No announcement yet.

OSForensics V8 Beta release

  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V8 Beta release

    We are pleased to announce the Beta release of V8 of OSForensics for community testing and feedback.

    Download link:

    Licence requirements:
    Old keys from V7 will not work in V8.
    You should be able to have V7 and V8 installed at the same time (if you select different installation folders).
    The link above will work as a 30 day trial.

    Free upgrades:
    When the final V8 release is complete anyone will active support (including all purchases of V7 in the 12 months prior to V8 release) will get a free upgrade to V8.
    Otherwise there will be discounted upgrades for older customers.

    Final release date:
    Date isn't fixed as yet. But expectation is for a release in the Aug / Sept 2020 time frame.

    Is it complete:
    No. We are still adding new functionality

    Is it stable:
    Probably not as stable as V7. But should be mostly OK. We aren't aware of any crash bugs at this time, but please tell us if it isn't stable.

    What's new:

    • Added New Face Detection module for still photographs & images
    - "Detect Faces" button was added in the Image Viewer
    - "Sort by Faces" in File Name Search module as added. Depending on the set of images, accuracy is around 80% at the moment. We are hoping to get closer to 95% before the final release. This can make sorting through large collections of images much much faster.

    • Added new Web Server Log Viewer module
    - Can load up log files from Apache, IIS and other web servers, then filter and sort the log data. A lot of effort was invested to support the loading of very large log files without having huge amounts of system RAM.

    • Added new Python Scripting module
    - Implemented new scripting engine, which allows access to internal OSF functions from Python scripting. Scripting commands such as osf.UserActivityGetResult(), osf.ReportGenerate() & osf.LogicalImageStart() are now available.
    - Added support for built-in script Python templates installed under ProgramData\PassMark\OSForensics\ScriptTemplates. The template can be selected under the 'New Script' button dropdown.
    - Added Python API reference for help file.

    • Added new Cloud Imaging support for Forensic Imaging
    - Added Cloud Download/Imaging for Google Drive, Microsoft OneDrive and Dropbox
    - Cloud imaging will create empty files (0 byte files with ".deleted" extension) for deleted items from Dropbox. Dropbox includes deleted files in their directory listing.

    • AmCache Viewer
    - Improved performance of reading amcache hive

    • Case Management
    - Add support for opening tagged e-mails & attachments via double-click/right-click

    • Create Index
    - Added indexing for HEIC and HEIF image files (from Apple devices)
    - Allowed indexing of memory dump files. .mem, Including .dmp, .mdmp (large file support does not apply if inside ZIP files)
    - Improved speed of large binary file extraction indexing (by way of parallel / 2 thread concurrency)
    - Fixed bytes progress status when indexing large binary file
    - Added Email Attachment indexing options ("index attachments by file types")
    - Fixed exiftool indexing issue (using the -fast3 parameter culled out alot of necessary meta information AND may incorrectly identify file type. Note removed -fast optimization will now be slower)
    - Fixed indexing of some GPS meta information from exiftool
    - Fixed issue with indexing OCR output from HEIC and HEIF files

    • Create Signature
    - Added support for SHA-256 hashes. This required changing the signature file format and incrementing the signature file version from 6 -> 7.
    - Add support for comparing previous signature file version with v7 signature file

    • Email Viewer
    - Support opening single e-mails from PST/DBX/MBOX files for faster loading
    - Added exporting e-mail messages to MSG file format
    - Add checkboxes to e-mail messages for bulk operations

    • File name search
    - Changed configuration dialog to support modifying include/exclude folders for each preset. This allows for more accurate preset searches to be defined. Users can also define their own preset searches in the new advanced format.
    - Preset searches are now fixed and cannot be modified inline
    - Added 'User-defined Search' for fully customizable search criteria

    • Forensic Imaging
    - Add option to select between single/split files when creating Encase E01 image files

    • Image Viewer
    - Added support for HEIC and HEIF image files (from Apple devices)
    - Added support for extracting meta data from HEIC and HEIF files

    • Passwords
    - Improved performance of reading Firefox, IE & Windows logins from registry
    - Fix heap corruption when retrieving LSA secrets
    - Fixed various memory leak issues

    • Registry reading
    - Improved performance of RegistryGetSubKeys() and RegistryGetKeyValues() methods for reading registry keys
    - Improved performance of reading registry entries in User Activity. On a 160MB SOFTWARE hive, load times improved from >10min to 20s (as compared to v7)
    - Added new registry function to read a single key in a hive for better performance without loading the entire registry file first

    • ThumbCache Viewer (complete rewrite)
    - Redesigned the interface allowing to load a single cache file, add multiple files by scanning drive or folder
    - Added a tree view to show list of added cache files, folders and drives
    - Added a new "All" option to the Thumbnail Size combo box to show all records in a cache index file
    - Added a new feature to allow loading multiple cache files and viewing all of the records in them in a single list view
    - Added Extended Information to show EXIF data of thumbnails retrieved from ESE Database
    - Updated the thumbnail preview window to be resizable
    - Improved the efficiency of loading ESE Database

    • Thumbnail View of files in various modules.
    - Added support for displaying thumbnails for video files
    - Support for animated video thumbnails on mouse hover (how cool is this!!)
    - Changes to thumbnail caching thread for better performance and robustness
    - Added support for deleted video thumbnails
    - Files that do not have thumbnails are cached and no longer reloaded

    • User Activity
    - Fixed bug in opening ARES registry key path
    - Added more Windows Event IDs to extract more forensically interesting logs
    - Added times to Browser Bookmarks and WLAN items
    - Fixed Time Source display error for some items under All category
    - Changed list-view default sorting as date and time descending order
    - Improved column sorting speed. Sorting large data sets is now 50x faster.
    - Updated column names for Autorun Commands and UserAssist

    • Boot Virtual Machine
    - Added the ability to select additional hard drives (data drives) when booting a VM from a disk image.
    Last edited by Tim (PassMark); 09-28-2020, 12:49 AM.

  • #2
    Changes for Beta 9

    •Case management
    - Generate Report, updated to hide the categories that have no items

    •Create/Compare Signature
    - Added options to have two hashing options (e.g. MD5 and SHA-256) for OSFSig and file listing. Note: Will work with V7 OSFSig files but not previous OSFV8 Beta OSFSig files before this commit. When comparing signatures with different hashing options, only signatures with matching hash will be compared. E.g. Sig1.OSFSig was created with MD5 only and Sig2.OSFSig was created with MD5 + SHA-256. Only MD5 will be used for comparison. If both signature files use the same hashing options both checksums will be used for comparison.

    •Password recovery
    - Made some changes to enable recovery of chrome, edge and opera passwords in some cases where it was previously failing

    •Script Player
    - Allow resizing of package manager dialog

    - Extended beta expiry date

    Changes for Beta 8

    •Android Extract
    - Added extra debug logging.

    •Case Manager
    - Multiple select enabled for Case Management. Can now delete or export multiple cases at a time.

    •Create/Compare Signature
    - Combined the create and compare into a single "Signatures" module with separate tabs. Functionality wise unchanged.

    •Deleted Files
    - Enabled right-click menu option, Show File Location dialog, for deleted files on FAT filesystem. Note: The file location dialog will only show the first cluster of the deleted file for FAT filesystems as only the starting cluster is known and the link-list FAT entries for subsequent clusters are removed once a file is deleted on FAT filesystems.

    •File Previewer
    - Can click on prev/next thumbnails for navigation, behaviour same as prev/next buttons.

    •Install PFX
    - Fixed broken help file link.

    •Password recovery
    - Fixed potential crash when running the Passwords on Windows 10 V2004.
    - Fixed bug where selecting a single file would not populate the input file text box.

    •Python API
    - Added DirectAccess methods GetFileSize() GetFileAttributes() PathFileExists() PathIsDirectory() PathIsOSFDevice() PathIsDirectoryEmpty()
    - Added SelectFolderDialog() method for display a dialog for user to select a folder

    •Script Player
    - Add right-click menu to enter user-defined parameters to 'pip install'
    - Fix warning message fragments appearing in package list

    •Start Window
    - Added hypertext link for License Type under OSF Logo/Tag Line.

    •User Activity:
    - Fixed right-click menus for Downloads
    - Fixed file location display error on FireFox
    - Fixed times display errors on Web browsers

    - Fixed a crash that could occur in the trial version in deleted files and file name search

    Changes for Beta 7

    •File Name Search
    - Added colour backgrounds for results when sorting by Illicit or Face scores. Results are marked Red for likely illicit, Pink for probably illicit, and Green if Faces detected.
    - Minor UI layout updates
    - Removed border from 'Config' text
    - Increased width of preset/sorting combo box
    - Added missing icon file

    •Script Player
    - Changed to fixed width font (Consolas)

    •System Information
    - Made some changes to allow user entered commands (eg regripper) to be run when live acquisition OR drive letter is selected (as most user entered commands will likely have a hard coded location)

    •User Activity:
    - Fixed an issue with creating a temp file.

    - Fixed some bugs/crashes found during WinPE testing.
    - As SHBrowserForFolder() does not work in WinPE, updated emulate the functionality when running in WinPE.
    - Custom case location can now be specified for Live Triage and Case Manager's Create Case option.

    - Revised default workflow list
    - Added separate checkbox column to show/hide icon in Start page, hiding workflow buttons no longer hide the corresponding Start page icon

    Changes for Beta 6

    •Auto Triage
    - Fixed display/gui bug where the background of the scan options was not being updated in WinPE.

    •Case Management
    - Add button to open 'Manage Devices' window, for managing the devices added to the case

    - Updated Google and DropBox app keys for OAUTH2.

    •Image Viewer
    - Added Analyze Results popup window, showing results from AI face detect, AI illicit image detect, MD5, SHA1, etc.

    •Install to USB
    - Added missing AppData directories to USB install.

    - Add new 'Manage Devices' icon

    - Removed buttons not suitable for workflow

    Changes for Beta 5

    •ESEDB Viewer:
    - Fixed an issue where some values not displayed correctly in Windows 10 V2004

    •Illicit image detect
    - Changed to percentage based score
    - Fixed bug in Image Viewer, determined score was sometimes different to value in "File Name Search" due to image analysis being performed on image with face detection bounding box.

    •Internal viewer
    - Video, Display duration of media along with current timestamp

    •File Name Search
    - Added sort by "video tracks" option
    - Moved sorting combo box to the top (+ other minor layout tweaks)
    - Added 'Images + Illicit-detect AI' preset
    - Added "Video files (sorted by # Tracks)" preset
    - Fixed double closing of thread handle when running exiftool to determine # video tracks
    - Fixed skipped files issues with illicit image check
    - Consolidated filter text into single link control
    - Changed timeline date type combo box to link control
    - Removed 'Current Path' and added 'Scan Status' edit control
    - Moved 'Thumbnail size' slider and 'timeline date' control to top

    •File System Browser
    - Fixed bug where the Analyze Shadow from the button within FSB was not working.

    •Forensic Imaging
    - Fixed minor bug in selecting destination image file

    •Password Recovery
    - Decryption Tab, Added ability for users to select multiple files at a time.

    •User Activity:
    - Updated CSV export
    - Updated filters
    - Updated icons
    - Updated columns for some categories
    - Fixed issue with password decryption message
    - Fixed the issue that Windows Search showing incorrect times in Windows 10 V2004

    - Workflow buttons and Start window icons now have 1-to-1 correspondence
    - Moved 'Check Support Status' to Start window
    - Removed extra 'button' slot

    Changes for Beta 4:

    •About Dialog
    - Will show support inactive/active and expiration date for the license key registered.

    •Case Manager
    - Support selecting multiple files when adding evidence images to case

    •Compare Signature
    - Fixed SHA256 hash not being handled

    •Face Detect, Illicit image detection
    - Fixed single channel (greyscale) image format issues

    •Illicit image detection
    - Improved accuracy by better matching images to pre-training model

    •File and hex Viewer
    - Added a drop down to allow track selection for playback for multi track video files

    Forensic Imaging - Device/SMAR
    - Enabled SMART logging in SysInfoLog.txt

    •Hash Lookup
    - Fixed bug in release build where checksum were not being calculated.

    •Password Recovery
    - Removed support for Safari

    •Start Page
    - Added "Check Support Status" button.

    •User Activity
    - Changed config dialog design
    - Updated Event Log columns
    - Moved Top Sites items to Browser History category
    - Removed support for Safari
    - Removed support for Firefox V31 and earlier versions
    - Updated Browser History columns
    - Fixed slow scan of Cookies, Website Logins and Form History
    - Updated Windows Search File List view message
    - Updated Windows Search columns to display more meaningful message (instead of empty strings)
    - Fixed a crashing issue on the File List view for some categories
    - Updated File List view, HTML and Text exports output strings

    - On exit, OSF will check the parent Temp folder to clean up orphaned temp directories. It will only delete the temp directories that are older than the oldest running/active osf32.exe or osf64.exe process.

    Changes for Beta 3:

    •Cloud Download
    - Implemented Trial Limits, First 100 Files Downloaded, First 300 Emails Exported. Limits are per user account.

    •File and Hex Viewer
    - Replaced "Detect Faces" button in Image Viewer with "Analyze" button, and added illicit image detection feature.
    - Fixed video player not working when opening video files via DirectAccess
    - Fixed bug with video not playing when < 9 thumbnails were loaded
    - Fixed a possible crash when extracting strings

    •File Name Search
    - Added "Illicit images" detection. File Name Search can now sort by "Illicit score".

    •File System Browser
    -File size units can be selected in the FSB options dialog. Defaults to “Auto” and will display in Human readable file size. File size units selectable are: Auto, Bytes, KB, MB, GB. Selection saved in OSFConfig file.

    •Forensic Imaging
    - Initial support for creating AFF4 disk images

    •Hash Lookup
    - Fixed crash when attempting to export lookup results to text

    •User Activity:
    - Updated Downloads to support Firefox latest versions.
    - Updated columns for some categories
    - Updated Cookie columns
    - Fixed an issue where the drive letter format was not consistent resulting in different artifacts number on Live Acquisition and Drive scan

    - Updated Volatility Workbench to v3.0.1001-beta.1
    - Updated exiftool to version 12.03
    - Updated WinPEBuilder.

    Changes for Beta 2:

    •Case Manager
    - Opening of tagged items in case using old path format
    - Will now use Web Browser to open URL tags

    •File Name Search
    - Added new preset for searching for large images + sort by face detection score
    - Added new preset for searching for files modified since last month
    - Added new preset for searching for files modified since yesterday
    - Fixed memory leak for Face Detection
    - Fixed flickering/redraw issues with "Cancel" button missing on progress window while face detecting
    - Removed "...this may take some time, would you like to continue?" prompts for "sort by face" and "sort by colours"

    •Passwords Recovery
    - Fixed the Password Length column to display Not Available message when the password is not decrypted
    - Removed support for FireFox Version 31 and earlier

    •System Information
    - Will now pick "System information from registry" as default when live acquisition is not selected for the case
    - Will now skip commands that can't be run on the selected drive (eg live acquisition only and a drive letter is selected) and display a skipped message in the output

    •User Activity:
    - Fixed an issue where a path was not constructed correctly on a disk scan
    - Rearranged config dialog slightly to shrink height (previously unable to see OK button on 1080p laptop screen)
    - P2P, added extra error information display for decoder error during P2P scan
    - Fixed the issue where Event Logs might not be extracted on Live Acquisition
    - Updated Form History columns
    - Added Website Logins to obtain browser passwords
    - Removed support for FireFox Version 31 and earlier
    - Event Log, fixed handling of temporary cache files when opening event logs
    - Fixed extra colon in 'Location' column for browser items

    •Web Browser
    - Fixed video download crash

    •Security fix
    - Update to the DirectIO device driver to close off possible kernel exploit. Exploit has been not been seen in the field & user would need to already be elevated admin on the machine to attempt the exploit.

    Changes for Beta 1:

    •Case Manager
    - Define new path flag string format for various artifact types, in order to support opening with specific viewer

    •Email Viewer
    - Added right-click option to export e-mails to PDF

    •Find Files
    - Added colour status bar (green/red) for face detect progress

    •File Name Search / File System Browser
    - Added right-click hash selected files option with option to create a Quick Hash Set from the results of the hashed files.

    •Password Recovery
    - Removed support for Opera Version 22 and earlier

    •User Activity:
    - Added Search Term to extract search keywords used in browsers
    - Removed support for Opera Version 22 and earlier
    - Fixed an issue with Windows Search scan on Windows 10 V2004

    Changes for Alpha 4:

    •Auto triage
    - Started saving scan options and logical image options to config file

    •Face Detector
    - Fixed bug with score miscount on images with faces detected outside image dimensions

    •Find Files
    - Changed dropdown sort text from "Face score" to "Face detect score"
    - Added progress thumbnail for 'Face detect score' sorting

    •Forensic Copy - Logical Imaging
    - Added Microsoft Outlook (webmail) export to MBOX format (team chats are not exported).

    •Script Player
    - Added MessageBox(), SelectFileDialog(), GetTextDialog() Python API for obtaining user input
    - Added script examples for charting via matplotlib
    - Updated script templates with user input API examples
    - Added Python package manager for installing 3rd party packages

    •User Activity:
    - Added support for decrypting cookies value of the Chrome, Edge and Opera browsers
    - Added support for decrypting form history value of the Edge browser

    Changes for Alpha 3:

    •Face Detector
    - Added "Face score" calculation, now used for sorting in File Name Search

    •Logical Imaging
    - Cloud Email Download initial support
    - Added GMail export to MBOX format (hangout/chats not yet being exported)

    •Search Index
    - Added "Save to Disk" for checked items

    •Script Player
    - Renamed Python API 'HashSetLookupFile()' to 'HashSetLookup()' to handle both file and hash strings
    - Added HashSetMakeActive() Python API for making a hash set database active
    - Added ReadFile() Python API for reading file contents

    Changes for Alpha 2:

    •Auto Triage
    - Turned off default options for including System hibernation and page files and registry files as part of the logical image configuration

    •Face Detection
    - Improved accuracy of face detection (Switched from haar cascades to Deep Neural Network (DNN) Caffe models)
    - Added confidence value displayed next to box
    - Now skipping images less than 64 width or 64 height as typically there isn't enough pixels in these small image for accurate face detection

    •File Name Search
    - Fixed bug which prevented Face sort from working if we prematurely Stopped a search.

    •Password Recovery
    - Updated to support new Edge Chromium-based version (local account passwords only).
    - Updated to support Chrome V80 and beyond (local account passwords only).
    - Updated to support Opera V67 and beyond (local account passwords only).

    •Python Script Player
    - Added osf.HashFile() method for calculating hash of a file
    - Added HashDrive() Python API method for calculating hash of a drive
    - Added HashSetLookupFile() Python API for looking up a file in a hash set

    •User Activity
    - Updated Browser History, Downloads, Form, Bookmarks and Cookies to support the latest versions of Edge, Chrome and Opera browsers.
    Last edited by Tim (PassMark); 09-28-2020, 12:49 AM.