No announcement yet.

OSForensics V6 - Final release

  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V6 - Final release

    We are pleased to announce the release of OSForensics V6 - 22/June/2018
    V6 has around 150 new features and bug fixes


    For the final release new free keys will be issued if you have paid support. If you purchased V5 after the 22 December 2017 then the upgrade will be free.
    Discounted upgrades will also be available if you have an older release.

    You can install this version over the top of previous installations.

    If you find any problems, either post them in the forum here, or EMail us.


    Case Management
    - Added "Export case" button
    - Added a list of reports that have been generated (in case directory or last known export directory)
    - When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
    - Changed list view to allow groups (devices, reports, files etc) to be collapsible
    - Added last access date to case management when case is loaded
    - Fixed error copying files with long file paths in when a report was created and the report contained deep / long paths.
    - Fixed a bug when creating a case report that was leaving a file handle open
    - Added support for encrypting PDF report
    - Added predefined offenses list to 'Offense' drop down list when creating/editing case
    - Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
    - Case Details Dialog, will prompt user to confirm cancelling changes when they edited case details fields and clicking cancel.
    - Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.
    - Re-added "E-mail Delivery Time" to report and the associated timezone
    - Case load window was added at startup and when a case is loaded from the Case Management window. This is useful for showing load progress for very large cases with 10,000s of files in the case.
    - Report production progress window was added to show some progress activity when very large reports are produced.
    - New Command Line Parameter to load a specific case (-C <PathToCaseFolder>), if path does not exists or CaseDetails.OSFCase file cannot be found, OSF will default to loading the the last case used.
    - Can now insert images into the case narrative text using the HTML editor. Images need to have already been added to the case. Previously images could be added, but the links where broken when a report was produced.
    - Added unique 'Case Item ID' attribute to each case item. This ID is displayed in the 'Manage Case' window, as well as included in the generated reports. The ID is stored within the .OSFMeta file for each case item. Case Manager maintains 'Next Case Item ID' variable that gets assigned to any new items added to the case.
    - Fixed special characters not being escaped when generating reports

    Create Index
    - New indexing engine (Zoom V8 with multi-threaded offline indexing)
    - Much better indexing performance (3x speed increase)
    - Updated Create Index interface with new file type selections,
    - New "Memory optimization / Indexing Limits" step to bypass Pre-scan
    - Added support for user configurable number of indexing threads (up to 10)
    - Added options to enable RAM drive for temporary files
    - Improved RAM estimations and Indexing Limits settings
    - Improved indexing Status interface
    - Updated OSF interface to show multi-threaded indexing
    - Updated OSF Create Index options to offer more control with file type selection
    - Removed unnecessary indexing warnings
    - Added count display for Prescan
    - Added thousands grouping for large numbers shown in Create Index windows
    - Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed
    - Renamed indexing process. Now using "OSFIndexer32.exe" and "OSFIndexer64.exe" instead of ZoomEngine32.exe and ZoomEngine64.exe, this should make it more obvious what is running in task manager.
    - Added some internal checking to clean up detached instances of OSFIndexer and temporary RAM drives.
    - Fixed a bug with indexing the compete content of Emails in PST files that were text only EMails.
    - OCR (Optical Character Recognition) can now be done on photographic images while they are being indexed. Like all OCR, the results depend on the quality and resolution of the source image, how clear the text is and the level of contrast. This is only supported on Win10. Depending on the images >10 images per second are possible.

    Deleted Files
    - Column ordering, visibility and size now saved in OSForensics config file
    - Configuration options now saved in OSForensics config file
    - Fixed a crash caused by logging a magic number incorrectly when getting deleted files
    - Fixed uncaught exception error when loading MFT for some OSF devices
    - Fix Bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
    - Added check for buffer overrun when looking for slack $I30 entries
    - Errors when parsing non-resident attributes of deleted MFT records no longer causes the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
    - Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
    - File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
    - File Carver, TIFF/CR2 extraction should be better.

    Disk Imaging
    - Added extra check if the first read fails when verifying the image created.
    - Previously if the disk did not contain a valid MBR this would cause it not to show up in the list (as it would have no partitions) But the disk might be file system boot sector. These disk are now correctly shown.
    - There is now the option to specify primary and/or secondary hash functions for imaging disk. So the user can select SHA1 instead of just MD5. Or calculate two hashes at the same time.

    Disk Preparation
    - Can now wipe BitLocked drives. Previously these drives appeared to be lock and could not be formatted.
    - In case of a physical drive failure, additional error codes have been added to the status window

    Disk Test
    - Fixed issue with formatting as FAT32 on small drives.
    - Fixed Crash when formatting as FAT32 fails.

    E-mail Viewer
    - E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
    - Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped
    - Fixed bug where case item title set to '<Use item name>' when selecting 'Use same details for all'

    File System Browser
    - Added right-click menu option to jump to MFT record in the raw disk viewer
    - Fixed stack overflow when attempting to add device to case

    File Name Search
    - Added an "Uncheck all" menu item to uncheck currently selected items
    - Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
    - Column ordering, visibility and size now saved in OSForensics config file
    - Removed folders from results when filtering using hash set
    - When filtering using hash set, fixed bug with current file being added to results after cancelling search
    - 'In hash set' flag is now set for results when hash set is used and made active
    - Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
    - Re-arranged configuration dialog

    Forensic Imaging
    - Re-arranged tabs
    - Create Image, for physical disks, disk model and serial number are now saved in the info file
    - Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
    - Device & SMART Info, Added support for export and adding report to case
    - Device/SMART Info, added mouseover tooltip descriptions for SMART attributes

    Forensics Copy
    - Moved allocation of virtual disk image to thread to prevent system from being unresponsive

    Hash Set
    - Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
    - Fixed deleted hash set databases appearing in the file name search config drop down box
    - Re-organised buttons in main window
    - Added functionality for importing Project VIC JSON files with MD5 hashes & optimised the import load time.
    - Added default database name when importing VIC data set
    - Stopped navigation bar being disabled when importing hash set. User can now do other tasks in parallel to importing a large hash set.
    - Fixed hash set operation LED still "active" when there's an error
    - Fixed number display and file size formatting to be more readable for large import files (> 4GB)
    - When creating hash set databases, columns are no longer created for hashes that don't exist (eg. VIC/NSRL datasets)

    Hash set lookup
    - Added right click menu option to open files in internal viewer
    - Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed
    - When performing hash set lookups, hashes are no longer checked for columns that do not exist. This reduces the query time for large hash sets. e.g. we don't check for SHA1 matches if the particular hash set doesn't have SHA1 values. Results were a significant speed up for hash lookups.
    - When performing single file hash lookups, filename matches are no longer queried. This reduces the query time for large hash sets.

    Install and run from USB
    - Added help Link
    - Added separate "temp build" directory field when using WinPEBuilder.
    - Updated WinPE builder to deal with new latest WinPE10 changes

    Internal File Viewer
    - EFS Support (encrypted file system). When an EFS file now opened in the file viewer a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
    - Hex View, added right-click option to add selected strings to case (as HTML file)
    - Fixed potential mem leak when generating video thumbnails
    - Fixed potential concurrency issues when loading videos
    - Added OCR view (Win10 only)

    Memory viewer
    - Column ordering, visibility and size now saved in OSForensics config file
    - Added button to add memory dump to case
    - Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions
    - Updated version of Volatility Workbench, with Mac & Linux support and ability to add your own profiles.

    Mismatch File Search
    - Fixed a bug with the CSV export dialog displaying a .HTML file extensions instead of .CSV

    NSRL Hash Import
    - Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
    - Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
    - New NSRL import config window to specify input and (temp) output folders
    - Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
    - Updated help file with info about allocating enough space on a RAM drive.
    - Status now displays percentage counter during file importing

    Password Recovery
    - Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
    - Column ordering, visibility and size now saved in OSForensics config file
    - Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as FireFox have started distributing as 64bit).
    - Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
    - Registry Passwords , added support for win10 anniversary update for live system in Forensics mode
    - Removed a "File not found" error when running the windows password search on a non system drive

    Prefetch Viewer
    - Added right-click option to export selected items to CSV

    Rainbow Tables
    - Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being past to format string when secure case logger was enabled

    Raw Disk Viewer
    - Added progress window when carving to file
    - Renamed 'Decode' window to 'Disk Info'
    - Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
    - Added right-click menu options to 'Data Decode' window, Jump to File and Jump to File Record.
    - Clicking on file paths now open the internal viewer
    - Clicking on LCN/offsets now jump to the offset in the raw disk viewer
    - Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
    - Fixed crash issue when sector size could not be determined
    - Fixed right-click "Jump to offset" not working some of the time
    - Hexadecimal addresses copied from the Windows calculator into the search box didn't work. The calculator was inserting non printable characters into the string. Non printable characters are now being removed.

    Recent Activity
    - Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
    - "Show empty activity types" checkbox to default to on so empty types are displayed
    - Results are now sorted by Date (desc order) by default
    - Fixed possible crash when reading jumplist info
    - Added function to collect new Win10 Timeline database for artifacts
    - Added more displayed information for windows event items.

    Registry Viewer
    - Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
    - Fixed a possible crash when processing a registry file

    SQLite Browser
    - Will checks for Skype Sqlite database files during "Scan for DB Files".
    - Resizeable Dialog/Controls
    - Option (enabled by default) to convert known timestamps to readable format
    - Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)
    - Scan Folder button will scan for known Android user data directory (where apps usually store their own data) on currently selected drive

    System Information
    - A new tab is now created for every new system information command
    - Added option to restore command lists back to default
    - Added "Recovery of Bitlocker Keys" to command list
    - Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
    - Added support for Embedded Python 3.6.5
    - Removed the "Get" from the start of some item names.
    - Changed button text from 'Add...' to 'New...' when adding new commands
    - Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
    - Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
    - Re-organized controls
    - Added command to get current clipboard contents
    - Added command to get anti malware (windows defender) software status
    - Added command to get current TPM status
    - Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
    - Fixed crash possible with getting printer info when system returns bad information.

    Triage Wizard (now renamed to Auto-Triage)
    - Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wan't ready for you.
    - Added option to create logical image with known system files
    - Added agent help text when mouse is hovering over a control
    - Added a free disk space check (for at least 1GB + memory size if memory dump selected)
    - Fixed a unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
    - Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
    - Fixed a crash caused by trial limitations when running the triage wizard

    Web Browser
    - Added status bar to browser.
    - Can now select export format as Web Archive Format (.mht) when exporting webpage.
    - Can now export linked PDF, ZIP and other files. Also added check boxes to allow user to select what is downloaded.
    - There is an option to download videos (MP4 format) from sites such as YouTube and add them to the case.
    - Added a progress indicator for downloading large files.

    - Added colour coding of encrypted files displayed in a file list
    - Added exit confirmation message
    - Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
    - Fixed a long delay at startup when not running as Admin
    - Removed agent icon from feature description text on start window
    - After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
    - Changed how temp files are stored, each thread now has a temp folder
    - Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esetutl as was timing out during triage runs
    - To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
    - Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
    - Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging
    Last edited by Tim (PassMark); 06-15-2018, 05:00 AM.

  • #2


    • #3
      Beta #2 was released today. 24/May/2018. The main post above has been updated with the additional changes.


      • #4
        Beta #3 was released today. 25/May/2018. The main post above has been updated with the additional changes.
        Beta #4 was released today. 30/May/2018. The main post above has been updated with the additional changes.


        • #5
          So will we be contacted with new keys for v6 if under support, or do we need to submit a request?


          • #6
            V6 keys are not yet available. But they will be on the day of the V6 release, for customers with active support. You can pick them up here by logging in here
            using the Email address used for the original purchase.

            Estimate at the moment is 2 to 3 weeks for the final release.


            • #7
              Best #5 was released today. 8/June/2018. The main post above has been updated with the additional changes.
              Big additions are Win10 Timeline extraction and OCR on images while indexing.
              Fingers crossed, this will be the final beta release.


              • #8
                Final V6 release was on the 22/June/2018