We are pleased to announce the Beta releases of OSForensics V11 for community testing and feedback.
Download link:
OSF V11 Beta5
Licence requirements:
Old keys from V10 will not work in V11.
The link above will work as a 30 day trial.
Free upgrades:
When the final V11 release is complete, anyone with active support or a subscription will get a free upgrade to V11.
Is it complete:
Mostly. A re-write of the Android phone module is still being completed.
Is it stable:
Probably not as stable as V10. But should be mostly OK.
Beta 1 - 3rd November 2023:
Analyze Shadow Copies
- Fixed issue where analyzing "Drive-C" shadow copies was not working
- Re-arranged some UI elements
Android Artifacts
- Changed to use a wizard to obtain, scan and load Android artifacts [Work in progress in Beta 1]
Create Logical Android Image
- Updated OSFExtract app to support newer versions of Android [Work in progress in Beta 1]
Boot VM
- Added VirtualBox 7 and VMWare 17 to supported hypervisors
- Fixed issue with long .vmx filenames
Auto Triage
- Added automatic encryption certificate collection option
Deleted File Search
- Added Carving Option to main Deleted Files Screen, so no need to go into Config file anymore.
- Added "Calculate Hash of File(s)" to right click menu
- Added ability for the user to create a new folder when utilizing the "Save Deleted File(s) to Disk" option
Email Viewer
- Support displaying email messages when loading MBOX folders found on MacOS
- Added "To" column to the email list view
- Updated default email export title to "[<filename>] <first 32 chars of subject>"
- Updated to allow Email Boxes/Files to be removed by right-clicking on tree view item
Event Log Viewer
- Added a new filtering option to allow searching all event log files at the same time
- Added RDP and PowerShell logs to the presets list
- Added option to allow cancelling of loading process that is taking a long time
- Updated to allow for reading of event log files located anywhere on the machine, in case they have been moved from their standard location.
- Improved presets filtering to make it also work on folder scan and single log file scan
- Improved performance of loading large log files
File Name Search
- It is now faster. A lot faster. In some cases up to 40x faster. Whole hard drives can be searched in under 1 second (depending on hardware and the number of files). This was the result of improved caching and dozens of separate low level optimisations.
- Added second level search to search the File Name column within the existing results, supports wildcard characters
- Added new presets: "All Folders (No Files)", "All Files (No Folders)", "Certificate Files"
- Renamed "All Files" to "All Items (Files & Folders)" preset
- Added config option to detect encryption/compression by File Analysis (and/or Entropy)
- Start location will now display hint text if there are no devices in the case (for non-live acquisition only)
- Changed "folder to scan" field so it now shows "<Multiple directories selected>" instead of the first folder in the list
- Changed so when "Search in Hash Set Database" is checked, the hash being used is shown in the status bar
- Changed so the sort order prior to a new scan is reset to prevent triggering the Face/Illicit Detect on search completion
- Changed so user is warned if the start directory specified is a child or parent directory of existing item in the directory to be scanned list
- Changed to allow searching through directories that are re-parse points when device is in Forensics Mode
- Changed to allow adding re-parse point files to case
- Opening a folder will now open the folder in File System Browser
- Increased the length of the text users can type into the configuration directory field
- Updated several search presets to exclude folders to avoid false positives and changed the search string from using wildcard (*) to improve search times
- Set the current device selection as the default value for the Directory in the Config dialog
- Set the Directory value as the case default drive when user clicks the Reset button in the Config dialog
- Fixed bug where "Make Database Active" setting was not updating the Active Database in the Hash module
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed issue where it would add to directories to scan rather than replacing them
File Viewer
- Viewed, Tagged or Categories values can now be modified
- Separated flags into OSF and User flags
- Added "Check file in list" option, when checked, updates checkbox in file list view of the File Name, Deleted File and Mismatch File Search modules
- Added new graph to chart the entropy for a file
- Added "not in hash set" flag to File Info tab
- Added categorized case item status and category name in the file info tab
- Added EXIF metadata tag group (family) name, this would be helpful to distinguish the two tags which have the same name but belong to different tag groups
- Tag group names are now shown in the case item properties window and exported report
- Automatically rotate images based on EXIF data
- Fixed "in hash set" flag always being enabled even when file is not in a hash set
- Fixed issue with being unable to play .avi files with tscc encoding
- Fixed issue where images were distorted when rotated
- Fixed issue when attempting to load videos from logical drive
- Fixed column headers disappearing in OSF File Viewer for Compressed filetype when moving/hiding window
- Fixed possible crash when opening .heic images from file
File System Browser
- Added option to right-click menu to allow users to open a file with OSF internal viewer
- Fixed the bug where MFT Modify Date (Attribute Modify Date) column name was not displaying properly
Indexing
- Combined the Create Index and Search Index modules into a single module with tabs for each module
- Added ability to index Windows Event Log files
- Fixed looping/hang issue when trying to index invalid MBOX files
JSON Viewer
- Fixed freezing on large JSON files
- Fixed crash when importing JSON files
Hash Sets
- Added PhotoDNA hash support to hash set lookup
- Added tags field to hash sets
Logical Image
- Added individual file hashing option when creating logical image
- Fixed bug where logical image creation log could not be added to case after completion due to file naming issue
Manage Case
- Added new caching modes when using Forensics mode. These are set automatically:
• For disk images and read only devices, persistent caching is used. This means we hold the data from the disk (or disk image) in RAM forever. This gives maximum speed, with the second search run typically getting faster than the first run, as everything gets cached on the first run. This works well for read only devices. It doesn’t work so well for live disks that have files being added and deleted all the time.
• Temporary caching means we throw away the cache before each search. Caching still occurs during the search, but the cache starts empty, so it isn’t as fast as persistent caching. The advantage is that it picks up any new files that have been created since the last search.
• You can also turn caching off, which is useful only in very rare circumstances: for debugging purposes, or if the drive is very active and being even a few seconds behind the live disk activity is an issue.
- Added Case type: Criminal; Criminal (Contains Child Exploitation Material); Civil; Internal / Confidential; Other
- Added option when importing a case, if a custom location is detected then ask user if they want to try and restore the case to the same location
- Added option to choose what date format to use for the selected case when displaying/exporting records
- Added shortcut keys to case categories
- Added the ability to account for daylight saving time
- Added "Settings" right-click option for case devices for setting the device caching mode
- Added Device Dialog will appear after creating a case when using Investigate Disk from Another Machine option
- Added check for opened temp file when saving case narrative
- Case List sort setting is now saved, with default sort set to by access date descending (Most recent listed first)
- Loaded case always appears on top of the list of Case List (regardless of sorting selected)
- Changed edit narrative tab to display HTML preview
- Updated list of available time zones
- Updated Manage Devices dialog UI
- Populate category colors when creating a new case
- Allow for rearranging of case categories in list view
- Highlight categorized case items if color is assigned to the category
- Display the color of the selected category in case item exports/properties dialogs
- Moved the Case Type from Offense & Custody Data to Basic Case Data window
- Fixed base metadata tags config for the report export
- Fixed crash when exiting case narrative editor
- Fixed incorrect error shown when trying to create case with no name
- Fixed the bug where OSF crashes when editing summary of job in the Offense & Custody Data in advance edit mode
- Fixed issue when a device was renamed in the Case Manager
- Fixed bug where items deleted in Manage Devices were not being deleted in the case itself
- Fixed clipping of elements with footer for Chain of Custody report
Manage Case - Generate Report
- Changed export window to a wizard dialog
- Exported HEIC/HEIF/TIFF images in the report will show a PNG-converted thumbnail of the original image; the exported file and the link to the exported file remain unchanged.
- Added option to display files in grid view
- Added a metadata level option to the report export wizard to allow fine control of the metadata level for the report generation
- Added the option to enable/disable displaying time zone next to the date and times
- Allows users to select EXIF metadata tags per file extension to include in the case report
- Save the custom report logo file paths and report output location after use and preload the saved paths when the export report wizard dialog is reopened
- Updated report so that apart from report.html, all files are now in a "ReportData" folder
- Updated list of default EXIF metadata tags that will be enabled and included in the report for common file types
- Updated time zone display name
- Automatically uncheck include thumbnail when creating a redacted report
- Fixed layout issue with image display on grid layout
- Fixed window redraw issue when switching tabs
- Fixed bug that report was not being properly generated for "Case Report PDF - Printer Friendly", erroring out because template does not have "categories.html" template file
- Fixed issue where report generation fails when using templates with no "files.html" file
Memory Viewer
- Display total RAM of current system in Live Analysis tab
Mismatch File Search
- Added a new Scan browser cached images option, when checked it will perform a scan of browsers (Chrome, Edge, Opera, Firefox) cache directories to search for image files.
- Added support for Brave, Vivaldi, Yandex browsers cached images scan
- Added Scan Time taken results on completion
- Added call to flush cache before each scan
- Added "Exclude Edge Cache image files" option in config
- Changed to allow customization of columns in list view
- Start location will now display hint text if there are no devices in the case (for non-live acquisition only)
- Fixed issue where certain columns were not able to be sorted
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed bug where found items were incorrectly colored in the list compared to the file attributes
Passwords
- Added ability to scan for installed certificates in the Windows certificate store
- Added scan entire file system option for encryption certificates
- Added activity light to encryption Certificate scan
- Updated Windows Login Password to confirm with user if they want to continue to scan Non-Windows file system when scanning for Windows Login Password
- Fixed crash when running encryption Certificate scan on entire drive
- Fixed a bug where not all DPAPI system master keys were collected, which affected decryption of passwords that rely on them, such as WiFi passwords
Registry Viewer
- Added amcache.hve file as an option to select for viewing
- Fixed incorrect Time Zone values when exporting System Hive
SQLite DB Browser
- Added the Windows.db Windows Search database file to known locations
- Added Windows 10 Push Notification file-path to the SQLite Browser known locations
- Changed to try and open corresponding .shm & .wal files if they exist
- Fixed issue where Run SQL crashes under some conditions
System Information
- Added support to collect Mac OS system info including: Model and serial number, Computer name, local host name, Timezone info, OS version info, User login info
- Added note that ProductName may be inaccurate for Win11
- Removed date after running each command, single date at the top of the report instead
- Fixed arrangement of preset dropdown
ThumbCache Viewer
- Added support to collect thumbnails EXIF data from "Windows.db" file for Windows 11
- Improved the performance to get data from Windows.db file, especially on the machines with many thumbcache entries
- Fixed issue where VLC Media Player artifacts were not recognized properly by the internal file viewer
- Fixed possible crash in thumbnail view when mousing over different video items quickly
User Activity
- Added a new Open Evidence Source option to the right-click menu to make it clear whether users are opening an item or its evidence source file
- Added support to collect Windows Search info for Windows 11
- Added support to collect MS Office Backstage artifacts (recent documents and folders)
- Added support for parsing Mac OS Safari artifacts including Downloads, Browser History and Bookmarks records
- Added support for parsing .url format URL shortcut files for the Recent Files artifacts
- Added support for reading additional OSX MRU files (VLC, TextEdit, QuickTime Player, Recent Documents, Recent Applications)
- Added support for recycle bin artifacts in OSX
- Added new subcategory in Event Logs: OSX - KnowledgeC
- Added new category "Call History" - currently only for OSX
- Added option to scan dynamic-*.dat files used for auto-correction and predictive text features in OSX for Form History artifacts
- Added scanning progress and scan time taken on completion
- Added a new column to show Visit Duration of URLs in Browser History
- Browser History now shows all the web page visits
- Changed the tree-view to stay in the previously selected category/subcategory after filtering
- Changed Browser History to show all visits to a webpage instead of just the last visit
- Updated to collect cookies in updated file locations for newer versions of Google Chrome, MS Edge, and Opera
- Updated right-click menu options for P2P
- Updated list-view double-click/Enter behavior
- Updated to scan Downloads location for the Anti-Forensics artifacts
- Updated so tree-view width can now be adjusted
- Disable sort drop-down if timeline tab is selected
- Fixed the issue where VLC Media Player artifacts were not recognized properly by the internal file viewer
- Fixed issue with displaying Installed programs evidence location for Linux images scan
- Fixed issue with parsing event logs from Linux images
- Fixed issue with parsing Chrome/Edge/Firefox browser artifacts on Linux & OSX
- Fixed issue where MRU item name displayed an empty string in LNK, Recent Files and MS Office categories
- Fixed issue where MUICache artifacts evidence file was not opened correctly by Registry Viewer
- Fixed crash when adding a filter in the config dialog
- Fixed potential buffer overflow issue during the Event Log rendering
- Fixed system.log gathering in OSX
- Fixed issue where "Sort by:" text was not updated when switching between categories
- Fixed issue where some categories were using the same color in the timeline tab
- Fixed images not displaying in File Previewer when opening Recycle bin items
- Fixed text overflowing in File List tab for some types of artifacts
- Reordered Internet Artifacts
Verify Hash
- Added auto population of comparison hash field when internal hash value exists, so users do not have to re-validate E01 files with pre-calculated hashes when importing into OSF
Web Browser
- Allow user to select whether the captured image is added to the case or saved to file
- Updated Export GUI
Misc
- Added options to export and import OSFConfig files from Settings
- Added right click option to customize workflow in start page area
- Added color legend when exporting timelines as image
- Added deactivate option for perpetual licenses
- Added some missing time zones
- Added option to settings that allows user to pick a custom location for temp files
- Added RAM drive as an option for a custom temp location
- Added "FBI Most Wanted Terrorists 2023" search list as a new Word List for the index search module.
- Changed wording of "Other devices available" option to warn that it’s not running in Forensics mode
- Changed USB write block icon text and description text to be clearer when it's enabled/disabled
- Changed to use UTC instead of GMT for time zone information
- Changed thumbnail size slide button to allow to view images with larger sizes
- Updated "Add Device" & "Manage Devices" icons
- Updated Volatility Workbench to support Volatility3 V2.4.1 (for memory dump analysis)
- Update OSFMount x64 binaries to v3.1.1002 to fix mounting image files on a network share using physical emulation. Previously there could be problems with network share permission as the device driver would be running under a different user from the current user.
- Improved performance when hovering over a thumbnail to see a video preview
- Display a more serious warning when running OSF as a non admin user, as several important features are missing if you are not running as Admin.
- Make backup of old config file when updating/downgrading OSF
- Module running statuses are now cleared when loading a new case
- Fixed tabbing on some "Add to case" windows
- Fixed incorrect GUI Message (Warning drive/valid not found for APFS) on Password/User Activity module
- Fixed text clipping with the legend in timelines
Download link:
OSF V11 Beta5
Licence requirements:
Old keys from V10 will not work in V11.
The link above will work as a 30 day trial.
Free upgrades:
When the final V11 release is complete, anyone with active support or a subscription will get a free upgrade to V11.
Is it complete:
Mostly. A re-write of Android phone module is still being completed.
Is it stable:
Probably not as stable as V10. But should be mostly OK.
Beta 1 - 3rd November 2023:
Analyze Shadow Copies
- Fixed issue where analyzing "Drive-C" shadow copies was not working
- Re-arranged some UI elements
Android Artifacts
- Changed to use a wizard to obtain, scan and load Android artifacts [Work in progress in Beta 1]
Create Logical Android Image
- Updated OSFExtract app to support newer versions of Android [Work in progress in Beta 1]
Boot VM
- Added VirtualBox 7 and VMWare 17 to supported hypervisors
- Fixed issue with long .vmx filenames
Auto Triage
- Added automatic encryption certificate collection option
Deleted File Search
- Added Carving Option to main Deleted Files Screen, so no need to go into Config file anymore.
- Added "Calculate Hash of File(s)" to right click menu
- Added ability for the user to create a new folder when utilizing the "Save Deleted File(s) to Disk" option
Email Viewer
- Support displaying email messages when loading MBOX folders found on MacOS
- Added "To" column to the email list view
- Updated default email export title to "[<filename>] <first 32 chars of subject>"
- Updated to allow Email Boxes/Files to be removed by right-clicking on tree view item
Event Log Viewer
- Added a new filtering option to allow searching all event log files at the same time
- Added RDP and PowerShell logs to the presets list
- Added option to allow cancelling of loading process that is taking a long time
- Updated to allow for reading of event log files located anywhere on the machine, in case they have been moved from their standard location.
- Improved presets filtering to make it also work on folder scan and single log file scan
- Improved performance of loading large log files
File Name Search
- It is now faster. A lot faster. In some cases up to 40x faster. Whole hard drives can be searched in under 1 second (depending on hardware and the number of files). This was the result of improved caching and dozens of separate low level optimisations.
- Added second level search to search the File Name column within the existing results, supports wildcard characters
- Added new presets: "All Folders (No Files)", "All Files (No Folders)", "Certificate Files"
- Renamed "All Files" to "All Items (Files & Folders)" preset
- Added config option to detect encryption/compression by File Analysis (and/or Entropy)
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Changed "folder to scan" field so it now shows "<Multiple directories selected>" instead of the first folder in the list
- Changed so when "Search in Hash Set Database" is checked, the hash being used is shown in the status bar
- Changed so the sort order prior to a new scan is reset to prevent triggering the Face/Illicit Detect on search completion
- Changed so user is warned if the start directory specified is a child or parent directory of existing item in the directory to be scanned list
- Changed to allow searching through directories that are re-parse points when device is in Forensics Mode
- Changed to allow adding re-parse point files to case
- Opening a folder will now open the folder in File System Browser
- Increased the length of the text users can type into the configuration directory field
- Updated several search presets to exclude folders to avoid false positives and changed the search string from using wildcard (*) to improve search times
- Set the current device selection as the default value for the Directory in the Config dialog
- Set the Directory value as the case default drive when user clicks the Reset button in the Config dialog
- Fixed bug where "Make Database Active" setting was not updating the Active Database in the Hash module
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed issue where it would add to directories to scan rather than replacing them
File Viewer
- Viewed, Tagged or Categories values can now be modified
- Separated flags into OSF and User flags
- Added "Check file in list" option, when checked, updates checkbox in file list view of the File Name, Deleted File and Mismatch File Search modules
- Added new graph to chart the entropy for a file
- Added "not in hash set" flag to File Info tab
- Added categorized case item status and category name in the file info tab
- Added EXIF metadata tag group (family) name, this would be helpful to distinguish the two tags which have the same name but belong to different tag groups
- Tag group names are now shown in the case item properties window and exported report
- Automatically rotate images based on EXIF data
- Fixed "in hash set" flag always being enabled even when file is not in a hash set
- Fixed issue with being unable to play .avi files with tscc encoding
- Fixed issue where images were distorted when rotated
- Fixed issue when attempting to load videos from logical drive
- Fixed column headers disappearing in OSF File Viewer for Compressed filetype when moving/hiding window
- Fixed possible crash when opening .heic images from file
File System Browser
- Added option to right-click menu to allow users to open a file with OSF internal viewer
- Fixed the bug where MFT Modify Date(Attribute Modify Date) column name was not displaying properly
Indexing
- Combined the Create Index and Search Index modules into a single module with tabs for each module
- Added ability to index Windows Event Log files
- Fixed looping/hang issue when trying to index invalid MBOX files
JSON Viewer
- Fixed freezing on large JSON files
- Fixed crash when importing JSON files
Hash Sets
- Added PhotoDNA hash support to hash set lookup
- Added tags field to hash sets
Logical Image
- Added individual file hashing option when creating logical image
- Fixed bug where logical image creation log could not be added to case after completion due to file naming issue
Manage Case
- Added new caching modes when using Forensics mode. These are set automatically:
• For disk images and read only devices, persistent caching is used. This means we hold the data from the disk (or disk image) in RAM forever. This gives maximum speed, with the second search run typically getting faster than the first run, as everything gets cached on the first run. This works well for read only devices. It doesn’t work so well for live disks that have files being added and deleted all the time.
• Temporary caching means we throw away the cache before each search. Caching still occurs during the search however, but the cache starts empty. So it isn’t as fast as persistent caching. The advantage is that it picks up any new files that have been created since the last search.
• You can also turn caching off. Which is useful only in very rare circumstances for debugging purposes or if the drive is very very active and being even a few seconds behind the live disk activity is an issue.
- Added Case type: Criminal; Criminal (Contains Child Exploitation Material); Civil; Internal / Confidential; Other
- Added option when importing a case, if a custom location is detected then ask user if they want to try and restore the case to the same location
- Added option to choose what date format to use for the selected case when displaying/exporting records
- Added shortcut keys to case categories
- Added the ability to account for daylight saving time
- Added "Settings" right-click option for case devices for setting the device caching mode
- Added Device Dialog will appear after creating a case when using Investigate Disk from Another Machine option
- Added check for opened temp file when saving case narrative
- Case List sort setting is now saved, with default sort set to by access date descending (Most recent listed first)
- Loaded case always appears on top of the list of Case List (regardless of sorting selected)
- Changed edit narrative tab to display HTML preview
- Updated list of available time zones
- Updated Manage Devices dialog UI
- Populate category colors when creating a new case
- Allow for rearranging of case categories in list view
- Highlight categorized case items if color is assigned to the category
- Display the color of the selected category in case item exports/properties dialogs
- Moved the Case Type from Offense & Custody Data to Basic Case Data window
- Fixed base metadata tags config for the report export
- Fixed crash when exiting case narrative editor
- Fixed incorrect error shown when trying to create case with no name
- Fixed the bug where OSF crashes when editing summary of job in the Offense & Custody Data in advance edit mode
- Fixed issue when a device was renamed in the Case Manager
- Fixed bug where the item deleted in the Manage Devices were not being deleted in the case itself
- Fixed clipping of elements with footer for Chain of Custody report
Manage Case - Generate Report
- Changed export window to a wizard dialog
- Exported HEIC/HEIF/TIFF images in the report will shown a PNG converted thumbnail of the original image, the exported file and link to the exported file remain unchanged.
- Added option to display files in grid view
- Added a metadata level option to the report export wizard to allow fine control of the metadata level for the report generation
- Added the option to enable/disable displaying time zone next to the date and times
- Allows users to select EXIF metadata tags per file extension to include in the case report
- Save the custom report logo file paths and report output location after use and preload the saved paths when the export report wizard dialog is reopened
- Updated report so that apart from report.html, all files are now in a "ReportData" folder
- Updated list of default EXIF metadata tags that will be enabled and included in the report for common file types
- Updated time zone display name
- Automatically uncheck include thumbnail when created redacted report
- Fixed layout issue with image display on grid layout
- Fixed window redraw issue when switching tabs
- Fixed bug that report was not being properly generated for "Case Report PDF - Printer Friendly", erroring out because template does not have "categories.html" template file
- Fixed issue where report generation fails when using templates with no "files.html" file
Memory Viewer
- Display total RAM of current system in Live Analysis tab
Mismatch File Search
- Added a new Scan browser cached images option, when checked it will perform a scan of browsers (Chrome, Edge, Opera, Firefox) cache directories to search for image files.
- Added support for Brave, Vivaldi, Yandex browsers cached images scan
- Added Scan Time taken results on completion
- Added call to flush cache before each scan
- Added "Exclude Edge Cache image files" option in config
- Changed to allow customization of columns in list view
- Start location will now display hint text if no devices in to case (for non-live acquisition only)
- Fixed issue where certain columns were not able to be sorted
- Fixed bug where "Folder to Scan" would revert to the Case default directory when switching to/from different modules
- Fixed bug where found items were incorrectly colored in the list compared to the file attributes
Passwords
- Added ability to scan for installed certificates in the windows certificate store
- Added scan entire file system option for encryption certificates
- Added activity light to encryption Certificate scan
- Updated Windows Login Password to confirm with user if they want to continue to scan Non-Windows file system when scanning for Windows Login Password
- Fixed crash when running encryption Certificate scan on entire drive
- Fixed a bug where not all DPAPI system master keys were collected, which affected passwords decryption relying on it like WiFi password
Registry Viewer
- Added amcache.hve file as a option to select for viewing
- Fixed incorrect Time Zone values when exporting System Hive
SQLite DB Browser
- Added the Windows.db Windows Search database file to known locations
- Added Windows 10 Push Notification file-path to the SQLite Browser known locations
- Changed to try and open corresponding .shm & .wal files if they exist
- Fixed issue where Run SQL crashes under some conditions
System Information
- Added support to collect Mac OS system info including: Model and serial number, Computer name, local host name, Timezone info, OS version info, User login info
- Added note that ProductName may be inaccurate for Win11
- Removed date after running each command, single date at the top of the report instead
- Fixed arrangement of preset dropdown
ThumbCache Viewer
- Added support to collect thumbnails EXIF data from "Windows.db" file for Windows 11
- Improved the performance to get data from Windows.db file, especially on the machines with many thumbcache entries
- Fixed issue where VLC Media Player artifacts not recognized by the internal file viewer properly
- Fixed possible crash in thumbnail view when mousing over different video items quickly
User Activity
- Added a new Open Evidence Source option to the right-click menu to make it clear whether users are opening an item or its evidence source file
- Added support to collect Windows Search info for Windows 11
- Added support to collect MS Office Backstage artifacts (recent documents and folders)
- Added support for parsing Mac OS Safari artifacts including Downloads, Browser History and Bookmarks records
- Added support for parsing .url format URL shortcut files for the Recent Files artifacts
- Added support for reading additional OSX MRU files (VLC, TextEdit, QuickTime Player, Recent Documents, Recent Applications)
- Added support for recycle bin artifacts in OSX
- Added new subcategory in Event Logs: OSX - KnowledgeC
- Added new category "Call History" - currently only for OSX
- Added option to scan dynamic-*.dat files used for auto-correction and predictive text features in OSX for Form History artifacts
- Added scanning progress and scan time taken on completion
- Added a new column to show Visit Duration of URLs in Browser History
- Browser History now shows all the web page visits
- Changed the tree-view to stay in the previously selected category/subcategory after filtering
- Changed Browser History to show all visits to a webpage instead of just the last visit
- Updated to collect cookies in updated file locations for newer versions of Google Chrome, MS Edge, and Opera
- Updated right-click menu options for P2P
- Updated list-view double-click/Enter behavior
- Updated to scan Downloads location for the Anti-Forensics artifacts
- Updated so tree-view width can now be adjusted
- Disable sort drop-down if timeline tab is selected
- Fixed the issue where VLC Media Player artifacts were not recognized properly by the internal file viewer
- Fixed issue with displaying Installed programs evidence location for Linux images scan
- Fixed issue with parsing event logs from Linux images
- Fixed issue with parsing Chrome/Edge/Firefox browser artifacts on Linux & OSX
- Fixed issue where MRU item name displayed an empty string in LNK, Recent Files and MS Office categories
- Fixed issue where MUICache artifacts evidence file was not opened correctly by Registry Viewer
- Fixed crash when adding a filter in the config dialog
- Fixed potential buffer overflow issue during the Event Log rendering
- Fixed system.log gathering in OSX
- Fixed issue where "Sort by:" text was not updated when switching between categories
- Fixed issue where some categories were using the same color in the timeline tab
- Fixed images not displaying in File Previewer when opening Recycle bin items
- Fixed text overflowing in File List tab for some types of artifacts
- Reordered Internet Artifacts
Verify Hash
- Added auto population of comparison hash field when internal hash value exists, so users do not have to re-validate E01 files with pre-calculated hashes when importing into OSF
Web Browser
- Allow user to select whether the captured image is added to the case or saved to file
- Updated Export GUI
Misc
- Added options to export and import OSFConfig files from Settings
- Added right click option to customize workflow in start page area
- Added color legend when exporting timelines as image
- Added deactivate option for perpetual licenses
- Added some missing time zones
- Added option to settings that allows user to pick a custom location for temp files
- Added RAM drive as an option for a custom temp location
- Added "FBI Most Wanted Terrorists 2023" search list as a new Word List for the index search module.
- Changed wording of "Other devices available" option to warn that it’s not running in Forensics mode
- Changed USB write block icon text and description text to be clearer when it's enabled/disabled
- Changed to use UTC instead of GMT for time zone information
- Changed thumbnail size slide button to allow to view images with larger sizes
- Updated "Add Device" & "Manage Devices" icons
- Updated Volatility Workbench to support Volatility3 V2.4.1 (for memory dump analysis)
- Updated OSFMount x64 binaries to v3.1.1002 to fix mounting image files on a network share using physical emulation. Previously there could be problems with network share permissions, as the device driver would be running under a different user from the current user.
- Improved performance when hovering over a thumbnail to see a video preview
- Display a more serious warning when running OSF as a non admin user, as several important features are missing if you are not running as Admin.
- Make backup of old config file when updating/downgrading OSF
- Module running statuses are now cleared when loading a new case
- Fixed tabbing on some "Add to case" windows
- Fixed incorrect GUI Message (Warning drive/valid not found for APFS) on Password/User Activity module
- Fixed text clipping with the legend in timelines