OSF V4 is now available for beta testing.
Beta details
Current Version: V4.0 Beta 3
Date: 25/Oct/2016
Download link: OSFV4 Beta download link.
Download size: 65MB
OS Support: XP to Win10.
(We suggest using Win7, 8, or 10, as XP is missing some features like Shadow copy & GPU support.)
License keys: V3 keys continue to work in V4 beta. New V4 keys will be required for the final V4 release
Price: No change from V3. Free upgrades for past orders with paid up support & maintenance.
Expiry: Beta will expire on 15/Nov. We'll have a new beta or the final release out before then.
What's new
Password recovery
- Wifi passwords are now recovered & decrypted from the registry and file system.
- Windows auto-logon passwords are now recovered & decrypted from the registry.
- Outlook & Windows live mail passwords are now recovered & decrypted.
- Microsoft product keys are extracted from the Windows registry
- New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
- Specific rows in the password report can now be selected for export or adding to the case.
- GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR files. (Work in progress)
- Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
- New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
- Added NTLM hash cracking to the common password check for the Windows login password
- Added NTLM hash rainbow table generation.
- It is now possible to change the order of buttons in the left menu, now called the Work Flow menu. This allows the button order to reflect the chronological order of specific forensics processes.
- Checkboxes are now used in several windows instead of multi-select, which required continuously holding select/ctrl.
- New 'File Details' tab in several windows that displays the search results in a list view.
- Added OS X artefacts to Recent Activity feature for Mac drives
- Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
- Updates in Recent Activity for newer browsers (including Edge)
- Faster collection of Windows Search terms in Recent Activity (reducing hours to minutes for the worst case)
- Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
- Added USB first connected time from parsing setupapi.dev.log
- Added the ability to reorganize and/or hide/show certain columns on the File Details tab by right-clicking on the column title area.
- GUI will show incrementing artefact count during the scan
- exFAT is now supported
- Added read-support for .Ex01, .Lx01, and .L01 image formats
- Improvements to HFS+ support for Macs.
- Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
- Added a log option for Forensics Copy
- Added ability to supply multiple source paths when performing Forensic Copy
- Owner/group/permissions are now preserved in Forensic Copy
- Better exposed the function to compare shadow copies.
- The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
- Handles and loaded Modules are displayed per process when available
- Users can create Process Specific binary dumps through right click options and add to the case.
- Dialog to select from a list of known files now shows the file size
- Added right-click option to copy values (i.e. cells) to clipboard
- Added right-click option to view values (i.e. cells) as binary data in the internal viewer
- Added right-click option to export values (i.e. cells) as binary data to file
- Added right-click option to export values (i.e. cells) as binary data to case
- Added right-click option to export tables to case
- Fixed some memory allocation issues when exporting tables that can cause a crash
- Fixed horizontal scroll bar not appearing for some tables
- Binary data is now displayed in byte groupings
- Fixed a bug when retrieving a record multi-value
- The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
- Peer to peer file types have been added as a new pre-set search selection.
- The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
- Improved the default settings
- Ability to group the search results by file type in 'File Details' view
- When grouping the results by file type, the groups are collapsed by default
- Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
- Improved relevance scoring when hundreds of matches are found within the same file
- Restored torrent file indexing which got accidentally broken in a past release.
- Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
- Improved search results layout
- PDF output added.
- New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
- Added option to include file EXIF metadata in the report
- Custom Logos are now easier to add
- Added two custom fields to Case Information (The Edit Case and New Case windows) & allow the user to rename the fields
- Added an Add External Report feature in case management, which supports adding an external HTML report directory to properly display other tools' reports.
- Reduced the time required to populate the list of log entries
- Index search history is now loaded on demand to reduce case load time.
- File size of the case item is no longer retrieved to reduce case load time
- The default mount name for volume shadows now contains the index number
- When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
- Fixed an issue when adding shadow copies to a case: selecting an individual shadow copy would store an incorrect Device path (e.g. Drive-C instead of Drive-C:\), which would lead to it not being displayed on the analyze shadow copy dialog.
- Added a Shadow Copy Analyze icon to the start page
- Stopped a shadow copy entity being compared against itself, as it only makes sense to compare different shadows.
- Added a warning message when opening the analyze dialog if no shadow copies were added to the case.
- BitLocker Detection preset added to System Information
- Updates to System information to detect new CPU types
- Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.
- Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
- Dialog to select from a list of known files now shows the file size
- Button to add Hash results to case
- Fixed large memory usage when reading Win10 thumbcache files.
- Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
- Added to list of known thumbnail cache files
- Replaced thumbnail size radio buttons with combo box
- Dialog to select from a list of known files now shows the file size
- Updated video previewer to support more video formats, including video in these formats: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
- Can do screen capture from the File Viewer.
- Added BCC searching for Emails.
- Additional details are indexed when indexing Emails (for some formats).
- Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files
- Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
- Added a new window showing the list of File Types that are carved (opened from within the config window). The user can modify this list to add custom signatures by editing the osf_filecarve.conf file.
- Ability to group the search results by file type in 'File Details' view
- When grouping the results by file type, the groups are collapsed by default
- Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
- Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
- Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
- Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
- Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
- Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
- Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
- Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
- When loading the log file (secure log), a buffer is now used to speed up load time