OSForensics 2.1 Beta Release
  • OSForensics 2.1 Beta Release

    We've released a beta for OSForensics 2.1 (build 100); it can be found on the OSForensics download page.

    Changes:
    • Initial support for browsing Volume Shadow Copies. Note: Still Experimental. At the moment, not recommended to use on large drives.
    • Changes to try and stop the recent activity/registry viewing crashing in invalid data circumstances (caused by null records in the registry).
    • Made some changes to the Chrome download section in recent activity to work with newer Chrome versions (26.0.1410.64) as the database structure has changed.
    • Made some changes to stop a reported crash in the registry viewer.
    • Fixed issue where "Add to Case" menu item was enabled when case is not yet opened.
    • When an error occurs when adding multiple items to case, added a Message Box to prompt if user wants to continue (or quit). This avoids a situation where hundreds of error boxes might otherwise be displayed in a loop.
    • Raw disk viewer searches are no longer aborted when the search window is hidden.
    • Added keyboard shortcuts to Internal file and email viewers.
    • Can now select 'Use entire image file' when selecting a partition from an image file.
    • Raw disk viewer decode window can now identify a dynamic volume as "Windows dynamic volume (LDM)".
    • Can now detect dynamic volumes in dynamic disks (LDM).
    • In the 'Drive imaging' module, added 'Rebuild RAID' tab for rebuilding a single RAID image from multiple source disk images. Support for auto-detecting Intel Matrix RAID (IMSM) & software RAID was included. Additional auto-detecting features for other RAID formats are expected to be supported in future releases. Added support for manually changing image file offset/size for RAID rebuilding.
    • Carved files will now have FILETIME set to Jan 1, 1601 12:00 PM when the real date information is not recoverable.
    • File Carving percent complete display bug fix.
    • File Carving: added more safety checks when carving Zip / OfficeXML files to prevent a crash.
    • Thumbnail Viewer - Fixed problem with thumbnails without a visible size being drawn as a black box.
    • Added HPA/DCO imaging. This allows hidden area on the disk to be made accessible for copying. HPA = Host protected area. DCO = Device configuration overlay. Note that on some drives there is locking that will prevent changing the HPA/DCO disk extent limits.

  • #2
    An updated beta is now available, V2.1 build 101. Additional changes from build 100 are:

    • Fixed some potential memory allocation issues in the internal file viewer when viewing buffers (which is how deleted files are viewed).
    • Numerous bug fixes in accessing shadow volumes and code clean up.
    • Improved performance when using shadow copies as a result of caching data in RAM. This should also allow larger drives to be examined in a reasonable amount of time.
    • Fixed a crash that could occur in recent activity during the IE URL scan; some URL paths were longer than expected.
    • Added "Add All" Volume Shadow Copies option to Add Device dialog window.
    • Added 'Info' button to retrieve and display the RAID metadata from an image file in the Disk Imaging module.



    • #3
      An updated beta is now available, V2.1 build 102. Additional changes from build 101 are:

      • Added ability to open Internet Explorer IE10 history databases and retrieve visited URLs (Vista and newer only). IE10 has a new internal format for storing this data compared to previous releases.
      • Added Volume Shadow Copies to the File System Browser. Currently considers a file to be a shadow if the modified time of the file is different from that of the current volume file. Steps to use this feature are:
        1. Add Disk Image OR Drive in forensics mode OR Disk to case.
        2. Add subsequent Volume Shadows for the just-added device.
        3. Load File System Browser and enable Show shadows under the options menu.
        4. Browse (the shadow copy files' text/label will be a shade of grey).
      • Added support for rebuilding RAID images for the following RAID metadata types:
        - SNIA DDFv1
        - Highpoint v2 RocketRAID
        - Highpoint v3 RocketRAID
        - Adaptec HostRAID
        - Integrated Technology Express RAID
        - JMicron RAID
        - LSILogic V2 MegaRAID
        - LSILogic V3 MegaRAID
        - nVidia MediaShield
        - Promise FastTrak
        - Silicon Image Medley RAID
        - Silicon Integrated Systems RAID
        - VIA Tech V-RAID
        (Note that not all permutations have been tested)
      • Added RAID 0+1, RAID 1+0, RAID 3, SPANNED rebuilding support.
      • Can now select between multiple RAID metadata types if multiple formats are detected.
      • RAID "Info" dialog now shows the metadata for all matching RAID formats.
      • Help file updates for HPA / DCO hidden areas in Disk Imaging and 'RAID Rebuild' functionality.

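The shadow test described for build 102 (a file counts as a shadow when its modified time differs from the current volume's copy), sketched as an added example; it is not OSForensics code. It assumes the shadow copies are already exposed as ordinary directory trees, and the names `index_tree`, `shadow_versions` and `build_demo` and all sample data are constructed for illustration.

```python
import os
import tempfile

def index_tree(root):
    """Map relative path -> modification time (ns) for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            index[os.path.relpath(full, root)] = os.lstat(full).st_mtime_ns
    return index

def shadow_versions(current_root, shadow_roots):
    """Return {rel_path: [(shadow_label, mtime_ns), ...]} for files whose
    modified time in a shadow tree differs from the current volume's copy."""
    current = index_tree(current_root)
    found = {}
    for label, root in shadow_roots:
        for rel, mtime in index_tree(root).items():
            if current.get(rel) == mtime:
                continue  # identical timestamp: not treated as a shadow
            # Assumption beyond the page: a file missing from the current
            # volume (current.get() is None) is also reported.
            versions = found.setdefault(rel, [])
            if all(m != mtime for _label, m in versions):
                versions.append((label, mtime))  # list each version once
    return found

def build_demo(base):
    """Constructed sample data: one 'live' tree and two 'shadow' trees."""
    layout = {
        "live":    {"report.doc": 3000, "notes.txt": 1000},
        "shadow1": {"report.doc": 2000, "notes.txt": 1000, "gone.txt": 500},
        "shadow2": {"report.doc": 2000, "notes.txt": 1000},
    }
    for tree, files in layout.items():
        os.makedirs(os.path.join(base, tree))
        for name, secs in files.items():
            path = os.path.join(base, tree, name)
            with open(path, "w") as fh:
                fh.write(tree)
            os.utime(path, (secs, secs))  # set atime and mtime in seconds
    return [(t, os.path.join(base, t)) for t in ("shadow1", "shadow2")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        shadows = build_demo(base)
        for rel, versions in shadow_versions(os.path.join(base, "live"), shadows).items():
            print(rel, versions)
```

Comparing modified times alone will not flag a shadow file whose content differs but whose timestamp matches the live file; comparing hashes as well covers that case.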


      • #4
        An updated beta is now available, V2.1 build 103 (27/June/2013).
        Additional changes in build 103, compared to build 102, are:
        • Updated document indexer to handle indexing recursive PST files (PST and MSG files attached to E-mails inside PST files).
        • Fixed some memory leaks when indexing emails and attachments.
        • Fixed Email Viewer appearing (with no error messages and no emails) when PST file cannot be opened (e.g. because Outlook is open and holding access). It now shows an error message and destroys the Email Viewer window before it displays.
        • Fixed Email Viewer appearing (with truncated email contents) when user hits "Cancel" during PST loading.
        • Fixed the Email Viewer's handling of embedded emails (.msg files attached to a .msg file).


        This will most likely be the last beta release before the final V2.1 release.
        It should be very stable (more stable than the V2.0 release in fact).
