OSF V1.2 Alpha / Beta release

[David (PassMark)]

We are pleased to announce a beta release of V1.2 of OSF. We are expecting to get the final release done within the next week or two.

Current Version
Update 31/Aug/2012: It's done, V1.2 is no longer in beta. You can get the final release from the download page.

Download Page
http://www.osforensics.com/download.html

What's New
The following is a summary of what has changed in V1.2 compared to V1.1.

Major changes

• Support for Apple Mac file systems. Including HFS+ as used in Mac, iPhone, iPod and iPad. So it is now possible to view & investigate files from a Mac or iPhone on your windows machine with OSForensics. Includes changes to,
  
  • Indexer
  • File viewer
  • Raw disk viewer
  • Device manager
  
  
• Support for Linux file systems. Including EXT2, EXT3, EXT4. Includes changes most modules in OSF.
• SQLite database viewer is now included in the OSF package. This is useful for looking into database files created by several applications on the iPhone and also by Firefox.
• Added support for APM partition scheme (Apple Partition Map)
• Updated RecentActivity Module to display Browser information for when querying Unbutu machines images.
• Added firefox form history retriveal to the recent activity
• Made CSV import into hash sets a significantly more robust and added better documentation.
• Changed regular expression searching in search index to use a slower algorithm, but it is more able to execute complex regexes.
• Deleted file search now supports hash set lookup and displays icons for status.
• Internal file viewer supports right-click functionality for deleted files (Open/Hash lookup/Add to case)

Minor changes

• Changed progress bar in Create Index to complete with 100% instead of 0%
• Fixed Registry Viewer to use custom file selection dialog. Making it easier to view registry files with directly accessing an image file.
• Help file updates
• Fixed vmdk crash bug
• Added a maximum limit for # of items in cache to prevent allocation of an abnormally large amount of RAM at startup by Thumbnail view.
• Fixed handle/memory leaks causing potential crash in Thumbnail view.
• Fixed crash when closing OSF when search is running in raw disk viewer
• Changed double click of thumbnail in Image tab of "Search Index" to open in internal viewer
• Extended vshadow executable timeout to 2 minutes for slow machines
• Fixed a crash when a case with no indexes was selected and the "Browse Index" tab was clicked on.
• Fixed a possible crash when using the scroll wheel in the recent activity window
• Added cookie name and content to CSV export of cookies
• Added cookie content to information displayed in the recent activiy window and included in the TXT and HTML exports
• Fixed bug opening fileset from hash lookup dialog after first sorting
• Can now sort by whether or not the file is in the hash set in deleted file search
• The 'Include Special Characters' checkbox in the hex viewer settings is now functional
• Changed 2GB max file size limit for indexing to 4GB
• Fixed possible crash when adding file to case in free version in deleted files module
• Fix possible crash problem when indexing PST files.
• Fixed icons in "File List" tab for OSF devices

[FQuerceto]

No support for .E01 images yet ??

[David (PassMark)]

They have been supported for some time now, at least when they were using FAT32 or NTFS as the file system.

This release will add support for HFS+, EXT2/3/4 in .E01 and .AFF images (as well as raw dd images)

[David (PassMark)]

Alpha 2 is now available. Download details in the initial post (above) have been updated.

Differences from Alpha 1 are,
- Bug fix for indexing of drive images using direct access with multiple partitions where the 1st partition isn't being indexed.
- Changes to support WinPE for a up coming self boot option.

[d8a4n6]

Alpha 2 is crashing while opening and email message from an index search. The error indicated to send the dump file in the OSforensics folder. Is that the file you want? It's just shy of 90MB.

[David (PassMark)]

It is probably it yes. How big is it if you zip it up?

What type of file was it (.PST, .EML, .MBOX, etc..)?

What would be better however would be to get a copy of the E-mail archive file that didn't open. (e.g. inbox.pst). Reproducing the problem here with the original file if going to be a much more efficient debugging method than a crash dump. Crash dumps only help about 30% of the time, where as there is probably near 100% chance it can be fixed once we can reproduce the problem.

[David (PassMark)]

You can FTP upload the crash dump to us. It will be too big for E-mail.

We have anonymous ftp at,
ftp://www.passmark.com
You can drop things into the incoming folder.

Note that you can't list files or download files from the incoming folder, but you should still be able to upload when using a real FTP client (not a browser).

[David (PassMark)]

Alpha 3 has just be released.

The download link above has been updated.

Changes from the last Alpha are,

• Fix for stemming of German words in index. This bug prevented some German words with accents being searchable if stemming was enabled.
• Fixed crash bug with "type to find" in "Browse Index" tab. Previously scrolling the word list in the dictionary browse index function using key presses could cause a crash.
• Several fixes for OSX file system support, including mounting of physical OSX drives.
• Can now image drives to .E01, .AFF format, in addition to dd format. The compression level can now also be selected (None, Fast compression, Best compression).
• Can now image partitions without drive letters or without recognized file systems.

[David (PassMark)]

Beta 1 has just be released.

The download link above has been updated.

Changes from the Alpha are,

• Additional advanced indexing options to allow the user to select the type of content to be indexed. The user can now, for example, choose to just index document meta data without indexing the document content.
• Sector number and byte offset are now displayed in the list of caved files in the undeleted files module.
• Sorting by bookmarks is now available from the File name search function.
• The normally hidden NTFS MFT Modify Date field is now exposed. You can see it as an extra column in the File System browser for example. Note that this is a different value from the "Modified date" that is normally associated with a file and displayed in Windows Explorer.
• The time line function in the File Name Search module can now generate a timeline based on different sets of dates. e.g. you can do a time line on file creation date or modified date. Previously the timeline always used modified date.
• From the Manage Case module it is now possible to right click on a bookmark and add the bookmarked file directly to the case.
• In the drive imaging function there is now a new Restore Image tab. This tab allows a disk image to to restored back to a physical drive. This might be useful if you want to attempt to boot a disk image from a physical drive.
• From the search index module you can now right click on a word in the Browse Index tab and search for the word in the index and add it to the case in a single step.
• You can now export a list of words from the index as CSV via the Browse Index tab.

[d8a4n6]

All very handy additions.