The final V6.1 release is now available, so beta testing has closed.
DOWNLOAD:
https://www.osforensics.com/download.html
PROBLEMS
If you find any problems, either post them in the forum here, or EMail us.
WHAT'S NEW
Device support
- Updates to handle accessing Apple's new APFS file system. Both for physical disks and disk images.
Create Index
- Updates to handle indexing APFS images
- Fixed multi-threaded indexing problems when accessing Linux EXT2 file systems.
- Fixed memory estimation (was previously not including some offline buffers)
Forensic Imaging
- Changed how EnCase format images (.E01 and .Ex01) are created to work around an issue that limited the final image to a maximum of 64 .E01/.Ex01 segment files. Uncompressed images larger than about 100GB that spanned more than 64 files were left unreadable because the header of the first E01 segment was corrupted (it could be corrected manually, but doing so was a lot of work).
Mobile Artifacts
- Addition of new module to scan for mobile device information
- Currently only supports Android disk images (looks for items in the data folder) and/or backups (apps folder)
SQLite Browser
- Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).
Changes since 6.1 beta 1
Deleted Files
- Fixed the NTFS MFT record size calculation, which could prevent parsing of the MFT in the Raw Disk Viewer and in the Deleted Files module. This corrects the error message "Initialize MFT summary Message: The parameter is incorrect" seen on some systems.
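As an added illustration (not OSForensics code, and no claim about what its actual bug was): the "clusters per MFT record" byte in the NTFS boot sector is signed, and a negative value means 2^|value| bytes rather than a cluster count, so reading it as an unsigned cluster count yields a record size far larger than the real 1024 bytes and makes the $MFT unparseable. The boot sector below is constructed with the standard field offsets, not taken from a real disk.

```python
import struct

NTFS_OEM_ID = b"NTFS    "


def build_ntfs_boot_sector(bytes_per_sector=512, sectors_per_cluster=8,
                           mft_record_raw=0xF6, index_record_raw=1,
                           mft_lcn=0xC0000):
    """Constructed NTFS boot sector (sample data, not a real volume).
    Only the fields the parser below reads are populated, at their
    documented BPB / extended-BPB offsets."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                       # jump instruction
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    struct.pack_into("<Q", bs, 0x28, 0x1FFFFF)      # total sectors
    struct.pack_into("<Q", bs, 0x30, mft_lcn)       # $MFT start cluster
    struct.pack_into("<Q", bs, 0x38, 0x2)           # $MFTMirr start cluster
    bs[0x40] = mft_record_raw                       # clusters per MFT record (signed byte)
    bs[0x44] = index_record_raw                     # clusters per index record (signed byte)
    bs[0x1FE:0x200] = b"\x55\xAA"                   # boot signature
    return bytes(bs)


def signed_byte(raw):
    return struct.unpack("<b", bytes([raw]))[0]


def decode_size_field(raw, cluster_size):
    """NTFS rule: a positive value counts clusters; a negative
    (two's-complement) value means 2**abs(value) bytes."""
    v = signed_byte(raw)
    if v < 0:
        return 1 << (-v)
    return v * cluster_size


def decode_sectors_per_cluster(raw):
    """Same encoding for sectors per cluster: values above 0x80 mean
    2**abs(value) sectors (volumes formatted with clusters over 64 KiB)."""
    v = signed_byte(raw)
    return (1 << (-v)) if v < 0 else v


def parse_ntfs_boot_sector(bs):
    if len(bs) < 512 or bs[3:11] != NTFS_OEM_ID or bs[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    sectors_per_cluster = decode_sectors_per_cluster(bs[0x0D])
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn = struct.unpack_from("<Q", bs, 0x30)[0]
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "mft_offset": mft_lcn * cluster_size,
        "mft_record_size": decode_size_field(bs[0x40], cluster_size),
        "index_record_size": decode_size_field(bs[0x44], cluster_size),
    }


def naive_mft_record_size(bs):
    """Unsigned read of offset 0x40: one plausible way to get the record
    size wrong (illustrative only, not a claim about any product's bug)."""
    bytes_per_sector = struct.unpack_from("<H", bs, 0x0B)[0]
    return bs[0x40] * bs[0x0D] * bytes_per_sector


if __name__ == "__main__":
    sample = build_ntfs_boot_sector()
    info = parse_ntfs_boot_sector(sample)
    print("correct MFT record size:", info["mft_record_size"])   # 1024
    print("naive   MFT record size:", naive_mft_record_size(sample))
```

On a typical volume the raw byte is 0xF6 (-10), so the record size is 2^10 = 1024 bytes regardless of cluster size; the unsigned reading instead gives 246 clusters, and a parser that sizes its read buffer from that value will either fail immediately or walk the MFT at the wrong stride.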
System Information
- Fixed a crash caused by a buffer overflow with long case device names; names over 12 characters caused problems in the System Information module.
Changes since 6.1 beta 2
Email Viewer
- Single Email Viewer can view Gmail email stored within Android mailstore.<username>@gmail.com.db.
Mobile Artifacts
- Added date filtering.
- Added Right Click Menu to lists (e.g. Add to Case and Export List options).
Recent Activity
- Fixed a bug where subitem counts in the treeview did not reflect the actual filtered counts.
Report Templates
- Updated report templates to include Mobile Artifacts
Start/Navigation
- Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case
System Information
- Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry
UsnJrnl Viewer
- Fixed incorrect filenames caused by incorrect length truncation
Misc
- Preliminary support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appear as folders under the parent device
- Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list
Changes since 6.1 beta 3
Case Manager
- Added support for mounting an image file as a "group" device. Partitions are listed as a folder of the top device.
- When displaying the volume shadow info to add to case, the creation time now includes the GMT offset
Create Index
- New "broad numeric matching" feature
Deleted Files Search
- Partial support for scanning "group" devices for deleted files
File Name Search
- Fixed file type string not appearing correctly for "partition" folders
- Fixed a bug when searching for deleted files
File Previewer
- When viewing compressed archives (e.g. .7z or .ab), added a right-click option to save the file to disk.
File System Browser
- Fixed crash with internal viewer when clicking prev/next after file system browser is closed
Hash lookup
- Fixed a hang when an error occurred while reading deleted files
Mobile Artifacts
- Added support for OSFDevMgr Group Devices
- Added column sorting and reordering for details list
- Added quick text filtering and GUI usability changes.
- Additional artifact type: Photos. Scans for photo info in data\com.google.android.apps.photos\db\gphotos0.db
Internal Viewer - File Info
- Show the total/used/free space for "partition" folders. Show the disk size for devices/partitions
- Fixed attributes for mounted device partition
Changes since 6.1 beta 4
Deleted File Search
- Fixed buffer overrun crash when parsing slack space for $I30 record
Raw disk viewer
- Added clickable link for File Rec#
- Fixed bug with jumping to an LBA from the MBR/GPT
- Added option to jump to MFT record
- Added decoding of $FILE_NAME attribute
Misc
- Fixed buffer overrun crash when parsing slack space for $I30 record on NTFS volumes
Changes since 6.1 beta 5
Case Manager
- New feature: Paste Clipboard to Case. Can now add external bitmaps (e.g. screenshots) and pasted text to a case. This lets the user use the Print Screen and Alt+Print Screen keys to capture screenshots quickly.
Install to USB
- Updated the WinPEBuilder used for the self-boot USB; added an option under the Program tab to select the Storage Area Network (SAN) policy. The OSForensics default is 3 (OfflineAll), which does not bring storage devices online.
Internal Viewers
- Internal Viewer x,y positions (previously only the size) are now saved in the config file and restored on next open
Mobile Artifacts
- Initial support for password-encrypted Android backups. When opening the file in the File Viewer, OSF prompts for the password and attempts to decrypt the backup.
Password Recovery
- Fixed a crash when running the Windows login / password search simultaneously, caused by a shared global variable. This could crash auto-triage on rare occasions.
Raw Disk Viewer
- Added decoding of NTFS attribute common header
- Support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT
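The attribute common header (this section) and the $FILE_NAME decoding added in beta 4 are both small fixed-layout parsers. The example below is added here and is not OSForensics code: it walks a run of MFT attribute records, decodes the common header, the resident-value fields and the $FILE_NAME value (parent reference, the four FILETIME stamps, sizes, namespace and name), and bounds-checks every length so a truncated or corrupt record raises instead of reading past the buffer. The record it parses is constructed in `build_file_name_attr`, not taken from a disk.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_END = 0xFFFFFFFF
ATTR_FILE_NAME = 0x30
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_attr_header(buf, off):
    """Decode the 16-byte header common to every MFT attribute record plus
    the resident-value fields. Returns None at the 0xFFFFFFFF end marker."""
    if off + 4 > len(buf):
        raise ValueError("attribute header runs past end of buffer")
    atype = struct.unpack_from("<I", buf, off)[0]
    if atype == ATTR_END:
        return None
    if off + 16 > len(buf):
        raise ValueError("attribute header runs past end of buffer")
    length, nonres, name_len, name_off, flags, attr_id = \
        struct.unpack_from("<IBBHHH", buf, off + 4)
    if length < 16 or length % 8 or off + length > len(buf):
        raise ValueError("bad attribute length %d at offset %d" % (length, off))
    hdr = {"type": atype, "length": length, "non_resident": bool(nonres),
           "flags": flags, "id": attr_id, "name": ""}
    if name_len:
        if name_off + name_len * 2 > length:
            raise ValueError("attribute name runs past record")
        hdr["name"] = buf[off + name_off:off + name_off + name_len * 2].decode("utf-16-le")
    if not nonres:
        if length < 24:
            raise ValueError("resident header too short")
        vlen, voff = struct.unpack_from("<IH", buf, off + 16)
        if voff + vlen > length:
            raise ValueError("resident value runs past attribute record")
        hdr["value"] = buf[off + voff:off + voff + vlen]
    return hdr


def parse_file_name(value):
    """Decode a resident $FILE_NAME (0x30) value."""
    if len(value) < 0x42:
        raise ValueError("$FILE_NAME value too short")
    (parent_ref, ctime, mtime, mft_mtime, atime,
     alloc, real, flags, reparse) = struct.unpack_from("<QQQQQQQII", value, 0)
    name_len, namespace = struct.unpack_from("<BB", value, 0x40)
    if 0x42 + name_len * 2 > len(value):
        raise ValueError("file name runs past $FILE_NAME value")
    return {
        "parent_record": parent_ref & 0xFFFFFFFFFFFF,   # low 48 bits: MFT record number
        "parent_seq": parent_ref >> 48,                 # high 16 bits: sequence number
        "created": filetime_to_datetime(ctime),
        "modified": filetime_to_datetime(mtime),
        "mft_modified": filetime_to_datetime(mft_mtime),
        "accessed": filetime_to_datetime(atime),
        "allocated_size": alloc, "real_size": real, "flags": flags,
        "namespace": NAMESPACES.get(namespace, namespace),
        "name": value[0x42:0x42 + name_len * 2].decode("utf-16-le"),
    }


def iter_attributes(buf, start=0):
    off = start
    while True:
        hdr = parse_attr_header(buf, off)
        if hdr is None:
            return
        yield hdr
        off += hdr["length"]


def decode_file_names(buf):
    return [parse_file_name(h["value"]) for h in iter_attributes(buf)
            if h["type"] == ATTR_FILE_NAME and not h["non_resident"]]


def build_file_name_attr(name, parent_record, parent_seq, when, real_size):
    """Constructed resident $FILE_NAME record (sample data, not from a disk)."""
    ft = datetime_to_filetime(when)
    alloc = (real_size + 4095) // 4096 * 4096
    value = struct.pack("<QQQQQQQIIBB", (parent_seq << 48) | parent_record,
                        ft, ft, ft, ft, alloc, real_size, 0x20, 0,
                        len(name), 3) + name.encode("utf-16-le")
    voff = 0x18
    total = voff + len(value)
    total += (-total) % 8                               # records are 8-byte aligned
    rec = bytearray(total)
    # type, length, non-resident, name len, name off, flags, id, value len, value off, indexed, pad
    struct.pack_into("<IIBBHHHIHBB", rec, 0, ATTR_FILE_NAME, total,
                     0, 0, voff, 0, 2, len(value), voff, 1, 0)
    rec[voff:voff + len(value)] = value
    return bytes(rec)


def sample_record():
    when = datetime(2019, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    return build_file_name_attr("report.docx", 5, 5, when, 12345) + b"\xFF" * 4 + b"\x00" * 4


if __name__ == "__main__":
    for fn in decode_file_names(sample_record()):
        print(fn["name"], fn["parent_record"], fn["created"].isoformat(), fn["real_size"])
```

The $FILE_NAME timestamps are set when the name is created and are not updated by ordinary file writes, which is why comparing them against $STANDARD_INFORMATION is a common timestomping check; the parser above gives you the $FILE_NAME side of that comparison.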
Recent Activity
- Now collects more information from LNK files (Windows Explorer - Recent Items) such as volume name, volume serial and link target create/access/modified dates
Web Browser
- The Export Webpage dialog can be resized vertically to fit smaller screens.
Changes since 6.1 beta 6
Case Manager
- Fixed a crash when switching between cases, where one case is closed and another opened while volume shadow copies were in use. A file handle to the old case's shadow copy was not closed correctly, which on rare occasions could cause a crash (either a crash dump or the entire application suddenly disappearing).
Internal Viewer
- Fixed multithreading issues with sharing a handle to a video file, which could cause a crash.
- Added checkbox to link the selected file in the list (file name search, mismatch search, etc...), and the current file in the internal viewer
Mobile Artifacts
- Fixed a memory leak
Raw disk viewer
- APFS GPT partition GUID now detected and displayed in Data Decode window
- APFS file system string now properly displayed in Disk Info window
Misc
- Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space
Changes since 6.1 beta 7
File system support
- Several fixes for APFS support in OSF modules
- Support for compressed files (zlib & lzvn) in APFS
Mobile Artifacts / Android Artifacts
- Renamed "Mobile Artifacts" to "Android Artifacts" to reflect current ability of module (iOS is not currently supported).
Raw Disk Viewer
- Regular expression searching: changed to prevent an infinite loop when a partial match was found
SQLite Browser
- Fixed a bug that prevented additional SQLite viewers from being opened even after open SQLite viewers were closed.
- Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.
Start/Navigation
- The File and Hex Viewer now opens the File Preview tab by default.
Changes since 6.1 beta 8
Create Index
- Updates for encrypted APFS support
- Added Precognitive Search feature, which returns matches for trigger keywords during the "Create Index" process.
- Overhaul of template function for indexing and added additional advanced indexing options to the Create Index Steps.
- Fixed "\r" in default skip list
File system support
- Added support for specifying a password to decrypt encrypted file systems
Forensic Imaging
- Copy Logical Android Image. Obtains files from an Android device using the 'adb pull' command. The user must have adb.exe installed or downloaded on their system. To use adb with a device connected over USB, USB debugging must be enabled in the Android device's system settings, under Developer options.
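The adb-based logical copy above, as an added Python sketch that is not OSForensics code: it parses `adb devices -l`, refuses to pull from a device that is still `unauthorized` (the handset has not yet accepted the host's RSA key prompt that appears once USB debugging is on), runs `adb pull -a` so remote timestamps and mode bits are kept, and hashes everything it copied. The device listing and file contents are constructed samples; `run` is injectable so the flow can be exercised without a handset.

```python
import hashlib
import os
import subprocess
import tempfile

# Constructed sample of `adb devices -l` output (not captured from a real host).
SAMPLE_ADB_DEVICES = """List of devices attached
ZY2239KXLM             device usb:1-2 product:blueline model:Pixel_3 device:blueline transport_id:1
0123456789ABCDEF       unauthorized usb:1-3 transport_id:2
emulator-5554          offline transport_id:3

"""


def parse_adb_devices(text):
    """Map serial -> state from `adb devices -l` output.
    States seen in practice: device, unauthorized, offline, recovery, sideload."""
    devices = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("List of devices"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def check_ready(devices, serial):
    """Refuse to start a pull unless the device is fully authorized."""
    state = devices.get(serial)
    if state is None:
        raise RuntimeError(f"{serial}: not listed; check the cable and USB debugging")
    if state == "unauthorized":
        raise RuntimeError(f"{serial}: accept the RSA key prompt on the handset first")
    if state != "device":
        raise RuntimeError(f"{serial}: state {state!r}, cannot pull")
    return True


def pull_command(serial, remote_path, local_dir):
    """argv for the logical copy: -s pins the serial so a second attached
    device cannot be pulled by mistake; -a preserves timestamps and mode."""
    return ["adb", "-s", serial, "pull", "-a", remote_path, local_dir]


def hash_tree(root):
    """SHA-256 every pulled file so the copy can be verified later."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = h.hexdigest()
    return manifest


def logical_copy(serial, remote_path, local_dir, run=subprocess.run):
    """Full flow. `run` is injectable so the flow can be tested without adb."""
    listing = run(["adb", "devices", "-l"], capture_output=True, text=True, check=True).stdout
    check_ready(parse_adb_devices(listing), serial)
    run(pull_command(serial, remote_path, local_dir), check=True)
    return hash_tree(local_dir)


def make_sample_tree():
    """Constructed stand-in for a pulled directory (sample content, not evidence)."""
    root = tempfile.mkdtemp(prefix="adb_pull_")
    os.makedirs(os.path.join(root, "sdcard"))
    with open(os.path.join(root, "sdcard", "notes.txt"), "wb") as fh:
        fh.write(b"hello")
    return root


if __name__ == "__main__":
    devices = parse_adb_devices(SAMPLE_ADB_DEVICES)
    print(devices)
    print(pull_command("ZY2239KXLM", "/sdcard", "evidence/ZY2239KXLM"))
    print(hash_tree(make_sample_tree()))
```

Two caveats worth keeping in mind when using a logical `adb pull`: it runs through the live Android shell user, so it only sees what that user can read (app-private data under /data/data is out of reach on a non-rooted handset), and the -a timestamps are what the device reports at pull time, not a substitute for a physical image.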
Raw disk viewer
- Fixed excessive quotes for the 'Context' field in exported CSV
- Replaced unprintable characters with '.' when displaying context