PassMark Software



OSForensics V6.1 Beta


    A beta build for V6.1 of OSForensics is now available.


    If you find any problems, either post them in the forum here, or email us.


    Device support
    - Updates to handle accessing Apple's new APFS file system. Both for physical disks and disk images.

    Create Index
    - Updates to handle indexing APFS images
    - Fixed multi-threaded indexing problems when accessing Linux EXT2 file systems.
    - Fixed memory estimation (was previously not including some offline buffers)

    Forensic Imaging
    - Made some changes to how Encase format images (.E01 and .Ex01) are created to work around an issue that limited the final image creation to a maximum of 64 .E01/.Ex01 files, which resulted in uncompressed images larger than 100GB in size and more than 64 files being unreadable. The bug caused the header of the first E01 file to be corrupted (it could be manually corrected, but it was a lot of work to do it).

    Mobile Artifacts
    - Addition of new module to scan for mobile device information
    - Currently only supports Android disk image (looks for items in data folder) and/or backup (apps folder)

    SQLite Browser
    - Changed SQLite Browser into a viewer so users can have multiple instances open (Up to 10).

    Changes since 6.1 beta 1

    Deleted Files

    - Fixed NTFS MFT record size calculation, which can prevent parsing of the MFT in the raw disk viewer and in deleted files module.

    System Information
    - Fixed crash bug due to buffer overflow with long case device names. Device names over 12 characters caused problems in the system information module.

    Changes since 6.1 beta 2

    Email Viewer
    - Single Email Viewer can view Gmail email stored within Android mailstore.<username>

    Mobile Artifacts
    - Added date filtering.
    - Added Right Click Menu to lists (e.g. Add to Case and Export List options).

    Recent Activity
    - Fixed a bug where subitem counts in the treeview were not actively reflecting the actual filtered counts.

    Report Templates
    - Updated report templates to include Mobile Artifacts

    - Added "Add to case" action on start screen and left hand menu button to allow quick access to add a device to a case

    System Information
    - Added new commands to get Windows information (product name, build and install date) and last shutdown time from the registry

    UsnJrnl Viewer
    - Fixed incorrect filenames due to incorrect length truncation

    - Preliminary support for mounting "group" devices such as entire physical disks. Contained partitions are mounted as "subdevices" and appear as folders under the parent device
    - Changed timezone drop down for GMT/UTC 0 from "GMT +0:00" to "GMT 0:00" to visually stand out more in list

    More changes are coming for the final V6.1 release......
    Last edited by Tim (PassMark); Today, 05:01 AM.