
Changed list on search index history tab to allow multiple selection.
File system browser - sorting by column click now works for access date and any extra date fields (if applicable, depending on file system and mount method).
Internal viewer - Added extra date fields to 'File Info' tab for "Attribute Modify Date" in HFS and NTFS MFT Modify Date.
File Name Search - When results are filtered via timeline, the date filter used is displayed above the tabs.
File Name Search - Configuration window now has filters for 'Access Date' and any extra date fields (if applicable).
File Name Search - Added new sorting criteria (access date and extra date field) to combo box.
Added support for hidden "Attribute Modify Date" field in Apple Mac HFS file system.
Improved forensic disk access speed via caching.
Various other minor bug fixes in existing functionality.

v1.1.1002 - 5th of June 2012

Addressed problems with indexing many EML Email files. Code for the handling of EML files was completely re-written to be 80% more memory efficient. This can prevent crashes due to lack of memory when indexing large numbers of E-mails.
Fixed a bug in the Windows Login Passwords function preventing the help page opening correctly.
Fixed a crash bug when retrieving IE cookies on some systems. This correction was in common code used by several modules and so might correct other (unknown) issue.

v1.1.1001 - 4th of May 2012

Added support for directly accessing image files of the following formats from within OSF:.

Split Raw Image (.00n).
Advanced Forensics Format Images (AFF).
Advanced Forensics Format Images w/ meta data (AFM).
Advanced Forensics Format Directories (AFD).
VMWare Image (.VMDK).
EnCase EWF (.E01).
SMART EWF (.S01).

Fixed bug opening unallocated clusters in OSF internal viewer.

v1.1.1000 - 26th of April 2012

Added ability to investigate raw NTFS image files directly from OSF without mounting them.

Images and physical drives can now be added to the case as devices.
All of OSF features have been updated to act on these devices.
Image files can now be given a short hand ‘display name' handle. E.g. Case123:\.
Completely by passes file system and file permissions.

Added File System Browser.

View hidden NTFS files ($AttrDef, $MFT, $Boot, etc..).
View and copy locked files.
Automatic calculation of directory size in a background thread.
Browse history location bar.
Integration into bookmark, hashing, indexing and file viewing functions.
Can jump to file's offset on the raw disk.
Disk NTFS stream information (pro version only).
Display of cluster information and file fragmentation.
Added right-click functionality to jump to file's disk offset in raw disk viewer.

Registry Viewer
- Improved speed of Registry Viewer.
- Enabled the data/values/match whole options in the registry viewer search dialog.
- Fixed a bug where the last search term in the registry viewer wasn't being cleared properly for a new search in some cases (leading to no results).
- Various other crash bug fixes.
Added new warning when trying to import NSRL data into the existing example database.
Can now add notes to case without needing to add as an attachment.
Added From: and To: and Subject: fields for email exports from search results.
Can now attempt to crack passwords on encrypted 7zip files.
New right click option in case management to verify file hashes on case items.
Indexing now supports Email attachments with attachments being displayed on separate tab.
Improved image viewing quality in internal viewer.
Added option to use MD5 hashes when creating signatures, in addition to SHA1.
Can now set case acquisition mode. This will warn the user if they try to perform an acquisition task that does not make sense with their case setting. Some functions only make sense in the context of a live investigation.
Added timestamp fields to data decoder in raw disk viewer.
Fixed bug in displayed totals in signature comparison.
Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily at startup.
Fixed bug adding files with no extension to the case.
Fixed hash set creation freeze on certain locked files.
Added "Browse Index" tab to "Search Index" module. Loads currently selected index dictionary.
Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
Better support for long path names, up to 32,000 characters in a path.
MD5 is now calculated for items in the case (as well as SHA-1 & 256).
Signature/File listing may now include E-mails in PST, EML, MSG & MBOX. DBX is also possible but attachments are not listed at the moment.
Direct access to FAT16 and FAT32 image files.
Support for Win7 jump lists in recent activity.
Bug fixes and other minor changes. See this post for more detail.

v1.0.1005 - 6th of December 2011

Fixed XP compatibility issue caused by missing SHGetStockIconInfo function in SHELL32.dll.
Fixed crash bug when opening the live registry or creating volume drive images via shadowcopy on Vista.
Added support for multiple instances of registry viewer.
Added "Export to text" function to registry viewer.
Added "Save to case" right click menu option for keys and values in registry viewer.
Added "Search" menu for registry viewer.
Fixed a bug where REG_QWORD types were not being converted for display correctly.
Fixed bug where registry viewer right click menu could be displayed when not clicking on the value list.

v1.0.1004 - 1st of December 2011

Added "extra information" check box option to case report generation dialog. When checked it adds SHA1 and SHA256 fields to the case report.
Added inbuilt Registry viewer functionality, available via the start page. It is now possible to view key update times and avoid registry permission issues.
Added "Open registry File..." to right click options for recent activity items that come from the registry, which will open the associated registry file and display the key and values.
Added ability to open locked (live system) registry files, (via shadow copy to temp directory).
Changed some recent activity items, those sourced from the registry, to store the full location of the registry file data was collected from and the full key location as two separate items.
Behaviour of IE password scanning for non-live drives changed to display "N/A" for username and password if found but fail to decrypt.
Fixed bug on Windows Login password tab where both radio buttons could be selected at the same time.
Fixed possible bug where scanning for passwords on a read-only mounted drive image could give an "I/O error", affected files are now copied to the temp directory before opening.
Changes to Rainbow Table generation and recovery.

Can now use indexed rainbow table files (.RTI) to decrypt passwords. This inlcudes support for the tables from freerainbowtables.com in RTI1 format.
Added checkbox to turn RT to RTC compression on/off.
Added configuration file to define character sets.
Updated Rainbow Table help file.
Fixed several bugs.

New builds of the indexer that fixes datetime bug that caused files to be dated 1 second behind.
Fixed bug where valid license keys were not accepted if username was too big.
Added filetype for OpenOffice documents and Recycle Bin Meta files. So .ODT files can now be indexed and searched. This also includes support for KOffice & Google Docs.
Fixed a deleted files search crash bug.
Fixed bug with indexing OpenDocument support and Recycle Bin Meta files.
Fixed bug with searching index for unallocated clusters, and filename only files. Results were displayed incorrectly and may not open in the internal viewer.
Fixed bug with missing context descriptions for some search results, and stemmed base words appearing in context.
Fixed bugs with some initial word variants missing from index.

v1.0.1003 - 8th of November 2011

Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only) when retrieving windows passwords.
Fixed a bug that was preventing individual partitions from being imaged correctly and displaying an access denied message.
Fixed a bug where if a username associated with a licence key was too large it would not be recognised as a valid key.
Fixed a datetime bug in the create index / search index that caused files to be dated 1 second behind.

v1.0.1002 - 2nd of November 2011

Removed beta expiry from create index process that was mistakenly left in.
Indexing now supports OpenOffice documents, Windows Recycle Bin Meta file indexing, and soft hyphen indexing.
Fixed rare crash in the raw disk viewer.

v1.0.1001 - 13th of October 2011

Added icon for mounted drives in recent activity list.
Fixed bug with cookie recent activity export not exporting date correctly.
Added silent copy to temp directory of registry files if they can't be opened due to read-only error (eg mounted a disk image as read only).
Added retrieval of user assist items from registry to recent activity.
Improved internal viewer to better display various text document formats.
Fixed a crash creating a new case when entering too much data into the organization or contact fields.
Added warning message to disk imaging when trying to image a partition without a drive letter.

v1.0.1000 - 10th of October 2011

Increased index log window from 5000 to 10000 lines.
Added search MRU items for Windows7 in recent activity.
Added mounted drive letters + volumes to recent activity.
Fixed a bug where on some systems file carving would end up in an infinite loop.
Fixed bug with creating an index with Custom Limits being stuck on Step 3.
Updated OSF Icon to have 256x256 size.

v0.99j Beta - 28th of September 2011

Fixed a crash when indexing certain email files.
Improved Drive Imaging. Now locks drives when unable to shadow copy, also has option to force shadow copy off.
Changed drive imaging so that image write re-attempts on failure.
Updated report export to include emails.
Fixed email export to case for eml files, plus other rare instances with possible name conflicts.
Fixed crash exporting emails before opening the internal email viewer that left OSF in a state that would crash on next export or email view.
Fixed DPI issue in email viewer.
Improvements to ZIP password cracking.
Added ability to get Recent Documents MRU from registry files.
Added ability to get Autorun items from registry and display in recent activity.
Fixed a bug where the random password definition was not being created correctly when a known character was entered.
Fixed crash when exporting recent activity items.
Fixed a bug on the recent activity dialog where "Included dateless items" was not being disabled correctly after a scan finished.
Fixed a bug in the recent activities export where dateless items were not being exported.
Fixed bug with hexviewer ascii/hex radio buttons.
Updated FileCarving to handle .EML format.
Added display of registry key location where registry passwords were retrieved from.
Made some changes to PDF password cracking to add 0-9 and 00-99 to each word in the dictionary.
Index search, fixed bug with not opening files and folders containing entitized characters (e.g. apostrophes) in its name.
Create Index.

Added handling for temp. Office created "owner files" e.g. "~$MyDoc.dot".
Added handling for "Could not open file" errors from RTF messages in PST files.
Fixed problem with "Activation context generation failed" error messages in the Windows Event Log.

Version 0.99i Beta - 15th of September 2011

Fixed a crash collecting recent activity on some systems.
Fixed a rare crash manipulating files in the thumbnail view.
Added ability to retrive list of installed programs in recent activity function.
When picking a particular drive in the recent activity scan, registry files will now also be searched for in the root of the drive.
Updated common password list.
Added code to search both halves LM hash for Windows password recovery.
Can now detects empty Windows passwords.
Improved cracking of passwords in PWDUMP files.
LM and NTLM hashes will only be searched within their respective tables.
Support for cracking of zip files with directory encryption (PKZIP format).
Zip file cracking now up to 10 times faster.

Version 0.99h Beta - 6th of September 2011

Added registry password retrieval dialog to password recovery tab and support code to get windows logins and password hashes from SAM hives.
Undelete Files.

For FAT formatted disks, files in deleted directories are now also shown (rather than just directly deleted files).
For NTFS formatted disks, deleted files that are older than the directories they are in are now also shown.

Disk Preparation.

The list of disks is now shown by default (without pressing the refresh button).
The SMART parameters are refreshed from the disk at the end of the disk test.
The disk test didn't seem to be able to open the disk for writing, this has been corrected.

Fixed issues with .eml files containing CRLF in Subject: headings which broke the index file format.
Added support for carving files from EXT2 partitioned drives.
Added support for filtering file search results by attributes.
Fixed bug in "ole" file parsing.
Auto-update of disk dropdown list when new disks are inserted/mounted.
Fixed identification of unicode strings for binary string extraction.
Rainbow Table cracking now supports PWDUMP text format.

Version 0.99g Beta - 24th of August 2011

Moved expiry date forward to November 15th.
Ctrl-a now works in deleted files module.
Significantly increased speed of browser password recovery in certain circumstances.
Added support for Firefox 6 in recent activity module.
Fixed a number of possible crashes in recent activity module.
Fixed critical memory leak in thumbnail view.
Change made to indexing process to allow searching for email addresses within the content of a document.
Fixed "Performing Search…" message in index search.

Version 0.99f Beta - 12th of August 2011

Fixed bug in Index search causing 0 results to be returned on first try.
Updated file carving to handle mounted images without volume letters and no physical drive numbers.
Can now carve .wma, .wmv and .mov files.
Additional bug fixes to email indexing.

Version 0.99e Beta - 11th of August 2011

Moved beta expiry to 15th of October.
Fixed crash in sig creation when creating hashes and first file hashed is 0 length.
Fixed potential infinite loop in sig creation when creating hashes.
Fixed possible buffer overflow issue in signature creation when trying to hash a file that is inaccessible.
Added ability to change color of bookmarks in case management window.
Added file name search presets for video and audio files.
Fixed a crash when comparing signatures that had extermely long registry key paths.
Fixed a index search crash relating to certain exact phrase searches.
Several fixes and improvements to Rainbow Table generation and recovery.
Rainbow Table changes have rendered any previously generated tables unusable. Tables will have to be re-generated.
Fixed problems with not extracting From: and To: for some emails during indexing.
Added button to minimise/maximise navigation buttons to make low resolution use easier.
Added right click menu to navigation bar to make the buttons thinner.
Can now use the raw disk viewer on unpartitioned or corrupted drive images.
Added a second check for locked chrome database.
Added a way of remembering the copy on locked choice so user doesn't have to sit though multiple dialogs.
Renamed "Get Network drive Info" to "Get Network Info".
Added Edit option to command list management to edit customised (not default) commands.
Internal viewer can now view office documents and pdf files.
Fixed keyboard shortcuts in email list of index search.
Fixed a thumbnail bug in index search lists.
Fixed a bug where bookmarks would not be removed from case management window when they were removed elsewhere in OSF.

Version 0.99d Beta - 29th of July 2011

Fixed critical bugs in both the index creation and search.
Added thumbnail for loading video files.
Added a few extra index bulk search sample lists.

Version 0.99c Beta - 28th of July 2011

Index Search history functionality added.
Index bulk search functionality added.
Internal viewer can now play audio/video files.
Added keyboard shortcuts to internal viewer.
Added keyboard shortcuts to many of the results lists.
Changed report export to allow multiple report types, added ability to select output location.
Added more report tags (organisation, contact details, tiezeone, default drive, case folder).
Fixed a bug where 40bit encryption would not start correctly if a root folder was selected (eg c:\).
Fixed registry signature comparison.
Added Raw Disk Viewer Bookmark functionality.
Some Rainbow Table UI problems fixed.
Default Rainbow Table format has been changed from .RT to .RTC for compression.
Rainbow Table Recovery now supports both .RT and .RTC files.
OSFMount updated.

Version 0.99b Beta - 13th of July 2011

Fixed a bug preventing the creation of a new case.

Version 0.99 Beta - 12th of July 2011

New file bookmarking functionality.
Can now see which files have already been viewed for a particular case.
Can now brute force passwords using random passwords and specify the randok pattern.
Can get Chrome and Firefox password even if the browsers are still open.
Updated a few of the password dictionaries.
Updated indexer executable with some minor bug fixes. Most noteably fixed a crash that occured indexing emails on Windows XP.
Fixed a bug preventing overwriting USB installs with more recent versions of OSF.

Version 0.98 Beta - 22th of June 2011

Beta expiry moved to the beginning of August.
New "Forensic Folder Copy" feature added that allows copying the contents of folders whilst maintaining timestamps.
Can now add emails found from searching an index to the case (via right click on the E-mail).
Files copied to case now retain their original timestamps.
Can now search index for foreign characters with unicode input in the search field.
Index searching now natively supports 64-bit for increased speed (when running 64-bit OSF).
64-bit index search support also corrects a bug when searching very large indexes.
Can now add registry keys/values to signatures (in addition the the file system). This allows snap shots of the registry to be compared, and a list of differences exported. Which can be important for tracking malware behavior.
Improved Rainbow Table benchmark performance.
Can now run multiple create index tasks concurrently by opening multiple copies of OSF.
File Decryption can now use dictionaries to try and brut force the password of encrypted documents.

Added a dictionary containing a list of most commonly used passwords.
Added a dictionary of the english language.
Also has the ability to use the custom dictionaries created by the create index process, which contain every word found by the indexer on the disk being examined.

Added ability to Force OSF to quit if a task fails to stop.
Fixed a number of minor UI quirks.
Fixed a bug copying hash sets between databases.

Version 0.97 Beta - 27th of May 2011

Added drive imaging module. Can now create drive images of live systems.
Mismatch files date filter.

Can now filter on both modify and create date
Is now inclusive of end dates
Now correctly respects the case time zone

File decryption tab renamed to Decryption & Password Recovery.

Now supports Word/Excel/Powerpoint/PDF/ZIP/RAR password recovery based on a dictionary attack (currently only a default english dictonary is used)
Different options will be available depending on the type of file encryption detected

Rainbow Tables.

In Rainbow Table Generation, added automatic and manual input modes for basic and advanced users respectively
Separated Rainbow Tables Inputs into two groups, Password Parameters and Table Dimensions

Version 0.96 Beta - 6th of May 2011

Fixed crash when trying to use the file decryption module.
Fixed list of default drives in new case and edit case dialogs.
Fixed an issue with the right click menu not working in the thumbnail view on XP systems.
Fixed an issue with the thumbnail list not updated on XP.
Fixed tabbing, and tab ordering in most windows.
Rainbow Tables.

Added an LM specific character set.
Added automatic incrementing of rainbow tables with the same parameters (by incrementing the rainbow table index/reduction offset) to prevent overwriting of files and to add breadth the coverage of the tables.
Removed a hash input, so that the text edit box is shared between the raw hash input and the select hash file input.
Rearranged the UI to be more space efficient.

Fixed Create Rainbow Table button, which was not getting re-enabled when generation is cancelled.
Fixed rainbow table file text control to have left to right text.
Fixed issue with drive list not refreshing in "Browser Password" and "Create/Verify Hash" modules.
Indexing.

Fixed bug with foreign characters in text files.
Fixed error message regarding date script.

Version 0.95b Beta - 21st of April 2011

Fixed error when trying to create an index with the 64-bit version of OSF.
Changed order of indexing process so that when no errors occur pre-scan will move straight into indexing.
Added cancel button to create index pre-scan.
Updated OSFMount to V1.5.1003.
Fixed an occasional bug in setting the default drive letter.

Version 0.95 Beta - 20th of April 2011

Improved IE password discovery.
Bug fixes and improvements for creating indexes.

Fixed issues with non-English date formats in Outlook e-mail messages.
Changed handling of errors when indexing unallocated clusters. Will now continue to index next start point or finish indexing instead of aborting.
Fixed issue with SWF plugin crashes (due to invalid SWF files) appearing.
Fixed bug with not indexing RTF format e-mail messages in .PST or .MSG files.

Changed all list exports to use utf-8 instead of utf-16.
Fixed bug exporting recent activity to HTML format.
Added option to switch choose between UTF-8 or UTF-16 when hashing text.
Column sorting in password recovery window is no longer case sensitive.
Fixed bug copying some items from browser password list.
Updated OSFMount to v1.5.1002.
Minor improvements to internal system information gathering commands.
Minor improvements to rainbow tables UI.

Version 0.94b Beta - 15th of April 2011

Fixed a crash in the recent activity page.
Added 'Hash Text' option to hashing window.
Fixed column sorting issue in browser password recovery.

Version 0.94 Beta - 14th of April 2011

New password recovery and file decryption module.

Moved browser passwords recovery from recent activity to passwords window.
New rainbow tables for recovering a password from a hash.
Can now decrypt PDF, DOC and XLS files with 40-bit encryption.

Added a visual indication in the side bar of what modules are currently running tasks.
Fixed bug collecting some system information on 32-bit systems.
Can now copy files to clipboard so they can be pasted in windows explorer.
Fixed crash when scanning recent activity on system with Firefox 4.
Fixed bug causing default system information lists to not be added.
Fixed bug causing crash when deleting multiple indexes.
Change NSRL import feature to allow pointing at a directory without sub folders.
Links in emails viewed internally now work and open an external browser.
Internal report links in system information report now work.
Removed useless link accidentally placed in signature window.
Corrections for undelete file across a physical disk (i.e. multiple partitions).
Corrected bugs related to undelete files on Files Systems with MFT's with more than 500000 entries.
Changed deleted recycle bin meta data file display to be clearer that it is not the original file.
DiskViewer changes.

"Select Range..." option in right-click menu.
Data interpreter window now resizable.
Jump/Select range dialog now holds previous settings.

MemViewer.

Added legend for memory layout map.
Removed Idle process (PID: 0) and System process (PID: 4) from combo box.
Combo box is now sorted alphabetically.
Refresh now retains the current process.
Fixed memory layout map bug for Wow64 processes with IMAGE_FILE_LARGE_ADDRESS_AWARE flag set.
Fixed bug with memory walking routine.

Improved CSV export. OSForensics now generates valid CSV formatted files.
Can now undelete files directly to case.
Added ability to index Chinese/Japanese text.
Can now sort by user in recent activity.
Added 'Exit' navigation button.
Drive Preperation now allow sselection of byte pattern, some like zeros, some like ones, and some like h7F.
Changed it so that clicking the captions in the help index expands the item.
Fixed bug in case export where empty tables would cause sorting on subsequent tables to fail.
Moved beta expiry date forward to 15th of July 2011.

Version 0.93 Beta - 18th of March 2011

Redesigned System Information module with greater flexibility.
Fixed RTF Viewer in built-in email viewer.
Updated packaged OSFMount to v1.5.
Fixed bug when adding files from very long paths to case.
Fixed crash related to retrieving non-English bookmarks from Chrome.
Changed font in search lists to support unicode where available.
Fixed bug allowing adding of files to case when case not open.
Disk Viewer
- Fixed MFT scan lock-up bug.
- Moved button functionality to right-click (View with viewer, Carve, etc...).
- Changed decode window to be open by default.
- Misc. performance enhancements.
- Code refactoring + documentation.
- Improved error message for drive scanning errors.
- Fixed minor auto-highlighting issue.
Internal viewer
- Resizable FileInfoViewer.
- FileInfo Viewer metadata information for raw disk bytes.
MemViewer
- Fixed “Select Process” bug.
- “Select Process” now supports multiple monitors.

Version 0.92 Beta - 4th of March 2011

Unified x86/x64 installer.
Improved USB Install both versions of OSF are now installed to USB and the correct version is launched automatically depending on the system.
Include OSF Mount in OSF Installer and allowed OSF Mount to be launched from within OSF.
Added link from start page detailing how to create drive images.
Improved file carving functionality.
Fixed export functionality for attachments.
Disk Viewer
- Auto-highlight (files, system files, slack space, streams, etc...).
- Decode window is now resizable.
- Decode window includes an extra field to identify the object type (eg. file, directory, slack space, streams, etc...).
- Fixed auto-highlight colour scheme.
- Added auto-highlight legend.
- Auto-highlight of MBR.
- MBR decode.
- Support for volume/file system slack space.
- FAT parse bug fixes.
- Delay disk scanning until user selects tab.
- Miscellaneous bug fixes and performance improvements.
.
Can now filter lists to only show a specific date range in the timeline view.
Fixed File Name Search date range lookup, previous fix broke end date conditions.
Fixed date range in recent activity lookup.
Date and time display format is now based on the Windows regional settings.

Version 0.91 Beta - 22nd of February 2011

Fixed bug preventing the creation of new hash sets.
Date range selection in File Name Search now works correctly. Previously it was slightly off due to lack of correcting for time zone differences.
Added message on memory viewer warning user that this feature is only useful for live acquisitions.
If trying to install a USB copy to the root of a drive OSF will automatically specify a sub-directory to install to.
Current OSForensics configuration is now copied with USB installation.

Version 0.90 Beta - 18th of February 2011

Fixed bug preventing the creation of a new case.
Added sector markers to raw disk viewer.
Added progress info when searching raw disk.
Updated help file pages on raw disk veiwer.

Version 0.89 Beta - 16th of February 2011

Added raw disk viewer.
Can now specify a default drive to perform actions on as part of the case.
Fixed memory handle leak when searching for alternate streams.
Fixed opening a files location where the file exists in a folder with a comma.
Indexing process now skips known file types that are deselected when choosing to index unknown file types.
Fixed bug in advanced index configuration not allowing max file size less than 2GB.
Can now view alternate streams in internal viewer.
Fixed progress bar being wrong by a factor of 10 during the hashing stage of signature creation.
Fixed a bug preventing some files from being opened from the index log.
Added progress bar to indexing status window.
Added maximum number of files to index status window.
Improved some indexing failure error messages.
Fixed incorrect counting of .dbx files in some instances during indexing pre-scan.
Indexing process by default now excludes '.zdat' files (index files).
Fixed bug with indexing Outlook .msg files.
Fixed bug with missing from and to addresses for some HTML emails from .pst files.
Max file size indexed is now determined by the amount of RAM in the system rather than the largest file on disk.
File search no longer shows folder when limits on streams are set.
Can now sort by number and size of streams in File Search.
Index search now shows an indication when context has been truncated.
Fixed minor bug that would re-enable the controls in the deleted files search before the search was completed if the user browsed to another window and back.
Add ability to stop the deleted file search while running.
Fixed crash when closing the internal file viewer while a large file was being loaded into the text viewer.
Case management item list now shows the date the item was added.
Renaming indexes in the case management window now correctly updates the names in the search index window.
Fixed crash in recent activity search when limiting by date range.
Minor improvements to NSRL import speed.

Version 0.88 Beta - 4th of February 2011

External documents can now be attached and included into case reports.
Can now sort images by foreground or background color in file search.
Can now perform file carving in the deleted files window, finding deleted files that no longer have any associated file table entries.
Recent Activity scan now threaded so other actions can be performed while the scan is going.
Fixed a potential issue where the recent activity can could end up in an infinite loop.
Can now recover browser bookmarks in recent activity module.
Indexing file size limitation no longer apply to container files such as zip and pst. (Files within containers are still subject to the limit).
Can now import the National Software Reference Library (NSRL) data set as a hash database (all 62 million records).
Invalid character checking on case creation fixed.
OSF will now launch as admin by default, however there is a start menu option to launch as non elevated admin. Admin permissions are required for operations like recovering deleted files. But it is important that the software can still run on systems where the administrator's password is not available.
System information window now shows more memory information.
Threaded document loading for the internal text viewer. (with cancel button for large documents).
Case sensitive checkbox for text search in the internal text viewer.
Possible fix for text search on unallocated sector in internal viewer, which was previously very slow.
Internal Text Viewer GUI fixes.
Fixed resize issue when minimizing/maximizing internal HEX viewer.
Indexing process no longer tries to index the files it is creating.
Fixed a DPI issue on the start page.
Added functionality to search and filter files by NTFS streams (based on the number and size of the stream)

Version 0.87 Beta - 16th of December 2010

Fixed bug in 64-bit indexing causing files to be skipped when max file size was greater than 2GB. Max file size is now limited to 2GB.
Fixed bug in 32-bit where pre-scan would never allow a max file size greater than 50MB, limit is now 512MB in 32-bit pre-scan.
Various other fixes/improvements to the indexing process.
Improved stability in the recent activity module.

Version 0.86 Beta - 13th of December 2010

Redesigned case management module for easier selection between multiple cases. Some underlying changes with this will make cases created with previous versions of OSF incompatible.
Indexing process has had significant improvements, especially in the area of binary string extraction and indexing unallocated sectors.
Different levels of binary string extraction can now be selected from the advanced indexing options.
Any file can now be added as an attachment to a case.
Case creation date now stored.
Organization and Contact Details can now be stored as part of a case.
Extra details about created indexes are now stored in the case and can be viewed through the case item properties window.
Fixed issue indexing unallocated clusters from a drive image mounted with OSFMount.
Fixed issue with file name search populating thumbnail view for searches that complete quickly.
Fixed a rare index search crash on browsing results.
Better support for recent activity gathering of Internet Explorer related activities on non active drives.
Fixed big in saving window size that caused the window to shrink vertically slightly between runs.
Added ability to get logins/passwords from IE, Chrome and Opera.

Version 0.85 Beta - 1st of December 2010

Faster Unallocated Cluster indexing.
Can now open unallocated index search results in the internal viewer.
Fixed rare crash browsing unallocated cluster index search results.
Fixed crash on Recent Activity related to new Firefox login extraction.
Improved System Memory Information.
Search Index, searches with a single result now show properly.

Version 0.84 Beta - 29th of November 2010

Redesigned create index module into a wizard. It is now much more user friendly.
The indexing process should also now be more reliable with a number of bug fixes and other assorted improvements.
Recent activity module can now retrieve saved passwords from Firefox (where the user is not using a master password).
Upgraded removable drive to also allow for drive zeroing.
Made a change to the indexing process to better support Thunderbird mail files.
Fixed issue with dates from emails in mbox files.
Fixed Index searching when dealing with non English characters.
OSF now saves last window size.
Updated start page descriptions and icons.
Re-arranged left panel.
Deleted files search now applies filters on when clicking the search button as well as the apply filter button.

Version 0.83 Beta - 10nd of November 2010

New Start Page tab to better navigate the features of OSForensics.
Fixed bug on Windows XP preventing the creation of Case Files.
Can now gather recent activity from system event logs.
Fixed bug getting browser recent activity from non active drives.
Improved Indexing max limits.
Improved index gathering of dates in emails.
Improved Undelete functionality on highly fragmented FAT partitions.
Increased number of strings extractable using Hex viewer.
Fixed memory viewer window so that all information fits correctly.
Added warning for users running the 32-bit version on 64-bit Windows.
Minor additions to help file on certain topics.

Version 0.82 Beta - 22nd of October 2010

By default OSF now displays in local time rather than UTC.
Added ability to select time zone for display as part of case properties.
Added time zone information to html, csv and text exports.
Fixed bug causing radio to remain on volume after no admin warning in hash lookup.
Update need admin message in deleted files and create hash modules.
Changed website link in about window to point to osforensics.com.
Changed about window to display 32/64 bit version info.
Added feedback button (for Beta only, will be removed in final release).

Version 0.81 Beta - 13th of October 2010

Beta period extended to 1st of July 2011.
Added ability to hash entire drives.
Additional information about where the data was retrieved from in the recent activity module, for WLAN, USB and URL items.
Miscellaneous help file improvements.
Added “add to case” functionality in “Recent activity”, “Search index”, “Deleted file search” and “system information” modules.
Allowed adding CSV exports to case.
Fixed bug causing an error to display at start-up about no disk in drive when certain USB devices are connected (such as USB card readers).
Fixed crash while scrolling recent activity window.
Added CSV export to “Recent activity” module.
Improve error for new case when non existent folder is selected.
No longer attempt to hash folders when hashing files found in the File Search module.
No longer lose selection when hashing files in the file search module if sort order is anything other than sort by "In hash set".
Minor modifications to the Deleted Files Search interface.
Added additional templates for case export.
Added a better default mismatch search filter.
Extra sort options in Recent Activity Module.
When exceeding theoretical word/page limits in Indexing the log now shows a proper error.

Version 0.8 Beta

Initial Release.

What's New?

V11.1 build 1007 6th May 2025

V11.1 build 1006 29th April 2025

V11.1 build 1005 16th April 2025

V11.1 build 1004 19th March 2025

V11.1 build 1003 28th February 2025

V11.1 build 1002 18th February 2025

V11.1 build 1001 10th February 2025

V11.1 build 1000 30th January 2025

V11.0 build 1015 29th October 2024

V11.0 build 1014 3rd October 2024

V11.0 build 1013 24th September 2024

V11.0 build 1012 20th September 2024

V11.0 build 1011 17th September 2024

V11.0 build 1010 6th September 2024

V11.0 build 1009 *was not publicly available*

V11.0 build 1008 13th June 2024

V11.0 build 1007 20th March 2024

V11.0 build 1006 4th March 2024

V11.0 build 1005 28th February 2024

V11.0 build 1004 13th February 2024

V11.0 build 1003 7th February 2024

V11.0 build 1002 2nd February 2024

V11.0 build 1001 18th January 2024

V11.0 Build 1000 10th January 2024

V10.0 Build 1016 10th October 2023

V10.0 Build 1015 19th July 2023

V10.0 Build 1014 14th June 2023

V10.0 Build 1014 14th June 2023

V10.0 Build 1013 26th May 2023

V10.0 Build 1012 16th May 2023

V10.0 Build 1011 12th May 2023

V10.0 Build 1010 26th April 2023

V10.0 Build 1009 23rd February 2023

V10.0 Build 1008 22nd February 2023

V10.0 Build 1007 23rd January 2023

V10.0 Build 1006 28th November 2022

V10.0 Build 1005 14th November 2022

V10.0 Build 1004 27th September 2022

V10.0 Build 1003 9th August 2022

V10.0 Build 1002 5th August 2022

V10.0 Build 1001 22nd July 2022

V10.0 Build 1000 14th July 2022

V9.2 Build 1000 14th July 2022

V9.1 Build 1012 6th April 2022

V9.1 Build 1011 4th April 2022

V9.1 Build 1010 24th March 2022

V9.1 Build 1009 3rd February 2022

V9.1 Build 1008 25th January 2022

V9.1 Build 1007 24th January 2022

V9.1 Build 1006 23rd December 2021

V9.1 build 1005 21st December 2021

V9.1 build 1004 9th December 2021

V9.1 build 1003 2nd December 2021

V9.1 build 1002 19th November 2021

V9.1 build 1001 12th November 2021

V9.1 build 1000 11th November 2021

V9.0 build 1002 8th September 2021

V9.0 build 1001 17th August 2021

V9.0 build 1000 5th August 2021

V8.0 build 1008 7th June 2021

V8.0 build 1007 17th February 2021

V8.0 build 1006 28th January 2021

V8.0 build 1005 29th December 2020

V8.0 build 1004 4th December 2020

V8.0 build 1003 25th November 2020

V8.0 build 1002 9th November 2020

V8.0 build 1001 3rd November 2020

V8.0 build 1000 22nd October 2020

V7.1 build 1012 28th May 2020

V7.1 build 1011 20th April 2020

V7.1 build 1010 25th March 2020

V7.1 build 1009 23rd March 2020

V7.1 build 1008 17th March 2020

V7.1 build 1007 5th March 2020

V7.1 build 1006 18th February 2020

V7.1 build 1005 24th January 2020

V7.1 build 1004 6th January 2020

V7.1 build 1003 16th December 2019

V7.1 build 1002 6th December 2019

V11.0 build 1009 was not publicly available