Announcement

Collapse
No announcement yet.

OSF V2.0 Beta release

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSF V2.0 Beta release

    We are pleased to announce a beta release of V2.0 of OSF. We are expecting to get the final release done early 2013.

    Current Version
    Beta releases are finished : Final V2.0 release is now out.

    Download Link
    http://www.osforensics.com/download.html


    What's New
    The following is a summary of what has changed in V2.0 compared to V1.2.

    Major changes
    • Support for multiple drives & folders when indexing. So an single index can now span more than drive.
    • Support for templates in the file indexing module. (to save re-entering data each time an index in created)
    • Ability to capture pages from web sites and add them to a case (not finished in this Alpha release).
    • Add support for searching multiple set of index files in a single search.
    • Added much improved E-mail viewer / browser.
      • Will open automatically if viewing an E-mail archive.
      • Can now add Email attachments to case

    • Added the option to copy files from a case to the output directory when creating a case report (instead of just including a reference to the files).
    • Changes to the Internal File Viewer.
      • Window can now be maximized. Minimum window size limits removed.
      • Minor metadata fixes
      • Can now add string list to case in Hex Viewer
      • Exported string list now contains string extraction settings
      • Can now carve to file (and add to case) in Hex Viewer
      • Can now directly open Office documents without the need for an external tool to extract the text. Should be significantly faster to open large documents in images.

    • The index search function in now built into OSF (so it is no longer an external .exe). This allows better persistent caching of the index which in some cases leads to much faster searches e.g. 500% times faster, for large sets of index files and search terms that give small result sets. Even in the worst case there will be around a 10% improvement on search times.
    • Carved file can now be added to case in the raw disk viewer
    • Implemented functions for reading the $I30 info file for NTFS directories. I30 data now shown in Hex View tab for NTFS directories.
    • WebBrowser, Added ability to add/save complete webpage to case as MHTML (.mht) file and image file. Can select region of screen to save or full screen. Free version of software will contain watermark, Pro version won't.
    • Changes to the raw disk viewer
      • Added right-click menu to search results in raw disk viewer. In particular, users can now export the search results to disk
      • 'Select Range' dialog now populates 'Start offset' with current offset
      • 'Select Range' dialog shows the number of bytes between the start and end offset



    Minor changes
    • Changed UI layout to tab-based of memory viewer module. Re-organized buttons.
    • Bug fix when accessing zip file content on FAT16 volume using direct image access.
    • Fixed bug where FAT clusters were incorrectly flagged as deleted
    • Several speed improvements on FAT volume with using direct image access
    • Bug fix for assert errors at startup on machines with large amounts of RAM (> 32GB)
    • Fixed pre-scan file counting bug relating to upper and lower case files names in the indexing module.
    • The last folder used for a report is now stored to avoid the need to re-enter it.
    • Fixed a crash on exit caused by the memviewer freeing resources that it shouldn't be freeing.
    • Fixed a bug that prevented case reports being generated on any drive other than the one the case resided on.
    • Made some changes to the Opera browser recent activity functions to prevent a possible crash.
    • Added toolbar for quick access to changing views in file system browser.
    • Fixed file name issues when exporting HFS+ files to an NTFS drive where the file name on the Mac system used characters that are illegal characters on a NTFS system.
    • Changed behaviour when adding emails from a search to overwrite existing ones (previously would create a second copy with a number appended to the name)
    • Change behaviour so that when an email overwrites one that already exists the list view item of the old item is updated with the new title
    • Added right-click function for directories in file system viewer to switch to 'Create Signature' module and automatically fill in location
    • Better handling of nested e-mail/attachments in the index search function
    • New indexer with fixes for index search results showing corrupted URLs for email attachments & also fixed binary string extraction skipping longer phrases
    • Fixed bug in Mbox Email Reader with attachments missing characters in the filename.
    • Fixed progress bar for adding email and attachment to the case
    • Fixed Email path issues in the file signature function.
    • DOS batch (.bat) files can now be run from the system information function.
    • Corrected an issue where the "Live system Capable" radio buttons was not checked when editing a command in system information function.
    • Allow right-click Copy/Copy All in the system information results tab
    • Fixed buffer overflow caused by long header fields (eg. 'To:')
    • More information about the index is displayed under the results window.
    • Changed default number of maximum search results to 1000 from 5000.
    • Adding logging and error conditions for searching an index
    • Fixed a bug preventing FireFox recent activity history from being read when directly accessing an image file
    • Fixed a bug where the location of IE & Safari recent activity entries could show uninitialised character values when directly accessing an image file
    • Fixed bug when in search index function when opening a word list that contains extended ASCII characters.
    • Fixed bug in search index history list view when a past search query contains spaces
    • Bulk searches performed via 'Browse Index' tab can now be cancelled by the user before they have completed
    • Added message box after successfully carving to file in the raw disk viewer
    • Fixed a bug with Chrome timestamps not being converted correctly in recent activity and new Chrome releases.
    • Fixed a typo in recent activity drop down (Form History)
    • Fixed incorrect display of Cyrillic characters in some recent activity output (Chrome and Firefox)



    Feedback
    Should you have any feedback, please let us know.
    Last edited by Michael (Passmark); Jan-11-2013, 01:17 AM.

  • #2
    Congratulations. Your software is getting better and better.

    Working on a case including file carving I Žd like to see features in OSF 2 like carving files in specific Unallocated Space Results of Keyword Searches. And I would love to have the possibility to define individual search strings for carving.

    The possibility to hash the unallocated space and export it to an external case folder so I can proof its integrity when working with the data in other tools.

    Sector/Cluster range infos in the hex viewer so I can see cluster/Sector boundaries much better, Search string stats in hex/text viewer and search index results like Counts and offset addresses per keyword.

    As christmas is near maybe my wishes come true (smile)

    Does OSF check CRC checksums in E01 files?

    Thank you very much for your answer in advance.

    Best regards

    Comment


    • #3
      Sorry for slow reply. It was a busy week.

      We have found a few bugs in the Alpha, so there will need to be a new release soon. Probably end of Nov.

      Having search strings for carving is a bit of a chicken and egg problem. In many cases you only know the text in a document *after* it has been carved. For example in a DOCX Word document. You need to carve the file and uncompress it before any text in the file can be seen. So a text search would miss this text until after carving has taken place.

      The E01 CRC error is covered in your other post,
      http://www.passmark.com/forum/showth...fy-Create-Hash

      You can export ranges of data from the hex viewer. Including unallocated space. Carving files also effectively exports unallocated space. Ignoring the carving function, there isn't a function just to export all the unallocated space in a single hit. Does it make sense to do this? Unallocated space isn't a continuous region on the disk. So you'd be exporting a huge number of small disk fragments in general. Then you would need some special file format or naming scheme to record where each fragment came from. Isn't it easier just to supply the entire disk image in this case?

      > Sector/Cluster range infos in the hex viewer
      > so I can see cluster/Sector boundaries much better

      Are you talking about the raw disk viewer, or the hex view tab in the file viewer? Do you mean that you want to display the range of bytes you have selected with the mouse? Do you know you can right click in the raw disk viewer and then select a range?

      > Search string stats in hex/text viewer

      Yes, there is probably more we could do here.

      > and search index results like Counts and offset addresses per keyword.

      In the search index you can already get hit counts from the Browse Index tab. No sure if it makes sense to display offset addresses. A single word might occur in 1,000,000 documents and 10 times in each document. This would mean displaying 10,000,000 offset addresses for this single word, and there might be 5,000,000 words in the index. The offset addresses would also not be correct. For example if a word was found in a .DOC file that was in a compressed ZIP file, then there is no raw disk offset you can go to to view the word, as all the text is obscured via compression.

      Comment


      • #4
        What I would like to do is to export index search results from unallocated space to an external file carver. To do this in a forensic sound manner IŽd have to hash the data first, export it then and check the hash value to ensure data integrity.

        Sector/Cluster range infos
        I am refering to teh hex view tab and looking for infos defing the beginning and ending of a cluster. As filesystems do store data in clusters (fe 8 sectors or 4 KB) it would be very nice to have this boundary information at one glance. I could see where a cluster starts and ends. Other hex viewers provide this feature and I find it very useful by analyzing data. It would be also very helpful being able to define a starting and ending address explicitly for copying data.

        earch index results like Counts and offset addresses per keyword.
        I was looking for this information in single search index entry within unallocated space. Knowing where the keyword occures and how often would help to identify occurences in closed areas (like keyword proximity)

        Best regards

        Comment


        • #5
          V2.0 Beta release 14 is now up.
          So it should now be feature complete. The list of changes / new features above has also been updated.

          Just need to do some more testing now.

          Comment


          • #6
            Final V2.0 release is out today.

            Download is here,
            http://www.osforensics.com/download.html

            Final what's new list is here,
            http://www.osforensics.com/whatsnew.html

            As usual if you find any problems, please let us know.

            Comment

            Working...
            X