No announcement yet.

OSForensics V11 Beta Release

This is a sticky topic.
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics V11 Beta Release

    We are pleased to announce the Beta releases of OSForensics V11 for community testing and feedback.

    Download link:
    OSF V11 Beta 3

    Licence requirements:
    Old keys from V10 will not work in V11.
    The link above will work as a 30 day trial.

    Free upgrades:
    When the final V11 release is complete, anyone with active support or a subscription will get a free upgrade to V11.

    Is it complete:
    Mostly. A re-write of Android phone module is still being completed.

    Is it stable:
    Probably not as stable as V10. But should be mostly OK.

    Beta 1​ - 3rd November 2023:

    Analyze Shadow Copies
    - Fixed issue where analyzing "Drive-C" shadow copies was not working
    - Re-arranged some UI elements

    Android Artifacts
    - Changed to use a wizard to obtain, scan and load Android artifacts [Work in progress in Beta 1]

    Create Logical Android Image
    - Updated OSFExtract app to support newer versions of Android [Work in progress in Beta 1]

    Boot VM
    - Added VirtualBox 7 and VMWare 17 to supported hypervisors
    - Fixed issue with long .vmx filenames

    Auto Triage
    - Added automatic encryption certificate collection option

    Deleted File Search
    - Added Carving Option to main Deleted Files Screen, so no need to go into Config file anymore.
    - Added "Calculate Hash of File(s)" to right click menu
    - Added ability for the user to create a new folder when utilizing the "Save Deleted File(s) to Disk" option

    Email Viewer
    - Support displaying email messages when loading MBOX folders found on MacOS
    - Added "To" column to the email list view
    - Updated default email export title to "[<filename>] <first 32 chars of subject>"
    - Updated to allow Email Boxes/Files to be removed by right-clicking on tree view item

    Event Log Viewer
    - Added a new filtering option to allow searching all event log files at the same time
    - Added RDP and PowerShell logs to the presets list
    - Added option to allow cancelling of loading process that is taking a long time
    - Updated to allow for reading of event log files located anywhere on the machine, in case they have been moved from their standard location.
    - Improved presets filtering to make it also work on folder scan and single log file scan
    - Improved performance of loading large log files​

    File Name Search
    - It is now faster. A lot faster. In some cases up to 40x faster. Whole hard drives can be searched in under 1 second (depending on hardware and the number of files). This was the result of improved caching and dozens of separate low level optimisations.
    ​- Added second level search to search the File Name column within the existing results, supports wildcard characters
    - Added new presets: "All Folders (No Files)", "All Files (No Folders)", "Certificate Files"
    - Renamed "All Files" to "All Items (Files & Folders)" preset
    - Added config option to detect encryption/compression by File Analysis (and/or Entropy)
    - Start location will now display hint text if no devices in to case (for non-live acquisition only)
    - Changed "folder to scan" field so it now shows "<Multiple directories selected>" instead of the first folder in the list
    - Changed so when "Search in Hash Set Database" is checked, the hash being used is shown in the status bar
    - Changed so the sort order prior to a new scan is reset to prevent triggering the Face/Illicit Detect on search completion
    - Changed so user is warned if the start directory specified is a child or parent directory of existing item in the directory to be scanned list
    - Changed to allow searching through directories that are re-parse points when device is in Forensics Mode
    - Changed to allow adding re-parse point files to case
    - Opening a folder will now open the folder in File System Browser
    - Increased the length of the text users can type into the configuration directory field
    - Updated several search presets to exclude folders to avoid false positives and changed the search string from using wildcard (*) to improve search times
    - Set the current device selection as the default value for the Directory in the Config dialog
    - Set the Directory value as the case default drive when user clicks the Reset button in the Config dialog
    - Fixed bug where "Make Database Active" setting was not updating the Active Database in the Hash module
    - Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
    - Fixed issue where it would add to directories to scan rather than replacing them

    File Viewer
    - Viewed, Tagged or Categories values can now be modified
    - Separated flags into OSF and User flags
    - Added "Check file in list" option, when checked, updates checkbox in file list view of the File Name, Deleted File and Mismatch File Search modules
    - Added new graph to chart the entropy for a file
    - Added "not in hash set" flag to File Info tab
    - Added categorized case item status and category name in the file info tab
    - Added EXIF metadata tag group (family) name, this would be helpful to distinguish the two tags which have the same name but belong to different tag groups
    - Tag group names are now shown in the case item properties window and exported report
    - Automatically rotate images based on EXIF data
    - Fixed "in hash set" flag always being enabled even when file is not in a hash set
    - Fixed issue with being unable to play .avi files with tscc encoding
    - Fixed issue where images were distorted when rotated
    - Fixed issue when attempting to load videos from logical drive
    - Fixed column headers disappearing in OSF File Viewer for Compressed filetype when moving/hiding window
    - Fixed possible crash when opening .heic images from file

    File System Browser
    - Added option to right-click menu to allow users to open a file with OSF internal viewer
    - Fixed the bug where MFT Modify Date(Attribute Modify Date) column name was not displaying properly

    - Combined the Create Index and Search Index modules into a single module with tabs for each module
    - Added ability to index Windows Event Log files
    - Fixed looping/hang issue when trying to index invalid MBOX files

    JSON Viewer
    - Fixed freezing on large JSON files
    - Fixed crash when importing JSON files

    Hash Sets
    - Added PhotoDNA hash support to hash set lookup
    - Added tags field to hash sets

    Logical Image
    - Added individual file hashing option when creating logical image
    - Fixed bug where logical image creation log could not be added to case after completion due to file naming issue

    Manage Case
    - Added new caching modes when using Forensics mode. These are set automatically:
    • For disk images and read only devices, persistent caching is used. This means we hold the data from the disk (or disk image) in RAM forever. This gives maximum speed, with the second search run typically getting faster than the first run, as everything gets cached on the first run. This works well for read only devices. It doesn’t work so well for live disks that have files being added and deleted all the time.
    • Temporary caching means we throw away the cache before each search. Caching still occurs during the search however, but the cache starts empty. So it isn’t as fast as persistent caching. The advantage is that it picks up any new files that have been created since the last search.
    • You can also turn caching off. Which is useful only in very rare circumstances for debugging purposes or if the drive is very very active and being even a few seconds behind the live disk activity is an issue.
    - Added Case type: Criminal; Criminal (Contains Child Exploitation Material); Civil; Internal / Confidential; Other
    - Added option when importing a case, if a custom location is detected then ask user if they want to try and restore the case to the same location
    - Added option to choose what date format to use for the selected case when displaying/exporting records
    - Added shortcut keys to case categories
    - Added the ability to account for daylight saving time
    - Added "Settings" right-click option for case devices for setting the device caching mode
    - Added Device Dialog will appear after creating a case when using Investigate Disk from Another Machine option
    - Added check for opened temp file when saving case narrative
    - Case List sort setting is now saved, with default sort set to by access date descending (Most recent listed first)
    - Loaded case always appears on top of the list of Case List (regardless of sorting selected)
    - Changed edit narrative tab to display HTML preview
    - Updated list of available time zones
    - Updated Manage Devices dialog UI
    - Populate category colors when creating a new case
    - Allow for rearranging of case categories in list view
    - Highlight categorized case items if color is assigned to the category
    - Display the color of the selected category in case item exports/properties dialogs
    - Moved the Case Type from Offense & Custody Data to Basic Case Data window
    - Fixed base metadata tags config for the report export
    - Fixed crash when exiting case narrative editor
    - Fixed incorrect error shown when trying to create case with no name
    - Fixed the bug where OSF crashes when editing summary of job in the Offense & Custody Data in advance edit mode
    - Fixed issue when a device was renamed in the Case Manager
    - Fixed bug where the item deleted in the Manage Devices were not being deleted in the case itself
    - Fixed clipping of elements with footer for Chain of Custody report​

    Manage Case - Generate Report
    - Changed export window to a wizard dialog
    - Exported HEIC/HEIF/TIFF images in the report will shown a PNG converted thumbnail of the original image, the exported file and link to the exported file remain unchanged.
    - Added option to display files in grid view
    - Added a metadata level option to the report export wizard to allow fine control of the metadata level for the report generation
    - Added the option to enable/disable displaying time zone next to the date and times
    - Allows users to select EXIF metadata tags per file extension to include in the case report
    - Save the custom report logo file paths and report output location after use and preload the saved paths when the export report wizard dialog is reopened
    - Updated report so that apart from report.html, all files are now in a "ReportData" folder
    - Updated list of default EXIF metadata tags that will be enabled and included in the report for common file types
    - Updated time zone display name
    - Automatically uncheck include thumbnail when created redacted report
    - Fixed layout issue with image display on grid layout
    - Fixed window redraw issue when switching tabs
    - Fixed bug that report was not being properly generated for "Case Report PDF - Printer Friendly", erroring out because template does not have "categories.html" template file
    - Fixed issue where report generation fails when using templates with no "files.html" file

    Memory Viewer
    - Display total RAM of current system in Live Analysis tab

    Mismatch File Search
    - Added a new Scan browser cached images option, when checked it will perform a scan of browsers (Chrome, Edge, Opera, Firefox) cache directories to search for image files.
    - Added support for Brave, Vivaldi, Yandex browsers cached images scan
    - Added Scan Time taken results on completion
    - Added call to flush cache before each scan
    - Added "Exclude Edge Cache image files" option in config
    - Changed to allow customization of columns in list view
    - Start location will now display hint text if no devices in to case (for non-live acquisition only)
    - Fixed issue where certain columns were not able to be sorted
    - Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
    - Fixed bug where found items were incorrectly colored in the list compared to the file attributes

    - Added ability to scan for installed certificates in the windows certificate store
    - Added scan entire file system option for encryption certificates
    - Added activity light to encryption Certificate scan
    - Updated Windows Login Password to confirm with user if they want to continue to scan Non-Windows file system when scanning for Windows Login Password
    - Fixed crash when running encryption Certificate scan on entire drive
    - Fixed a bug where not all DPAPI system master keys were collected, which affected passwords decryption relying on it like WiFi password

    Registry Viewer
    - Added amcache.hve file as a option to select for viewing
    - Fixed incorrect Time Zone values when exporting System Hive

    SQLite DB Browser
    - Added the Windows.db Windows Search database file to known locations
    - Added Windows 10 Push Notification file-path to the SQLite Browser known locations
    - Changed to try and open corresponding .shm & .wal files if they exist
    - Fixed issue where Run SQL crashes under some conditions

    System Information
    - Added support to collect Mac OS system info including: Model and serial number, Computer name, local host name, Timezone info, OS version info, User login info
    - Added note that ProductName may be inaccurate for Win11
    - Removed date after running each command, single date at the top of the report instead
    - Fixed arrangement of preset dropdown

    ThumbCache Viewer
    - Added support to collect thumbnails EXIF data from "Windows.db" file for Windows 11
    - Improved the performance to get data from Windows.db file, especially on the machines with many thumbcache entries
    - Fixed issue where VLC Media Player artifacts not recognized by the internal file viewer properly
    - Fixed possible crash in thumbnail view when mousing over different video items quickly

    User Activity
    - Added a new Open Evidence Source option to the right-click menu to make it clear whether users are opening an item or its evidence source file
    - Added support to collect Windows Search info for Windows 11
    - Added support to collect MS Office Backstage artifacts (recent documents and folders)
    - Added support for parsing Mac OS Safari artifacts including Downloads, Browser History and Bookmarks records
    - Added support for parsing .url format URL shortcut files for the Recent Files artifacts
    - Added support for reading additional OSX MRU files (VLC, TextEdit, QuickTime Player, Recent Documents, Recent Applications)
    - Added support for recycle bin artifacts in OSX
    - Added new subcategory in Event Logs: OSX - KnowledgeC
    - Added new category "Call History" - currently only for OSX
    - Added option to scan dynamic-*.dat files used for auto-correction and predictive text features in OSX for Form History artifacts
    - Added scanning progress and scan time taken on completion
    - Added a new column to show Visit Duration of URLs in Browser History
    - Browser History now shows all the web page visits
    - Changed the tree-view to stay in the previously selected category/subcategory after filtering
    - Changed Browser History to show all visits to a webpage instead of just the last visit
    - Updated to collect cookies in updated file locations for newer versions of Google Chrome, MS Edge, and Opera
    - Updated right-click menu options for P2P
    - Updated list-view double-click/Enter behavior
    - Updated to scan Downloads location for the Anti-Forensics artifacts
    - Updated so tree-view width can now be adjusted
    - Disable sort drop-down if timeline tab is selected
    - Fixed the issue where VLC Media Player artifacts not recognized by the internal file viewer properly
    - Fixed issue with displaying Installed programs evidence location for Linux images scan
    - Fixed issue with parsing event logs from Linux images
    - Fixed issue with parsing Chrome/Edge/Firefox browser artifacts on Linux & OSX
    - Fixed issue where MRU item name displayed a empty string in LNK, Recent Files and MS Office categories
    - Fixed issue where MUICache artifacts evidence file did not open correctly by Registry Viewer
    - Fixed crash when adding a filter in the config dialog
    - Fixed potential buffer overflow issue during the Event Log rendering
    - Fixed system.log gathering in OSX
    - Fixed issue where "Sort by:" text was not updated when switching between categories
    - Fixed issue where some categories were using the same color in the timeline tab
    - Fixed images not displaying in File Previewer when opening Recycle bin items
    - Fixed text overflowing in File List tab for some types of artifacts
    - Reordered Internet Artifacts

    Verify Hash
    - Added auto population of comparison hash field when internal hash value exists, so users do not have to re-validate EO1 files with pre-calculated hashes when importing into OSF

    Web Browser
    - Allow user to select whether the captured image to be added to case or save to file
    - Updated Export GUI

    - Added options to export and import OSFConfig files from Settings
    - Added right click option to customize workflow in start page area
    - Added color legend when exporting timelines as image
    - Added deactivate option for perpetual licenses
    - Added some missing time zones
    - Added option to settings that allows user to pick a custom location for temp files
    - Added RAM drive as a option for a custom temp location
    - Added "FBI Most Wanted Terrorists 2023" search list as a new Word List for the index search module.
    - Changed wording of "Other devices available" option to warn that it’s not running in Forensics mode
    - Changed USB write block icon text and description text to be clearer when its enabled/disabled
    - Changed to use UTC instead of GMT for time zone information
    - Changed thumbnail size slide button to allow to view images with larger sizes
    - Updated "Add Device" & "Manage Devices" icons
    - Updated Volatility Workbench to support Volatility3 V2.4.1 (for memory dump analysis)
    - Update OSFMount x64 binaries to v3.1.1002 to fix mounting image files on a network share using physical emulation. Previously there could be problems with network share permission as the device driver would be running under a different user from the current user.
    - Improved performance when hovering over a thumbnail to see a video preview
    - Display a more serious warning when running OSF as a non admin user, as several important features are missing if you are not running as Admin.
    - Make backup of old config file when updating/downgrading OSF
    - Module running statuses on now cleared when loading a new case
    - Fixed tabbing on some "Add to case" windows
    - Fixed incorrect GUI Message (Warning drive/valid not found for APFS) on Password/User Activity module
    - Fixed text clipping with the legend in timelines​

  • #2
    Beta 2 - 9th November 2023:

    Android Artifacts
    - Various changes to the UI
    - Added 'no messages' to artifact preview panel
    - Fixed crash resulting from not properly closing previous artifact tabs
    - Removed 'create logical android image' from create forensic image tab

    File Name Search
    - Added .msf to the Email file search preset (.msf file is only the index, but it is an indication that Emails might be in the same folder)

    Manage Case
    - Device Manager, Fixed cache not being de-allocated after removing device
    - Edit Case, Restructured Case Narrative and Job Summary Data to be more user intuitive. RichEdit textbox no longer editable, but instead will display HTML Preview of the contents. Case Narrative and Job Summary must now be edited through the OSF HTML Editor
    - Changed so when deleting more than 10 cases at the same time, do not list all cases
    - Fixed case sorting issue when sorting by access date after selecting different cases
    - Cleaned up updating the access time when selecting a case

    Manage Case - Generate Report
    - Added option to disable the signature/footer
    - Automatically Uncheck Thumbnail Preview option when selecting Redacted Report option
    - HEIF/HEIC/TIFF thumbnails are saved as JPG and default dimension increased to 256px (Grid Display, small = 128px, medium = 256px, large = 512px)
    - When loading Case Narrative Template, added warning if template exceed max characters allowed and contents will be truncated
    - Removed links in title column when selecting Redacted Report option
    - Changed 'medium' grid size from 500px to 400px
    - Fixed missing css properties for thumbnail grid display
    - Fixed sizing issue with vertical images overflowing in grid display
    - Fixed grid display not working in non default styles
    - Fixed uncategorized category page not displaying only uncategorized items
    - Fixed repeating (and also incorrect) heading for Uncategorized report page.
    - Fixed navigation bar formatting issue when all files are uncategorized
    - Fixed issue where nothing is displayed in uncategorized category page when all files are uncategorized
    - Optimized report generation Code for category generation

    Memory Viewer
    - After creating a process specific memory capture, browsing in static analysis tab opens to directory they were saved to

    System Information
    - When using "Windows Info (Registry)" command, changed ProductName note, recommend using the "Operating System" command instead​


    • #3
      hi; simon
      can you integrate tools like PhotoDNA and CSAM when developing the new version


      • #4
        PhotoDNA is already in the list above and in the software. But it is for law enforcement only. So you need to Email us with your order number to get it activated.


        • #5
          Beta 3 - 1st December 2023:

          Android Artifacts
          - Added check for whether OSFExtract is in foreground after installation
          - Added Auto Scroll button
          - Added ability to check whether OSFExtract is running
          - Added txt & csv export for MMS and Conversation list
          - Split "Times contacted" into multiple headings
          - Removed "Transfer" button and now the transfer begins on its own
          - Updated TXT/HTML/CSV exports
          - Updated to display device info like product name, model, device and transport ID
          - Updated to check whether the app is installed
          - Updated to display log text in colors
          - Updated for better handling of errors and displaying on the logs list-view
          - Updated for better column sorting, column header resizing
          - Updated Android Artifacts icon
          - Destination type and target info is remembered and loaded on init
          - Changed the Managed Device dialog to be resizable
          - Changed tab select to single click
          - Changed the name of some headings to be more consistent
          - Config options are now saved on exit
          - Fixed sorting issue on a number of columns
          - Fixed MMS/SMS ordering
          - Fixed bug with Android dates, which come in different formats, and also truncation of dates
          - Fixed date truncation of MMS threads
          - Fixed issue with loading VHD image
          - Fixed display of times contacted and last contacted in contact tab
          - Fixed bug with date conversion with some artifacts
          - Fixed crash when attempting to reload device

          Auto Triage
          - Fixed issue where Windows certificates task never completed
          - Fixed Windows certificates option check not being saved
          - Fixed certificates added to case being categorized as images
          - Fixed generated report html files were incorrectly copied

          Deleted Files
          - Fixed possible crash when no drive is selected for scanning
          - Fixed no drive being set for scanning when loaded case has no default drive

          Email Viewer
          - When opening an MSF file (meta data file) which Thunderbird uses to index emails, the Email Viewer will attempt to load the corresponding MBOX in the same directory (the MBOX has the same name as MSF file but without an extension)

          ESEDB Viewer
          - Added support for Win11 22H2 & 23H2

          File Hashing
          - Fixed Quick Set not adding to treeview
          - Fixed on hash set viewer closing, it would swap to different window

          File System Browser
          - Mapped the Back/Forward buttons on the mouse (XBUTTONS) to the existing GUI Back/Forward button on the File System Browser

          File Viewer
          - Fixed non-monospace font used for hex viewer in WinPE

          JSON Viewer
          - Fixed possible crash on JSON Viewer exit

          Manage Case
          - Fixed Case Activity Log not displaying anything when starting OSF and loading last case
          - Fixed Case Activity Log generate report settings not set properly on open
          - Display full path to report listed for Case Reports in the case items list
          - Changed missing thumbnail message to be more accurate

          Manage Case - Report Generation
          - Fixed issue where using 'included Chain of Custody' option did not add to Case
          - Fixed issue when using 'included Chain of Custody' option, attempting to open Case Report would open Chain of Custody instead
          - Disable thumbnail grid options when not selecting case report
          - Aligned grid cells to the top instead of the center

          - Encryption Certificates, Fixed possible crash when certificate has an unknown expiration date
          - Encryption Certificates, Fixed dropdown being out of order

          Search Index
          - Fixed save dialog not appearing when saving files in the email tab

          System Info
          - Added notes to the output for Windows Version from Registry command concerning ProductName (e.g. Windows 11 may appear as Windows 10 when querying the registry)

          User Activity
          - Fixed possible crash when scanning browser artifacts
          - Fixed possible crash when Windows 10 Timeline scan fails to open ActivitiesCache.db database
          - Fixed possible crash when using activity filters
          - Updated to display status for some slow scan processes

          Web Server Viewer
          - Fixed issue where the log format radio buttons were not checked/unchecked properly when switching around them

          - Added support for scanning images with multiple partitions for various modules
          - Fixed OSF being unable to load on Win7
          - Fixed main screen icons not loading properly while running in WinPE
          - Updated VolatilityWorkbench to v3.0.1006
          - Updated French localization