Announcement

Collapse
No announcement yet.

OSForensics V1.1 Public Beta

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V1.1 Public Beta

    OSForensics V1.1 beta release

    Download Link
    V1.1 development and testing is now complete. The beta testing period has ended.
    You can download the current version here.

    What's new
    • Added ability to investigate raw NTFS image files directly from OSF without mounting them.
      • Images and physical drives can now be added to the case as devices.
      • All of OSF features have been updated to act on these devices.
      • Image files can now be given a short hand ‘display name’ handle. E.g. Case123:\
      • Completely by passes file system and file permissions.
    • Added File System Browser
      • View hidden NTFS files ($AttrDef, $MFT, $Boot, etc..)
      • View and copy locked files
      • Automatic calculation of directory size in a background thread.
      • Browse history location bar.
      • Integration into bookmark, hashing, indexing and file viewing functions
      • Can jump to file’s offset on the raw disk
      • Disk NTFS stream information (pro version only).
      • Display of cluster information and file fragmentation.
      • Added right-click functionality to jump to file's disk offset in raw disk viewer.
    • Registry Viewer
      • Improved speed of Registry Viewer.
      • Enabled the data/values/match whole options in the registry viewer search dialog.
      • Fixed a bug where the last search term in the registry viewer wasn't being cleared properly for a new search in some cases (leading to no results)
      • Various other crash bug fixes.
    • Added new warning when trying to import NSRL data into the existing example database.
    • Can now add notes to case without needing to add as an attachment.
    • Added From: and To: and Subject: fields for email exports from search results.
    • Can now attempt to crack passwords on encrypted 7zip files.
    • New right click option in case management to verify file hashes on case items.
    • Indexing now supports Email attachments with attachments being displayed on separate tab.
    • Improved image viewing quality in internal viewer.
    • Added option to use MD5 hashes when creating signatures, in addition to SHA1.
    • Can now set case acquisition mode. This will warn the user if they try to perform an acquisition task that does not make sense with their case setting. Some functions only make sense in the context of a live investigation.
    • Added timestamp fields to data decoder in raw disk viewer.
    • Fixed bug in displayed totals in signature comparison.
    • Reduced initial memory usage of the memory viewer which was allocating buffers unnecessarily at startup.
    • Fixed bug adding files with no extension to the case.
    • Fixed hash set creation freeze on certain locked files.
    • Added "Browse Index" tab to "Search Index" module. Loads currently selected index dictionary.
    • Recent activity and password recovery updated to support Opera 10/11 & Firefox 10.
    • Better support for long path names, up to 32,000 characters in a path.


    What's still broke in Beta #1
    • An issue with indexing / viewing E-mail attachments in MBOX E-mail archives
    • An bug in the NTFS direct access option with some NTFS compressed files
    • Decryption of 7zip files should be working, but isn't.
    • File listing only deals with PST E-mail archives at the moment.
    • No direct access to FAT volumes. They still need to be mounted with a drive letter (as per V1.0)


    Feedback
    Please send us your feedback. Either post it here, or get into contact with us.

  • #2
    Updated beta release #2 - 13/Mar/2012

    Download Link
    The download link in the first post has been updated.

    What's new in Beta #2 compared to Beta #1
    • Compressed NTFS files are now OK when doing direct image access.
    • MD5 is now calculated for items in the case (as well as SHA-1 & 256).
    • Indexing of mbox E-mail files and (most) attachments is OK.
    • Fixed a bug that prevented the indexer launching is fixed.
    • Fixed a bug with the right click menu in the indexer's log window.
    • Decryption of 7zip files is now working.
    • File listing is now working for E-mails in PST, EML & MSG. DBX is also possible but attachments are not listed at the moment.
    • Regex filters are now available in the browse index function. Including built in filters for phone numbers, URLs, etc..
    • Some help file updates


    What's still broke in Beta #2
    • There is a problem indexing nested E-mail attachments in mbox files
    • No direct access to FAT volumes. They still need to be mounted with a drive letter (as per V1.0)

    Comment


    • #3
      First test with OSForensics V1.1 Public Beta

      Hi
      There is one thing that seems not been working
      when i create a new case and click "Add Device ..." the
      "Physical Disk" option is greyed out and can't be selected.
      I'm testing on Windows Seven Ultimate, SP1, 64bit.
      I would like to be able to try that option to see if it can be used to
      work with the new feature (working directly on image files without mounting them) on .E01 images. With the size of hard disks that keeps growing
      the encase image format is VERY useful because it supports compression
      but OSForensic doesn't lists .E01 files among the disk image types it can
      work on without mounting so i was thinking to make a physical mount of
      the .E01 image with FTK Imager 3 and then work on it with OSForensic
      but, as i said, the "Physical Disk" option can't be selected.

      Comment


      • #4
        Yes, we are still making changes to the Add Device window and the functionality behind it.

        At the moment in Beta #1 & Beta #2 it is possible to do direct access to raw (dd) images with NTFS.

        In Beta #3, which should be out this week, we'll add
        - Direct access to raw FAT images.
        - Direct access to local physical volumes with NTFS and FAT (e.g C:\ )

        Before the release of V1.1 we'll add Direct access to local physical drives with NTFS and FAT. Which should address the 2nd part of your question.

        In V1.2 (later in the year) we'll add direct access to .E01 images, and several other file systems hopefully.

        In the meantime you can mount images with a drive letter using the 'Mount Drive Image' function in OSF. This already supports compressed .E01, AFF and several other image formats.

        Comment


        • #5
          Beta #3

          Updated beta release #3 - 23/Mar/2012

          Download Link
          The download link in the first post has been updated.

          What's new in Beta #3 compared to Beta #2
          • Direct access to FAT16 and FAT32 image files.
          • Direct access of physical drives now possible (but it is a bit slow at the moment).
          • Added creation date to signature difference details window
          • Added MD5 hashes to the verify dialog for case items
          • Added new MD5 style to report templates
          • Updated OSFMount to 1.5.1009, which will now auto-detect partition in an image
          • File metadata like streams and fragments is now loaded before the slower directory metadata in file browser
          • Added 'Forensics Mode' option in Add device window. 'Add Device' dialog allows the user to select between Forensics/Standard mode. Forensics Mode = Direct image access.
          • Added extraction of From/To/Date/Subject fields when opening parent email for an attachment
          • Added file/folder count in "File Info" tab when viewing folders in internal viewer
          • Added directory support for "Save to disk" right-click function. So can extract a folder from a image to a physical drive.
          • Added progress bar when saving files to disk
          • Email viewer can now see attachments for MBOX files. Also can save them to disk.
          • Fixed bug in signature creation that stopped the starting folder being longer than 30 characters.
          • Fixed some bugs preventing old Firefox (1.5, 2) URL history and password retrieval with direct image access
          • Fixed a bug when retrieving IE passwords from a disk image using direct access (registry files were not loaded correctly)
          • New builds of file indexer fixing PST/plugin accessing of non-direct access paths.
          • Fix a bug (index out of bounds) for determining file type of OLE files.
          • Fixed a crash when opening a disk image starting with 'C' in the registry viewer
          • Fixed bug where no registry files appeared in the registry viewer when image name was greater that 16 characters
          • Fixed bug where undelete files in exported case report could refer to hash values for attachments instead or cause a crash if there were undeleted files but no attachments in the case
          • Fixed bugs with offsets in mbox files (pointing to the wrong part of the message, etc.)
          • Added handling of nested boundary stacks for mbox E-mail.
          • File properties can now be retrieved even though access is denied in internal viewer
          • Fixed E-mail viewer issue with "----" lines showing at end of emails from MBOX
          • Fixed extraction of meta information for MBOX parent email (from attachment search results)
          • Updated Help file "Indexing" section and Browse Index, plus fixed some screen shots.
          • Added button for verify under Case items (open/delete/properties) to match right click menu
          • Changed navigation icons in file browser for higher quality icons and added tool tips
          • Folder size/size on disk is displayed in 'File Info' tab in internal viewer
          • Fix of a buffer overflows case when adding a list of recent activity items to a case
          • Fixed a crash bug when a device was added in the file browser without a case being opened


          What's still broke in Beta #3
          • Performance of direct access on physical drives is rather poor. We need to add a level of caching.
          • Help file could be improved in several areas.
          • Attachments to E-mails in MBox format aren't included in a file listing at the moment.
          • Still need to add direct access to physical drives (in addition to volumes which are already supported)

          Comment


          • #6
            Updated beta release #4 - 28/Mar/2012

            Download Link
            The download link in the first post has been updated.

            What's new in Beta #4 compared to Beta #3
            • Missing To: CC & BCC: addresses in file listing
            • Removal of highlight tags when exporting from search results
            • Better error reporting when a bad E-mail is encountered.
            • Ability to continue parsing PST files after a bad E-mail / attachment is found
            • Fixes to E-mail viewer
            • Addition of PST sub-folders into the overall file path for the device for file listings
            • Splitting up of date and time fields for file listing export
            • Can add a physical drive as a device in case management.
            • Fixes a bug on export of recent activity when an item has an invalid date
            • MBox E-mail attachments are now included in a file listing
            • Modifications to the word split rules for indexing words in apostrophes.


            What's still broke in Beta #4
            • Performance of direct access on physical drives is rather poor. We need to add a level of caching.
            • Help file could be improved in several areas.
            • Indexing of unallocated NTFS clusters when doing direct image access isn't working.
            • We are still planning on adding a function to allow network locations to be added as paths

            Comment


            • #7
              Beta release #5

              Updated beta release #5 - 5/Apr/2012

              Download Link
              The download link in the first post has been updated.

              What's new in Beta #5 compared to Beta #4
              • Updated OSFMount tool to fix a bug mounting split dd images with multiple partitions
              • Performance improvements when directly accessing an image (up to x10 faster in some cases)
              • Bug fix in Windows Login Password recovery when working with direct access images
              • Added arrow key and Page Up/Down handling to browse search index
              • Fixed up progress bar indicator to be more accurate when testing encryption passwords from multiple dictionaries
              • Replaced generic device icons in the file browser with custom icons.
              • Support for adding a network location as a device
              • PST E-mail viewer now displays CC and BCC fields and Delivery date
              • Fixed several bugs when doing direct access on FAT volumes
              • Fixed missing attributes for files with alternative streams in the internal file viewer
              • Improved debug log to get a better log for startup errors
              • Fixed a bug preventing FireFox passwords from being collected when doing direct drive access (missing dll)


              What's still broke in Beta #5
              • Indexing of unallocated NTFS clusters when doing direct image access isn't working. (Works OK for mounted images)

              Comment


              • #8
                Beta release #6

                Updated beta release #6 - 13/Apr/2012

                Download Link
                The download link in the first post has been updated.

                What's new in Beta #6 compared to Beta #5
                • Support for indexing content of unallocated cluster using direct disk access
                • Added check box to skip E-mail attachments during a E-Mail listing
                • Some internal code restructuring to improve ongoing maintainability
                • It is now possible to get device properties via right click in the File Browser.
                • Crash bug fixed in thumbnail view.
                • Bug fixes to undelete file function when used with direct access.


                What's still broke in Beta #6
                • We like to add support for Win7 jump lists in recent activity before final V1.1 release
                • We like to add extra date fields into the HTML report before V1.1 release
                • There are no known outstanding bugs at this point !!

                Comment


                • #9
                  Final V1.1 release was made public today. Thanks to everyone who reported bugs.
                  We aren't aware of any outstanding issues, but please report any new problems you find.
                  This release should be better in every respect (stability, functionality, speed, etc..) compared to the V1.0 release.

                  Comment

                  Working...
                  X