Announcement:
We are pleased to announce the Alpha / Beta releases of V10 of OSForensics for community testing and feedback.
Download link:
Beta period is now over. Final V10 download link is here
https://www.osforensics.com/download.html
Licence requirements:
Old keys from V9 will not work in V10.
The link above will work as a 30 day trial.
Free upgrades:
When the final V10 release is complete anyone with active support or a subscription will get a free upgrade to V10.
Is it complete:
No. We are still adding new functionality
Is it stable:
Probably not as stable as V9. But should be mostly OK. We aren't aware of any crash bugs at this time, but please tell us if it isn't stable.
What's new in Alpha 1
Boot VM
• Will now display a proper error message when booting from VirtualBox failed (e.g. when Intel VT-x/AMD-V is not enabled)
• Added check for whether VirtualBox extension pack is installed if USB 2.0 or USB 3.0 controller is selected
• Added check and display error for partition-only images without a supported OS before mounting as physical disk
• Added support for password bypass for Win 10/Server 2016 Builds 17763 and 19041 (via PEPassPass v1.2.3)
Case Manager
• Support for adding recovered partitions to case
• Added ability to save and load custom templates for evidence categories
• Added ability to rename case devices after they have been added
• Add Device, changed the default display name to include the date the shadow copy was taken.
• Report Generation, separated the HTML and PDF report options into different templates, no longer need to generate a HTML report to get a PDF copy
• Report Generation, added the details of OSForensics digital signature to generated reports
• Report Generation, updated "Link to case files" and "Copy files to report location" options to "Create Redacted Report" and "Create Full Length Report" to be more descriptive
• Report Generation, added ability to toggle the inclusion of signature certificate verification information in report generation dialog
• Report Generation, Added "Software Verification" link in report sidebar
• Report Generation, Added certificate verification information to non HTML reports
Clipboard Viewer / ThumbCache Viewer
• Will now draw checkerboard background for improved display of transparent images
• Improved drawing of images to reduce flickering
Deleted Files
• Updated to allow selecting of carving of MFT Only, MFT and Carving, or Carving Only
• MFT and Carving now enabled by default
• Added minimum size requirement for carved JPGs (126 bytes), GIFs (43 Bytes), PNGs (68 bytes)
• Changed name Plist to Binary Plist and improved detection to limit false positives
• File carving, fixed possible crash when carving MP3 files
• File carving, improved MP3/JPG detection to cut down on the number of false positive results returned
• Added secondary sorting on second column (via dropdown and/or control click on details tab)
• Disabled sorting while deleted file scan is in progress
• Lowered priority level of carving threads to improve response from computer when carving is in progress
• Thumbnail Tab, added a quality level indicator to the thumbnails preview
• Added support for carving MFT file records on non-NTFS quick formatted volumes
• Added support for recovering files from carved MFT records. This enables recovery of files from a quick-formatted volume
• Added new scan method to config window, changed dropdown box to checkboxes.
• Prepend "Carved MFT" to 'Source String' of files recovered from carved MFT records to differentiate from normal deleted files
• Added check for large buffer sizes before allocating memory when detecting faces
• Background LED indicator fixed, indicator would incorrectly reset after "Saving Delete File to Disk" while scan is running.
• File carving, optimization, improved efficiency of pattern matching code. This change roughly doubles the speed of file carving.
• File carving, optimization, updated extensions with header signature. Changed empty buffer detection to faster implementation to detect empty or repeating blocks read from disk. Scanning empty sectors is now 6 times faster
• File carving, optimization, improved the responsiveness for OSForensics when carving is running
• File carving, optimization, increased the number of carving threads to 75% of available logical processors, up to a max of 32
• File carving, improved carving of HTML files
• File carving, reduced false positives for FLV files
• File carving, changed the naming of file to be more informative, new format "Carved .JPG file found at 310GB - byte offset 0x482D709C00.jpg"
• File carving, better handling of .eml files (will verify that both "From:" and "Date:" fields are present)
• File carving, reduced repeated carving for file signatures with the same headers (e.g. TIFF family, ZIP family).
• File carving, ensure recovered carved file will not exceed the max file size specified by extension (or 100 MB, whichever is less)
• Opening internal viewer for Plist Files from within the deleted files module should now work
• Further optimizations to file carving. Improved accuracy for JPG files and overall performance. Compared to final V9 release, current file carving code is over 6x faster (benchmarked with a Mac E01 disk image with default carving config)
Device Manager
• Scan up to a maximum number of sectors when looking for recovered partitions. This prevents unbounded scanning of disks with a large amount of unpartitioned space
Disk Image and Filesystem Support
• HFS+, preliminary support for compressed files
• HFS+, fixed bug in decompressing zlib-compressed file data
• HFS+, support for reading lzvn-compressed file data stored in resource fork
• APFS, fixed bug causing buffer overflow when reading extended attributes (e.g. compressed files)
• APFS, fixed reading compressed file data for files with hard links
• APFS, fixed bug in decompressing zlib-compressed file data
<Hit length limit - see next post for more>
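A sketch of the carving checks listed under Deleted Files (skipping empty or repeating blocks, per-type minimum sizes, the 100 MB cap and the new file naming), added here as an illustration and not OSForensics code. The footer-based matching, the 512-byte sector size, the decimal-GB rounding in the name and the constructed sample image are assumptions.

```python
# Added illustration, not OSForensics code. Magic bytes are the published
# ones; footer-based matching is an assumed simplification.
SIGNATURES = {
    # ext: (header, footer, minimum size in bytes from the release notes)
    "JPG": (b"\xff\xd8\xff", b"\xff\xd9", 126),
    "GIF": (b"GIF8", b"\x00\x3b", 43),
    "PNG": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 68),
}
MAX_CARVE = 100 * 1024 * 1024  # 100 MB cap from the release notes
BLOCK = 512                    # assumed sector size


def is_empty_or_repeating(block: bytes) -> bool:
    """True when the block is one byte value repeated (e.g. all 0x00)."""
    return len(block) > 0 and block == block[:1] * len(block)


def carved_name(ext: str, offset: int) -> str:
    """File name in the format quoted above (decimal GB is an assumption)."""
    gb = offset // 10**9
    return f"Carved .{ext} file found at {gb}GB - byte offset 0x{offset:X}.{ext.lower()}"


def carve(image: bytes, base_offset: int = 0) -> list:
    """Return [(name, data)] for candidates that pass the size checks."""
    hits = []
    for start in range(0, len(image), BLOCK):
        block = image[start:start + BLOCK]
        if is_empty_or_repeating(block):
            continue  # wiped or unused sector: skip signature matching
        for ext, (header, footer, min_size) in SIGNATURES.items():
            if not block.startswith(header):
                continue  # assumed: files begin on a sector boundary
            # Bounding the search keeps the carved file within MAX_CARVE.
            end = image.find(footer, start + len(header), start + MAX_CARVE)
            if end == -1:
                continue
            data = image[start:end + len(footer)]
            if len(data) >= min_size:  # tiny hits are likely false positives
                hits.append((carved_name(ext, base_offset + start), data))
    return hits


def sample_image() -> bytes:
    """Constructed input: empty sector, 10-byte JPG look-alike, 96-byte PNG."""
    pad = lambda b: b + b"\x00" * (-len(b) % BLOCK)
    fake_jpg = b"\xff\xd8\xff\xe0AAAA\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x01" * 80 + b"IEND\xaeB`\x82"
    return b"\x00" * BLOCK + pad(fake_jpg) + pad(png)
```

Running `carve(sample_image())` keeps only the PNG: the all-zero sector is skipped before any signature matching, and the 10-byte JPG look-alike is dropped by the 126-byte minimum.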