We've released a beta for OSForensics 2.1 (build 100), it can be found on the OSForensics download page.
Changes:
Changes:
- Initial support for browsing Volume Shadow Copies. Note: Still Experimental. At the moment, not recommended to use on large drives.
- Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (causes by null records in the registry).
- Made some change to the Chrome download section in recent activity to work with newer chrome versions (26.0.1410.64) as the database structure has changed.
- Made some changes to stop a reported crash in the registry viewer.
- Fixed issue where "Add to Case" menu item was enabled when case is not yet opened.
- When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
- Raw disk viewer searches are no longer aborted when the search window is hidden.
- Added keyboard shortcuts to Internal file and email viewers.
- Can now select 'Use entire image file' when selecting a partition from an image file.
- Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM)
- Can now detect dynamic volumes in dynamic disks (LDM)
- In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
- Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
- File Carving percent complete display bug fix.
- File Carving put more safety checks when carving Zip / OfficeXML files to prevent crash.
- Thumbnail Viewer - Fixed problem with thumbnails without a visible size being drawn as black box
- Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.
Comment