PassMark Software

OSForensics V6 - Public Beta release

  • OSForensics V6 - Public Beta release

    SUMMARY:
    We are pleased to announce the release of OSForensics V6 Beta 1 - 15/May/2018
    V6 has around 150 new features and bug fixes

    DOWNLOAD:
    https://www.osforensics.com/downloads/osfV6Beta1.exe (99MB)

    LICENCE INFORMATION:
    Beta 1 will expire on 2018/08/01
    V5 License keys will work in V6 Beta 1. But for the final release new keys will be issued if you have paid support.
    Discounted upgrades will also be available if you have an older release.

    INSTALLATION
    You can install this version over the top of previous installations.

    PROBLEMS
    If you find any problems, either post them in the forum here, or EMail us.

    WHAT'S NEW

    Case Management
    - Added "Export case" button
    - Added a list of reports that have been generated (in case directory or last known export directory)
    - When creating/editing case, user can now specify whether or not USB write-block should be enabled. Whenever the USB write-block settings are changed, a warning is displayed to the user to detach/re-attach connected USB devices for the settings to take effect.
    - Changed list view to allow groups (devices, reports, files etc) to be collapsible
    - Added last access date to case management when case is loaded
    - Fixed error copying files with long file paths when a report was created and the report contained deep / long paths.
    - Fixed a bug when creating a case report that was leaving a file handle open
    - Added support for encrypting PDF report
    - Added predefined offenses list to 'Offense' drop down list when creating/editing case
    - Case Details Dialog, fixed bug that might cause case narrative text to be reset to default when editing case details.
    - Case Details Dialog, will prompt user to confirm cancelling changes when they have edited case details fields and click cancel.
    - Case Export, changed text on "Cancel" button to "Close" on the Generate Report Dialog since custom logos are saved to config once changed in the dialog.

    Create Index
    - New indexing engine (Zoom V8 with multi-threaded offline indexing)
    - Much better indexing performance (3x speed increase)
    - Updated Create Index interface with new file type selections
    - New "Memory optimization / Indexing Limits" step to bypass Pre-scan
    - Added support for user configurable number of indexing threads (up to 10)
    - Added options to enable/disable RAM drive
    - Improved RAM estimations and Indexing Limits settings
    - Improved indexing Status interface
    - Updated OSF interface to show multi-threaded indexing
    - Updated OSF Create Index options to offer more control with file type selection
    - Removed unnecessary indexing warnings
    - Added count display for Prescan
    - Added thousands grouping for large numbers shown in Create Index windows
    - Increased sleep/wait time while starting indexer to allow for a slower initialisation which could cause an error to be displayed

    Deleted Files
    - Column ordering, visibility and size now saved in OSForensics config file
    - Configuration options now saved in OSForensics config file
    - Fixed a crash caused by logging a magic number incorrectly when getting deleted files
    - Fixed uncaught exception error when loading MFT for some OSF devices
    - Fixed bug where raw whole disc carving was incorrectly returning progress, causing possible crash when accessing the list.
    - Added check for buffer overrun when looking for slack $I30 entries
    - Errors when parsing non-resident attributes of deleted MFT records no longer cause the search to terminate and throw an error message. This is an expected case. Errors are now written to the debug log and the process continues.
    - Fixed a crash that could occur in deleted file search when file carving is selected but the physical disk has been removed from the system
    - File Carver, added minimum file size option when carving. Changed "Reserved/Future Use" field in osf_filecarve.conf to "Min File Size"
    - File Carver, TIFF/CR2 extraction should be better.

    Disk Imaging
    - Added extra check if the first read fails when verifying the image created.

    Disk Preparation
    - Can now wipe BitLocked drives. Previously these drives appeared to be locked and could not be formatted.

    Disk Test
    - Fixed issue with formatting as FAT32 on small drives.
    - Fixed Crash when formatting as FAT32 fails.

    E-mail Viewer
    - E-mail times now include the timezone offset, both 'Delivery Time' and 'Client Submit Time'
    - Fixed printed e-mails missing e-mail addresses due to HTML entities not being escaped

    File System Browser
    - Added right-click menu option to jump to MFT record in the raw disk viewer
    - Fixed stack overflow when attempting to add device to case

    File Name Search
    - Added an "Uncheck all" menu item to uncheck currently selected items
    - Added 'Windows Shortcut Files' (ie. lnk files) to the file name search presets list
    - Column ordering, visibility and size now saved in OSForensics config file
    - Removed folders from results when filtering using hash set
    - When filtering using hash set, fixed bug with current file being added to results after cancelling search
    - 'In hash set' flag is now set for results when hash set is used and made active
    - Added support for filtering by whether or not the file belongs in the hash set. This allows the user to search for files on disk that match a set of hash values
    - Re-arranged configuration dialog

    Forensic Imaging
    - Re-arranged tabs
    - Create Image, for physical disks, disk model and serial number are now saved in the info file
    - Added new 'Device and SMART Info' for displaying physical disk attributes + SMART info
    - Device & SMART Info, Added support for export and adding report to case
    - Device/SMART Info, added mouseover tooltip descriptions for SMART attributes

    Forensics Copy
    - Moved allocation of virtual disk image to thread to prevent system from being unresponsive

    Hash Set
    - Added option to create 'Quick hash set', allowing the user to quickly create a hash set by specifying a list of hashes
    - Fixed deleted hash set databases appearing in the file name search config drop down box
    - Re-organized buttons
    - Added functionality for importing Project VIC files

    Hash set lookup
    - Added right click menu option to open files in internal viewer
    - Fixed incorrect # files hashed text due to not updating the dialog once all files are hashed

    Install to USB
    - Added help Link
    - Added separate "temp build" directory field when using WinPEBuilder.

    Internal File Viewer
    - EFS Support. When an EFS file is now opened in the file viewer a temp copy will be created and passed to the hex and text viewer. If the matching certificate has been installed on the system then the text should appear decrypted.
    - Hex View, added right-click option to add selected strings to case (as HTML file)
    - Fixed potential mem leak when generating video thumbnails
    - Fixed potential concurrency issues when loading videos

    Memory viewer
    - Column ordering, visibility and size now saved in OSForensics config file
    - Added button to add memory dump to case
    - Removed 'Error' text and icon from message box when process memory cannot be dumped because of access restrictions

    Mismatch File Search
    - Fixed a bug with the CSV export dialog displaying a .HTML file extension instead of .CSV

    NSRL Hash Import
    - Import 9x faster. While importing repeated file hashes, checks for duplicity are no longer being done using a lookup on non-indexed database (very slow). Now checks are done by comparing product code between two consecutive lines in input file.
    - Import will create new database automatically with default name based on date and time. Thus, incremental import is no longer an option.
    - New NSRL import config window to specify input and (temp) output folders
    - Temp Output folder can be specified so that user can specify RAM drive or SSD to speed up the import. Database is then moved from temp location to default hash sets location.
    - Updated help file with info about allocating enough space on a RAM drive.
    - Status now displays percentage counter during file importing

    Password Recovery
    - Added tab to allow PFX certificates to be installed on the local system, to facilitate opening EFS encrypted files when the certificate and password are available
    - Column ordering, visibility and size now saved in OSForensics config file
    - Browser passwords, made some changes to Firefox login recovery, now has a 64bit and 32bit helper executable (as Firefox have started distributing as 64bit).
    - Registry passwords, now displaying password hint value next to 'NT Password' column. Displays '(empty)' if not present.
    - Registry Passwords, added support for win10 anniversary update for live system in Forensics mode
    - Removed a "File not found" error when running the windows password search on a non system drive

    Prefetch Viewer
    - Added right-click option to export selected items to CSV

    Rainbow Tables
    - Fixed crash occurring when cracking hashes from a pwdump txt file - wrong data types were being passed to format string when secure case logger was enabled

    Raw Disk Viewer
    - Added progress window when carving to file
    - Renamed 'Decode' window to 'Disk Info'
    - Renamed 'Data Interpreter' window to 'Data Decode', split windows and shuffled content between decode window.
    - Added right-click menu options to 'Data Decode' window
    - Clicking on file paths now opens the internal viewer
    - Clicking on LCN/offsets now jumps to the offset in the raw disk viewer
    - Data Interpreter window now shows the MFT record number and filepath if the current cursor position is inside the $MFT file
    - Fixed crash issue when sector size could not be determined

    Recent Activity
    - Added a quick filter option (text box and button) to quickly apply a text filter to recent activity items
    - "Show empty activity types" checkbox to default to on so empty types are displayed
    - Results are now sorted by Date (desc order) by default
    - Fixed possible crash when reading jumplist info

    Registry Viewer
    - Support for generating reports for known registry hives (currently only SOFTWARE hive at the moment)
    - Fixed a possible crash when processing a registry file

    SQLite Browser
    - Will check for Skype SQLite database files during "Scan for DB Files".
    - Resizeable Dialog/Controls
    - Option (enabled by default) to convert known timestamps to readable format
    - Scan Folder button is now more useful. Will now populate with locations of known SQLite files (e.g. Chrome and Firefox profile directories)

    System Information
    - A new tab is now created for every new result
    - Added option to restore command lists back to default
    - Added "Recovery of Bitlocker Keys" to command list
    - Added ability to assign a name to an entered command. This name will then be displayed in the output/report.
    - Added support for Embedded Python 3.6.5
    - Removed the "Get" from the start of some item names.
    - Changed button text from 'Add...' to 'New...' when adding new commands
    - Moved 'Reset lists to default' option to dialog window. Added confirmation prompt to prevent accidental press.
    - Replaced spin control for moving items up/down due to overriding the handling of mouse wheel messages
    - Re-organized controls
    - Added command to get current clipboard contents
    - Added command to get anti malware (windows defender) software status
    - Added command to get current TPM status
    - Started encoding HTML special entities in output from tools so anything with HTML characters will display correctly
    - Fixed crash possible with getting printer info when system returns bad information.

    Triage Wizard (now renamed to Auto-Triage)
    - Changed Wizard icon to fingerprint icon & removed forensics dude. R.I.P forensics dude, we loved you, but the world just wasn't ready for you.
    - Added option to create logical image with known system files
    - Added agent help text when mouse is hovering over a control
    - Added a free disk space check (for at least 1GB + memory size if memory dump selected)
    - Fixed an unhandled exception that could occur in the triage wizard when running a scan on a non system drive (eg D) and having only windows passwords selected.
    - Fixed a missing file error message that was displayed when running a scan on a non system drive (eg D) and having only windows passwords selected and 0 results were found
    - Fixed a crash caused by trial limitations when running the triage wizard

    Web Browser
    - Added status bar to browser.
    - Can now select export format as Web Archive Format (.mht) when exporting webpage.
    - Can now export linked PDF, ZIP and other files.

    Misc
    - Added colour coding of encrypted files displayed in a file list
    - Added exit confirmation message
    - Added warning message on OSF shutdown whenever the USB write-protect settings are changed during the course of execution
    - Fixed a long delay at startup when not running as Admin
    - Removed agent icon from feature description text on start window
    - After successfully saving a file to disk, fixed a bug with activity monitor displaying task is still active
    - Changed how temp files are stored, each thread now has a temp folder
    - Increased a timeout (from 60 seconds to 180 seconds) when trying to repair esedb databases with esentutl as it was timing out during triage runs
    - To prevent machine from sleeping when running from USB, the mouse will jiggle if the time between user input (i.e. keyboard or mouse input) surpasses 10 secs.
    - Added DLL (MSVCR120.dll) required by wkhtmltopdf.exe to installer (error seen on windows )
    - Switched debug logging to logging library g3log for thread-safe, crash-safe, faster logging

  • #2
    Impressive!
