OSForensics V6.1 Beta

  • OSForensics V6.1 Beta

    The final V6.1 release is now available. So beta testing has closed.

    DOWNLOAD:
    https://www.osforensics.com/download.html

    PROBLEMS
    If you find any problems, either post them in the forum here, or EMail us.

    WHAT'S NEW

    Device support
    - Updates to handle accessing Apple's new APFS file system. Both for physical disks and disk images.

    Create Index
    - Updates to handle indexing APFS images
    - Fixed multi-threaded indexing problems when accessing Linux EXT2 file systems.
    - Fixed memory estimation (was previously not including some offline buffers)

    Forensic Imaging
    - Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in uncompressed images larger than 100GB in size and more than 64 files being unreadable. The bug caused the header of the first E01 file to be corrupted (it could be manually corrected, but it was a lot of work to do it).

    Mobile Artifacts
    - Addition of new module to scan for mobile device information
    - Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)

    SQLite Browser
    - Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).

    Changes since 6.1 beta 1

    Deleted Files

    - Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module. This can correct the error message, "Initialize MFT summary Message: The parameter is incorrect", which was seen on some systems.

    System Information
    - Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module.

    Changes since 6.1 beta 2

    Email Viewer
    - Single Email Viewer can view Gmail email stored within Android mailstore.<username>@gmail.com.db.

    Mobile Artifacts
    - Added date filtering.
    - Added Right Click Menu to lists (e.g. Add to Case and Export List options).

    Recent Activity
    - Fixed a bug where subitem counts in the treeview were not actively reflecting the actual filtered counts.

    Report Templates
    - Updated report templates to include Mobile Artifacts

    Start/Navigation
    - Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case

    System Information
    - Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry

    UsnJrnl Viewer
    - Fixed incorrect filenames due to incorrect length truncation

    Misc
    - Preliminary support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appear as folders under the parent device
    - Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list

    Changes since 6.1 beta 3

    Case Manager
    - Added support for mounting an image file as a "group" device. Partitions are listed as a folder of the top device.
    - When displaying the volume shadow info to add to case, the creation time now includes the GMT offset

    Create Index
    - New "broad numeric matching" feature

    Deleted Files Search
    - Partial support for scanning "group" devices for deleted files

    File Name Search
    - Fixed file type string not appearing correctly for "partition" folders
    - Fixed a bug when searching for deleted files

    File Previewer
    - When viewing compressed archives (e.g. .7z or .ab), added right-click option to save file to disk.

    File System Browser
    - Fixed crash with internal viewer when clicking prev/next after file system browser is closed

    Hash lookup
    - Fixed hang when error occurs while attempting to read from deleted files

    Mobile Artifacts
    - Added support for OSFDevMgr Group Devices
    - Added column sorting and reordering for details list
    - Added quick text filtering and GUI usability changes.
    - Additional artifact type: Photos. Will scan for photo info from data\com.google.android.apps.photos\db\gphotos0.db

    Internal Viewer - File Info
    - Show the total/used/free space for "partition" folders. Show the disk size for devices/partitions
    - Fixed attributes for mounted device partition

    Changes since 6.1 beta 4

    Deleted File Search
    - Fixed buffer overrun crash when parsing slack space for $I30 record

    Raw disk viewer
    - Added clickable link for File Rec#
    - Fixed bug with jumping to an LBA from the MBR/GPT
    - Added option to jump to MFT record
    - Added decoding of $FILE_NAME attribute

    Misc
    - Fixed buffer overrun crash when parsing slack space for $I30 record on NTFS volumes

    Changes since 6.1 beta 5

    Case Manager
    - New feature: Paste Clipboard to Case. Can now add external BITMAP (e.g. screenshots) and Copy/Paste Text to case. This allows the user to use Print-Screen and Alt-Print Screen keys to capture screen shots quickly.

    Install to USB
    - Updated WinPEBuilder used for self boot USB, added option under Program Tab to allow selection of Storage Area Network (SAN) Policy. Default for OSForensics is set to 3 - Doesn't mount storage devices.

    Internal Viewers
    - Started saving Internal Viewer x,y positions (previously was just size) in config file and will restore them to the last position on next open

    Mobile Artifacts
    - Initial support for password encrypted Android backups. When opening the file in the File Viewer, OSF will prompt for the password and attempt to decrypt the backup.

    Password Recovery
    - Fixed crash when running windows login / password search simultaneously due to shared global variable. This could crash auto-triage on rare occasions.

    Raw Disk Viewer
    - Added decoding of NTFS attribute common header
    - Support for parsing MFT attributes SECURITY_DESCRIPTOR, OBJECT_ID, VOLUME_NAME, VOLUME_INFORMATION, INDEX_ROOT

    Recent Activity
    - Now collects more information from LNK files (Windows Explorer - Recent Items) such as volume name, volume serial and link target create/access/modified dates

    Web Browser
    - Export Webpage Dialog can be resized vertically to fit smaller screens.

    Changes since 6.1 beta 6

    Case Manager
    - Fixed a crash bug when switching between cases, where one case is closed and another opened and volume shadow copies were in use. A file handle to the old case's shadow copy was not correctly closed which on rare occasions could cause a crash. (Either a crash dump, or the entire application suddenly disappearing).

    Internal Viewer
    - Fixed multithreading issues with sharing a handle to a video file. This potentially can cause a crash.
    - Added checkbox to link the selected file in the list (file name search, mismatch search, etc...), and the current file in the internal viewer

    Mobile Artifacts
    - Fixed a memory leak

    Raw disk viewer
    - APFS GPT partition GUID now detected and displayed in Data Decode window
    - APFS file system string now properly displayed in Disk Info window

    Misc
    - Made some changes so that the logo and version text on the main start page are now next to the help / mouse over text area to save some vertical space

    Changes since 6.1 beta 7

    File system support
    - Several fixes for APFS support in OSF modules
    - Support for compressed files (zlib & lzvn) in APFS

    Mobile Artifacts / Android Artifacts
    - Renamed "Mobile Artifacts" to "Android Artifacts" to reflect current ability of module (iOS is not currently supported).

    Raw Disk Viewer
    - Regular expression searching, made a change to prevent an infinite loop when a partial match was found

    SQLite Browser
    - Fixed bug that prevented additional SQLite viewers from being opened even after closing opened SQLite viewers.
    - Fixed bug with "View Cell with internal viewer" returning "Not an Error" message.

    Start/Navigation
    - File and Hex Viewer will now open the File Preview tab as default.

    Changes since 6.1 beta 8

    Create Index
    - Updates for encrypted APFS support
    - Added Precognitive Search feature, return matches for trigger keywords during the "Create Index" process.
    - Overhaul of template function for indexing and added additional advanced indexing options to the Create Index Steps.
    - Fixed "\r" in default skip list

    File system support
    - Added support for specifying a password to decrypt encrypted file systems

    Forensic Imaging
    - Copy Logical Android Image. Will obtain files off an Android device using the 'adb pull' command. The user must have adb.exe installed or downloaded on their system. To use adb with a device connected over USB, you must enable USB debugging in the Android device system settings, under Developer options.

    Raw disk viewer
    - Fixed excessive quotes for 'Context' field in exported CSV
    - Replace unprintable characters with '.' when displaying context
    Last edited by Tim (PassMark); Oct-02-2018, 02:08 AM.
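    Three of the items in the release notes above (the NTFS MFT record size calculation, decoding of the attribute common header, and decoding of the $FILE_NAME attribute) come down to well-known on-disk layouts. The following is an added example written for this page, not OSForensics code and not taken from the product; every byte string in it is constructed for the demo rather than read from a real disk. It shows the signed-byte convention in the boot sector that makes record-size calculation easy to get wrong, and a bounds-checked $FILE_NAME decoder.

```python
"""Added example, not OSForensics code: NTFS MFT record size, attribute common
header and $FILE_NAME decoding. All input bytes are constructed for the demo."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_TYPE_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",
                   0x90: "$INDEX_ROOT", 0xFFFFFFFF: "END_MARKER"}
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}


def mft_record_size(boot_sector: bytes) -> int:
    """MFT file record size from the NTFS boot sector (BPB).

    Byte 0x40 ('clusters per file record segment') is a signed byte: positive
    means a cluster count, negative -n means 2**n bytes regardless of cluster
    size. Reading it unsigned (0xF6 -> 246 clusters) yields an absurd record
    size and the MFT cannot be parsed.
    """
    bytes_per_sector, = struct.unpack_from("<H", boot_sector, 0x0B)
    sectors_per_cluster = boot_sector[0x0D]
    raw, = struct.unpack_from("<b", boot_sector, 0x40)      # signed on purpose
    if raw < 0:
        return 1 << -raw
    return raw * sectors_per_cluster * bytes_per_sector


def filetime_to_datetime(ft: int) -> datetime:
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def filetime_from_datetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_attr_header(buf: bytes, off: int = 0) -> dict:
    """Decode the 16-byte header common to every MFT attribute, plus the
    resident-specific value length/offset when the attribute is resident."""
    atype, length, non_resident, name_len, name_off, flags, attr_id = \
        struct.unpack_from("<IIBBHHH", buf, off)
    hdr = {"type": atype, "type_name": ATTR_TYPE_NAMES.get(atype, hex(atype)),
           "length": length, "non_resident": bool(non_resident), "flags": flags,
           "id": attr_id, "name": ""}
    if atype == 0xFFFFFFFF:
        return hdr
    if name_len:
        hdr["name"] = buf[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")
    if not non_resident:
        hdr["value_length"], hdr["value_offset"] = struct.unpack_from("<IH", buf, off + 0x10)
    return hdr


def parse_file_name(body: bytes) -> dict:
    """Decode a $FILE_NAME value: 0x42-byte fixed part followed by a UTF-16LE name."""
    (parent_ref, created, modified, mft_modified, accessed, alloc_size,
     real_size, flags, _reparse, name_len, namespace) = struct.unpack_from("<QQQQQQQIIBB", body, 0)
    name_bytes = body[0x42: 0x42 + 2 * name_len]
    if len(name_bytes) != 2 * name_len:          # the name must fit inside the value
        raise ValueError("$FILE_NAME name length exceeds attribute value")
    return {"parent_record": parent_ref & 0xFFFFFFFFFFFF, "parent_sequence": parent_ref >> 48,
            "created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
            "mft_modified": filetime_to_datetime(mft_modified),
            "accessed": filetime_to_datetime(accessed),
            "allocated_size": alloc_size, "real_size": real_size, "flags": flags,
            "namespace": NAMESPACES.get(namespace, str(namespace)),
            "file_name": name_bytes.decode("utf-16-le")}


def decode_file_name_attr(buf: bytes, off: int = 0) -> dict:
    hdr = parse_attr_header(buf, off)
    if hdr["type"] != 0x30 or hdr["non_resident"]:
        raise ValueError("not a resident $FILE_NAME attribute")
    start = off + hdr["value_offset"]
    return {**hdr, **parse_file_name(buf[start: start + hdr["value_length"]])}


# --- constructed sample input (not from a real volume) ----------------------
SAMPLE_BOOT_SECTOR = bytearray(512)
SAMPLE_BOOT_SECTOR[3:11] = b"NTFS    "
struct.pack_into("<H", SAMPLE_BOOT_SECTOR, 0x0B, 512)    # bytes per sector
SAMPLE_BOOT_SECTOR[0x0D] = 8                             # sectors per cluster
SAMPLE_BOOT_SECTOR[0x40] = 0xF6                          # signed -10 -> 1024-byte records


def build_sample_file_name_attr() -> bytes:
    """Resident $FILE_NAME attribute for 'evidence.txt' under the root directory (record 5)."""
    name = "evidence.txt".encode("utf-16-le")
    ft = filetime_from_datetime(datetime(2018, 10, 2, 2, 8, tzinfo=timezone.utc))
    parent_ref = (1 << 48) | 5                            # sequence 1, record 5
    body = struct.pack("<QQQQQQQIIBB", parent_ref, ft, ft, ft, ft, 4096, 37, 0x20, 0,
                       len(name) // 2, 1) + name
    value_off = 0x18                                      # 16-byte header + 8 resident bytes
    length = (value_off + len(body) + 7) & ~7             # attribute lengths are 8-byte aligned
    header = struct.pack("<IIBBHHH", 0x30, length, 0, 0, 0, 0, 2)
    resident = struct.pack("<IHBB", len(body), value_off, 1, 0)
    attr = header + resident + body
    return attr + bytes(length - len(attr))


if __name__ == "__main__":
    print("MFT record size:", mft_record_size(SAMPLE_BOOT_SECTOR))
    print(decode_file_name_attr(build_sample_file_name_attr()))
```

    The length check in `parse_file_name` is the kind of guard that turns a corrupted or slack-space record into a clean error instead of a garbage filename or an out-of-bounds read.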

  • #2
    Here is what a group device looks like with multiple partitions.

    So operations (like search and indexing) can be performed on multiple partitions at the same time.


    Device Group Partitions



    • #3
      Here is the new jump to MFT record function. Just enter in the master file record number and jump to that location on the disk.

      This screen shot also shows off some of the enhanced decoding of attributes in a MFT record in the data decode window.

      Lookup MFT record number



      • #4
        Hi David,
        Here the new features work very well. I am currently checking mobile phone backups on a test image to evaluate the new mobile features, a very, very cool feature in my eyes.
        best
        Andre



        • #5
          Here is what the new Paste clipboard to case function in the Manage Case window looks like.

          Image data in the clipboard is stored as a bitmap, which is really inefficient in terms of memory use and disk space usage. So we convert them to a PNG file before writing out screen shots into the case. (PNG is preferable to JPG, as PNG is lossless).

          The function is good for capturing web / cloud content in cases where the internal browser can't be used (e.g. passwords aren't known, but the user is logged in).

          Use Print-Screen and Alt-Print Screen to capture screen shots quickly



          • #6
            Here is a screen shot showing the Internal File Viewer synchronising with the file selected in the main window. This allows for fast browsing of images and other documents. No need to reopen the viewer for each image.

            You can also use the keyboard to navigate between files in main window (Arrow keys, Home, End) and have the image viewer window track the current selection.

            To activate the synchronisation, check the "Automatically open selected item in list" box in the viewer window.

            This is particularly good for dual screen setups. Can have viewer window on one screen and main window on other.

            [Screenshot: FileSync.png]



            • #7
              Originally posted by David (PassMark):
              Here is what the new Paste clipboard to case function in the Manage Case window looks like.

              Image data in the clipboard is stored as a bitmap, which is really inefficient in terms of memory use and disk space usage. So we convert them to a PNG file before writing out screen shots into the case. (PNG is preferable to JPG, as PNG is lossless).

              Use Print-Screen and Alt-Print Screen to capture screen shots quickly
              That cat definitely looks guilty



              • #8
                Here is a screen shot showing an Apple Mac's APFS file system image being browsed on a Windows machine. Also shows the internal Plist viewer in action.

                Note: At the moment there is no support for APFS snapshots, encryption and recovering deleted files.
                Update: Encryption support was added in Beta 9.


                APFS on the Mac



                • #9
                  Hi David (and all the others from the PM team)

                  I cannot tell you how much this small enhancement with pasting pictures to the case makes my life easier.
                  That small tool makes it so easy to enhance my reports with photos from inside the case file.
                  I know that works in other ways too, but using the clipboard for creating case entries is perfect.

                  best

                  Andre


                  Originally posted by David (PassMark):
                  Here is what the new Paste clipboard to case function in the Manage Case window looks like.

                  Image data in the clipboard is stored as a bitmap, which is really inefficient in terms of memory use and disk space usage. So we convert them to a PNG file before writing out screen shots into the case. (PNG is preferable to JPG, as PNG is lossless).

                  The function is good for capturing web / cloud content in cases where the internal browser can't be used (e.g. passwords aren't known, but the user is logged in).

                  Use Print-Screen and Alt-Print Screen to capture screen shots quickly



                  • #10
                    Hi David

                    Is it possible that you can make a screenshot function for the Timeline window? That would be a great help!!!
                    I mostly use screenshots from timelines to show what activity in the file system happened in that time. For
                    people without any forensic knowledge that is very helpful; they can interpret such a picture much, much better
                    than a list of files with dates and so on.

                    If there is a small chance to get that into 6.1, please make a button to create pictures from the timelines that are
                    in focus at that time. Like now, you help me very much with paste clipboard, but I need an external screenshot tool every time;
                    with such a button I could directly paste a timeline picture to the case for use in my report.

                    best

                    Andre



                    • #11
                      I've made a note of the timeline screen shot request.
                      Unlikely it will go into V6.1, as we should finish development on V6.1 tomorrow and then just be doing testing.
                      But as a work around, you can reduce the size of the workflow menu, then use Alt-Tab to grab the screen shot. Then Paste to Case. No external tools required.

                      [Screenshot: TimeLine.png]



                      • #12
                        Hi, good job. I found a little bug, which is probably already known. Using a German umlaut in a file path or file name gives a write or read error. This occurs when imaging a drive. No problem when the path or file name is without a German umlaut.

                        Maybe you can fix this.

                        Br

                        Maik



                        • #13
                          Maik,

                          We were not able to reproduce this in the beta release, so we think it has been fixed. I assume you were using V6.0 when you found this problem?



                          • #14
                            Another new feature, Precognitive Search:

                            You can now, as part of the indexing process, enter a list of up to 400 words (or regular expressions). As each document is indexed, the document's content is immediately checked against the Precog search words.

                            So instead of waiting for the index to be fully built before doing a search, you can get some results back hours or even days earlier. You can start your investigation while the indexing process continues in the background.


                            Precognitive Search feature
                            Note that searching for lots of words (or complex regular expressions) can slow down the indexing process slightly. So if you have a huge word list to search for (1000s of words), you are still better off doing this after the index is built.

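                            The mechanism described in the post above (trigger terms checked per document at index time, with the full index search only usable once indexing completes) can be sketched in a few dozen lines. The following is an added example written for this page, not OSForensics code and not a description of how the product implements the feature; the 400-term limit is the one quoted in the post, the indexer, its class name and the three sample documents are constructed for the demo.

```python
"""Added example, not OSForensics code: trigger terms checked per document
at index time, so hits appear before the index is complete."""
import re
from collections import defaultdict

MAX_TRIGGERS = 400   # limit quoted in the forum post


class PrecogIndexer:
    def __init__(self, words=(), regexes=()):
        if len(words) + len(regexes) > MAX_TRIGGERS:
            raise ValueError(f"at most {MAX_TRIGGERS} trigger terms")
        # Plain words are folded into one alternation so a document is scanned
        # once for all of them; every regular expression still costs its own
        # pass, which is why large or complex trigger lists slow indexing down.
        self._word_re = (re.compile(r"\b(?:" + "|".join(re.escape(w) for w in words) + r")\b",
                                    re.IGNORECASE) if words else None)
        self._regexes = [re.compile(r, re.IGNORECASE) for r in regexes]
        self.index = defaultdict(set)      # token -> {doc_id}: the ordinary full-text index
        self.early_hits = []               # (doc_id, matched text), available immediately
        self.docs_indexed = 0

    def add_document(self, doc_id, text):
        """Index one document and return the trigger matches found in it right now."""
        hits = []
        if self._word_re:
            hits += [m.group(0) for m in self._word_re.finditer(text)]
        for rx in self._regexes:
            hits += [m.group(0) for m in rx.finditer(text)]
        self.early_hits.extend((doc_id, h) for h in hits)
        for token in set(re.findall(r"\w+", text.lower())):
            self.index[token].add(doc_id)
        self.docs_indexed += 1
        return hits

    def search(self, term):
        """Normal index search; only complete once every document has been added."""
        return sorted(self.index.get(term.lower(), ()))


# constructed sample corpus (not real case data)
SAMPLE_DOCS = [
    ("mail_001.eml", "Wire the deposit to the offshore account before Friday."),
    ("notes.txt", "Lunch with Sam; card 4111-1111-1111-1111 used for parking."),
    ("readme.md", "Nothing relevant here."),
]


def run_demo():
    ix = PrecogIndexer(words=["offshore", "deposit"],
                       regexes=[r"\b\d{4}-\d{4}-\d{4}-\d{4}\b"])
    timeline = []
    for doc_id, text in SAMPLE_DOCS:
        hits = ix.add_document(doc_id, text)
        timeline.append((ix.docs_indexed, hits))   # hits visible while indexing continues
    return ix, timeline


if __name__ == "__main__":
    for count, hits in run_demo()[1]:
        print(f"after {count} document(s): {hits}")
```

                            The timeline returned by `run_demo` shows the first hits after one document, which is the whole point of the feature; the comment in `__init__` is the reason behind the post's caveat that thousands of terms are better searched after the index is built.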


                            • #15
                              The final V6.1 release is now available. So beta testing has closed.

                              Planning for a V6.2 release is now underway.
