UPDATE: FINAL RELEASE IS NOW AVAILABLE AS OF 1/JUNE/2017 - Beta testing is finished.
OSF V5 is now available for beta testing.
Current Version: V5.0 Beta 5
Date: 26/May/2017
Download link: OSFV5 Beta download link.
Download size: 78MB
OS Support: XP to Win10.
(We suggest using Win7, 8, or 10, as XP is missing some features like Shadow copy & GPU support.)
License keys: V4 keys will not work in the V5 beta. New V5 keys will be required for the final V5 release
What's new
• NEW PList Viewer
- Added a new Plist viewer
- Added reverse text searching option. For nodes that contain "data", added quick hex preview popup dialog when field is single-clicked (double clicking will open a new file viewer window).
• NEW $UsnJrnl Viewer
- Added support for loading $UsnJrnl files saved as a regular file (ie. not as $J alternate data stream)
- Added support for $MFT file lookup to determine full path
- Added support for searching for subtext
- Added right-click menu options for viewing file, exporting records and adding records to case
- Added progress bar when parsing USN records, loading $MFT file and searching for subtext
• Analyze Shadow Volume
- Results can now be exported in HTML and CSV format
- Added button to export results to case
- Added right-click menu for exporting results
• Case Manager
- Added support for mounting file paths as a device in the case
- Adding devices to case now supports adding local folders in addition to network paths. Renamed 'Network Path (UNC)' to 'Folder / Network Path'
- When adding an image file to case, the 'Select partition' dialog has been updated to reduce confusion.
- Added option to export $UsnJrnl records to report
- Fixed index OOB error when exporting deleted files to report
- Added support for adding BitLocker-encrypted drives to case. The drive must have been previously added to the case.
- Fixed error message when viewing the properties of a Case Device
- Recent history items for case name, investigator, contact details etc are now saved to the config and will be reloaded when OSForensics is started.
• Compare Signature
- Check if signature reports as version 3 but is actually 4 (two extra fields were added but internal version number of signature was not changed).
• Deleted Files Search
- Added right-click menu to re-arrange columns in Details View
- Added 'Source' and 'File number' columns to details view
- Directory records found in $I30 slack space are now included in the results
- Records found in $I30 attribute in deleted MFT directory records are now included in the results
- Fixed bug with misreported quality when multiple streams exist for the deleted file
- "Save and Open" right-click options no longer prompt the user for a location to save the file; it will be saved automatically to the temp folder and immediately opened. The right-click options have also been renamed accordingly
- When opening deleted files in the internal viewer, the initial tab that is displayed will correspond to the file extension
- Fixed bug with saving deleted files to disk when the file fragments are greater than 64KB
- Added *.msg to the search preset for e-mails
• Drive Imaging
- Fixed error copying single files to logical image due to directories not being created
- Fixed file size of single file not included when calculating VHD image size
- When calculating VHD image size, the file size on disk is now used. This is to account for sparse/compressed files that occupy less disk space than their file size.
- Fixed bug with drive list in 'Create Image' tab containing devices from previous case after switching cases
• Email Viewer
- Fixed buffer overflow of 'From' field
- Fixed heap corruption when opening .eml files with quoted printable encoded text
• File Indexer
- New Zoom build with fixes for
- Fixed bug with indexing zero date as "23/04/2009 6:24:48"
- Indexing "delivery time" for PST emails. Only index "submit time" if former is not available.
Previously only the submit time was indexed, which meant Drafts/Deleted items would have no time in the index and would be inconsistent with EmailViewer, which would display a date/time.
- Fixed bug with Search Index -> Advanced settings' Date/Time range not being applied.
• File Name Search
- Added right-click menu to re-arrange columns in Details View
- Added *.msg to the search presets for e-mail
• File System Browser
- Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
- Fixed text not appearing in icon/list view
- Improved responsiveness when changing directories
- Fixed bug with calculating folder size on disk for non-NTFS file systems
- Fixed deadlock when multiple threads are accessing mounted devices simultaneously
- Added right-click menu to re-arrange columns in Details View
- When calculating folder sizes, stream sizes are now included
- Added error messages when performing certain operations on $I30 slack items
- Deleted artifacts recovered from $I30 slack space can now be displayed.
• Hash Sets
- Fixed an NSRL hash set import error that could occur when the manufacturer name was greater than 100 characters
• Internal Viewer / File and Hex Viewer
- File Viewer tab, changed volume controls to trackbar + mute button
- Added 'IP address' filter to Hex Viewer string extraction
- When viewing buffers (eg. deleted files) in the "file viewer" tab, the buffer is now first saved to a temporary file and then loaded. Previously, an 'Unsupported file format' message was displayed.
- Removed unnecessary saving of temporary files for file paths containing case devices
- Extracting strings is now threaded so the window is no longer blocked. String extraction can also be cancelled half way.
- Removed limit on the number of extracted strings
• Memory Viewer
- Added right-click menu to re-arrange columns of the process list
• Passwords
- Find Passwords & Keys: Added right-click menu to re-arrange columns
- Find Passwords & Keys: Added checkboxes for performing operations on multiple items without having to continuously hold select/ctrl. Clicking on the 'n item(s) checked' link opens a menu with a list of operations to perform.
- Fixed bug where Wifi profiles weren’t searching the correct location in some cases when “Live acquisition” was picked (could search incorrect drive letter)
- Fixed bug where Wifi profiles might not search correct location in localised (non-English) version of Windows
- Fixed a crash that could occur when searching Wifi profiles
- Fixed possible crash when getting system passwords
- Added more info to display: client thread status, benchmark, password length and prefix.
• Prefetch Viewer
- Fixed possible crash due to buffer overflow
• Raw Disk Viewer
- Added a list of preset regular expressions combo box that can be used when performing a raw search
- Improved performance of search window list view
- Removed max search results limit in search window
- Fixed synchronization issues potentially resulting in crash
• Recent Activity
- Changed how the Windows user directories are searched so that all operating system dependent locations (XP, Win7 etc) are now searched, instead of searching only the known location of the first one found. For example, if an XP system contained a "Users" folder in the root directory, then previously only the (possibly empty) Users folder was searched and the "Documents and Settings" location was not.
- Fixed a "missing column" error for old versions of Firefox cookies
- Made some changes when trying to repair a "dirty" Windows search database (eg. from a system image of a currently running system) so that if the esentutl tool crashes, OSF will attempt to run it again
- Added P2P artifacts from BitTorrent and UTorrent resume.dat folder, also checks the User's Download directory for .torrent extensions.
• Report Templates
- Combined 'Drive Imaging' and 'Forensic Copy' HTML template into a single 'Forensic Imaging' HTML template
• Start Window
- Renamed “Website Passwords” to “Scan for Passwords/Keys”
- Renamed “Removable Drive Preparation” to “Drive Preparation”
• System Information
- Made some changes to the system information command dialogs, added columns to show "Live acquisition" / "Drive acquisition" / "Image acquisition" differences of commands
• Web Browser
- Fixed bug where saving the complete webpage was not working correctly
• Misc
- Changed date/time format to 24-hour clock
- Fixed crash when Exception filter is executed
- Moved 'Forensic Copy' module to 'Drive Imaging' module as a new tab. Renamed 'Drive Imaging' to 'Forensic Imaging'
- Fixed 'Forensic Copy' and 'Drive Imaging' logs not appearing in generated report
- Fixed some flickering issues when resizing
- Updated File Name Search preset list to include Virtual Machine files
- Fixed bug with EmailView and EmailViewer displaying 1/01/1601 when a 0 datetime value is given. Now reports "Unknown date".
- When selecting a directory via a popup dialog, if the entered path in the text box is valid, it will be returned. Otherwise, the directory selected in the tree view is returned.
- Added template files for exporting $UsnJrnl records to report
- Fixed bug with the initial directory not being set correctly in the select file dialog
- When prompted to select a file, the last directory path is now used as the initial directory if not specified
- Fixed bug in handling alternate data streams with multiple $DATA attributes
- Added support for accessing bitlocker encrypted drives in raw form
- Updated HTML Editor to show character count.
- External Viewers (File, Registry, FS Browser, Email, Thumbcache, ESEDB, USNJRNL and Plist) will retain the size of their last viewer window closed for subsequent openings
- Performance increase when opening registry files
Changes in Beta 3
Plist Viewer
- Added Export and Add to Case Right Click Options.
Create / Verify Hash
- Added secondary hash function to allow calculating 2 different hashes simultaneously
File System Browser
- When saving a file to disk with the same name, allow the option to rename the file.
- Fixed tree view selection box not being updated when clicking on a new drive
File indexing and searching
- New zoom build supporting Win10 CompactOS compression (when used with the default XPRESS compression option). Viewing and indexing these files is now possible.
- On History tab, when choosing right-click menu's "Display Search Results & Add to Case...", it will now export the list of results to the case along with adding the corresponding files.
File Name Search
- Fixed performance issue when searching with alternate stream criteria. Basic search criteria (eg. file name, attributes, etc.) should be checked before performing the much slower stream criteria check.
Internal Viewer / File and Hex Viewer
- Initial support for viewing archive files in 'File Viewer' tab
- When viewing archive files, the current directory within the archive is now displayed
- When opening files within archive files, the file is extracted to a temporary directory and opened in a separate internal viewer
- When opening archive files, internal viewer will display the 'File Viewer' tab by default
- Fixed crash when reading files from drives mounted in Standard Mode in earlier versions of Windows (eg. Win 7)
Report Templates
- Modified the Chain of Custody template to be more functional for PDF/printing
Deleted Files
- New optimized carving process to allow results to be passed back while carving.
Password Recovery
- New updated password cracking library. Improved GPU acceleration allows for faster cracking. Double the speed in some cases.
- Fixed a possible crash
Changes in Beta 4
$UsnJrnl Viewer
- Path is now determined using the Parent MFT# stored in the USN record, followed by the filename stored in the USN record.
- Paths that may not be correct are coloured in red. This occurs when the filename or the parent MFT# in the USN record does not match what is stored in the $MFT
- For files that no longer exist, show warning text in the 'File Path' column
- Improved loading speed by searching for records from the end of the file
- Fixed progress window being hidden when activating another window
- Fixed incorrect icon for the window
- Fixed buffer overrun issues
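The path rule in the $UsnJrnl Viewer notes above, sketched as an added example (not OSForensics code): the path is built from the USN record's parent MFT# and file name, then checked against the $MFT. The `MFT` dictionary, the sample journal and the status strings are constructed assumptions; the record layout is the standard USN_RECORD_V2.

```python
import struct

USN_V2 = struct.Struct("<IHHQQqqIIIIHH")  # USN_RECORD_V2 fixed header, 60 bytes
MFT_ROOT, REC_MASK = 5, 0xFFFFFFFFFFFF    # root dir record; low 48 bits = MFT#

def pack_usn_v2(file_ref, parent_ref, name):
    """Build a constructed, 8-byte-aligned USN_RECORD_V2 for this demo."""
    raw = name.encode("utf-16-le")
    length = (USN_V2.size + len(raw) + 7) & ~7
    hdr = USN_V2.pack(length, 2, 0, file_ref, parent_ref, 0, 0, 0, 0, 0, 0, len(raw), USN_V2.size)
    return (hdr + raw).ljust(length, b"\x00")

def parse_usn_v2(buf):
    """Yield (file MFT#, parent MFT#, name) for each V2 record in buf."""
    off = 0
    while off + USN_V2.size <= len(buf):
        f = USN_V2.unpack_from(buf, off)
        length, name_len, name_off = f[0], f[11], f[12]
        if f[1] != 2 or not USN_V2.size <= length <= len(buf) - off or name_off + name_len > length:
            break  # zero fill or malformed record: stop rather than guess
        raw = buf[off + name_off:off + name_off + name_len]
        yield f[3] & REC_MASK, f[4] & REC_MASK, raw.decode("utf-16-le", "replace")
        off += length

def dir_path(mft, rec_no):
    """Follow $MFT parent links to the root; None if broken or looping."""
    parts = []
    while rec_no != MFT_ROOT:
        if rec_no not in mft or len(parts) > 255:
            return None
        rec_no, name = mft[rec_no]
        parts.append(name)
    return "\\".join([""] + parts[::-1] + [""])

def resolve(mft, file_no, parent_no, name):
    """Path from the USN record's parent MFT# and name, plus a status flag."""
    base = dir_path(mft, parent_no)
    path = ("?\\" if base is None else base) + name
    if file_no not in mft:
        return path, "no longer exists"
    ok = base is not None and mft[file_no] == (parent_no, name)
    return path, "ok" if ok else "mismatch"

# Constructed data: MFT# -> (parent MFT#, name); record 101 was moved, 102 is gone.
MFT = {40: (5, "Users"), 41: (40, "alice"), 100: (41, "report.docx"), 101: (40, "notes.txt")}
SAMPLE = [((3 << 48) | 100, 41, "report.docx"), (101, 41, "notes.txt"), (102, 41, "tmp.dat")]
JOURNAL = b"".join(pack_usn_v2(*rec) for rec in SAMPLE)

def analyze(mft=MFT, journal=JOURNAL):
    return [resolve(mft, *rec) for rec in parse_usn_v2(journal)]
```

A "mismatch" result corresponds to the paths the viewer colours red, and "no longer exists" to the warning text in the 'File Path' column.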
File System Browser
- Files that have reparse points are now displayed in green
Internal Viewer / File and Hex Viewer
- Added encryption, reparse point, sparse file, system compression attribute checkboxes
- Added right-click menu option to save data to disk. This allows saving file streams and buffers (eg. deleted files) to a file.
- Added warning text when attempting to view a non-file buffer that exceeds the maximum size (128MB for 64-bit, 16MB for 32-bit)
Plist Viewer
- Fixed a crash when parsing invalid plist file with incorrect encoding.
- Fixed a bug with buttons overlapping when resizing.
- Added help file links
Recent Activity
- Fixed Bug with P2P Items not showing details on the File List Tab
- Added Search queries artifacts for Ares Galaxy
Misc
- Fixed several potential crash points when closing the OSF application while the progress window is still showing
Changes in Beta 5
Memory Viewer
- Changed encoding of memory dump VW cfg file from UTF16-BE to UTF-8
- Added tabs for 'Live Analysis' and 'Static Analysis'. Previous view has been moved to 'Live Analysis' tab.
'Static Analysis' allows the user to launch 'Volatility Workbench' process with the specified memory dump file.
Recent Activity
- Added Shareaza P2P Search Artifacts.
- Added Emule P2P Artifacts
- Added SABnzbd P2P Artifacts.
Start Window
- Added icon for launching 'Volatility Workbench' under 'Viewers' group
Misc
- Updated help file with $UsnJrnl Viewer section
- Fixed a bug that may cause Temp Registry Files in the function call CreateTempRegFileIfNeeded() not to be created when debugmode is enabled.