A beta version for V7 of OSForensics is now available for testing.
DOWNLOAD:
UPDATE: The final V7 version has been released.
Downloads are on the OSForensics download page.
PROBLEMS
If you find any problems, either post them in the forum here, or email us.
KEYS and UPGRADES
V6 keys will not work in V7.
Free upgrades will be available (with new keys) if you have current paid-up support at the date of the final V7 release.
Otherwise a discounted upgrade will be available.
This download will function as a 30 day trial without a key.
EXPECTED RELEASE DATE
Barring any major problems we are hoping to do the final V7 release late July 2019.
WHAT'S NEW
Platform support
- OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated.) If support for installing the software on an XP system is required, then V6 will need to be used.
Add Device
- BitLocker volume details (e.g. key protectors, encryption, etc.) are now displayed when adding a BitLocker-encrypted drive to a case
- Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows. RIP Forensics Dude.
Android Logical
- Fixed issue where during logical copy, some directories were not being included.
Android Artifact
- Removed misleading text indicating that "images" can be added to the scan. Added a warning if adding a ".vhd" (e.g. from a logical copy) that it needs to be added as a device first.
- Photo artifacts were only looking at "data\\com.google.android.apps.photos\\db\\gphotos0.db" (as specified in the Help File). They will now also do a quick scan for known image file extensions. Added a notification to the user to use the File Name Search module for more advanced viewing/search options.
- MMS extracted with OSFExtract will show recipients on the message.
Android Copy
- Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
- Updated OSFExtract to V1.0.1003. Change: the app will transfer the "canonical_address" table from the mmssms.db database file, which contains the addresses (recipients) for MMS threads.
Auto triage
- Added configuration options for logical image creation
Boot Virtual Machine
- Added ability to boot an image as a VM from OSForensics.
- The image to be booted can be read only, as the image file is never modified. Instead, changes to the image are written to separate cache files.
- Supported image formats include E01, raw, split images, VMDK, VHD, etc.
- Write cache files are now used in mounting when 'Restore existing disk state' is checked, so a VM can be restarted where you left off
- Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
- Added 'Boot Virtual Machine' icon to Start page
- User can select the number of cores to allocate to the VM, the RAM size and whether networking is enabled. Default values are scaled based on the system specs of the host.
- Support for booting partition images by prepending an MBR image to the disk in the .vmdk file (normally it is impossible to boot just a bare partition). This includes images that use ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
- VMware 14, 15 and VirtualBox 6 are supported as hypervisors
- The host machine needs to be 64-bit. The guest can be 32-bit or 64-bit. The guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
- Preliminary support for disks with multiple bootable partitions. Added warning text when multiple OSes are detected on the disk. Note: Not all permutations of multi-boot OSes will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
- Added option to bypass the Windows login by patching a Windows system file and setting the automatic logon option in the registry. This method is fast, but it doesn't crack the user's password, so any files encrypted with EFS are not decrypted. As patching of system files is required, not all releases of Windows are supported. The Windows 10 release from March 2019 (build 17763) is known to have a problem.
- There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
- A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
Case Manager
- Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
- Defined new hash set flag level "major" for Project VIC
- Added an info dialog when adding a BitLocker-encrypted drive to a case
- Added new case item group for virtual machines
- Fixed an annoyance where, sometimes when switching cases, the OSForensics GUI would lose focus and another window would be on top.
- Fixed a bug where sometimes the status dialog window size could appear too large while generating a report.
- Reporting, the "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label them as such. Note: this applies to new items added to a case. Existing items in cases will not have the extra timestamps.
- Reporting, added a "Skip Empty" checkbox to exclude empty artifact categories from the generated reports.
- Added a button for the Case Narrative (HTML) editor in the main Manage Case module.
- Double-clicking on a virtual machine case item switches to the 'Boot Virtual Machine' module and selects the VM in the list
Create Index / Browse Index
- New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
- Updated indexing engine, with many more minor changes for handling different file types & performance.
- Added ability to skip pre-scan when creating an index
- At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
- Fixed bug with search results being prematurely truncated when a 0x1A character was indexed in metadata (title, description, etc.)
- Fixed bug with substring searches applying within exact phrases
- Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
- Fixed Check/Uncheck all buttons not affecting new file type options
- Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
- Fixed bug with filenames not being indexed for PDF files and other plugin formats
- Improved error messages when failing to launch indexer
Create Signature
- File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
Compare Signature
- Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
- When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
- Added a new difference type of "Attributes Modified"
Deleted Files
- Hashing of files will only be performed for non-empty files (0 byte files are skipped).
Drive preparation
- Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
Email Viewer
- Fixed UI issues when minimizing and restoring windows
ESEDB Viewer
- Changed behaviour to load all items for the selected table into a data buffer so we can sort columns correctly, while still only displaying 1000 entries per page. This will mean a slower initial load but much faster sorting and searching.
- Columns can now be sorted by clicking on the column heading
- Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
File Carving
- Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
- Added option to look within a sector for a header pattern match. Enabled by default (same as previous behaviour): OSF only looks at the bytes at the beginning of the sector.
- Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
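As an added illustration (not OSForensics code) of the two header-matching modes described above and of a HEIC/HEIF signature definition, here is a minimal Python carver run over a constructed three-sector image; the signature set, the HEIF brand list and the 512-byte sector size are assumptions for the example.

```python
"""Sector-based header carving with an in-sector match option.

Added example, not OSForensics code: it models the two carving modes the
release notes describe (header match only at the start of each sector
versus anywhere within the sector) and adds a HEIC/HEIF signature.
The disk image below is constructed in memory for the demonstration.
"""
import struct

SECTOR_SIZE = 512  # assumed sector size

# HEIF/HEIC files are ISO Base Media files: a 4-byte box size, the box type
# 'ftyp' at offset 4, then a 4-byte major brand.  Matching on 'ftyp' alone
# would also hit MP4/MOV, so the brand is checked as well (assumed list).
HEIF_BRANDS = {b"heic", b"heix", b"hevc", b"hevx", b"mif1", b"msf1"}


def is_heif_header(buf: bytes, pos: int) -> bool:
    """True if an ISO BMFF 'ftyp' box with a HEIF brand starts at pos."""
    if pos + 12 > len(buf) or buf[pos + 4:pos + 8] != b"ftyp":
        return False
    return buf[pos + 8:pos + 12] in HEIF_BRANDS


def is_jpeg_header(buf: bytes, pos: int) -> bool:
    return buf[pos:pos + 3] == b"\xff\xd8\xff"


def is_png_header(buf: bytes, pos: int) -> bool:
    return buf[pos:pos + 8] == b"\x89PNG\r\n\x1a\n"


# Carver definitions: name -> (minimum header length, predicate).
SIGNATURES = {
    "JPEG": (3, is_jpeg_header),
    "PNG": (8, is_png_header),
    "HEIF": (12, is_heif_header),
}


def carve_headers(image: bytes, within_sector: bool = False):
    """Return (type, offset) for every file header found in the image.

    within_sector=False reproduces the older behaviour: only the first bytes
    of each sector are tested, which is fast but misses files whose header
    is not sector-aligned (e.g. data inside a container or a small-cluster
    file system).  within_sector=True slides the check across every byte of
    the sector at the cost of roughly SECTOR_SIZE times more comparisons.
    """
    hits = []
    for sector_start in range(0, len(image), SECTOR_SIZE):
        sector_end = min(sector_start + SECTOR_SIZE, len(image))
        candidates = range(sector_start, sector_end) if within_sector else (sector_start,)
        for pos in candidates:
            for name, (min_len, matches) in SIGNATURES.items():
                if pos + min_len <= len(image) and matches(image, pos):
                    hits.append((name, pos))
    return hits


def build_test_image() -> bytes:
    """Constructed three-sector image (not real evidence)."""
    def ftyp_box(brand: bytes) -> bytes:
        # size(4) 'ftyp' major_brand minor_version(4) one compatible brand
        payload = b"ftyp" + brand + struct.pack(">I", 0) + b"mif1"
        return struct.pack(">I", 4 + len(payload)) + payload

    sector0 = b"\xff\xd8\xff\xe0" + b"\x00" * 508                  # JPEG, sector-aligned
    sector1 = ftyp_box(b"heic").ljust(SECTOR_SIZE, b"\x00")        # HEIC, sector-aligned
    sector2 = (b"\x00" * 100 + b"\x89PNG\r\n\x1a\n").ljust(SECTOR_SIZE, b"\x00")  # PNG at +100
    return sector0 + sector1 + sector2


if __name__ == "__main__":
    img = build_test_image()
    print("sector-start only:", carve_headers(img))
    print("within sector:    ", carve_headers(img, within_sector=True))
```

The unaligned PNG in the third sector is only found in the within-sector mode, which is the trade-off the option exposes.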
File Name Search
- Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
- Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
- Changed the module icon from "disk" to "binocular" to be consistent with the main menu.
- Config, fixed bug where hash sets were not populating in the drop down selection.
- Added right-click option to show only checkmarked files.
- Added ability to include additional folders and/or exclude folders from the File Name Search.
- When switching cases, any previous search results will be cleared.
- Fixed a bug where, when enabling $FILE_NAME attributes, the horizontal scrollbar would disappear in the List View.
- Added right-click menu option to "Jump to Thumbnail View" from the File Details and File List tabs, and "Jump to File Details" from the Thumbnail tab.
- Started saving column ordering, visibility and size in OSF config file
File System Browser
- Refreshing the current folder using F5 now clears the file system cache and allows the user to see changes to a live file system.
- Fixed hidden scrollbar when minimizing/restoring the window
- Fixed vector Out of bounds crash
Forensic Imaging
- Created a drive imaging queue to allow the user to add other drives to image once the first imaging job is complete.
Forensic Copy
- Added option to add individual files to the image list instead of only folders.
Hash Set
- Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
- Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
- Added support for importing V2.0 format VIC hash set.
- Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
- Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
- Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
- Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
- When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
- Made error message more descriptive on import failure. Fixed bug holding the hash set open after a failed import, which prevented deletion.
- Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
- Added "Delete" option from Hash Set Viewer window (right click menu)
- Added confirmation message box when deleting a hash set
- Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
- Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
- Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
- Improved error message when failing to open .OSFHashSet file which is read only
- NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
Install to USB
- Added option to exclude password recovery dictionaries and rainbow tables from USB install
- Changed out of space error message to use MB instead of bytes
- Added option to include Hash Sets to be exported during install.
Internal Viewer
- File Info, added text to indicate if the file does not exist at the location
- Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
- Added preservation of 'create' and 'access' times, when available
- Fixed contents of certain .rar files not being displayed (RAR5)
- CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
- Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
MemViewer
- Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
OSFDevMgr
- Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
- Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
- Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
Password Recovery
- Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
- Made changes so the registry reading code is now thread-safe and works better with auto triage.
- Started saving column ordering, visibility and size in OSF config file
- Changed LM/NT references from "(disabled)" to "(empty)"
- Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
- 40-Bit Encryption, fix for parsing output of 40-bit file.
- Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
- Enabled debug logging for run_server.exe when OSF is run in debug mode. The log can be found in the run_server.exe directory while running and is then moved to the OSF documents folder when finished.
- Fixed bug that could cause possible memory corruption issue if GPU decryption is enabled.
Prefetch Viewer
- Added all available run times to results list and exports
Raw disk viewer
- Fixed incorrect GPT 'Partition name' in Data Decode window
Recent Activity
- Made the recent activity navigation pane with the Tree view resizable.
- Started encoding HTML special characters (e.g. <, >, &) in the HTML output for some items when exporting
- P2P, Fixed crash when running on Ubuntu drive
- Changed "Show empty activity types" checkbox to default to on so empty types are displayed
- Windows search is now using the ESEDB viewer to load the windows search database, will sometimes be slower but should be more reliable (no need to repair database using esentutl which would often crash or leave database in a dirty state still).
- No longer stopping the windows search service when the windows search option is selected for a live system scan
- Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
- Added the Last-Visited and Open/Save MRUs to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
- Added the other 7 run time stamps for Prefetch Files (for 8 total).
- Fixed bug with non-ASCII characters for recent activities that use a SQLite database (mostly browser activities: Chrome, Firefox, Opera)
- Added Event Log Login Types description
- Added MRU Adobe Acrobat Reader DC Artifacts
- Added Office 16 and Office365 Word, Excel and Powerpoint Artifacts from desktop install
- MRU, fixed crash when parsing Windows XP registry files for the OpenSave and LastVisit MRUs
- Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
- Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
- Added +/- expand collapse for artifacts that have subcategories.
- Added subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
- Fixed bug where the number of checked items links was not being shown in the File List Tab.
- Added VLC artifacts for Windows and OSX/Mac
- Added Windows Media Player Last played and folders artifacts
- Added Mapped Network Locations from HKCU\Network
Registry Viewer
- Unknown value data types will be shown as hex data by default (previously the data was not displayed at all). Useful for looking at Windows Store apps' settings.dat files, which are special registry hives with undocumented value data types.
System Information
- Removed "Get" from the Registry Commands.
- Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
- Changed error message slightly when only live acquisition tasks are in selected list when a drive letter is chosen instead of live acquisition
- Added a quick search box to search the text of the current result tab.
- Added full name, description and password hint to “Get user information (Registry)” output
- Fix to process "Enter" key notification while using the Find Text Control.
Misc
- Made some changes so OSF will start as the top most window (sometimes it would start in the background)
- Updated help file
- Fixed bug where Case devices could not be accessed as underlying drives. This caused problems reading from BitLocker-encrypted drives
- Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously changes in the live file system were not reflected in File System Browser due to caching.
- Updated 7zip DLL
- Better reporting of SQL errors with hashset databases
- Fix for bug with scroll bars in Compare Signature and Browse Index
- New logging engine when using DEBUGMODE. Has more detail and has less overhead.
continued in next post....
DOWNLOAD:
UPDATE: The final V7 version has been released.
Downloads are on the OSForensics download page.
PROBLEMS
If you find any problems, either post them in the forum here, or EMail us.
KEYS and UPGRADES
V6 keys will not work in V7.
Free upgrades will be available (with new keys) if you have current paid up support at the date of the final V7 release.
Otherwise a discounted upgrade will be available.
This download will function as a 30 day trial without a key.
EXPECTED RELEASE DATE
Baring any major problems we are hoping to do the final V7 release late July 2019.
WHAT'S NEW
Platform support
- OSF will no longer run on Windows XP systems. (But disk images from XP machines can still be investigated). If support for installing the software on a XP system is required, then V6 will need to be used.
Add Device
- Bitlocker volume details (eg. key protectors, encryption, etc) now displayed when adding a bitlocker-encrypted drive to case
- Removed "Forensics Dude" from the Add Device window. The formatting of the help text was changed to the same look as the other windows. RIP Forensics Dude.
Android Logical
- Fixed issue where during logical copy, some directories were not being included.
Android Artifact
- Removed misleading text indicated "images" can be added to scan. Added warning if adding ".vhd" (e.g. from logical copy) that it needs to be added to device first.
- Photo artifacts were only looking at the "data\\com.google.android.apps.photos\\db\\gph otos 0.db" (specified in Help File). But will now also do a quick scan for known image file extensions. Added notification to user to use File Name Search module for more advance viewing/search options.
- MMS extracted with OSFExtract will show recipients on the message.
Android Copy
- Copying to a Logical Image (VHD) will no longer require a full scan to calculate disk size. This should increase its responsiveness.
- Updated OSFExtract to V1.0.1003. Change: App will transfer "canonical_address" table from mmssms.db database file. Which contains the addresses (recipients) for MMS threads.
Auto triage
- Added configuration options for logical image creation
Boot Virtual Machine
- Added ability to boot an image as a VM from OSForensics.
- Image to be booted can be read only, as the image file is never modified. Instead changes to the image are written to separate cache files.
- Images format support includes E01, Raw, Split images, VMDK, VHD, etc..
- Write cache files are now used in mounting when 'Restore existing disk state' is checked, so VM can be restarted were you left off
- Added new menu option in Workflow navigation, "Boot Virtual machine" with 3 tabs showing running machines, and associated drives.
- Added 'Boot Virtual Machine' icon to Start page
- User can select number of cores to allocate to the VM, RAM size and if networking is enabled. Default values are scaled based on system specs of host.
- Support for booting partition images by pre-pending an MBR image to the disk in the .vmdk file. (normally it is impossible to boot just a bare partition). This includes images that use with ntldr for booting (Windows XP) and bootmgr + BCD images (Vista and above). Machines with EFI System Partitions are also supported.
- VMWare 14,15 and VirtualBox 6 are supported as hypervisors
- Host machine needs to be 64bit. Guest can be 32bit or 64bit. Guest image can be Mac OS X 10.13 (High Sierra), Windows XP to Win10 and some Linux distributions.
- Preliminary support for disk with multiple bootable partitions. Added warning text when multiple O/Ses are detected on the disk. Note: Not all permutations of multi-boot O/Ss will be supported (there are too many to test). Mac and Windows on the same disk is known to be problematic.
- Added option to bypass Windows login by patching a Windows system file and setting automatic logon option in the registry. This method is fast, but it doesn't crack the password of the user. So any files encrypted with EFS are not decrypted. As patching of system files are required, not all releases of Windows are supported. The Win 10 releases from March 2019 (17763) is known to have a problem.
- There is support for selecting which user account to auto-logon into in the case where the machine has multiple accounts.
- A new version of OSFMount is included with the package. V3.0 build 1005. This allows mounting of images as (emulated) physical drives and caching of disk writes to temp files.
Case Manager
- Fixed bug with trailing space characters allowed in case name (causing invalid Windows folder names to be created)
- Defined new hash set flag level "major" for Project VIC
- Add info dialog when adding a Bitlocker-encrypted drive to Case
- Added new case item group for virtual machines
- Fixed an annoyance, sometimes when switching cases the OSForensics GUI will lose focus and another window will be on Top.
- Fixed a bug where sometimes the status dialog window size can appear too large while generating report.
- Reporting, "Extra Information" box will export and identify $FILE_NAME timestamps for applicable items and label it as such. Note: Applies to new items added to case. Existing items in cases will not have the extra timestamps.
- Reporting, "Skip Empty" checkbox to do not include empty artifact categories in the generated reports.
- Add button for the Case Narrative (html) editor in the main Manage Case module.
- Double-clicking on virtual machine case item switches to 'Boot Virtual Machine' module and selecting the VM in the list
Create Index / Browse Index
- New Indexing feature added, Optical character recognition (OCR) for PDF files. Previously this was only done on photographic images.
- Updated indexing engine, with lots of more minor changes for handling different file types & performance.
- Added ability to skip pre-scan when creating an index
- At Step 1, have all options check-marked by default except binary executable files, which don't contain much useful text.
- Fixed bug with search being prematurely truncated when indexed 0x1A character in meta data (title, description, etc.)
- Fixed bug with substring searches applying within exact phrases
- Fixed bug with exact phrase searches spanning across page SECTIONS. This caused some exact phrase searches (containing words which occur on the page many times but not in that sequence) to take extraordinarily long.
- Fixed Check/Uncheck all buttons not affecting new file type options
- Fixed buffer overflow issues & crash bugs in Browse Index (removed unnecessary dictionary counting) and when Filtering results
- Fixed bug with filenames not being indexed for PDF files and other plugin formats
- Improved error messages when failing to launch indexer
Create Signature
- File system cache is now cleared before creating a signature in Direct Access mode. This is important for live file systems where the content is changing while OSF is running.
Compare Signature
- Increased number of recently selected signature comparison files (displayed in drop list when selecting a signature) from 10 to 15
- When creating a hash set from a comparison there is now the option to include all files in the comparison or just new ones
- Added a new difference type of "Attributes Modified"
Deleted Files
- Hashing of files will only be performed for non-empty files (0 byte files are skipped).
Drive preparation
- Fixed an open file handle from the Drive test that would prevent the data pattern write if the drive test was run first. This fixes a possible false report saying the drive was faulty, when in fact the drive was just locked
Email Viewer
- Fixed UI issues when minimizing and restoring windows
ESEDB Viewer
- Changed behaviour to load all items for selected table into data buffer so we can sort columns correctly, still only displaying 1000 entries per page. Will mean a slower initial load but much faster sorting and searching.
- Columns can now be sorted by clicking on the column heading
- Added SRUDB.dat to known esedb list when opening the ESEDB viewer and fixed some date display issues for the SRUDB date / time format.
File Carving
- Updated FileCarver to be threaded for better performance (by adding threading to several operations). Resulted in 2.6x faster carving on a test system.
- Added option to look within a sector for header pattern match. Enabled by default (same as previous behaviour) OSF only looks at the bytes only at the beginning of the sector.
- Added definition for HEIC/HEIF image file format to allow these types of images to be carved.
File Name Search
- Allow the user to enable the other four ($FILE_NAME attribute) time stamps in the File Name Search Details View.
- Added ability to create a New Preset option in the Config window. Defaults are still loaded from FileNameSearchPresets.txt file in AppData directory. User defined Presets are saved in the OSF config file, config.OSFCfg.
- Change the module icon from "disk" to "binocular" to be consistent with the main menu.
- Config, fixed bug where hash sets were not populating in the drop down selection.
- Added right-click option to show only checkmarked files.
- Added ability to include additional folders and/or exclude folders from the File Name Search.
- When switching cases, any previous search result previously performed will be cleared.
- Fixed a bug when enabling $FILE_NAMES attributes, the horizontal scroll will disappear in the List View.
- Added Right-Click menu option to "Jump to Thumbnail View" from the File Details and File List tab. And "Jump to File Details" from the Thumbnail Tab.
- Started saving column ordering, visibility and size in OSF config file
File System Browser
- Refreshing the current folder using the F5 now clears the file system cache and allows user to see changes to live file system.
- Fixed hidden scrollbar when minimizing/restoring the window
- Fixed vector Out of bounds crash
Forensic Imaging
- Create a Drive Imaging queue to allow user to add other drives to image once the first imaging job is complete.
Forensic Copy
- Added option to add individual files to the image list instead of just only folders.
Hash Set
- Added new built in hash sets for: Keyloggers, VPN Software, Peer to Peer (P2P) software, Cryptocurrency
- Added feature to import folder of VIC files. "Import VIC file set" will now prompt to either "import into existing active database" or "create new database". Updated import VIC feature to ignore Category: 0 which are considered Safe files
- Added support for importing V2.0 format VIC hash set.
- Added support for importing SHA1, MediaSize, LastUpdated fields from V1.3 VIC file format
- Fixed Bug with Right Click->Export to Text file output being corrupted. (Column Indexes to the ListView were not correct).
- Fixed Bug where Right Click->View with Internal Viewer was unable to open deleted files entries.
- Fixed Bug where false positive matches were being returned. (Previous result was not being cleared).
- When quitting, OSF will remember the current active hashset & reselect that hashset on startup.
- Made error message more descriptive on import failure. Fixed bug holding hast set open after failure to import that was preventing deletion.
- Fixed a bug preventing pasting folder locations into the NSRL data set input folder when importing
- Added "Delete" option from Hash Set Viewer window (right click menu)
- Added confirmation message box when deleting a hash set
- Added a more descriptive error message when an NSRL import fails due to errors in the file contents (eg invalid product number)
- Removed warning message about selecting a non-example / new hash set when importing an NSRL hash set (a new hash set is created by default when importing a NSRL hash set)
- Added more prominent highlighting when file is in hash set to highlight Project VIC hash sets
- Improved error message when failing to open .OSFHashSet file which is read only
- NSRL hash set import, added an error message when an operating system ID doesn't exist (eg corrupt/incomplete dataset). Will now add a dummy "unknown" entry and continue to import.
Install to USB
- Added option to exclude password recovery dictionaries and rainbow tables from USB install
- Changed out of space error message to use MB instead of bytes
- Added option to include Hash Sets to be exported during install.
Internal Viewer
- File Info, added text to indicate if the file does not exist at the location
- Added 'Help' link. Moved 'Capture' button and 'Alt Stream' Combo box to the left
- Added preservation of 'create' and 'access' times, when available
- Fixed contents of certain .rar files not being displayed (RAR5)
- CSVReader, fixed a possible crash opening CSV files with individual elements that contain over 512 characters (element will be truncated to 511 characters now)
- Hex View, will display file slack space in internal viewer. Can enable/disable in 'Settings'.
MemViewer
- Added warning if trying to save memory dump to a filesystem that doesn't support the file size of the dump e.g. Over 4GB on FAT32.
OSFDevMgr
- Fixed buffer overflow when calling FindFirstFile() on a group device's root directory (eg. "group_device:")
- Fixed FindFirstFile() not returning the list of subdevices for a group device's root directory (eg. "group_device:")
- Fixed a crash that could occur when a badly formed system path is passed to SplitFilePath
Password Recovery
- Fixed an issue where passwords from the windows credential manager were returned when running using the "scan drive" option when they are only available for the "live acquisition" option
- Made some changes so the registry reading code at this point so it is now thread safe and will work better with the auto triage.
- Started saving column ordering, visibility and size in OSF config file
- Changed LM/NT references from "(disabled)" to "(empty)"
- Added ability to add sequential decryption jobs in the Decryption & Password Recovery tab.
- 40-Bit Encryption, fix for parsing output of 40-bit file.
- Windows Login Passwords, updated GUI so list views expand as the size of the main window expands.
- Enabled debug logging for run_server.exe when OSF is run in debug mode. The log can be found in the run_server.exe directory while running and is then moved to the OSF documents folder when finished.
- Fixed a bug that could cause a possible memory corruption issue if GPU decryption is enabled.
Prefetch Viewer
- Added all available run times to results list and exports
Raw disk viewer
- Fixed incorrect GPT 'Partition name' in Data Decode window
Recent Activity
- Made the recent activity navigation pane with the Tree view resizable.
- Started encoding HTML special characters (e.g. <, >, &) in the HTML output for some items when exporting
- P2P, fixed crash when running on an Ubuntu drive
- Changed "Show empty activity types" checkbox to default to on so empty types are displayed
- Windows Search now uses the ESEDB viewer to load the Windows Search database. This will sometimes be slower but should be more reliable (no need to repair the database using esentutl, which would often crash or still leave the database in a dirty state).
- No longer stopping the windows search service when the windows search option is selected for a live system scan
- Added new Recycle Bin activity. Will show items in the Recycle Bin (original file path/name and date deleted).
- Added the Last-Visited and Open/Save MRUs to the MRU category: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU and NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
- Added the other 7 run time stamps for Prefetch Files (for 8 total).
- Fixed bug with non-ASCII characters for recent activities that use a SQLite database (mostly browser activities: Chrome, Firefox, Opera)
- Added Event Log login type descriptions
- Added MRU Adobe Acrobat Reader DC artifacts
- Added Office 16 and Office 365 Word, Excel and PowerPoint artifacts from desktop install
- MRU, fixed crash when parsing Windows XP registry files for OpenSave and LastVisit MRU
- Added subcategories for the various browser artifacts (Firefox, Chrome, Edge, IE, etc)
- Added checkmarks besides each artifact category. Users can then deselect any artifacts they don’t want without going into the config settings.
- Added +/- expand collapse for artifacts that have subcategories.
- Added subcategories for Windows Event Logs (OAlerts, System, Security, Application, etc.)
- Fixed bug where the number of checked items links was not being shown in the File List Tab.
- Added VLC artifacts for Windows and OSX/Mac
- Added Windows Media Player Last played and folders artifacts
- Added Mapped Network Locations from HKCU\Network
Registry Viewer
- Unknown value data types will be shown as hex data by default (previously the data was not displayed at all). Useful for looking at Windows Store apps' settings.dat files, which are special registry hives with undocumented value data types.
System Information
- Removed "Get" from the Registry Commands.
- Get User Info (Registry), fixed an issue where user accounts could display "Account disabled" incorrectly
- Changed error message slightly when only live acquisition tasks are in the selected list and a drive letter is chosen instead of live acquisition
- Added a quick search box to search the text of the current result tab.
- Added full name, description and password hint to “Get user information (Registry)” output
- Fix to process "Enter" key notification while using the Find Text Control.
Misc
- Made some changes so OSF will start as the topmost window (sometimes it would start in the background)
- Updated help file
- Fixed bug where Case devices could not be accessed as underlying drives. This caused problems reading from BitLocker-encrypted drives
- Added ClearFileSystemCache_direct() function to clear the file system cache (for live disks). Previously, changes in the live file system were not reflected in the File System Browser due to caching.
- Updated 7zip DLL
- Better reporting of SQL errors with hashset databases
- Fix for bug with scroll bars in Compare Signature and Browse Index
- New logging engine when using DEBUGMODE. Has more detail and has less overhead.
continued in next post....
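Added example (not from the post above and not OSForensics' own code): the eight run timestamps that the Prefetch Viewer and Recent Activity items now expose are the 64-bit FILETIME slots starting at offset 0x80 of a version 26/30 (Windows 8.1/10) prefetch file, stored most recent first, with unused slots left zero. The parser below reads them from a constructed, uncompressed sample. The offsets are taken from the publicly documented prefetch layout; the sample builder, the SAMPLE data, the executable name and the hash value are assumptions made for illustration, and the Windows 10 MAM-compressed variant is detected and rejected rather than decompressed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SIGNATURE = b"SCCA"

# Format version -> absolute offsets of the last-run FILETIME slots.
# Offsets follow the publicly documented layout (assumption for this example,
# not checked against OSForensics' parser). Versions 26/30 carry 8 slots.
RUN_TIME_OFFSETS = {
    17: [0x78],                             # Windows XP / 2003
    23: [0x80],                             # Windows Vista / 7
    26: [0x80 + 8 * i for i in range(8)],   # Windows 8.1
    30: [0x80 + 8 * i for i in range(8)],   # Windows 10 (after decompression)
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    """Return format version, executable name, prefetch hash and non-empty run times."""
    if data[:3] == b"MAM":
        # Windows 10 writes LZXPRESS-Huffman compressed files ("MAM\x04" header,
        # uncompressed size at offset 4). Decompress before parsing.
        raise ValueError("compressed (MAM) prefetch file: decompress it first")
    if len(data) < 84 or data[4:8] != SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in RUN_TIME_OFFSETS:
        raise ValueError(f"unsupported prefetch format version {version}")
    # Executable name: 60 bytes of NUL-terminated UTF-16LE at offset 16.
    exe = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    run_times = []
    for off in RUN_TIME_OFFSETS[version]:
        ft, = struct.unpack_from("<Q", data, off)
        if ft:  # a program run fewer than 8 times leaves trailing slots at zero
            run_times.append(filetime_to_datetime(ft))
    return {"version": version, "executable": exe,
            "hash": prefetch_hash, "run_times": run_times}


def build_sample_prefetch(exe: str, run_times, version: int = 30) -> bytes:
    """Construct a minimal uncompressed version-26/30 style file (sample data,
    not a real capture). Metrics, trace-chain and volume fields are zeroed;
    only the header and the 8 timestamp slots carry meaningful values."""
    if version not in (26, 30):
        raise ValueError("sample builder only produces the 8-slot layout")
    fts = [datetime_to_filetime(t) for t in run_times]
    if len(fts) > 8:
        raise ValueError("at most 8 run times fit in the file information block")
    fts += [0] * (8 - len(fts))
    body = bytearray(84 + 224)                       # header + file information block
    struct.pack_into("<I4sII", body, 0, version, SIGNATURE, 0x11, len(body))
    body[16:76] = exe.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<II", body, 76, 0x1234ABCD, 0)  # hash (assumed value), unknown
    struct.pack_into("<8Q", body, 0x80, *fts)
    return bytes(body)


# Constructed sample: three runs, most recent first as Windows stores them.
SAMPLE_RUN_TIMES = [
    datetime(2019, 7, 1, 9, 15, 30, tzinfo=timezone.utc),
    datetime(2019, 6, 30, 18, 2, 0, tzinfo=timezone.utc),
    datetime(2019, 6, 29, 8, 30, 45, tzinfo=timezone.utc),
]
SAMPLE = build_sample_prefetch("CMD.EXE", SAMPLE_RUN_TIMES)

if __name__ == "__main__":
    for key, value in parse_prefetch(SAMPLE).items():
        print(key, value)
```

On a real Windows 10 image the files under C:\Windows\Prefetch start with "MAM\x04" and must be decompressed first (on Windows, RtlDecompressBufferEx with the LZXPRESS Huffman format); the parser above refuses them explicitly rather than reading garbage offsets. Reporting only the non-zero slots avoids presenting 1601-01-01 as a run time for rarely executed programs.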