Announcement

Collapse
No announcement yet.

OSForensics V10 Alpha / Beta release

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V10 Alpha / Beta release

    Announcement:
    We are pleased to announce the Alpha / Beta releases of V10 of OSForensics for community testing and feedback.

    Download link:
    Beta period is now over. Final V10 download link is here
    https://www.osforensics.com/download.html

    Licence requirements:
    Old keys from V9 will not work in V10.
    The link above will work as a 30 day trial.

    Free upgrades:
    When the final V10 release is complete anyone will active support or a subscription will get a free upgrade to V10.

    Is it complete:
    No. We are still adding new functionality

    Is it stable:
    Probably not as stable as V9. But should be mostly OK. We aren't aware of any crash bugs at this time, but please tell us if it isn't stable.


    What's new in Alpha 1

    Boot VM
    • Will now display a proper error message when booting from VirtualBox failed (eg. when Intel VT-x/AMD-V is not enabled)
    • Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
    • Added check and display error for partition-only images without a supported OS before mounting as physical disk
    • Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)

    Case Manager
    • Support for adding recovered partitions to case
    • Added ability to save and load custom templates for evidence categories
    • Added ability to rename case devices after they have been added
    • Add Device, changed the default display name to include the date the shadow copy was taken.
    • Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
    • Report Generation, added the details of OSFOrensics digital signature to generated reports
    • Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
    • Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
    • Report Generation, Added "Software Verification" link in report sidebar
    • Report Generation, Added certificate verification information to non HTML reports

    Clipboard Viewer / ThumbCache Viewer
    • Will now draw checkerboard background for improved display of transparent images
    • Improved drawing of images to reduce flickering

    Deleted Files
    • Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
    • MFT and Carving now enabled by default
    • Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
    • Changed name Plist to Binary Plist and improved detection to limit false positives
    • File carving, fixed possible crash when carving MP3 files
    • File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
    • Added secondary sorting on second column (via dropdown and/or control click on details tab)
    • Disabled sorting while deleted file scan is in progress
    • Lowered priority level of carving threads to improve response from computer when carving is in progress
    • Thumbnail Tab, added a quality level indicator to the thumbnails preview
    • Added support for carving MFT file records on non-NTFS quick formatted volumes
    • Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
    • Added new scan method to config window, changed dropdown box to checkboxes.
    • Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
    • Added check for large buffer sizes before allocating memory when detecting faces
    • Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running.
    • File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving.
    • File carving, optimization, updated extensions with header signature. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
    • File carving, optimization, improved the responsiveness for OSForensics when carving is running
    • File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
    • File carving, improved carving of HTML files
    • File carving, reduced false positives for FLV files
    • File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
    • File carving, better handling of .eml files (will verify that both "From:" and "Date:" field are present
    • File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family).
    • File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
    • Opening internal viewer for Plist Files from within the deleted files module should now work
    • Further optimizations to file carving. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with an Mac E01 disk image with default carving config)

    Device Manager
    • Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with large amount of unpartitioned space

    Disk Image and Filesystem Support
    • HFS+, preliminary support for compressed files
    • HFS+, fixed bug in decompressing zlib-compressed file data
    • HFS+, support for reading lzvn-compressed file data stored in resource fork
    • APFS, fixed bug causing buffer overflow when reading extended attributes (eg. compressed files)
    • APFS, fixed reading compressed file data for files with hard links
    • APFS, fixed bug in decompressing zlib-compressed file data

    <Hit length limit - see next post for more>
    Last edited by Tim (PassMark); 06-24-2022, 06:22 AM.

  • #2
    What's New Continued...

    E-mail Viewer
    • Message body containing inline content (eg. base64-encoded jpgs) now displayed as attachments

    ESEDB Viewer
    • Viewer now displays when binary data has been found
    • Search now looks for ASCII strings present in binary data fields.

    File Name Search
    • Fixed $FILE_NAME dates not being displayed for entire disk images added to case
    • Added a reset button to config dialog which sets all changes made by user back to their defaults
    • Made several popup dialogs to close when 'esc' is pressed
    • Now using ffmpeg library instead of exiftool for counting video tracks for better performance

    Forensic and Cloud Imaging
    • Rebuild RAID Disk, added support for detecting and rebuilding Linux mdadm RAID using superblock v1.X

    Internal Viewer
    • Perform initialization/shutdown of Media Foundation once rather than for every internal viewer instance
    • Fixed issue that prevented deleted files opened from File System Browser from showing in the File Viewer
    • Fixed incorrect thumbnail being draw for current item, after the list is updated
    • Migrated library for media playback from Windows Media Foundation to ffmpeg
    • Added support for playing media from memory buffer sources (eg. deleted files)
    • Will now display a specific error message when attempting to open media file with corrupted attributes (duration, video pixel format, etc)
    • Fixed flickering from redrawing thumbnails from deleted search result
    • Added a check to only redraw thumbnails if the items changed
    • Metadata, display an error message if exiftool executable was not found
    • Fixed multithreading bug causing media playback issues when opening multiple instances of the same file
    • Fixed video paint issues when resizing window
    • Fixed first video frame occasionally being displayed immediately after loading preview thumbnail images

    Install to USB
    • Fixed bug, files required by the web browser module were not being copied

    Localisation
    • Added localisation support for Korean and Chinese (simplified and traditional) (still a work in progress)

    OSForensics Digital Signature Verification
    • Added button to start screen (in housekeeping section) that verifies the integrity the program and displays a dialog with the information. Equivalent to going to the properties for the OSF executable, going to the digital signatures tab and clicking the details of the signature to verify the digital certificate is valid.

    Password Recovery
    • Fixed decrypting of wifi passwords on some machines due to a bug in PBKDF2 algorithm
    • Updated common passwords dictionary with passwords obtained from more recent data breaches, increased number of unique passwords from ~10,000 to ~2.3 Million
    • Fixed password recovery issue with the records in "Windows.old" folder
    • Fixed crash in ZIP password recovery when testing a single password

    Search Index
    • Fixed GDI handle leak

    SQLite Browser
    • New Tab to shown Unallocated Space (Free Pages/Blocks) within SQLite database file
    • Added Run SQL tab, allows users to write their own SQL statements
    • Updated sqlite source files (e.g. Sqlite3.c/Sqlite3.h) from 3.8.11.1 to V3.38.0

    Start Window
    • Added settings option to allow for selecting language in use

    System Information
    • Added partition selection dialog when scanning whole disk image with multiple partitions

    Thumbnail Cache / Viewer
    • Attempt to generate video file thumbnails if file extension is a known video type
    • Attempt to load thumbnails only if the filename has a known file extension
    • Set maximum thumbnail cache size of 2000 to prevent exceeding GDI handle limit
    • Fixed multithreaded handling of video thumbnail generation using Media Foundation
    • Fixed thumbnail icons not appearing in thumbnail view
    • Added check for large buffer sizes before allocating memory for displaying thumbnails
    • Migrated library used for video thumbnail generation from Windows Media Foundation to ffmpeg
    • Fixed pixelated play icon for video thumbnails

    User Activity
    • Added Cortana history category. Finds reminders, events, contacts and search history as well as location at time of creation.
    • Passwords, added an option to scan "Windows.old" folder which stores the backups of the previously installed Windows, this option is enabled by default and can be disabled from the Config dialog.
    • Fixed an issue where Moved Downloads not recognizing the system drive on live acquisition mode

    Web Server Log Viewer
    • Added menu for filtering for common web exploits such as SQL injections

    Misc
    • Refresh physical disk info only when there is device change notification, to reduce costly re-scanning of physical disks
    • Keep single instance of physical disk info shared between all modules
    • Fixed bugs with some MessageBoxes opening to wrong handle
    • Changed some dialogs to close when 'esc' is pressed and centred others
    • Installer, added language selection when running installer

    Comment


    • #3
      Alpha 2 12th May 2022

      File Name Search
      • Added Hash Set column which identifies which hash set the file was located in
      • Moved filter description to the right of dialog more so it wasn't overwriting the tab names

      Help
      • Fixed invalid character appearing in Python API HTML documentation causing compile errors in Help+Manual

      Internal Viewer
      • Automatically rotate videos if rotation metadata available

      Localisation
      • Added localization for Search Index, Signatures, Analyze Volume Shadow Copies, File Hashing, Remote Acquisition, Customize Workflow, File System Browser and some Top/Right-click menus

      Mismatch File Search
      • Separated default and user-created filters, removed “built-in” text

      Manage Case
      • Added time zone names to time zone drop down and case report

      Misc
      • Rearranged some ok/cancel buttons for consistency, fixed up some out of place buttons/controls

      Search Index
      • Fixed bug where swapping tabs did not update 'sort by' text to what has been selected for that tab
      • Fixed bug where 'sort by' popup menu had wrong sort option checked
      • Disabled 'sort by' control when selecting timeline/browse index/history tabs

      SQLite Browser
      • Fixed Bug where SQLite associated files were not being opened by SQLite Browser

      Alpha 3 13th May 2022

      File Name Search
      • Fixed bug that was preventing file name search from working correctly

      Alpha 4 2nd June 2022

      Auto triage
      • Added option to enable running auto triage automatically on startup, which can be enabled in the install to usb dialog and use settings last set
      • Added splash screen and progress bar when running auto triage as a standalone option

      Email Viewer
      • Thumbnail preview for supported image attachments on mouse over.

      File System Browser
      • Fixed incorrectly checked sort type in right-click menu

      Internal Viewer
      • Added right-click menu support for deleted files
      • Fixed thumbnails when opening single file
      • Fixed thumbnails for deleted files
      • File viewer support, added opening deleted files (image, video/audio, android backup, compressed archive, office files)
      • OCR, support for deleted files
      • File info, fixed metadata for deleted files

      Localisation
      • Added for Web Server Log Viewer, Event Log Viewer, Registry Viewer menu, Clipboard Viewer, SQLite DB Browser.
      • Added for ESEDB Viewer, $UsnJrnl Viewer, Plist Viewer, Map Viewer, Android Artifacts, Web Browser, Install to USB or Network, Script Player, Drive Preparation.
      • Added for some right click menus

      System Information
      • Added category for basic system information collection from non Windows machines.

      User Activity
      • Added browser artifact support for some modern versions of Linux
      • MRU, shortcut Files, will prompt users if they would like to open the .lnk file itself if the target file/directory is no longer available

      Misc
      • Centred some dialogs to main window for consistency
      • GPUSupport DLLs, changed the runtime library for them to /MT instead of /MD to avoid a missing VC runtime error on older Windows systems.

      Last edited by Tim (PassMark); 06-10-2022, 04:16 AM.

      Comment


      • #4
        Beta 1, released 10th June 2022

        Deleted Files
        • NTFS, fixed potential memory issue when restoring deleted files
        • NTFS, added more debug verbosity when restoring deleted files to disk

        Localisation
        • Added localisation for Japanese

        Raw Disk Viewer
        • Fixed a bug where search button was not working after added localization

        SQLite Browser
        • Fixed bug to address possible circular reference/offset when parsing corrupted/bad free blocks

        System Information
        • Fixed issue with files on Linux images not being opened correctly

        User Activity
        • USB, added support to collect USB Artifacts of USB Storage Device connection and disconnection history. This feature is achieved by analyzing Windows Event Log Event IDs 2003 and 2012 (Microsoft-Windows-DriverFrameworks-UserMode/Operational channel). Event logging of this channel is not enabled by default, users / system administrators need to have enabled it in the past in order for OSF to collect the relevant events.
        • Added parsing for Linux log files located in the /var/log directory

        Misc
        • Help file, updated file carving config info + images
        • UI adjustments, centred additional dialogs
        • Installer, updated OSFMount to v3.1.1001
        • Installer, added Japanese language selection option

        Beta 2, release 24th June 2022

        Case Management
        • Fixed report strings Create Redacted Report / Create Full Length Report using old text

        Create Index
        • Fixed bug where 'memory dump files' was not disabled when using saved configurations
        • Fixed duplicate static dialog name

        Start Page
        • Moved "Verify OSForensics" and "Settings" from "Housekeeping" section into "Help and Information" to better balance the display

        Deleted Files
        • For FAT and NTFS files systems, added option to carve only Allocated sectors

        Forensic and Cloud Imaging
        • Forensics Copy, added ability to export forensic image as zip file

        User Activity
        • Added "Create Super Timeline" button that performs a complete scan of all activity sub-categories
        • Added warning when attempting to scan a drive image that does not exist
        • Fixed issue where items automatically unchecked after running quick scan
        • Shellbag, fixed possible heap corruption crash when parsing (corrupted) URI shell item
        • USB, fixed an issue where artifacts of USB devices were not properly parsed from Windows Registry location "SYSTEM\CurrentControlSet\Enum\SCSI" in Live Acquisition mode
        • USB, Added "Filter Results for This Device" option to the right-click menu for quick filtering by USB device serial.
        • Fixed miscellaneous crashes in anti-forensics info and registry info

        Localisation
        • Added Spanish localization
        • Updated Japanese localization

        Search index
        • Fixed some odd behaviour (corrupt strings, crashing) that could happen when switching between tabs on the search index page

        System Information
        • Added more sources for Linux and Mac system information.

        Misc
        • Removed "Selected items" option from the right-click menu for consistency. Affected modules include JSON Viewer, ThumbCache Viewer, Web Server Log Viewer
        • User Interface, an info dialog will appear to point the user to the Help Link and other OSF resources online if OSForensics is the active/foreground Window, no other OSF task is running and no user input detected for 5 minutes.
        • Changed side navbuttons to change width depending on language selected
        • Added functions to resize controls to fit text and arrange controls
        • More UI adjustments for localizations
        Last edited by Tim (PassMark); 06-24-2022, 06:25 AM.

        Comment


        • #5
          Any chance of getting a key to beta of version 10? Cant seem to find it or get it to work. I am subscribed to OSF and want to try it out. Thanks!

          Comment


          • #6
            Originally posted by jcaruso View Post
            Any chance of getting a key to beta of version 10? Cant seem to find it or get it to work. I am subscribed to OSF and want to try it out. Thanks!
            V10 testing is wrapping up with some final changes/fixes and should be released (hopefully) soon...

            But you can try sending email in with your existing order or license key and request a temp beta key.

            Comment


            • #7
              Will there be also a localisation for German ?

              Comment


              • #8
                We plan to also add German and French over the next few weeks. Note that only the main user interface is localised in this release (not the Help file and some error messages).

                Comment


                • #9
                  Hi
                  it will be very helpful if License Owners can generate a Beta Key in the Owner License Portal.
                  that can be a 4 or 6 week Temp Key and after release than a final key.
                  If I test it like I done it owerwrithe my V9 installation and I will not use a other path my hole
                  Tools and scripts use the Path.
                  But I have no test Cases I have only real Cases and my Output goes from Operative Security (me)
                  to Our Security Officer.
                  For that a Trial version is not real cool
                  I understand that you must secure your License, but what is maximum error that can be ?
                  The maximum error was that a License Owner at his last Maintenance day create a trial key for 4 or 6 Weeks.
                  If he have Maintenance when beta goes to release he get a Final key and he get that key too if his Maintenance are only two days
                  end after V10 coms up.
                  In my Eyes you can not loose anything if at this point a User in maintenance or other License Modell can create
                  a Beta Key self.

                  Best

                  Andre

                  Comment


                  • #10
                    License management with a major upgrade is deceptively complex. Lots of edge cases and keys are linked to support periods (or subscription periods) and particular versions of the software.
                    If we thought the beta period was going to be a long one, we would definitely implement something better. But we are hoping to get the final release done in around two weeks.

                    For the moment temp V10 keys can be created manually, see the post above.
                    Or you can reinstall V9 and continue with V9 for the moment.

                    Comment


                    • #11
                      Hi David,
                      i understand no Problem.
                      for now I use V9 and wait for V10

                      best
                      Andre

                      Comment


                      • #12
                        V10 has now been released.

                        Final release notes page
                        https://www.osforensics.com/osforensics.html

                        What's new video summary
                        https://www.youtube.com/watch?v=31L-06HGiY4

                        Download
                        https://www.osforensics.com/download.html

                        If you find any problems, please let us know.

                        Comment

                        Working...
                        X