No announcement yet.

OSForensics V9 Beta release

  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V9 Beta release

    We are pleased to announce the Beta release of V9 of OSForensics for community testing and feedback.

    Download link:
    UPDATE: The final V9 version has been released.
    Downloads are on the OSForensics download page.

    Licence requirements:
    Old keys from V8 will not work in V9.
    You should be able to have V8 and V9 installed at the same time (if you select different installation folders).
    The link above will work as a 30 day trial.

    Free upgrades:
    When the final V9 release is complete anyone will active support or a subscription will get a free upgrade to V9.

    Is it complete:
    No. We are still adding new functionality

    Is it stable:
    Probably not as stable as V8. But should be mostly OK. We aren't aware of any crash bugs at this time, but please tell us if it isn't stable.

    What's new:

    Map Viewer
    • Added Map Viewer module which enables users to view GPS locations marked on a world map.
    • Added a new pre-set search option, “Photos with GPS Locations” to automatically find all photos with embedded GPS locations (via EXIF data) and then graphically locate where these photographs were taken on a map. On mouse over of the location on the map thumbnail images and image meta are displayed.
    • Ability to import and map GPS coordinates from CSV, GPX and KML files and IP addresses, and search for GPS location by name (ie. Geocoding
    • Added map <=> email viewer integration, to draw arrows between the source and destination of an Email, plus any intermediate transit nodes referenced in Email header.
    Auto Triage
    • Removed some unnecessary warning messages (You are attempting a non-live…) displayed when running Auto Triage
    • Updated the Passwords to select "Live acquisition" for scan when running Auto Triage.
    Boot VM
    • Updated to now allow booting for MacOS (10.13 and above)
    • Now includes support for VMWare Workstation Player 16
    Clipboard Viewer and Signatures Module
    • Restructured UI for consistency and simplicity in OSForensics user experience
    Create / Search Index
    • Restructured UI for simplified user experience. This included convert to 'Sort' link, convert to 'Index' link, move 'Use Word List File' to button dropdown, and consolidated regex filter to search bar.
    • Improved indexing of XML files to index not only data content, but also attribute values in tags. Combined with expanding the max word length to 40 characters, this now allow indexing of GUIDs values in XML files. This allows finding GUIDs in peer-2-peer file sharing files (e.g. Profiles.xml file from Shareaza)
    • Added sub tabs under ‘Browse Index’. These include Words, Files and Protected lists.
    • Reporting of “protected” (or encrypted) files that were encountered and not indexed. Provides a quick way to identify all commonly encrypted document types.
    • Fixed bug with "Search Index", when matching exact phrases only found in meta description
    • Fixed crash bug for when page is near end of index
    • Fixed bug with extra text appearing after highlighting when exact phrase matched in meta description
    • Fixed timeline filter and other UI issues
    • Fixed cleanup of previous state when closing case
    Disk Preparation
    • Fixed a bug stopping Disk 0 from being formatted
    Decrypt File
    • Password Benchmark (i.e. num password per second) is now calculated per thread. Previously only the first benchmark collected was used as the benchmark value for all clients.
    Deleted File Recovery
    • Restructured UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, reduce clutter at the bottom)
    • Added ability to right click on an extension in the scan status tab to view the set of files.
    • Added the Face and Nudity Scan feature to the sorting option
    • FileCarver Config GUI changed the +/- icons to normal expand/collapse icons. Removed the Linux EXT2 option, FileCarver will try to determine the file system and enable it if necessary.
    • Fixed display bug where scrolling to the right and then back, where the listview checkbox/extension column would be unreadable. Added note to expand the extension groups to view the header/footer/etc details for each extension family.
    • Fixed a crash that could occur when no files where found
    Device Manager
    • Added support for per-volume encryption, as used in newer versions of Apple’s APFS file system.
    Email Viewer
    • Added right-click option to lookup IP addresses in e-mail headers and then mark on Map Viewer.
    • Added "Overview" button to view email address statistics in email viewer. Can now get a quick count of Emails To / From each Email address.
    • OSForensics will attempt to convert X.400/X.500 e-mail addresses by parsing the MIME headers if available
    • Added support for indexing EMLX files from Apple Mail
    Event Log Viewer
    • Added OSF generated event information as a summary string in quotation marks when viewing items in the event log viewer (for eg “Disconnected USB device "TOSHIBA External USB 3.0 " , Serial Number: XXX").
    File Name Search
    • Optimizations for improved scan speed and performance, especially when using the direct access mode (also called forensics mode).
    • Reorganized UI for consistency and simplicity (convert to 'Sort' link, convert to 'Preset' link, move configuration text to tooltip for 'Config' link)
    • Dynamically populate map view as files with GPS locations are found, and display image thumbnail (and file metadata) on mouseover of location while in map view
    • Fix stack overflow crash due to large local string variables
    Hash Sets and Create Hash
    • Grouped the two modules into one main hashing module (File Hashing) with two tabs (Hash Sets & Create Hash).
    • Added SHA3 (256, 512) as hash options
    Internal Viewer
    • Re-implemented thumbnails using global thumbnail cache for better performance. Increased number of thumbnails in lower bar to fill window width and added support for video thumbnails.
    • Jump to file when double clicking thumbnail
    • Add extracting of embedded thumbnails in image file within the 'Analyze' dialog. This can help with checking for image manipulation.
    • When a file is fragmented on disk, viewer can display list of file fragments + right-click option to jump to fragment
    • Improved drawing performance and navigation buttons.
    • Hex view, add 'Export strings...' link to string extractor
    • Initial support for viewing PDF files using native API in Win10. This allows faster more accurate PDF rendering in viewer.
    • Display Office Documents (docx, xlsx, pptx, etc) and OpenDocument (odt, odp, odx) files as HTML.
    Mismatch Search
    • Restructured UI for consistency and simplicity.
    • Fix bug with 0 byte files not being excluded from results
    Password Recovery
    • Restructured UI for consistency and simplicity.
    • Distributed password cracking with support for Multiple GPUs (Pro Only). Supports up to 1000 total clients when using distributed cracking
    • Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
    Program Artifacts
    • Restructured UI for consistency and simplicity.
    Raw Disk Viewer
    • Restructured UI for consistency and simplicity (move buttons to 'Actions' link, convert to 'Config' link, add search bar)
    System Information
    • Re-organized UI for simplicity and consistency (consolidate "Live acquisition" into combo box, convert into "command list" link).
    Thumbnail Viewer
    • Fixed drawing of images with alpha channel.
    • Changed behaviour of Tagging Files. Keyboard Shortcut (Ctrl+T) applies to selected (not checked) files. The Checked Items Submenu will have options to Tag/Untag checked files by submenu selection only. This has been implemented in FileSystem Browser and Find Name Search.
    • Ability to open some tagged items in the case manager, e.g. cookie tagged item. ‘Open internal viewer’ will open the SQLite database where cookie was stored.
    • Items tagged in the User Activity modules will indicate they were added in this module in the Case Manager
    User Activity
    • Restructured UI for simplicity and consistency.
    • Moved 'Remove filter' link to 'Activity Filters' drop down
    • Added Anti-Forensics Artifacts to scan the traces of Anti-Forensics programs
    • Search Terms, cut down on duplicate entries by using DISTINCT in SQL query
    • Events, filtered out 4624 event when logon type is 5 (too many system generated events swamping others)
    • Added Cryptocurrency Wallet Apps to scan artifacts of wallet applications installed on the system
    • Fixed activity-specific right click menu options and enter/double click options
    • Added support for parsing UseNet NZB files to display filename, file size, poster and time
    • Added Newshosting UseNet client P2P artifacts
    • Changed the tree-view “Most Recently Used” item to be collapsed by default
    • Fixed crash with change to Autofill in Edge Chromium when data value in Sqlite DB is not encrypted.
    • Added a 3 second display of message "User Activity Scan Finished - No items found" when no items are found
    • Added more checks for cancelled scan when processing ESEDB databases so cancel will complete faster
    • Added support to parse the BitTorrent .torrent file format to display its contents info like the filename, file size, and time
    • Added scanning for WiFi passwords stored on the Windows system and display under the WLAN category
    • Fixed an issue with Firefox password recovery, a crash that could occur when parsing Firefox V31 and earlier versions passwords
    • Update EXIFTool to 12.25 due to ACE security vulnerability
    Last edited by Tim (PassMark); 08-05-2021, 01:46 AM.

  • #2
    Changes for Beta 3:

    Create / Search Index
    • - Added "Save to disk" checked items menu option
    • - Added "Uncheck all" menu option
    • - Updated text for "Save to disk" option
    Email Overview
    • Fix overflow with long To/Cc/Bcc strings in mbox and dbx files. Fix missing single address summary icon. Add Top 10 contacts filter to sankey graph. Combine sankey graph and summary table when added to case.
    File Name Search
    • Updated the P2P presets to include UseNet related keywords
    Logical Image
    • Fixed a bug in creating destination folders when source path is a network folder (eg. \\holly\temp)
    User Activity:
    • Added an option in the config to allow full scan of the selected drives, which will search Torrent and NZB files across the drives and parse them

    Changes for Beta 2:

    OS Support
    • Adding Windows 11 support.
      (at this point there is one open issue with parsing the am-cache data in Win11. All other modules should work in Win11)

    Email Viewer
    • Added single email summary and sankey graph
    • Fixed buffer overflow when there are too many destination e-mail addresses
    Email Overview
    • Added email summary to case manager
    User Activity
    • Added feature to scan the Anti-Forensics artifacts from AppCompatFlags records.
    • Added Desktop and Documents locations for P2P artifacts scan
    • Added sub-category under P2P
    • Updated P2P columns
    • Restored 'User Activity - Summary' dialog box to tree right-click menu (to hide items in the tree view that have zero results)
    ESEDB Viewer
    • Fixed an issue where tree-view items are not loaded in the ESEDB Viewer if User Activity has not been initialized before
    • Fixed an issue loading ESE Database files of Windows 11 Pro Version 21H2
    File Name Search
    • Fixed map view popup with incorrect width due to unitialized variable
    • Change alpha of map view popup thumbnail from 50% -> 100%
    Last edited by Tim (PassMark); 07-21-2021, 04:25 AM.