OSForensics V4 Beta release

    OSF V4 is now available for beta testing.

    Beta details

    Current Version: V4.0 Beta 3
    Date: 25/Oct/2016
    Download link: OSFV4 Beta download link.

    Download size: 65MB
    OS Support: XP to Win10.
    (We suggest using Win7, 8, or 10, as XP is missing some features like Shadow copy & GPU support.)
    License keys: V3 keys continue to work in V4 beta. New V4 keys will be required for the final V4 release
    Price: No change from V3. Free upgrades for past orders with paid up support & maintenance.
    Expiry: Beta will expire on 15/Nov. We'll have a new beta or the final release out before then.


    What's new

    Password recovery
    • Wifi passwords are now recovered & decrypted from the registry and file system.
    • Windows auto-logon passwords are now recovered & decrypted from the registry.
    • Outlook & Windows live mail passwords are now recovered & decrypted.
    • Microsoft product keys are extracted from the Windows registry
    • New Configuration window has been added to allow the user to select what items are recovered, enter in an account password for offline decryption & select a dictionary for brute force attacks on the account password.
    • Specific rows in the password report can now be selected for export or adding to the case.
    • GPU accelerated hardware support for brute force password recovery on Office documents, PDF, Zip & RAR file. (Work in progress)
    • Support for new MS Office 2013 encryption standards for DOCX, PPTX, etc... (SHA512 hashing has been implemented in addition to SHA-1).
    • New columns in the report have been added for password strength & length, which can be useful when checking for compliance with password policies.
    • Added NTLM hash cracking to the common password check for the Windows login password
    • Added NTLM hash rainbow table generation.
    User interface & work flow
    • It is now possible to change the order of buttons in the left menu, now called the Work Flow menu. This allows the button order to reflect the chronological order of specific forensic processes.
    • Checkboxes in several windows rather than multi-select, which required continuously holding select/ctrl.
    • New 'File Details' tab in several windows that displays the search results in a list view.
    Recent activity artifacts
    • Added OS X artefacts to Recent Activity feature for Mac drives
    • Added mobile backups, lists the backups found from iTunes (e.g. iPod, iPad, and iPhone).
    • Updates in Recent Activity for newer browsers (including Edge)
    • Faster collection of Windows Search terms in recent activity (reducing hours to minutes for the worst case)
    • Added additional USB devices from SYSTEM\CurrentControlSet\Enum\USB in Recent activity
    • Added USB first connected time from parsing setupapi.dev.log
    • The ability to reorganize and/or hide show certain columns by right clicking on the column title area to configure it on the File Details tab was added.
    • GUI will show incrementing artefact count during the scan
    File system support & imaging
    • exFAT is now supported
    • Added read-support for .Ex01, .Lx01, and .L01 image formats
    • Improvements to HFS+ support for Macs.
    • Added the ability for users to create Logical images from the Forensic Copy feature. Logical images are created as a .VHD virtual disk & can be remounted back into OSF or manipulated with 3rd party tools.
    • Added a log option for Forensics Copy
    • Added ability to supply multiple source paths when performing Forensic Copy
    • Owner/group/permissions are now preserved in Forensic Copy
    • Better exposed the function to compare shadow copies.
    Memory viewer
    • The Memory Viewer has been overhauled. Now has 47 columns of metadata for all processes.
    • Handles and loaded Modules are displayed per process when available
    • Users can create Process Specific binary dumps through right click options and add to the case.
    ESEDB Viewer
    • Dialog to select from a list of known files now shows the file size
    • Added right-click option to copy values (ie. cells) to clipboard
    • Added right-click option to view values (ie. cells) as binary data in the internal viewer
    • Added right-click option to export values (ie. cells) as binary data to file
    • Added right-click option to export values (ie. cells) as binary data to case
    • Added right-click option to export tables to case
    • Fixed some memory allocation issues when exporting tables that can cause a crash
    • Fixed horizontal scroll bar not appearing for some tables
    • Binary data is now displayed in byte groupings
    • Fixed a bug when retrieving a record multi-value
    File name search
    • The user can now edit the list of pre-sets by editing the FileNameSearchPresets.txt file (in the C:\ProgramData\Passmark\OSForensics folder).
    • Peer to peer file types have been added as a new pre-set search selection.
    • The number of characters allowed in the search string field has been increased from 256 characters to 1023 characters.
    • Improved the default settings
    • Ability to group the search results by file type in 'File Details' view
    • When grouping the results by file type, the groups are collapsed by default
    File indexing and searching
    • Added image file EXIF header indexing for Camera Make Model, GPS date/time, GPS Latitude, and GPS Longitude
    • Improved relevance scoring when hundreds of matches are found within the same file
    • Restored torrent file indexing which got accidentally broken in a past release.
    • Fixed bug when indexing invalid file types (e.g. misnamed or corrupt files) causing incorrect content to be indexed.
    • Improved search results layout
    Reporting & Case Management
    • PDF output added.
    • New streamlined report layout, including a sidebar for quick access to specific forensic artifacts
    • Added option to include file EXIF metadata in the report
    • Custom logos are now easier to add
    • Added two custom fields to Case Information (the Edit Case and New Case windows) & allow the user to rename the fields
    • Added an Add External Report feature in case management, which supports adding an external HTML report directory to properly display other tools' reports.
    • Reduced the time required to populate the list of log entries
    • Index search history is now loaded on demand to reduce case load time.
    • File size of the case item is no longer retrieved to reduce case load time
    • The default mount name for volume shadows now contains the index number
    • When mounting devices, there is no longer an attempt to open a handle to the drive to reduce case load time.
    Shadow copies
    • Fixed an issue when adding shadow copies to a case, if selecting an individual shadow copy it would store an incorrect Device path (eg Drive-C instead of Drive-C:\) which would lead to it not being displayed on the analyze shadow copy dialog.
    • Added a Shadow Copy Analyze icon to the start page
    • Stopped shadow copy entities being compared against themselves, as it only makes sense to compare different shadows.
    • Added a warning message when opening the analyze dialog if no shadow copies were added to the case.
    System information
    • BitLocker Detection preset added to System Information
    • Updates to System information to detect new CPU types
    • Added Printer Info from registry for live/scan drive and Printer Info from (WinSpool) for Live Systems in the System Information module.
    Registry Hive viewer
    • Fixed a bug when opening a backup hive that was locked and a shadow copy was required to provide access.
    • Dialog to select from a list of known files now shows the file size
    Hashing
    • Button to add Hash results to case
    Thumbnail database viewer
    • Fixed large memory usage when reading Win10 thumbcache files.
    • Added support for Win10 thumbcache files. The Win10 thumbcache header uses a different format than previous versions
    • Added to list of known thumbnail cache files
    • Replaced thumbnail size radio buttons with combo box
    • Dialog to select from a list of known files now shows the file size
    Internal file viewer
    • Updated video previewer to support more video formats, including: 3GP, ASF, ADTS, MPEG-4, SAMI, AAC, WMA, DV Video, H.264/H.263, WMV
    • Can do screen capture from the File Viewer.
    Email searching
    • Added BCC searching for Emails.
    • Additional details are indexed when indexing Emails (for some formats).
    • Support for MIME UTF8 encoded FROM, TO, CC, BCC, SUBJECT fields in MBOX files
    Deleted files
    • Added a new checkbox for full disk / unallocated space carving. Previously only unallocated space was used for carving, as it is usually much faster. But in rare situations the full disk option can be useful (e.g. file slack space examination).
    • Added a new window showing the list of File Types that are carved (opened from within the config window). This list can be modified to add custom signatures by the user by editing the osf_filecarve.conf file.
    • Ability to group the search results by file type in 'File Details' view
    • When grouping the results by file type, the groups are collapsed by default
    Other changes
    • Added better time resolution, now fractions of seconds, in File Name Search/Mismatch Search/Deleted Search
    • Added support for Win10 prefetch files, which are compressed using lzxpress huffman stream encoding
    • Compare signatures can now display identical files. This is useful for duplicate file detection. There is a configuration dialog for specifying folders to exclude and file extensions to include.
    • Dozens of other bug fixes and minor usability improvements, including fixing a couple of crash bugs
    • Fixed up broken XP compatibility. This is very likely the last release we do that has any support for running on Windows XP.
    • Populating the drive list (for drive preparation) is no longer performed on program startup to speed up load time
    • Loading of Magic config file (for mismatch search) is now performed on demand to speed up program load time
    • Populating the device list (for raw disk viewer) is no longer performed on program startup to speed up load time
    • When loading the log file (secure log), a buffer is now used to speed up load time
    Last edited by Tim (PassMark); 10-25-2016, 03:07 AM.

  • #2
    Hi David,
    If I find issues, where should I post them?

    best
    Andre

    • #3
      You can post it on this thread or send email in.

      • #4
        Hi Richard,

        OK, I found some possible issues.

        I first tried a live case on the VM where I installed V4 Beta. When I try to open the Registry (only system Registry, User one works) I get what you can see in the first attached picture.
        Second, if I try last activity I get the error from the second picture.

        More tests are running at this time; I am trying indexing, which needs some time to complete.

        best

        Andre
        Attached Files

        • #5
          Hi
          I sent you an email with the pictures; they look very small here in the thread.

          best

          Andre

          • #6
            As this beta version is coming to an end do you have an update? Beta 3 or release. Thanks!

            • #7
              As this beta version is coming to an end do you have an update? Beta 3 or release.
              Beta 2 was only released about 12 hours ago. So I am not sure what is making you think it is finished.
              We'll likely do a Beta 3 release, maybe in another week or so, then the final release assuming no serious problems are uncovered.

              • #8
                Hi,

                I was playing with the beta and get the attached error when starting it.

                Attempted to manually register the DLL with no success.

                Do you have any tips you could share?

                Thanks.

                Steven

                • #9
                  iPecker,

                  For the "libeay32.dll is missing from your computer" error, can you give us a bit more information?

                  Was this a desktop install, or running from a USB drive?
                  Did it initially work, then stop working?
                  Which O/S are you running on (e.g. Vista, Win10, 32bit, 64bit)?
                  Was this with Beta 1 or Beta 2?

                  • #10
                    Hi
                    For Beta 2 I have now checked the whole indexing without any problem, great work!
                    Everything else I tested also works well, but I am not at the end of the tests; I have checked only Windows for now,
                    next I will try Linux and OS images.

                    I have a small problem with the Hash Database. I have a bad-hash file from a malware scanner site that contains only
                    MD5 hashes, comma separated, without filename or anything else.
                    OSF can't use such a file other than to hash the disk and compare it against that hash file, but I can't get it into
                    the hash database like the one you give for download or NSRL.
                    Malware like viruses and others mostly do not really have a name, so hashes alone are what I need and will use;
                    names are not important. If I put some of those hashes into VirusTotal I get many names for that hash, so what I mean
                    is that a real known-bad hash file has only hashes, no names, no size. It would be great if such hash files could be
                    imported into the hash database for use in other modules.
                    Other tools like Autopsy can use such files in modules.

                    best

                    Andre

                    • #11
                      lauzona,

                      OSF can import a list of hashes into a "Hash Set". It should be no problem. Obviously if you don't have file names some fields will be blank, which might mean you need to edit the CSV file in Excel or a text editor to get it into the right format.
                      If you can't get it to work then E-Mail us the hash list as CSV and we'll check it.

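A small converter for the bare, comma-separated MD5 list described in #10, as an added example that is not part of the thread or of OSForensics: it validates and dedupes the hashes, writes a CSV with blank filename/size columns, and runs the "hash the files and compare" step against the set. The three-column layout (md5, filename, size) and the sample list are assumptions, not OSF's documented hash-set format.

```python
import csv
import hashlib
import io
import re

# Constructed sample: a bare, comma-separated MD5 list as described in the
# thread (no filenames, no sizes), with the kind of noise real feeds contain
# (mixed case, stray whitespace, a token that is not a hash, a duplicate).
SAMPLE_LIST = """d41d8cd98f00b204e9800998ecf8427e, 5EB63BBBE01EEED093CB22BB8F5ACDC3,
not-a-hash,d41d8cd98f00b204e9800998ecf8427e ,
9e107d9d372bb6826bd81d3542a419d6"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

def parse_bare_md5_list(text):
    """Split a comma/newline separated list into a set of lower-case MD5 hex
    strings, dropping anything that is not exactly 32 hex characters."""
    hashes = set()
    for token in re.split(r"[,\s]+", text):
        token = token.strip().lower()
        if MD5_RE.match(token):
            hashes.add(token)
    return hashes

# Assumed column layout for the CSV to import; adjust to what the tool expects.
COLUMNS = ["md5", "filename", "size"]

def to_hashset_csv(hashes):
    """One row per hash with blank filename/size fields, sorted so that two
    versions of the same feed diff cleanly."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(COLUMNS)
    for h in sorted(hashes):
        w.writerow([h, "", ""])
    return out.getvalue()

def match_files(hashes, files):
    """Hash each (name, bytes) pair and return the names whose MD5 is in the
    known-bad set, i.e. the compare step the thread describes."""
    return [name for name, data in files
            if hashlib.md5(data).hexdigest() in hashes]

if __name__ == "__main__":
    hs = parse_bare_md5_list(SAMPLE_LIST)
    print(to_hashset_csv(hs))
    print(match_files(hs, [("empty.bin", b""), ("hello.txt", b"hello world")]))
```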
                      • #12
                        Sorry for the delay but I am away from the office for work.

                        I am running several VMs (Win 7 and Win 8.1) and it is a local install.

                        The error is displayed after running setup and starting OSForensics.

                        It is the latest download version.

                        Thanks.

                        • #13
                          iPecker,

                          Can you have another try. The libeay32 dll issue should be fixed in Beta 3.

                          • #14
                            After testing with Beta 3 it seems to only happen inside a VM.

                            On a physical PC it works.

                            We are a Mac shop and run all our Windows tools inside VMs when traveling.
