OSForensics 3.0 Beta Release

  • OSForensics 3.0 Beta Release

    We've released a beta for OSForensics 2.3 (build 1), it can be found on the OSForensics download page.

    We'll continue to update and add new features to the beta, currently the changes include;

    • Increased copy to clipboard limit from 100 to 10,000 files
    • Password Recovery
      - Added "a-z A-Z 0-9" Alphanumeric option to password recovery random character options
      - Added scanning of Windows Credential Manager for browser passwords as part of the recent activity function.
      - Updated the Firefox password recovery feature to work with the latest version of Firefox (24)
      - Fixed a bug where if there was only one password entry stored in the Firefox database it was not displayed
    • File System Browser
      - Added extra metadata column for the LCN of the first cluster of the file. This is useful for seeing if files are grouped together on the disk.
    • Drive Preparation
      - The Write pattern function could incorrectly report a write error near the very end of the drive for some USB flash drives; this has been corrected.
    • Changed the error message when adding an image file to a case to include the image name.
    • Updated "Print" features for EmailViewer and PstViewer
    • Fixed a bug with HTML email printing not having any header
    • Fixed a bug with not printing full headers, RTF, and plain text mail

    NOTE ON THE VERSION NUMBERING: This was originally going to be a V2.3 release. But due to the amount of new features and improvements added we have decided to roll them all into a new major release (version 3). So what was V2.3 beta is now called V3.0 beta.

    UPDATE: V3 has now been released. See the last post in this thread for details.

    Last edited by Tim (PassMark); Nov-05-2013, 02:43 AM.

  • #2
    An updated beta is now available, V2.3 build 2, Additional changes from build 1 are;

    • In the Recent Activity function, fixed a bug preventing the name of items from being output correctly for CSV export
    • Also in the Recent Activity function, changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)

    ** Update **

    There was a spelling mistake in the uploaded file so the previous installer wasn't overwritten, this has now been corrected and the download link now correctly points to the 2.3.2 installer.
    Last edited by Tim (PassMark); Nov-20-2013, 10:39 PM.


    • #3
      deficiencies in the program
      porn and child porn automatic detection of objects.
      What do you do when a new version programmatically.


      • #4
        There is unfortunately no reliable automatic detection method for CP. As for normal porn, people can't even agree on exactly what porn is and the definition varies by country. So reliable automatic detection seems unrealistic at this point.

        What you can already do however is two things.

        1) Color sorting
        sort all the images on a hard drive by the color of the main object in the picture.

        Here is an example.

        You still need to manually check the images, but the triage step is much quicker.

        2) Hash matching
        There are hash sets for CP and other illegal material. You can run these hash sets across the hard drive to find files which are known to be illegal. Doing this will automatically pick up any material that has previously been classified.


        • #5
          An updated beta is now available, V2.3 build 3, Additional changes from build 2 are;

          • Case Management
          - Fixed a bug preventing bookmark tables in reports from being sorted
          - When deleting cases, added prompt to allow the case files to be saved to another location before deleting
          - Adding attachments from OSF devices now supported
          • Deleted Files Search
          - HFS+ deleted files supported
          - Timeline view now shows stacked bars separated by file extension
          - Results can now be displayed in 'thumbnail' and 'timeline' view, via tab control
          - Removed right click menu options for unsupported file systems
          - Fixed a crash when pressing a key with nothing selected
          - Fixed deleted directory icon not being displayed for non-NTFS file systems
          - Fixed deleted file fragmentation info for NTFS OSF Devices
          • File Browser
          - Added menu option to show deleted files
          - Added right-click menu option to attach selected files to case
          - Attribute modify date now displayed for ext2 file systems
          - Orphaned files/directories are now supported via "<orphaned>" directory in the root directory
          - Deleted files/directories are now displayed in red text
          - Jump to disk offset, look up in hash set, save to disk, add to case now works for deleted files
          • File Index
          - Updated indexing engine
          - Timeline view now shows stacked bars separated by file type
          - Now supports Shadow Volumes
          - Fixed a crash when indexing multiple partitions mounted from image files
          • File Name Search
          - Timeline view now shows stacked bars separated by file extension
          - Fixed a memory leak when closing window
          - Attribute modify date now included for ext2 file systems
          - Attribute modify date now displayed for ext2/hfs file systems
          • Hash set lookup
          - Added list view to multiple hash lookup dialog. The list view contains a list of files that are found in the hash set. Previously, only the number of matches was displayed without any information on the files that matched.
          - Added right-click option to export results to a text file for multiple lookups
          - Added support for deleted files
          • Internal Viewer
          - Added jump to index right-click option
          - Ctrl-C (copy)/Ctrl-A (select all) keyboard shortcuts now work in Text View
          - Deleted files can now be viewed in the internal viewer
          - File Info tab now shows the file's starting LCN
          - Fixed minor issue with short filename incorrectly appearing
          - Metadata viewer tab now displays $I30 entries (normal + deleted) for NTFS directories
          - Metadata View tab now displays EXIFTool metadata for deleted files
          - Metadata View tab now displays carved $I30 records for deleted directories
          • Email Viewer
          - Added support for searching message body
          - Added support for date filtering
          • Recent Activity
          - Changed behaviour when using the right click "Export to" options in the timeline so only the items from the active timeline section are included (previously all the found items were exported)
          - Fixed a bug preventing the name of items from being output correctly for CSV export
          - Timeline view now shows the breakdown of activity types via stacked bar graph
          • Mismatch search
          - Added text colour to "Identified Type:" field for emphasis
          • Thumbnail view
          - Deleted files are now supported
          - Various performance improvements
          • Timeline view
          - Added support for stacked bar graphs via groups
          - Fixed bug when the data spans greater than 30 years
          • Misc
          - Fixed a crash when handling compressed files on NTFS for cluster sizes <4KB
          - Redirected stdout containing Unicode characters should now work correctly (eg from System information tools)

          Here is an example of the new timeline view that now uses stacked bar graphs to display items in groups.
          Last edited by Tim (PassMark); Jan-31-2014, 02:54 AM. Reason: Added timeline pic


          • #6
            I started to test the program, but got error message in closing


            • #7
              Is the problem reproducible? Does it crash every time you close the application?
              What were the actions you took between opening and closing the application, if any?
              Can you make the .dmp file available to us? If it isn't too large via E-mail, otherwise via dropbox or similar, or we can provide an FTP server.


              • #8
                An updated beta is now available, V2.3 build 5, Additional changes are;

                Case Management
                - Added option to "Make case default" when adding a device to a case so it is selected by default for future actions
                - Multiple image partitions can now be mounted at the same time
                - Fixed a bug that was preventing undeleted files from being exported as part of a report
                - Fixed bug with selecting default drive when creating case. Also removed current case's devices from default drive dropdown list.
                Drive Imaging
                - Made some changes so disk image name and type is maintained when using the browse button (if already entered)
                Install to USB
                - Added a check for window messages during the process so the OSF window doesn't display as "Not responding"
                - Disabled Install/Exit/Browse buttons when install process starts
                - Stopped "Install to USB" function from working when not installing to a USB/removable drive
                Mismatch Search
                - Fixed a bug that was causing a crash when adding a file to a case
                ThumbCache viewer
                - Added ThumbCache viewer (Windows Vista and later only)
                Thumbnail view
                - Fixed display of files without high resolution icons, previously this meant a tiny icon was drawn
                - Fixed some flickering when adding files to case
                - Updated OSFMount to v1.5.1015
                - Added support for VHD image files
                - Fixed several crashes that could occur when closing OSF


                • #9
                  Due to the amount of new features and improvements added we have decided to roll them all into a new major release (version 3). There is an updated beta build available here, additional changes are;

                  • ESE Database Viewer
                  - Added ESE database viewer
                  - Added right-click option to customize columns to show
                  - Added Search bar for filtering records containing the specified text
                  - Added 'Advanced Search' dialog for filtering records matching one or more search criteria
                  - Added right-click option to Table list to export entire tables to disk
                  • Internal Viewer
                  - Added support for viewing thumbnail cache buffers
                  • Thumbnail Cache Viewer
                  - For thumbcache_idx.db files, entries that don't have thumbnails for the selected thumbnail size are filtered out
                  - List view now shows case icon for thumbnails that have been added to case
                  - Thumbnails can now be sorted
                  - Added right-click option to look up the original filepaths of thumbnails. User is prompted to select the Windows Search database file (Windows.edb) to use for lookup.
                  - Added right-click option to add thumbnails to case
                  - Added right-click menu to save thumbnails to disk
                  • Misc
                  - Added ESEDB Viewer to 'Viewers' group
                  - When opening ESEDB Viewer, user is now prompted to select from a list of known ESE database files


                  • #10
                    An updated beta is now available, V3.0 Beta build 2, Additional changes are;

                    • Case Management
                    - Added 'Repeat action' checkbox to message box prompting to overwrite an existing case file
                    - Fixed issue with setting newly mounted drives as default drive
                    • ESEDB Viewer
                    - Added progress bar when performing search
                    - When loading the 'SystemIndex_0A' table, a subset of the columns are now shown
                    - 'Known' tables are now shown in a different text colour
                    - Added right-click option to add selected records to case
                    - Added to list of known table names to be highlighted
                    - Additional decoding of known columns
                    • File Carving
                    - Fixed overall system slowdown caused by large blocking file reads
                    • Internal viewer
                    - Improved loading and caching of files
                    - Reduced file loading time by optimizing file system accesses
                    • Password Recovery
                    - An error message was updated to show correct error code when permissions prevented some registry changes
                    • Rainbow Tables
                    - Added check for when adding .rti rainbow tables without valid file segments to prevent a crash
                    • Recent Activity
                    - Added Windows search index records
                    - Fixed crash when pressing 'Enter' with nothing selected
                    - Fixed item selection when 'End' is pressed
                    • Search Index
                    - Multiple history items can now be added to case
                    - Multiple history items can now be deleted
                    - Fixed potential Thumbnail View crash due to lists being deleted while thumbnails are loading
                    • SQLite Browser
                    - Cleaned up code to ensure files saved in temp folder are removed when exiting OSF.
                    • ThumbCache Viewer
                    - Added column for thumbnail size
                    - Added preliminary support for Win8 thumbnail cache
                    • Thumbnail View
                    - Deleted file thumbnails now show the proper icon/thumbnail with a deleted overlay flag
                    - Improved performance of loading thumbnails of deleted files
                    • WebBrowser
                    - No longer creates a web browser temp dir as it was not being used and was not being cleaned up properly after program exit.
                    • Misc
                    - Fixed bug with creating Encase files for imaging


                    • #11
                      Any thoughts about supporting .hash as available hash sets?


                      • #12
                        I assume you are referring to the proprietary EnCase file format?
                        As far as I know there is no industry standard format for hash files, except maybe the NSRL list format, which we already support.

                        See this older post, which covers the issue of importing .HASH files and simple text files into OSForensics.


                        • #13
                          V3.0 has now been officially released.

                          Download page is here,

                          Upgrade page is here,

                          The final list of What's New in V3 is here,